Your message dated Sat, 23 Apr 2016 12:49:20 +0000
with message-id <[email protected]>
and subject line Bug#819818: fixed in imlib2 1.4.8-1
has caused the Debian Bug report #819818,
regarding imlib2: CVE-2016-3993: off-by-one OOB read in __imlib_MergeUpdate
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
819818: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819818
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libimlib2
Version: 1.4.6-2+deb8u1
Severity: normal
Tags: upstream patch

Dear Maintainer,

1) I re-compiled imlib2 package with debug information,
2) compiled and installed tests (data, src/bin),
3) run `valgrind imlib2_test`,
4) moved mouse to right lower corner of window;

==16086== Invalid read of size 1
==16086== at 0x4E79C4E: __imlib_MergeUpdate (in /usr/lib/x86_64-linux-gnu/libImlib2.so.1.4.6)
==16086==    by 0x401773: main (in /usr/bin/imlib2_test)
==16086==  Address 0x9d20360 is 0 bytes after a block of size 1,200
alloc'd
==16086==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==16086== by 0x4E798E3: __imlib_MergeUpdate (in /usr/lib/x86_64-linux-gnu/libImlib2.so.1.4.6)
==16086==    by 0x401773: main (in /usr/bin/imlib2_test)

In gdb, it points to src/lib/updates.c:

   |                 for (xx = x + 1, ww = 1;                         |
  >|                      (T(xx, y).used & T_USED) && (xx < tw); xx++,|
   |                 for (yy = y + 1, hh = 1, ok = 1;                 |

xx is 20 and tw is 20, so T(xx, y) addresses one byte out of buffer.

Pretty obvious, off-by-one error due to swapped condition order.
In unlucky case, this can result in application crash.
Security implications: very minor, DoS at most, only for application drawing images using coordinates from untrusted source ("drawing images from untrusted sources" by itself is safe).
Two *alternative* patches attached (apply only *one* of them).
TODO: I have not tried to search for similar pattern over codebase yet.

Note: there are no changes affecting this code in 1.4.7 (sid) or 1.4.8 (upstream).

-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'proposed-updates')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libimlib2:amd64 depends on:
ii  libbz2-1.0         1.0.6-7+b3
ii  libc6              2.19-18+deb8u4
ii  libfreetype6       2.5.2-3+deb8u1
ii  libgif4            4.1.6-11+deb8u1
ii  libid3tag0         0.15.1b-11.1~local1
ii  libjpeg62-turbo    1:1.3.1-12
ii  libpng12-0         1.2.50-2+deb8u2
ii  libtiff5           4.0.3-12.3+deb8u1
ii  libx11-6           2:1.6.2-3
ii  libxext6           2:1.3.3-1
ii  multiarch-support  2.19-18+deb8u4
ii  zlib1g             1:1.2.8.dfsg-2+b1

libimlib2:amd64 recommends no packages.

libimlib2:amd64 suggests no packages.

-- no debconf information

Description: off-by-one out-of-bound read due to reversed condtion
Author: Yuriy M. Kaminksiy <[email protected]>

Note: you need *either* off-by-one-alternative.patch, *or* this patch;
DO NOT APPLY BOTH! (it won't break, but would unnecessarily clutter code)

Index: imlib2-1.4.6/src/lib/updates.c
===================================================================
--- imlib2-1.4.6.orig/src/lib/updates.c
+++ imlib2-1.4.6/src/lib/updates.c
@@ -111,7 +111,7 @@ __imlib_MergeUpdate(ImlibUpdate * u, int
                   int                 xx, yy, ww, hh, ok;
 
                   for (xx = x + 1, ww = 1;
-                       (T(xx, y).used & T_USED) && (xx < tw); xx++, ww++);
+                       (xx < tw) && (T(xx, y).used & T_USED); xx++, ww++);
                   for (yy = y + 1, hh = 1, ok = 1;
                        (yy < th) && (ok); yy++, hh++)
                     {

Description: off-by-one out-of-bound read due to reversed condtion, alternative solution (allocates one more guard cell).
Author: Yuriy M. Kaminksiy <[email protected]>

Note: you need *either* off-by-one-reversed-condition.patch, *or* this patch;
DO NOT APPLY BOTH! (it won't break, but would unnecessarily clutter code)

Index: imlib2-1.4.6/src/lib/updates.c
===================================================================
--- imlib2-1.4.6.orig/src/lib/updates.c
+++ imlib2-1.4.6/src/lib/updates.c
@@ -34,13 +34,14 @@ __imlib_MergeUpdate(ImlibUpdate * u, int
    th = h >> TB;
    if (h & TM)
       th++;
-   t = malloc(tw * th * sizeof(struct _tile));
+   t = malloc((tw * th + 1) * sizeof(struct _tile));
    /* fill in tiles to be all not used */
    for (i = 0, y = 0; y < th; y++)
      {
         for (x = 0; x < tw; x++)
            t[i++].used = T_UNUSED;
      }
+   t[i].used = T_UNUSED; /* guard OOB */
    /* fill in all tiles */
    for (uu = u; uu; uu = uu->next)
      {


--- End Message ---
--- Begin Message ---
Source: imlib2
Source-Version: 1.4.8-1

We believe that the bug you reported is fixed in the latest version of
imlib2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <[email protected]> (supplier of updated imlib2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 23 Apr 2016 13:39:26 +0100
Source: imlib2
Binary: libimlib2 libimlib2-dev
Architecture: source amd64
Version: 1.4.8-1
Distribution: unstable
Urgency: high
Maintainer: Alessandro Ghedini <[email protected]>
Changed-By: Alessandro Ghedini <[email protected]>
Description:
 libimlib2  - image loading, rendering, saving library
 libimlib2-dev - image loading, rendering, saving library (development files)
Closes: 639414 785369 819818 821732
Changes:
 imlib2 (1.4.8-1) unstable; urgency=high
 .
   * New upstream release
   * Fix divide-by-zero on 2x1 ellipse as per CVE-2011-5326 (Closes: #639414)
   * Fix off-by-one OOB read as per CVE-2016-3993 (Closes: #819818)
   * Fix out-of-bounds read in the GIF loader as per CVE-2016-3994
     (Closes: #785369)
   * Fix integer overflow as per CVE-2016-4024 (Closes: #821732)
   * Refresh patches
   * Update symbols file
   * Update Vcs links
   * Bump Standards-Version to 3.9.8 (no changes needed)
   * Fix spelling-error-in-description
Checksums-Sha1:
 5a93832dbb9e35b20f42602500f71379e32cc7e5 2006 imlib2_1.4.8-1.dsc
 982ffe64592a6b075f4ba5ffe9dd92266c505d9c 1028562 imlib2_1.4.8.orig.tar.gz
 a66a763f0ba7ac3cca51adabb52a9c5ce9af54d5 11628 imlib2_1.4.8-1.debian.tar.xz
 8d2fc19ec788163673356063a700eee727b05318 421696 
libimlib2-dbgsym_1.4.8-1_amd64.deb
 5a5fa3ce51a9ec60cb998e06482181e8f8903f64 196926 libimlib2-dev_1.4.8-1_amd64.deb
 421cca802a98e9d574cc84b54489d81bdcedaa25 204620 libimlib2_1.4.8-1_amd64.deb
Checksums-Sha256:
 027d47ccd8b40f830274880abe78cd639d778dbe7e9b9503fa546a1c8f1c419c 2006 
imlib2_1.4.8-1.dsc
 b5b97be5446d9c5635c288bfe970896148d8bc027ab01f854112cae03b65a3a5 1028562 
imlib2_1.4.8.orig.tar.gz
 211fed683ebc77d1f91c229e27bbce1ef0d88aea17a6584a324ad82ec1d013df 11628 
imlib2_1.4.8-1.debian.tar.xz
 9f9d0f4a3507eec042b8ddaae47a0cfe92398d45cebfdca641d6de62a6372a5b 421696 
libimlib2-dbgsym_1.4.8-1_amd64.deb
 13e996c8e4ede7693cbb6eea696c0e305ae519af1720fcb1851a7ec5dea19bd5 196926 
libimlib2-dev_1.4.8-1_amd64.deb
 a9cee479608e93ea0305c9b8ed3509568a5c909b0cc4b9cfbde8403c9f0a4b7b 204620 
libimlib2_1.4.8-1_amd64.deb
Files:
 8c6322245baee7ccfe52cc694449bc2a 2006 libs optional imlib2_1.4.8-1.dsc
 2e9d5054022945ed14935d5f61fc2145 1028562 libs optional imlib2_1.4.8.orig.tar.gz
 cd78bae35929765c7866a4c40e851580 11628 libs optional 
imlib2_1.4.8-1.debian.tar.xz
 b433b107a6f9a679ba7bd6a8b98f723f 421696 debug extra 
libimlib2-dbgsym_1.4.8-1_amd64.deb
 a44ea04aabd60cc48e99f69341a3ab8c 196926 libdevel optional 
libimlib2-dev_1.4.8-1_amd64.deb
 da86fe35fb1d6d910211499838fd5fbb 204620 libs optional 
libimlib2_1.4.8-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJXG23NAAoJEK+lG9bN5XPLb8UP/RbVATo6bEVOAJKJEGa5PvHg
ZLp8bh75K1w6CnZFkgsLYdumLQ7lI4V5yLrqdqi5HTbMtX2gsyEZpAWFXfEqGpGY
v+pnMelWPYGqPjvHs2r2451oeeLf6Lzqnoj8+fGR8LhQ9NI8Zp0PPBl/4xYsZnFu
IghCHk+iUNU//EkTcPa8plTuc4OCdv+jD88w2BE8o6UpWZqglAfLm+Z0aWdTszvg
bxlfJoo2sMQ1X68d0ACQzmr9DDvKf1c2wDjQrZNyxLYRMrsN+sJEgh+g0iY1NqOl
ZV1GP6ZbBazOYkkfR9Dw/+b+N/aPMKdGU+t0yChH6cJJcXPcGgrWR+4b6Ia1yM5S
cOoAcH9KR4SUU+Ih3uRjk4AVv37qHr/A2KB4CxIKWWXdMflZ4zjZONkGZP0ZRKzD
FgNUwWZVYQ3M4OQ8LS3P3023e2b98IyrYDTIpJBSHNHOmKpOSMOnHyXH391zOzx9
vOiBVqII8DvcfhfBCqX7S5jlQ2niWBjRrh946c9ZdMZJJQUEpaNyBsN42t1fQAzq
xVVzah8LkbR37AJpiZdfvy2wY5qz4FQs29Ypbeu1SFOrUi0L+Ig2gvCEiVFeVZls
W3EGG7GhCHmOmhaCoPY3fDiGG6ftmU+S1DINMuuAJx2ohCJoWktXwObR066xOolP
7kCgUphtazOcojYlGSh/
=eoRm
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to