Your message dated Mon, 25 Apr 2016 22:19:34 +0000
with message-id <[email protected]>
and subject line Bug#819818: fixed in imlib2 1.4.5-1+deb7u2
has caused the Debian Bug report #819818,
regarding imlib2: CVE-2016-3993: off-by-one OOB read in __imlib_MergeUpdate
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
819818: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=819818
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: libimlib2
Version: 1.4.6-2+deb8u1
Severity: normal
Tags: upstream patch

Dear Maintainer,

1) I re-compiled imlib2 package with debug information,
2) compiled and installed tests (data, src/bin),
3) run `valgrind imlib2_test`,
4) moved mouse to right lower corner of window;

==16086== Invalid read of size 1
==16086== at 0x4E79C4E: __imlib_MergeUpdate (in /usr/lib/x86_64-linux-gnu/libImlib2.so.1.4.6)
==16086==    by 0x401773: main (in /usr/bin/imlib2_test)
==16086==  Address 0x9d20360 is 0 bytes after a block of size 1,200
alloc'd
==16086==    at 0x4C28C20: malloc (vg_replace_malloc.c:296)
==16086== by 0x4E798E3: __imlib_MergeUpdate (in /usr/lib/x86_64-linux-gnu/libImlib2.so.1.4.6)
==16086==    by 0x401773: main (in /usr/bin/imlib2_test)

In gdb, it points to src/lib/updates.c:

   |                 for (xx = x + 1, ww = 1;                         |
  >|                      (T(xx, y).used & T_USED) && (xx < tw); xx++,|
   |                 for (yy = y + 1, hh = 1, ok = 1;                 |

xx is 20 and tw is 20, so T(xx, y) addresses one byte out of buffer.

Pretty obvious, off-by-one error due to swapped condition order.
In unlucky case, this can result in application crash.
Security implications: very minor, DoS at most, only for application drawing images using coordinates from untrusted source ("drawing images from untrusted sources" by itself is safe).
Two *alternative* patches attached (apply only *one* of them).
TODO: I have not tried to search for similar pattern over codebase yet.

Note: there are no changes affecting this code in 1.4.7 (sid) or 1.4.8 (upstream).

-- System Information:
Debian Release: 8.3
  APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable'), (100, 'proposed-updates')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=ja_JP.UTF-8, LC_CTYPE=ja_JP.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libimlib2:amd64 depends on:
ii  libbz2-1.0         1.0.6-7+b3
ii  libc6              2.19-18+deb8u4
ii  libfreetype6       2.5.2-3+deb8u1
ii  libgif4            4.1.6-11+deb8u1
ii  libid3tag0         0.15.1b-11.1~local1
ii  libjpeg62-turbo    1:1.3.1-12
ii  libpng12-0         1.2.50-2+deb8u2
ii  libtiff5           4.0.3-12.3+deb8u1
ii  libx11-6           2:1.6.2-3
ii  libxext6           2:1.3.3-1
ii  multiarch-support  2.19-18+deb8u4
ii  zlib1g             1:1.2.8.dfsg-2+b1

libimlib2:amd64 recommends no packages.

libimlib2:amd64 suggests no packages.

-- no debconf information

Description: off-by-one out-of-bound read due to reversed condtion
Author: Yuriy M. Kaminksiy <[email protected]>

Note: you need *either* off-by-one-alternative.patch, *or* this patch;
DO NOT APPLY BOTH! (it won't break, but would unnecessarily clutter code)

Index: imlib2-1.4.6/src/lib/updates.c
===================================================================
--- imlib2-1.4.6.orig/src/lib/updates.c
+++ imlib2-1.4.6/src/lib/updates.c
@@ -111,7 +111,7 @@ __imlib_MergeUpdate(ImlibUpdate * u, int
                   int                 xx, yy, ww, hh, ok;
 
                   for (xx = x + 1, ww = 1;
-                       (T(xx, y).used & T_USED) && (xx < tw); xx++, ww++);
+                       (xx < tw) && (T(xx, y).used & T_USED); xx++, ww++);
                   for (yy = y + 1, hh = 1, ok = 1;
                        (yy < th) && (ok); yy++, hh++)
                     {

Description: off-by-one out-of-bound read due to reversed condtion, alternative solution (allocates one more guard cell).
Author: Yuriy M. Kaminksiy <[email protected]>

Note: you need *either* off-by-one-reversed-condition.patch, *or* this patch;
DO NOT APPLY BOTH! (it won't break, but would unnecessarily clutter code)

Index: imlib2-1.4.6/src/lib/updates.c
===================================================================
--- imlib2-1.4.6.orig/src/lib/updates.c
+++ imlib2-1.4.6/src/lib/updates.c
@@ -34,13 +34,14 @@ __imlib_MergeUpdate(ImlibUpdate * u, int
    th = h >> TB;
    if (h & TM)
       th++;
-   t = malloc(tw * th * sizeof(struct _tile));
+   t = malloc((tw * th + 1) * sizeof(struct _tile));
    /* fill in tiles to be all not used */
    for (i = 0, y = 0; y < th; y++)
      {
         for (x = 0; x < tw; x++)
            t[i++].used = T_UNUSED;
      }
+   t[i].used = T_UNUSED; /* guard OOB */
    /* fill in all tiles */
    for (uu = u; uu; uu = uu->next)
      {


--- End Message ---
--- Begin Message ---
Source: imlib2
Source-Version: 1.4.5-1+deb7u2

We believe that the bug you reported is fixed in the latest version of
imlib2, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Alessandro Ghedini <[email protected]> (supplier of updated imlib2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 23 Apr 2016 17:45:34 +0100
Source: imlib2
Binary: libimlib2 libimlib2-dev
Architecture: source amd64
Version: 1.4.5-1+deb7u2
Distribution: wheezy-security
Urgency: high
Maintainer: Laurence J. Lane <[email protected]>
Changed-By: Alessandro Ghedini <[email protected]>
Description: 
 libimlib2  - powerful image loading and rendering library
 libimlib2-dev - Imlib2 development files
Closes: 639414 785369 819818 820206 821732
Changes: 
 imlib2 (1.4.5-1+deb7u2) wheezy-security; urgency=high
 .
   * Fix divide-by-zero on 2x1 ellipse as per CVE-2011-5326 (Closes: #639414)
   * Fix integer overflow as per CVE-2014-9771 (Closes: #820206)
   * Fix off-by-one OOB read as per CVE-2016-3993 (Closes: #819818)
   * Fix out-of-bounds read in the GIF loader as per CVE-2016-3994
     (Closes: #785369)
   * Fix integer overflow as per CVE-2016-4024 (Closes: #821732)
Checksums-Sha1: 
 cad4c183388f29468d5c49fe1c814398fef0522a 1905 imlib2_1.4.5-1+deb7u2.dsc
 e425aecfda30d1560c6f3d4ae54b219d1e2308ad 13141 
imlib2_1.4.5-1+deb7u2.debian.tar.gz
 87075df86ab13c6110a76e7352c467218e09e3d5 258882 
libimlib2_1.4.5-1+deb7u2_amd64.deb
 04c7f1cdb10162a479d4a5b7f8ddb76ec20c921c 253156 
libimlib2-dev_1.4.5-1+deb7u2_amd64.deb
Checksums-Sha256: 
 5ec1bcaa808ef24b09e5a8bf68ad4fbf336b078c9dfc019b49c6ce619a0bd74a 1905 
imlib2_1.4.5-1+deb7u2.dsc
 a9bb6851b54b6c295718f44c9a16f0b7a6b1291c9fc6bc2b2f97454ff14d21c4 13141 
imlib2_1.4.5-1+deb7u2.debian.tar.gz
 5719f093cdd785903c349b1dd129705a7accff210fd842da548d265c9c9ca66f 258882 
libimlib2_1.4.5-1+deb7u2_amd64.deb
 a483fb6c50178dff14fe5be8bbbb69d69cc0d997c8ad1a03871d997ccc0e0316 253156 
libimlib2-dev_1.4.5-1+deb7u2_amd64.deb
Files: 
 8068c0cdaac9bc87c1932d4a6cbc5621 1905 libs optional imlib2_1.4.5-1+deb7u2.dsc
 4aff721f0fbc1addbe68949812566e85 13141 libs optional 
imlib2_1.4.5-1+deb7u2.debian.tar.gz
 0b507f3301d223dd0f17328981c385e7 258882 libs optional 
libimlib2_1.4.5-1+deb7u2_amd64.deb
 667e42ae4ce9b18cd88a3bff421ef96f 253156 libdevel optional 
libimlib2-dev_1.4.5-1+deb7u2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJXG6e8AAoJEK+lG9bN5XPLDRsP/11g/hzTfo//OJKJeXH0ATG7
LKy/YhGKFoeOog+mSSTI+NEd7mNO4uUMFLw2zhWwnzyQiMrYUm1sZbPOrzscbqGV
OqXulb+T4xOYtVB1/twZRUr4jVroAFB1yM1kV6Uc/yzVIciY5f5WA0GGRZ3KwECH
D9bYZTjtvVlFeOdA3EkS/ML02S9RNNXQu0HvM0JF5XID4p3kBeVpOZO1C08gNCCZ
O52BBNTcYWVPumzWkp6kZnc+6iyecH8UKcVavKqejtdulLabeVUyi6gT2CRDdWy8
NN8CRDKa+CqiXyveroLDa6RoNkXZwIOEWHL+4rEM4Hf2zyGvZFbLvkBK9bQZhXSj
WcXl2Cn8QU1ENvvkiRU8JG/L8NoDwjfzetxLwjV3izJ0w9gNbYjTsjPCDiCE9Pi+
lilxfc23FXhCLkC1RzIxSNpkx+xk6EW5mXZlN1aGcfdcL1Ni4LvwPFl3X4yXyzYN
kvKgQWjmSgn/N1oCtkEcxdluPr4Q77M0Qb5KV5SGoqhl2/zT2fmk6QSoNiHFUTAI
OoGiSiJ87flXmMznp/eF6haL7Qo4818xYq5gg4pzJBVZ8JzE2OgIa8lNbkI5E9ZI
YgtHP2S5ElJhpqqoJ6GvNPEz0pGENRDDij0D03dSQ7avR+a3jNBexfiGpWgWMgOr
sFlOaCiPH7gtjVb4PYCa
=fXu6
-----END PGP SIGNATURE-----

--- End Message ---

Reply via email to