Your message dated Sat, 14 Apr 2018 17:35:25 +0000
with message-id <[email protected]>
and subject line Bug#890015: fixed in fig2dev 1:3.2.7-1
has caused the Debian Bug report #890015,
regarding fig2dev: global buffer overflow while running fig2dev
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
890015: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890015
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: fig2dev
Version: 1:3.2.6a-6
Severity: important
Tags: security

global buffer overflow running fig2dev with "-L pdf poc" option

Running 'fig2dev -L pdf poc' with the attached file raises a global buffer
overflow, which may allow a remote attacker to cause unspecified impact
including a denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes
as follows:

june@june:~/temp/report/fig2dev/global$ 
../../binary/fig2dev-3.2.6a/fig2dev/fig2dev -L pdf poc
=================================================================
==16175==ERROR: AddressSanitizer: global-buffer-overflow on address 
0x555555826e40 at pc 0x55555557da29 bp 0x7fffffffdcd0 sp 0x7fffffffdcc8
READ of size 8 at 0x555555826e40 thread T0
    #0 0x55555557da28 in save_comment 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:1425
    #1 0x55555557da28 in get_line 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:1404
    #2 0x555555581d52 in read_objects 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:325
    #3 0x555555581d52 in readfp_fig 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:185
    #4 0x55555556eb70 in main 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev.c:412
    #5 0x7ffff63762b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #6 0x55555556f259 in _start 
(/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev+0x1b259)

0x555555826e40 is located 32 bytes to the left of global variable 'line_no' 
defined in 'read.c:88:13' (0x555555826e60) of size 4
0x555555826e40 is located 0 bytes to the right of global variable 'comments' 
defined in 'read.c:95:14' (0x555555826b20) of size 800
SUMMARY: AddressSanitizer: global-buffer-overflow 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:1425 in save_comment
Shadow bytes around the buggy address:
  0x0aab2aafcd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafcd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafcd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafcda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafcdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0aab2aafcdc0: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 04 f9 f9 f9
  0x0aab2aafcdd0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafcde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafcdf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafce00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafce10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16175==ABORTING

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk         1:4.1.4+dfsg-1
ii  libc6        2.24-11+deb9u1
ii  libpng16-16  1.6.28-1
ii  libxpm4      1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.20~dfsg-3.2+deb9u1
ii  netpbm       2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig  <none>

-- no debconf information

Attachment: poc
Description: Binary data


--- End Message ---
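The trace in the report above says the 8-byte read lands 0 bytes past the 800-byte global 'comments' and 32 bytes before 'line_no'; on a 64-bit build that reads most naturally as one element beyond a table of 100 pointers (an assumption drawn from the sizes, not from fig2dev's source). The added C example below is not fig2dev's code and not the reporter's: it models a fixed-size comment table of that shape and shows the bounds check that keeps the 101st comment from indexing past it, which is the kind of input sanitizing the changelog for 3.2.7 refers to. MAX_COMMENTS, save_comment's signature, read_comments and make_input are all constructed for this illustration, as is the sample input.

```c
/* Added example, not fig2dev's code: a fixed-size global table of comment
 * lines of the shape the ASan report describes (800 bytes = 100 pointers on
 * 64-bit, an assumption), with the bounds check that stops the 101st
 * comment from indexing past the table. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_COMMENTS 100          /* assumed table size: 800 bytes / 8 */

static char *comments[MAX_COMMENTS];
static int numcom = 0;            /* next free slot in the table */
static int dropped = 0;           /* comments refused because the table was full */

/* Store one comment line (without its trailing newline). Returns 0 on
 * success and -1 when the table is full or malloc fails. The numcom check
 * is the hardening: without it comments[numcom] is written, and later read,
 * one slot past the end of the array, which is exactly the pattern a
 * global-buffer-overflow report on the table points at. */
static int save_comment(const char *line, size_t len)
{
    char *copy;

    if (numcom >= MAX_COMMENTS) {
        dropped++;
        return -1;
    }
    if (len > 0 && line[len - 1] == '\n')
        len--;
    copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, line, len);
    copy[len] = '\0';
    comments[numcom++] = copy;
    return 0;
}

/* Release every stored comment so the table can be reused. */
static void clear_comments(void)
{
    while (numcom > 0)
        free(comments[--numcom]);
    dropped = 0;
}

/* Walk an in-memory text: lines starting with '#' are comments, every other
 * line is ignored in this model. Returns the number of comments kept. */
static int read_comments(const char *text)
{
    const char *p = text;

    clear_comments();
    while (*p != '\0') {
        const char *nl = strchr(p, '\n');
        size_t len = nl != NULL ? (size_t)(nl - p + 1) : strlen(p);

        if (p[0] == '#')
            save_comment(p, len);
        p += len;
    }
    return numcom;
}

static int comments_dropped(void)
{
    return dropped;
}

/* Constructed input: n comment lines followed by one object-like line
 * (the object line is a made-up FIG polyline header). Caller frees. */
static char *make_input(int n)
{
    size_t cap = (size_t)n * 32 + 64;
    char *buf = malloc(cap);
    size_t used = 0;
    int i;

    if (buf == NULL)
        return NULL;
    for (i = 0; i < n; i++)
        used += (size_t)snprintf(buf + used, cap - used, "# comment %d\n", i);
    snprintf(buf + used, cap - used, "2 1 0 1 0 7 50 -1 -1 0.000 0 0 -1 0 0 2\n");
    return buf;
}

int main(void)
{
    char *in = make_input(150);   /* more comments than the table can hold */
    int kept = read_comments(in);

    printf("kept %d, dropped %d\n", kept, comments_dropped());
    free(in);
    clear_comments();
    return 0;
}
```

Feeding 150 comment lines keeps 100 and drops 50 instead of walking past the table. Building the example with `cc -g -fsanitize=address` and removing the `numcom >= MAX_COMMENTS` check reproduces the same class of global-buffer-overflow report shown in the bug, which is the quickest way to confirm that a regression test actually exercises the bound.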
--- Begin Message ---
Source: fig2dev
Source-Version: 1:3.2.7-1

We believe that the bug you reported is fixed in the latest version of
fig2dev, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Rosenfeld <[email protected]> (supplier of updated fig2dev package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Sat, 14 Apr 2018 19:03:37 +0200
Source: fig2dev
Binary: fig2dev
Architecture: source amd64
Version: 1:3.2.7-1
Distribution: unstable
Urgency: medium
Maintainer: Roland Rosenfeld <[email protected]>
Changed-By: Roland Rosenfeld <[email protected]>
Description:
 fig2dev    - Utilities for converting XFig figure files
Closes: 248807 882021 882022 890015 890016
Changes:
 fig2dev (1:3.2.7-1) unstable; urgency=medium
 .
   * New upstream version 3.2.7.
   * This sanitizes input (Closes: #882021, #882022, #890015, #890016).
   * This correctly embeds eps files with binary preview (Closes: #248807).
   * The following patches are now incorporated upstream:
     31_input_sanitizing, 32_fill-style-overflow.
   * Adapt all other patches to new upstream version.
   * Adapt testsuite to new upstream testsuite.
   * Fix typo in 29_RGBFILE description.
   * Upgrade to debhelper v11.
   * Add Vcs-headers pointing to salsa.
   * Remove symlink CHANGES -> changelog.
   * Remove pgf alternative to texlive-pictures from Build-Deps.
   * Upgrade to Standards-Version 4.1.4 (no changes).
   * Fix debian/watch to handle versions without letters.
   * 30_man_typo: Fix more spelling mistakes.
Checksums-Sha1:
 42d385daa234cc421a477635a97a476c3c4fbeb6 2220 fig2dev_3.2.7-1.dsc
 f3cb70171a683b3a7d5190935be154bde7e81c41 508336 fig2dev_3.2.7.orig.tar.xz
 7f9e2b0e40911dc67897c8079800e52497c345ec 209804 fig2dev_3.2.7-1.debian.tar.xz
 293427b48473a9f8920c1a9fc401e67a4c2ea95b 539244 
fig2dev-dbgsym_3.2.7-1_amd64.deb
 44b6770763a4b98c46e9cc2d15abb11e1413fc4f 9410 fig2dev_3.2.7-1_amd64.buildinfo
 a1b20155c7815d4fb25c8e16c8271473c6d3d41f 662404 fig2dev_3.2.7-1_amd64.deb
Checksums-Sha256:
 eb3f80178f36bb536d35a454ac460a5bde72f4747f63936978163e4a772c518e 2220 
fig2dev_3.2.7-1.dsc
 de45819752f657ab7ebffe4a02fc99038d124a8f36be30550b21ef4fa03aa3a5 508336 
fig2dev_3.2.7.orig.tar.xz
 041d2e1a5f126649d24fc84e651d0618f0bcc3bc019c8564c925c1feaebd57fe 209804 
fig2dev_3.2.7-1.debian.tar.xz
 5e8c51702b23c4ab5608dc9ea8d0e1fff62d972b4cd7dd429ff99bca7828ccd9 539244 
fig2dev-dbgsym_3.2.7-1_amd64.deb
 b1bf468b0e4b754718a870bfa1ebd604e79e6585051b1e69fd776b91a3d10cb0 9410 
fig2dev_3.2.7-1_amd64.buildinfo
 9e4d68ae86d0be738e26029a330d036850333423c425181c78cbe9a1253f871d 662404 
fig2dev_3.2.7-1_amd64.deb
Files:
 b1234e83e42d66cfaabc7c306360e217 2220 graphics optional fig2dev_3.2.7-1.dsc
 5573316dee5ad055d040aa3eb2e685ab 508336 graphics optional 
fig2dev_3.2.7.orig.tar.xz
 8f33c99f4c671e62a026bc5bfb7c6c5a 209804 graphics optional 
fig2dev_3.2.7-1.debian.tar.xz
 dda723c1e37e187c877086c07f78001a 539244 debug optional 
fig2dev-dbgsym_3.2.7-1_amd64.deb
 bd09da6ef41aabc87828ac5344214278 9410 graphics optional 
fig2dev_3.2.7-1_amd64.buildinfo
 1266c261d0f54528eb0e705a55dceb88 662404 graphics optional 
fig2dev_3.2.7-1_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEErC+9sQSUPYpEoCEdAnE7z8pUELIFAlrSNqIACgkQAnE7z8pU
ELIYPw//ez888Y4/Van4taEzCAWun5KpDMqvSjcSOTB7d6HphigOFKI6h/A3G1iN
DmupVGveJKHdwWwOSyJfjy36GbpWdEwoPM7AmXvgF6vjAzEyvLzo5b3mrqgI3hR4
0TPdiyHEzzzuod8TpdcjCU6nFPjSWI1SPjXbHb7EvO3cL05IT2SKU1UZWGhmfpxE
3+Tp/xlYthDNoYMr4GHJIxvEN8KsPLrPk/8JX613B5Zc3BpA8v53+LIgeAtyhFB0
UsjTPGuaOLpagjPMBNsLWRkn5T378WRZQzQcQZ/zMFV0r4o3osRUE5cqoUvp/xbt
UeQ9pnZPZxTmHAtczVX5dlHcu6KmQyD4LorcHAhcf3527WPgEeik+M63LSXmVrPS
waB2VqS3ML6wgMfqXcSbbC+ldUCrOiaPrkIEmQ/vnWAR00MopAEEc36e52u6Ajjc
ditv0QRkWe3B8bSDuGocGL66fw0hoDvCYDsxUuY0IMUVaTq/8dwt436xuXr/9eyO
ki2XqtN6oYz+uIkrFrHcBb76BCEJW5sCuQMCg/NNEKhqyPC0ZN1XvQTWW/fpjFqI
NdMp8UP/DbRJ1nt4w5DsUjQDMN1/OkGktj0448KaiQvXFVWEyP+rOMg8zVaQK2cv
R21iDCQJPeIciOjrd4zpOSok9I8WNfrvExf1667WOpxlrOYmarg=
=u48c
-----END PGP SIGNATURE-----

--- End Message ---
