Your message dated Tue, 21 Aug 2018 18:04:05 +0000
with message-id <[email protected]>
and subject line Bug#906740: fixed in fig2dev 1:3.2.7a-2
has caused the Debian Bug report #906740,
regarding fig2dev: global buffer overflow while running with '-L pdf' option
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)

-- 
906740: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906740
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: fig2dev
Version: 1:3.2.6a-2+deb9u1
Severity: normal

Dear Maintainer,

Running the attached test input with fig2dev with the '-L pdf' option raises a global buffer overflow error. Judging from the stack trace, this bug seems similar to the previous bug #890015, but this test input also crashes the latest upstream version (3.2.7a) of fig2dev, where #890015 is supposed to be fixed. The bug fix could have been incomplete, or this may be a distinct bug.

Below is the gdb log. I used the latest upstream version 3.2.7a here, but I confirmed that the current stable version 3.2.6a is also affected.

jason@debian-amd64-stretch:~/report/source-latest/fig2dev$ gdb -q ./fig2dev-3.2.7a/fig2dev/fig2dev
Reading symbols from ./fig2dev-3.2.7a/fig2dev/fig2dev...done.
(gdb) run -L pdf ./poc-bof
Starting program: /home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a/fig2dev/fig2dev -L pdf ./poc-bof
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x2323232323000a23) at malloc.c:2966
2966	malloc.c: No such file or directory.
(gdb) where
#0  __GI___libc_free (mem=0x2323232323000a23) at malloc.c:2966
#1  0x000000000040b156 in save_comment () at read.c:1487
#2  get_line (fp=<optimized out>) at read.c:1465
#3  0x000000000040ac08 in read_objects (fp=0x6a3f20, obj=<optimized out>) at read.c:320
#4  readfp_fig (fp=0x6a3f20, obj=0x7fffffffe3c0) at read.c:172
#5  0x0000000000408bac in main (argc=<optimized out>, argv=<optimized out>) at fig2dev.c:424
(gdb) x/i $rip
=> 0x7ffff736c524 <__GI___libc_free+20>:	mov    -0x8(%rdi),%rax
(gdb) info reg rdi
rdi            0x2323232323000a23	2531906049330383395

And running with Address Sanitizer gives the following result.
jason@debian-amd64-stretch:~/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize$ ./fig2dev/fig2dev -L pdf ../poc-bof
=================================================================
==31296==ERROR: AddressSanitizer: global-buffer-overflow on address 0x0000015f1ba0 at pc 0x00000051dffb bp 0x7fffffffdde0 sp 0x7fffffffddd8
READ of size 8 at 0x0000015f1ba0 thread T0
    #0 0x51dffa in save_comment /home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:1486:9
    #1 0x5112f3 in get_line /home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:1465:8
    #2 0x510123 in read_objects /home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:320:6
    #3 0x50eda6 in readfp_fig /home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:172:12
    #4 0x50ebc2 in read_fig /home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:142:13
    #5 0x504baa in main /home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/fig2dev.c:424:12
    #6 0x7ffff6ad12e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #7 0x41c629 in _start (/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/fig2dev+0x41c629)

0x0000015f1ba0 is located 0 bytes to the right of global variable 'comments' defined in 'read.c:83:14' (0x15f1880) of size 800
SUMMARY: AddressSanitizer: global-buffer-overflow /home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:1486:9 in save_comment
Shadow bytes around the buggy address:
  0x0000802b6320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b6330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b6340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b6350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b6360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000802b6370: 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000802b6380: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000802b6390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b63a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b63b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b63c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Thank you.

-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk       1:4.1.4+dfsg-1
ii  libc6      2.24-11+deb9u3
ii  libpng16-16  1.6.28-1
ii  libxpm4    1:3.5.12-1
ii  x11-common  1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.20~dfsg-3.2+deb9u1
ii  netpbm       2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig  <none>

-- no debconf information
poc-bof
Description: Binary data
--- End Message ---
--- Begin Message ---
Source: fig2dev
Source-Version: 1:3.2.7a-2

We believe that the bug you reported is fixed in the latest version of fig2dev, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Rosenfeld <[email protected]> (supplier of updated fig2dev package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])

Format: 1.8
Date: Tue, 21 Aug 2018 19:46:22 +0200
Source: fig2dev
Binary: fig2dev
Architecture: source amd64
Version: 1:3.2.7a-2
Distribution: unstable
Urgency: medium
Maintainer: Roland Rosenfeld <[email protected]>
Changed-By: Roland Rosenfeld <[email protected]>
Description:
 fig2dev    - Utilities for converting XFig figure files
Closes: 906740 906743
Changes:
 fig2dev (1:3.2.7a-2) unstable; urgency=medium
 .
   * Upgrade to Standards-Version 4.2.0 (Declare Rules-Requires-Root: no).
   * 31_maxcomments: Ignore more than MAXCOMMENTS comment lines
     (Closes: #906740).
   * 32_freelinestorage: Correctly free line-storage (Closes: #906743).
--- End Message ---

