Your message dated Tue, 21 Aug 2018 18:04:05 +0000
with message-id <[email protected]>
and subject line Bug#906740: fixed in fig2dev 1:3.2.7a-2
has caused the Debian Bug report #906740,
regarding fig2dev: global buffer overflow while running with '-L pdf' option
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
906740: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=906740
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: fig2dev
Version: 1:3.2.6a-2+deb9u1
Severity: normal

Dear Maintainer,

Running the attached test input through fig2dev with the '-L pdf' option raises a
global buffer overflow error. Judging from the stack trace, this bug seems
similar to the previous bug #890015, but this test input also crashes the
latest upstream version (3.2.7a) of fig2dev, where #890015 is supposed to
be fixed. The bug fix could have been incomplete, or this may be a distinct
bug.

Below is the gdb log. I used the latest upstream version 3.2.7a here, but I
confirmed that the current stable version 3.2.6a is also affected.

jason@debian-amd64-stretch:~/report/source-latest/fig2dev$ gdb -q
./fig2dev-3.2.7a/fig2dev/fig2dev
Reading symbols from ./fig2dev-3.2.7a/fig2dev/fig2dev...done.
(gdb) run -L pdf ./poc-bof
Starting program:
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a/fig2dev/fig2dev -L
pdf ./poc-bof
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
__GI___libc_free (mem=0x2323232323000a23) at malloc.c:2966
2966    malloc.c: No such file or directory.
(gdb) where
#0  __GI___libc_free (mem=0x2323232323000a23) at malloc.c:2966
#1  0x000000000040b156 in save_comment () at read.c:1487
#2  get_line (fp=<optimized out>) at read.c:1465
#3  0x000000000040ac08 in read_objects (fp=0x6a3f20, obj=<optimized out>)
at read.c:320
#4  readfp_fig (fp=0x6a3f20, obj=0x7fffffffe3c0) at read.c:172
#5  0x0000000000408bac in main (argc=<optimized out>, argv=<optimized out>)
at fig2dev.c:424
(gdb) x/i $rip
=> 0x7ffff736c524 <__GI___libc_free+20>:        mov    -0x8(%rdi),%rax
(gdb) info reg rdi
rdi            0x2323232323000a23       2531906049330383395

And running with Address Sanitizer gives the following result.

jason@debian-amd64-stretch:~/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize$
./fig2dev/fig2dev -L pdf ../poc-bof
=================================================================
==31296==ERROR: AddressSanitizer: global-buffer-overflow on address
0x0000015f1ba0 at pc 0x00000051dffb bp 0x7fffffffdde0 sp 0x7fffffffddd8
READ of size 8 at 0x0000015f1ba0 thread T0
    #0 0x51dffa in save_comment
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:1486:9
    #1 0x5112f3 in get_line
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:1465:8
    #2 0x510123 in read_objects
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:320:6
    #3 0x50eda6 in readfp_fig
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:172:12
    #4 0x50ebc2 in read_fig
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:142:13
    #5 0x504baa in main
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/fig2dev.c:424:12
    #6 0x7ffff6ad12e0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
    #7 0x41c629 in _start
(/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/fig2dev+0x41c629)

0x0000015f1ba0 is located 0 bytes to the right of global variable
'comments' defined in 'read.c:83:14' (0x15f1880) of size 800
SUMMARY: AddressSanitizer: global-buffer-overflow
/home/jason/report/source-latest/fig2dev/fig2dev-3.2.7a-sanitize/fig2dev/read.c:1486:9
in save_comment
Shadow bytes around the buggy address:
  0x0000802b6320: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b6330: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b6340: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b6350: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b6360: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0000802b6370: 00 00 00 00[f9]f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x0000802b6380: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0000802b6390: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b63a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b63b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0000802b63c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Thank you.


-- System Information:
Debian Release: 9.1
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk         1:4.1.4+dfsg-1
ii  libc6        2.24-11+deb9u3
ii  libpng16-16  1.6.28-1
ii  libxpm4      1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.20~dfsg-3.2+deb9u1
ii  netpbm       2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig  <none>

-- no debconf information

Attachment: poc-bof
Description: Binary data


--- End Message ---
--- Begin Message ---
Source: fig2dev
Source-Version: 1:3.2.7a-2

We believe that the bug you reported is fixed in the latest version of
fig2dev, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Roland Rosenfeld <[email protected]> (supplier of updated fig2dev package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 21 Aug 2018 19:46:22 +0200
Source: fig2dev
Binary: fig2dev
Architecture: source amd64
Version: 1:3.2.7a-2
Distribution: unstable
Urgency: medium
Maintainer: Roland Rosenfeld <[email protected]>
Changed-By: Roland Rosenfeld <[email protected]>
Description:
 fig2dev    - Utilities for converting XFig figure files
Closes: 906740 906743
Changes:
 fig2dev (1:3.2.7a-2) unstable; urgency=medium
 .
   * Upgrade to Standards-Version 4.2.0 (Declare Rules-Requires-Root: no).
   * 31_maxcomments: Ignore more than MAXCOMMENTS comment lines
     (Closes: #906740).
   * 32_freelinestorage: Correctly free line-storage (Closes: #906743).


--- End Message ---
