forwarded 878739 https://github.com/kohler/gifsicle/issues/117
thanks
On 16-10-2017 09:12, Joonun Jang wrote:
> Package: gifsicle
> Version: 1.90-1
> Severity: normal
>
> Dear Maintainer,
>
> Running 'gifdiff poc poc' with the attached file raises a double-free bug,
> which may allow a remote attacker to cause a denial-of-service attack or
> other unspecified impact with a crafted file.
>
> I expected the program to terminate without segfault, but the program
> crashes as follows
>
> ----------------------------
>
> june@june:~/project/analyze/poc/gifdiff/crash2$ ~/project/analyze/bins/gifsicle-1.90/src/gifdiff poc poc
> =================================================================
> ==22514==ERROR: AddressSanitizer: attempting double-free on 0x611000009c80 in thread T0:
>     #0 0x7f3b19570090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
>     #1 0x56146456d6f3 in Gif_Realloc (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x146f3)
>     #2 0x561464577ed3 in suck_data (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x1eed3)
>     #3 0x561464579219 in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20219)
>     #4 0x561464579825 in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
>     #5 0x56146457e4eb in read_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
>     #6 0x56146457e96f in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2596f)
>     #7 0x7f3b18e2b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
>     #8 0x56146455dde9 in _start (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x4de9)
>
> 0x611000009c80 is located 0 bytes inside of 253-byte region [0x611000009c80,0x611000009d7d)
> freed by thread T0 here:
>     #0 0x7f3b1956fa10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
>     #1 0x56146457952d in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2052d)
>     #2 0x561464579825 in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
>     #3 0x56146457e4eb in read_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
>     #4 0x56146457e95f in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2595f)
>     #5 0x7f3b18e2b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
>
> previously allocated by thread T0 here:
>     #0 0x7f3b19570090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
>     #1 0x56146456d6f3 in Gif_Realloc (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x146f3)
>     #2 0x561464577ed3 in suck_data (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x1eed3)
>     #3 0x561464579219 in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20219)
>     #4 0x561464579825 in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
>     #5 0x56146457e4eb in read_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
>     #6 0x56146457e95f in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2595f)
>     #7 0x7f3b18e2b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
>
> SUMMARY: AddressSanitizer: double-free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090) in realloc
> ==22514==ABORTING
>
> -----------------------------
>
> The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.
>
> -- System Information:
> Debian Release: 9.2
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
>
> Versions of packages gifsicle depends on:
> ii  libc6    2.24-11+deb9u1
> ii  libx11-6 2:1.6.4-3
>
> gifsicle recommends no packages.
>
> gifsicle suggests no packages.
>
> -- no debconf information
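The ASan report quoted above shows one shape of bug: a buffer grown with `realloc()` inside `suck_data` (via `Gif_Realloc`), freed on an error path in `read_gif`, and then handed to `realloc()` again on the next block read. The following C program is an added illustration of that pattern and of the usual fix; it is not gifsicle's code, does not reproduce the actual defect in gifsicle 1.90, and every name in it (`DataBuf`, `append_block`, `discard_block`, `read_two_records`) is hypothetical. The vulnerable variant is included for comparison only and is never executed on the tested path.

```c
/* Added example, not gifsicle's code: a minimal model of the double-free
 * pattern in the sanitizer report above. A reader grows a buffer with
 * realloc() (cf. suck_data/Gif_Realloc), an error path in the caller frees
 * it (cf. read_gif) but leaves the pointer dangling, and the next block read
 * passes the stale pointer to realloc() again. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    unsigned char *data;  /* accumulated sub-block bytes */
    size_t len;           /* bytes in use */
    size_t cap;           /* bytes allocated */
} DataBuf;

/* Append n bytes to the buffer, growing it with realloc() as needed.
 * Returns 0 on success, -1 if allocation fails (buffer left untouched). */
static int append_block(DataBuf *buf, const unsigned char *src, size_t n) {
    if (buf->len + n > buf->cap) {
        size_t ncap = buf->cap ? buf->cap * 2 : 256;
        while (ncap < buf->len + n) ncap *= 2;
        unsigned char *p = realloc(buf->data, ncap);
        if (!p) return -1;
        buf->data = p;
        buf->cap = ncap;
    }
    memcpy(buf->data + buf->len, src, n);
    buf->len += n;
    return 0;
}

/* VULNERABLE pattern, shown for comparison only (do not run it outside a
 * sanitizer): the error path frees buf->data but does not reset the struct,
 * so the next append_block() hands the freed pointer back to realloc(). */
static void discard_block_dangling(DataBuf *buf) {
    free(buf->data);
    /* buf->data, buf->len and buf->cap still describe the freed region */
}

/* FIXED pattern: release and reset in one step. Afterwards append_block()
 * sees data == NULL, and realloc(NULL, n) behaves like malloc(n). */
static void discard_block(DataBuf *buf) {
    free(buf->data);
    buf->data = NULL;
    buf->len = 0;
    buf->cap = 0;
}

/* Simulates reading two records where the first is rejected partway through
 * (as a malformed data block in an input file would be). Returns the final
 * length of the second record, or -1 on allocation failure. Only the fixed
 * path (use_fixed_discard != 0) is safe to execute. */
static long read_two_records(int use_fixed_discard) {
    DataBuf buf = {0};
    /* constructed input: 253 bytes, the size of the freed region in the report */
    unsigned char chunk[253];
    memset(chunk, 0xAB, sizeof chunk);

    if (append_block(&buf, chunk, sizeof chunk) != 0) return -1;

    /* first record is rejected: release what was accumulated */
    if (use_fixed_discard) discard_block(&buf);
    else discard_block_dangling(&buf);

    /* second record: with the dangling variant this realloc()s freed memory */
    if (append_block(&buf, chunk, 100) != 0) return -1;
    long result = (long)buf.len;
    discard_block(&buf);
    return result;
}

int main(void) {
    printf("fixed path: second record length = %ld\n", read_two_records(1));
    return 0;
}
```

The defensive point is the reset in `discard_block`: once a buffer is freed, the owning struct must no longer describe it, so that every later growth call starts from `NULL`. Building the parser with `-fsanitize=address` during fuzzing, as the reporter did, turns the dangling variant into an immediate, attributable abort instead of silent heap corruption.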

