Your message dated Wed, 8 Nov 2017 08:56:58 +0100
with message-id <[email protected]>
has caused the report #881143,
regarding fig2dev: out of bound read while running fig2dev with -L tikz
to be marked as having been forwarded to the upstream software
author(s) Thomas Loimer <[email protected]>
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
881143: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881143
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Hi Thomas!
I received the following bug report against fig2dev, which I can
reproduce here in the same way. If you like, I can send you a
"bt full" or do some more testing...
It seems that the FIG file parser of fig2dev should be somewhat
hardened, so it doesn't accept all input as valid.
Since some printer drivers internally run fig2dev, I have to admit
that this may be security relevant.
Greetings
Roland
--- Begin Message ---
Package: fig2dev
Version: 1:3.2.6a-4
Severity: important
Tags: security
out of bound read while running fig2dev with -L tikz option
Running 'fig2dev -L tikz poc' with the attached file raises an out-of-bound read
bug, which may allow a remote attacker to cause a denial-of-service attack or
information disclosure with a crafted file.
I expected the program to terminate without a segfault, but the program crashes
as follows.
I sent this to the Debian security team before, but I didn't get any response.
So I am sending this to the public.
=======================================================
june@june:~/project/analyze/poc/fig2dev/crash1$ fig2dev -L tikz poc
\ifx\XFigwidth\undefined\dimen1=0pt\else\dimen1\XFigwidth\fi
\divide\dimen1 by 1
\ifx\XFigheight\undefined\dimen3=0pt\else\dimen3\XFigheight\fi
\divide\dimen3 by 5
\ifdim\dimen1=0pt\ifdim\dimen3=0pt\dimen1=-9223372036854775808sp\dimen3\dimen1
\else\dimen1\dimen3\fi\else\ifdim\dimen3=0pt\dimen3\dimen1\fi\fi
\tikzpicture[x=+\dimen1, y=+\dimen3]
{\ifx\XFigu\undefined\catcode`\@11
\def\temp{\alloc@1\dimen\dimendef\insc@unt}\temp\XFigu\catcode`\@12\fi}
\XFigu-9223372036854775808sp
% Uncomment to scale line thicknesses with the same
% factor as width of the drawing.
%\pgfextractx\XFigu{\pgfqpointxy{1}{1}}
\ifdim\XFigu<0pt\XFigu-\XFigu\fi
\clip(91,-1) rectangle (92,4);
\tikzset{inner sep=+0pt, outer sep=+0pt}
Segmentation fault
[debugging]
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0 strlen () at ../sysdeps/x86_64/strlen.S:106
#1 0x00007ffff7339d78 in _IO_vfprintf_internal (s=0x7ffff768b600 <_IO_2_1_stdout_>, format=<optimized out>, ap=ap@entry=0x7fffffffde88) at vfprintf.c:1637
#2 0x00007ffff7340157 in __fprintf (stream=<optimized out>,
format=format@entry=0x5555555cc7e5 "\\normalfont%s ") at fprintf.c:32
#3 0x00005555555b4615 in put_font (t=0x555555810160) at gentikz.c:1725
#4 gentikz_text (t=0x555555810160) at gentikz.c:1769
#5 0x00005555555618cd in gendev_objects (dev=0x5555557f8ec0 <dev_tikz>, objects=0x7fffffffdfa0) at fig2dev.c:833
#6 main (argc=<optimized out>, argv=<optimized out>) at fig2dev.c:467
(gdb) x/i $rip
=> 0x7ffff7371646 <strlen+38>: movdqu (%rax),%xmm4
(gdb) i r rax
rax 0x29292922 690563362
(gdb) f 3
#3 0x00005555555b4615 in put_font (t=0x555555810160) at gentikz.c:1725
1725 fprintf(tfp, "\\normalfont%s ",
(gdb) p t->font
$1 = -51
(gdb) p texfonts[-51]
$3 = 0x29292922 <error: Cannot access memory at address 0x29292922>
With the attached file, t->font can be set to a negative value, which causes this bug.
[fig2dev/dev/gentikz.c]
1724 else
1725 fprintf(tfp, "\\normalfont%s ",
1726 texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]);
=======================================================
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500,
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages fig2dev depends on:
ii gawk 1:4.1.4+dfsg-1
ii libc6 2.24-17
ii libpng16-16 1.6.34-1
ii libxpm4 1:3.5.12-1
ii x11-common 1:7.7+19
Versions of packages fig2dev recommends:
ii ghostscript 9.22~dfsg-1
ii netpbm 2:10.0-15.3+b2
Versions of packages fig2dev suggests:
pn xfig <none>
-- no debconf information
1 1
1
11 4-51
11 0 5
1
91
1
c!!!!
--- End Message ---
--- End Message ---
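The index expression quoted from gentikz.c:1726 only bounds the upper side of t->font, so the -51 seen in the gdb session passes straight through to texfonts[]. The following is an added example, not fig2dev's own code: it reproduces that expression as a pure function (the index is returned, never dereferenced, so the demo stays well-defined) and places it beside a hardened check that rejects any value outside the table at parse time and falls back to entry 0 on output. The texfonts[] table, NFONTS and the MAX_FONT value are constructed stand-ins; the real table in gentikz.c is larger and is not reproduced here.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for fig2dev's texfonts[] table. Valid indices are
 * 0 .. NFONTS-1; the real table and its size are not shown in the report. */
#define NFONTS 4
static const char *const texfonts[NFONTS] = {
    "\\rmfamily", "\\sffamily", "\\ttfamily", "\\itshape"
};
/* Assumed: MAX_FONT plays the same role as in gentikz.c, here chosen as the
 * highest valid index so that only the missing lower bound is at issue. */
#define MAX_FONT (NFONTS - 1)

/* Index expression as quoted in the report (gentikz.c:1726). Only the upper
 * side is checked, so a negative font number such as -51 is returned
 * unchanged and texfonts[-51] would read far outside the table. */
int font_index_reported(int font)
{
    return font <= MAX_FONT ? font : MAX_FONT - 1;
}

/* Does the reported expression leave this font number out of range? */
int reported_index_out_of_range(int font)
{
    int idx = font_index_reported(font);
    return idx < 0 || idx >= NFONTS;
}

/* Hardened check, suitable for the FIG parser: a font number is accepted
 * only if it can index texfonts[]. Returns 1 if valid, 0 otherwise. */
int font_is_valid(int font)
{
    return font >= 0 && font < NFONTS;
}

/* Output-side fallback for put_font(): any invalid value collapses to the
 * default entry 0, so the table is never indexed with a negative or
 * oversized font number even if the parser let one through. */
const char *font_name(int font)
{
    return texfonts[font_is_valid(font) ? font : 0];
}

int main(void)
{
    /* Constructed font numbers; -51 is the value from the gdb session. */
    int samples[] = { 0, 3, 99, -1, -51 };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int f = samples[i];
        printf("font %4d: reported index %4d (%s), hardened -> %s\n",
               f, font_index_reported(f),
               reported_index_out_of_range(f) ? "OUT OF RANGE" : "ok",
               font_name(f));
    }
    return 0;
}
```

The parse-time check is the one that matters for the reporter's point about hardening the FIG parser: rejecting the object when it is read means a crafted file is refused with an error instead of reaching the output driver, while the output-side clamp is a second line of defence that keeps put_font() memory-safe regardless.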