Your message dated Wed, 8 Nov 2017 09:00:18 +0100
with message-id <[email protected]>
has caused the report #881144,
regarding fig2dev: out of bound read while running fig2dev with -L pic option
to be marked as having been forwarded to the upstream software
author(s) Thomas Loimer <[email protected]>
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
881144: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=881144
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Hi Thomas!
Here's a second security bug against fig2dev, this time in the pic
driver. This one is also reproducible on my system, so I can provide
more debug output if needed.
It's quite similar to #881143.
Greetings
Roland
--- Begin Message ---
Package: fig2dev
Version: 1:3.2.6a-4
Severity: important
Tags: security
out of bound read while running fig2dev with -L pic option
Running 'fig2dev -L pic poc' with the attached file raises an out-of-bounds read bug
which may allow a remote attacker to cause a denial of service or information
disclosure with a crafted file.
I expected the program to terminate without segfault, but the program crashes
as follows:
=======================================================
june@yuweol:~/poc/fig2dev/crash2$ fig2dev -L pic ./poc
.PS
.ps 11
Segmentation fault
=======================================================
Program received signal SIGSEGV, Segmentation fault.
0x0000555555567960 in unpsfont (t=t@entry=0x555555810160) at psfonts.c:194
194 if (PSmapwarn[t->font+1])
(gdb) p t->font
$1 = 71111111
(gdb) bt
#0 0x0000555555567960 in unpsfont (t=t@entry=0x555555810160) at psfonts.c:194
#1 0x000055555558e282 in genpic_text (t=0x555555810160) at genpic.c:443
#2 0x00005555555615d2 in gendev_objects (dev=0x5555557ef200 <dev_pic>, objects=0x7fffffffe0f0) at fig2dev.c:833
#3 main (argc=<optimized out>, argv=<optimized out>) at fig2dev.c:467
(gdb) x/i $rip
=> 0x555555567960 <unpsfont+32>: mov (%rcx,%rdx,4),%ecx
(gdb) i r rcx rdx
rcx 0x5555555c3f60 93824992690016
rdx 0x43d11c8 71111112
=======================================================
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages fig2dev depends on:
ii gawk 1:4.1.4+dfsg-1
ii libc6 2.24-17
ii libpng16-16 1.6.34-1
ii libxpm4 1:3.5.12-1
ii x11-common 1:7.7+19
Versions of packages fig2dev recommends:
ii ghostscript 9.22~dfsg-1
ii netpbm 2:10.0-15.3+b2
Versions of packages fig2dev suggests:
pn xfig <none>
-- no debconf information
poc
Description: Binary data
--- End Message ---
--- End Message ---
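The crash in the report above is a table lookup, PSmapwarn[t->font+1], with an index (71111111) taken straight from the input file; with 4-byte elements, as the `mov (%rcx,%rdx,4)` shows, the read lands roughly 271 MiB past the end of the table. The C program below is an added illustration and not fig2dev's own code: it models that unchecked lookup beside a bounds-checked use site and a parse-time range check, which is where such a fix belongs. The table size (35), the function and variable names, and the convention that font == -1 means the default font (hence the +1) are assumptions made for the example.

```c
/*
 * Added example, not fig2dev's code: models the crash in the report above,
 * where a font index read from the .fig file is used unchecked as an array
 * index.  The table size, the names and the "font == -1 means default font,
 * hence the +1" convention are assumptions made for illustration.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#define NUM_FONTS    35        /* assumed size of the PostScript font table */
#define FONT_INVALID (-2)      /* parse-error sentinel; -1 is a valid "default" */

/* Hypothetical "already warned about this font" flags.  Slot 0 is for
 * font == -1, so a valid slot is in [0, NUM_FONTS].  4-byte elements to
 * match the mov (%rcx,%rdx,4) seen in the gdb output. */
static int map_warned[NUM_FONTS + 1];

/* Vulnerable shape of the use site: trusts the index from the file.
 * With font = 71111111 the load is 71111112 * 4 bytes (~271 MiB) past the
 * table, which is the SIGSEGV in the backtrace.  Only safe on an index
 * that has already been validated. */
static int unpsfont_unchecked(int font)
{
    if (map_warned[font + 1])
        return 1;
    map_warned[font + 1] = 1;
    return 0;
}

/* The one check that closes the bug: the only legal values are -1 .. NUM_FONTS-1. */
static int font_index_valid(int font)
{
    return font >= -1 && font < NUM_FONTS;
}

/* Hardened use site: returns 1 if already warned, 0 on first use,
 * -1 if the index is out of range (the caller should reject the object). */
static int unpsfont_checked(int font)
{
    if (!font_index_valid(font))
        return -1;
    if (map_warned[font + 1])
        return 1;
    map_warned[font + 1] = 1;
    return 0;
}

/* Parse-time check, where the fix really belongs: convert one numeric field
 * and refuse anything outside the font range, including values that do not
 * even fit in an int.  Returns FONT_INVALID on any error. */
static int parse_font_field(const char *field)
{
    char *end;
    errno = 0;
    long v = strtol(field, &end, 10);
    if (end == field || *end != '\0' || errno == ERANGE)
        return FONT_INVALID;
    if (v < -1 || v >= NUM_FONTS)        /* also rejects anything above INT_MAX */
        return FONT_INVALID;
    return (int)v;
}

int main(void)
{
    /* Constructed inputs: the value from the gdb session plus sane and malformed ones. */
    const char *samples[] = { "-1", "12", "71111111", "12x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int f = parse_font_field(samples[i]);
        if (f == FONT_INVALID)
            printf("field %-10s rejected at parse time\n", samples[i]);
        else
            printf("field %-10s font=%d warned-before=%d\n",
                   samples[i], f, unpsfont_checked(f));
    }
    /* The unchecked variant is only ever called on an already-validated index. */
    printf("unchecked on font 12 (already warned): %d\n", unpsfont_unchecked(12));
    return 0;
}
```

The parse-time check is the important one: once every font field is range-checked as the file is read, every later consumer of t->font (the pic driver's text routine, the PostScript font mapping, any other driver) is covered at once, instead of each use site having to remember the check.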