Hi there. I am Heewon, and I am writing to you regarding the recent vulnerabilities that our security team identified in Hugin. I appreciate your prompt attention to these matters, and I am pleased that the vulnerabilities have been confirmed and successfully patched by your development team.
To provide a standardized reference for these vulnerabilities within the cybersecurity community, we would like to request the assignment of Common Vulnerabilities and Exposures (CVE) identifiers. These identifiers will help streamline communication and information sharing among security professionals. Below is a brief summary of the vulnerabilities along with the relevant details:

### CVE-2023-XXX1: [Description of Vulnerability 1]
- Confirmation: Fixed in Hugin 2022.0.0
- Patch: 2023.0beta1 on 2023-06-29 by tmodes user
- url: https://bugs.launchpad.net/hugin/+bug/2025032

### CVE-2023-XXX2: [Description of Vulnerability 2]
- Confirmation: Fixed in Hugin 2022.0.0
- Patch: 2023.0beta1 on 2023-06-29 by tmodes user
- url: https://bugs.launchpad.net/hugin/+bug/2025035

### CVE-2023-XXX3: [Description of Vulnerability 3]
- Confirmation: Fixed in Hugin 2022.0.0
- Patch: 2023.0beta1 on 2023-06-29 by tmodes user
- url: https://bugs.launchpad.net/hugin/+bug/2025036

### CVE-2023-XXX4: [Description of Vulnerability 4]
- Confirmation: Fixed in Hugin 2022.0.0
- Patch: 2023.0beta1 on 2023-06-29 by tmodes user
- url: https://bugs.launchpad.net/hugin/+bug/2025037

### CVE-2023-XXX5: [Description of Vulnerability 5]
- Confirmation: Fixed in Hugin 2022.0.0
- Patch: 2023.0beta1 on 2023-06-29 by tmodes user
- url: https://bugs.launchpad.net/hugin/+bug/2025038

We kindly request that you forward this information to the appropriate party responsible for CVE assignments within your organization. If your organization has a designated CVE Numbering Authority (CNA), please let us know the preferred process for CVE assignment. Additionally, we have submitted the same request to MITRE Corporation and CERT/CC, the primary CVE Numbering Authority, for their consideration.
However, CERT/CC asked us to refer to you for CVE assignments. Please work on this case and let us know which steps to take.

Thank you for your cooperation and commitment to addressing security issues promptly. If you require any further information or clarification, please do not hesitate to reach out.

We look forward to continuing a collaborative approach to enhancing the security of Hugin and appreciate your ongoing dedication to the security and well-being of your users.

--
You received this bug notification because you are a member of Hugin Developers, which is subscribed to Hugin.
https://bugs.launchpad.net/bugs/2025037

Title:
  Heap-buffer-overflow when adding an image in HuginBase::PTools::setDestImage

Status in Hugin:
  Fix Released

Bug description:

Hi there

We want to share that the latest version (2022.0.0) of pto_merge causes another heap-buffer-overflow bug in the function HuginBase::PTools::setDestImage as well as in the function HuginBase::PanoramaMemento::loadPTScript.

The invalid memory allocation may be attributable to malformed values passed as parameters to HuginBase::PTools::setDestImage.

Here is the output of the program with AddressSanitizer attached.

Bug Report

ERROR: 13:28:41.047604 (/home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panotools/PanoToolsInterface.cpp:357) setDestImage(): unsupported projection
=================================================================
==4011==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000009808 at pc 0x7f973bddfdeb bp 0x7fff0426e670 sp 0x7fff0426e660
READ of size 8 at 0x603000009808 thread T0
    #0 0x7f973bddfdea in HuginBase::PTools::setDestImage(Image&, vigra::Diff2D, unsigned char*, HuginBase::PanoramaOptions::ProjectionFormat const&, std::vector<double, std::allocator<double> > const&, double) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panotools/PanoToolsInterface.cpp:362
    #1 0x7f973bde173e in HuginBase::PTools::Transform::updatePTData(vigra::Diff2D const&, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, HuginBase::Variable, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, HuginBase::Variable> > > const&, HuginBase::BaseSrcPanoImage::Projection&, vigra::Diff2D const&, HuginBase::PanoramaOptions::ProjectionFormat&, std::vector<double, std::allocator<double> > const&, double) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panotools/PanoToolsInterface.cpp:66
    #2 0x7f973bde1b53 in HuginBase::PTools::Transform::createTransform(vigra::Diff2D const&, std::map<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, HuginBase::Variable, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::pair<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const, HuginBase::Variable> > >, HuginBase::BaseSrcPanoImage::Projection, vigra::Diff2D const&, HuginBase::PanoramaOptions::ProjectionFormat, std::vector<double, std::allocator<double> > const&, double, vigra::Diff2D const&) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panotools/PanoToolsInterface.cpp:181
    #3 0x7f973bded5d8 in HuginBase::PTools::Transform::createTransform(HuginBase::SrcPanoImage const&, HuginBase::PanoramaOptions const&) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panotools/PanoToolsInterface.cpp:147
    #4 0x7f973bcef22b in HuginBase::PanoramaOptions::getVFOV() const /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/PanoramaOptions.cpp:358
    #5 0x7f973bcf131d in HuginBase::PanoramaOptions::setProjectionParameters(std::vector<double, std::allocator<double> > const&) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/PanoramaOptions.cpp:190
    #6 0x7f973bcf1858 in HuginBase::PanoramaOptions::resetProjectionParameters() /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/PanoramaOptions.cpp:200
    #7 0x7f973bc722b9 in HuginBase::PanoramaMemento::loadPTScript(std::istream&, int&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/Panorama.cpp:2492
    #8 0x7f973bc9c618 in HuginBase::Panorama::readData(std::istream&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/Panorama.cpp:2178
    #9 0x555e5c6e1975 in main /home/ubuntu/targets/hugin-2022.0.0_original/src/tools/pto_merge.cpp:99
    #10 0x7f9739390082 in __libc_start_main ../csu/libc-start.c:308
    #11 0x555e5c6e2c5d in _start (/home/ubuntu/targets/hugin-2022.0.0_original/build/src/tools/pto_merge+0xbc5d)

0x603000009808 is located 0 bytes to the right of 24-byte region [0x6030000097f0,0x603000009808)
allocated by thread T0 here:
    #0 0x7f973c13a587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x7f973ac7c9a5 in __gnu_cxx::new_allocator<double>::allocate(unsigned long, void const*) /usr/include/c++/9/ext/new_allocator.h:114
    #2 0x7f973ac7c9a5 in std::allocator_traits<std::allocator<double> >::allocate(std::allocator<double>&, unsigned long) /usr/include/c++/9/bits/alloc_traits.h:443
    #3 0x7f973ac7c9a5 in std::_Vector_base<double, std::allocator<double> >::_M_allocate(unsigned long) /usr/include/c++/9/bits/stl_vector.h:343
    #4 0x7f973ac7c9a5 in std::vector<double, std::allocator<double> >::_M_default_append(unsigned long) /usr/include/c++/9/bits/vector.tcc:635
    #5 0x7f973bcf1ab7 in std::vector<double, std::allocator<double> >::resize(unsigned long) /usr/include/c++/9/bits/stl_vector.h:937
    #6 0x7f973bcf1ab7 in HuginBase::PanoramaOptions::setProjection(HuginBase::PanoramaOptions::ProjectionFormat) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/PanoramaOptions.cpp:154
    #7 0x7f973bc722b9 in HuginBase::PanoramaMemento::loadPTScript(std::istream&, int&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/Panorama.cpp:2492
    #8 0x7f973bc9c618 in HuginBase::Panorama::readData(std::istream&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/Panorama.cpp:2178
    #9 0x555e5c6e1975 in main /home/ubuntu/targets/hugin-2022.0.0_original/src/tools/pto_merge.cpp:99
    #10 0x7f9739390082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panotools/PanoToolsInterface.cpp:362 in HuginBase::PTools::setDestImage(Image&, vigra::Diff2D, unsigned char*, HuginBase::PanoramaOptions::ProjectionFormat const&, std::vector<double, std::allocator<double> > const&, double)
Shadow bytes around the buggy address:
  0x0c067fff92b0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fff92c0: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff92d0: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fff92e0: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fd
  0x0c067fff92f0: fa fa fd fd fd fd fa fa fd fd fd fd fa fa 00 00
=>0x0c067fff9300: 00[fa]fa fa fd fd fd fa fa fa fd fd fd fd fa fa
  0x0c067fff9310: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fff9320: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
  0x0c067fff9330: fd fa fa fa fd fd fd fa fa fa fd fd fd fa fa fa
  0x0c067fff9340: fd fd fd fa fa fa fd fd fd fa fa fa fd fd fd fa
  0x0c067fff9350: fa fa fd fd fd fa fa fa fd fd fd fa fa fa fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==4011==ABORTING

### Environment

OS: Ubuntu 20.04.5 LTS x86_64
Release: hugin 2022.0.0
Program: pto_merge
libhuginbase: 2020.0.0 (retrieved and compiled from source code)
libpano13: 2.9.19

To reproduce the problem, we need to build hugin:

sudo cmake -DCMAKE_C_FLAGS="-g" -DCMAKE_CXX_FLAGS="-g" ..

### How to reproduce

$ pto_merge poc-file *.jpg

(*.jpg: any name of a jpg file, including the asterisk (*))

poc-file is attached.

To manage notifications about this bug go to:
https://bugs.launchpad.net/hugin/+bug/2025037/+subscriptions

_______________________________________________
Mailing list: https://launchpad.net/~hugin-devs
Post to     : hugin-devs@lists.launchpad.net
Unsubscribe : https://launchpad.net/~hugin-devs
More help   : https://help.launchpad.net/ListHelp
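
An added example, not part of the original bug report or of Hugin's code: a parser for the AddressSanitizer heap report in the message above that derives a deduplication key (bug class, first application frame of the access and allocation stacks) and where the access lands relative to the allocation. The sample input is abridged from that report, and the names parse_asan, triage and the RUNTIME prefix list are assumptions of this example.

```python
import re

# Constructed sample: abridged from the ASan report above (frames dropped,
# argument lists shortened); addresses and source locations are the report's.
SAMPLE = """\
==4011==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x603000009808 at pc 0x7f973bddfdeb bp 0x7fff0426e670 sp 0x7fff0426e660
READ of size 8 at 0x603000009808 thread T0
    #0 0x7f973bddfdea in HuginBase::PTools::setDestImage(Image&, vigra::Diff2D) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panotools/PanoToolsInterface.cpp:362
0x603000009808 is located 0 bytes to the right of 24-byte region [0x6030000097f0,0x603000009808)
allocated by thread T0 here:
    #0 0x7f973c13a587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #5 0x7f973bcf1ab7 in std::vector<double, std::allocator<double> >::resize(unsigned long) /usr/include/c++/9/bits/stl_vector.h:937
    #6 0x7f973bcf1ab7 in HuginBase::PanoramaOptions::setProjection(HuginBase::PanoramaOptions::ProjectionFormat) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/PanoramaOptions.cpp:154
"""

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address (0x[0-9a-f]+)")
ACCESS = re.compile(r"(READ|WRITE) of size (\d+) at ")
REGION = re.compile(r"located (\d+) bytes to the (\w+) of (\d+)-byte region \[(0x[0-9a-f]+),")
FRAME = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (.+) (\S+)$")
# Assumption: prefixes treated as allocator/runtime frames rather than application code.
RUNTIME = ("operator new", "std::", "__gnu_cxx::", "__libc_", "_start")

def parse_asan(report):
    """Split a heap report into header facts, access stack and allocation stack."""
    out = {"access_stack": [], "alloc_stack": []}
    stack = out["access_stack"]
    for line in report.splitlines():
        if m := HEADER.search(line):
            out["bug"], out["addr"] = m[1], int(m[2], 16)
        elif m := ACCESS.match(line):
            out["access"], out["size"] = m[1], int(m[2])
        elif m := REGION.search(line):
            out["region_size"], out["base"] = int(m[3]), int(m[4], 16)
        elif line.startswith("allocated by thread"):
            stack = out["alloc_stack"]  # frames after this line belong to the allocation
        elif m := FRAME.match(line):
            stack.append((m[1].split("(")[0], m[2]))  # (function name, location)
    return out

def triage(report):
    """Dedup key plus where the access lands relative to the allocation."""
    r = parse_asan(report)
    app = lambda st: next((f for f, _ in st if not f.startswith(RUNTIME)), None)
    offset = r["addr"] - r["base"]
    return {"bug": r["bug"], "access": r["access"],
            "fault": app(r["access_stack"]), "alloc": app(r["alloc_stack"]),
            "offset": offset, "index": offset // r["size"],
            "capacity": r["region_size"] // r["size"]}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

For the report above this yields an 8-byte read at element index 3 of a buffer that holds 3 eight-byte elements, with the buffer allocated in HuginBase::PanoramaOptions::setProjection and read in HuginBase::PTools::setDestImage.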