Bug#890086: ufraw-batch: stack buffer overflow while running ufraw-batch

2018-02-10 Thread Joonun Jang
Package: ufraw-batch
Version: 0.22-2
Severity: important
Tags: security

Stack buffer overflow when running ufraw-batch with the "--overwrite poc" option

Running 'ufraw-batch --overwrite poc' with the attached file raises a stack
buffer overflow, which may allow a remote attacker to cause unspecified impact
including a denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes
as follows:

june@june:~/temp/report/ufraw-batch/unknown$ ufraw-batch poc
*** stack smashing detected ***: ufraw-batch terminated
Segmentation fault

Below is debugging information about this bug:

0. poc file

: 0001 0001 0040 2020  0020 2020 4b41  .@  ...   KA
0010: 492d 3033 3430 200f 4343 4343 4343 4343  I-0340 .
0020: 4343 4343 4343 4343 4343 [4141] 6565   CCAAee

1. The two bytes [4141] above were stored in the variable 'raw_width'
   in the DCRaw::identify function in dcraw.cc

 8871   } else if (!memcmp (head,"\0\001\0\001\0@",6)) {
 8872     fseek (ifp, 6, SEEK_SET);
 8873     fread (make, 1, 8, ifp);
 8874     fread (model, 1, 8, ifp);
 8875     fread (model2, 1, 16, ifp);
 8876     data_offset = get2();
 8877     get2();
 8878     raw_width = get2(); // HERE
 8879     raw_height = get2();
 8880     load_raw =  nokia_load_raw;
 8881     filters = 0x61616161;

--gdb--
8878  raw_width = get2();
(gdb) n
8879  raw_height = get2();
(gdb) p/x raw_width
$21 = 0x4141
---

2. It is then stored in the variable 'width' in the same function

 9008   desc[511] = artist[63] = make[63] = model[63] = model2[63] = 0;
 9009   if (!is_raw) goto notraw;
 9010
 9011   if (!height) height = raw_height;
 9012   if (!width)  width  = raw_width; // HERE
 9013   if (height == 2624 && width == 3936)  /* Pentax K10D and Samsung GX10 */
 9014     { height  = 2616;   width  = 3896; }
 9015   if (height == 3136 && width == 4864)  /* Pentax K20D and Samsung GX20 */

--gdb--
Breakpoint 9, DCRaw::identify (this=this@entry=0x748b2010) at dcraw.cc:9012
9012	  if (!width)  width  = raw_width;
$24 = 0
(gdb) n
9013	  if (height == 2624 && width == 3936)  /* Pentax K10D and Samsung GX10 */
(gdb) p/x width
$25 = 0x4141


3. This 'width' is then used in the loop below,
   in the function DCRaw::find_green in the same file.

 8504 float CLASS find_green (int bps, int bite, int off0, int off1)
 8505 {
 8506   UINT64 bitbuf=0;
 8507   int vbits, col, i, c;
 8508   ushort img[2][2064];
 8509   double sum[]={0,0};
 8510
 8511   FORC(2) {
 8512     fseek (ifp, c ? off1:off0, SEEK_SET);
 8513     for (vbits=col=0; col < width; col++) { // HERE(1), width was used
 8514       for (vbits -= bps; vbits < 0; vbits += bite) {
 8515         bitbuf <<= bite;
 8516         for (i=0; i < bite; i+=8)
 8517           bitbuf |= (unsigned) (fgetc(ifp) << i);
 8518       }
 8519       img[c][col] = bitbuf << (64-bps-vbits) >> (64-bps); // HERE(2), col is index of img buffer
 8520     }
 8521   }
 8522   FORC(width-1) {
 8523     sum[ c & 1] += ABS(img[0][c]-img[1][c+1]);
 8524     sum[~c & 1] += ABS(img[1][c]-img[0][c+1]);
 8525   }
 8526   return 100 * log(sum[0]/sum[1]);
 8527 }

At HERE(2), the local variable 'col' increases until it equals the variable
'width', which can easily be modified by the input file and can be large enough
to overwrite the local buffer img.

=

This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufraw-batch depends on:
ii  libbz2-1.0   1.0.6-8.1
ii  libc62.24-11+deb9u1
ii  libexiv2-14  0.25-3.1
ii  libgcc1  1:6.3.0-18
ii  libglib2.0-0 2.50.3-2
ii  libgomp1 6.3.0-18
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2   2.8-4
ii  liblensfun1  0.3.2-3
ii  libpng16-16  1.6.28-1
ii  libstdc++6   6.3.0-18
ii  libtiff5 4.0.8-2+deb9u2
ii  zlib1g   1:1.2.8.dfsg-5

ufraw-batch recommends no packages.

Versions of packages ufraw-batch suggests:
pn  ufraw  

-- no debconf information


poc
Description: Binary data
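As an added example (not code from the report, from dcraw or from ufraw), the C program below models the pattern the report describes: raw_width is read from the file header at the offset the dump shows, and the hardened column loop checks it against the 2064-column capacity of the stack buffer before using it as a loop bound. The header layout, the little-endian byte order and the 8-bit samples are assumptions of this example; dcraw's real reader uses get2() with its own byte-order handling and unpacks bps-bit samples.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Column capacity of the fixed stack buffer 'ushort img[2][2064]' in
 * dcraw's find_green(); the loop at HERE(1) must never run past it. */
#define IMG_COLS 2064

/* Header layout of the branch quoted from DCRaw::identify: 6-byte magic,
 * make[8], model[8], model2[16], then 16-bit data_offset, one skipped
 * 16-bit field, raw_width, raw_height. raw_width therefore sits at
 * offset 42 (0x2a), which is where the [4141] bytes appear in the dump. */
#define HDR_LEN 46
#define RAW_WIDTH_OFF (6 + 8 + 8 + 16 + 2 + 2)

/* Bounds-checked stand-in for dcraw's get2(). Little-endian byte order is
 * an assumption of this example; 0x4141 reads the same either way. */
static int get2_at(const uint8_t *buf, size_t len, size_t off, unsigned *out)
{
    if (off + 2 > len)
        return -1;
    *out = (unsigned)buf[off] | ((unsigned)buf[off + 1] << 8);
    return 0;
}

/* Recover raw_width from a header in the layout above; -1 if malformed. */
int parse_raw_width(const uint8_t *hdr, size_t len, unsigned *raw_width)
{
    static const uint8_t magic[6] = {0, 1, 0, 1, 0, '@'};
    if (len < HDR_LEN || memcmp(hdr, magic, sizeof magic) != 0)
        return -1;
    return get2_at(hdr, len, RAW_WIDTH_OFF, raw_width);
}

/* Hardened version of the column loop: validate 'width' against the buffer
 * before using it as a loop bound, and never read past the input either.
 * Returns the number of columns filled, or -1 when width is rejected. */
int fill_columns_checked(uint16_t img[2][IMG_COLS], unsigned width,
                         const uint8_t *samples, size_t samples_len)
{
    if (width == 0 || width > IMG_COLS) {
        fprintf(stderr, "rejecting width %u (buffer holds %d columns)\n",
                width, IMG_COLS);
        return -1;
    }
    for (int c = 0; c < 2; c++) {
        for (unsigned col = 0; col < width; col++) {
            size_t idx = (size_t)c * width + col;
            /* short input yields zero samples instead of an over-read */
            img[c][col] = idx < samples_len ? samples[idx] : 0;
        }
    }
    return (int)width;
}

/* Build a constructed header carrying the given raw_width (little-endian). */
void build_header(uint8_t out[HDR_LEN], unsigned raw_width)
{
    static const uint8_t magic[6] = {0, 1, 0, 1, 0, '@'};
    memset(out, ' ', HDR_LEN);           /* make/model/model2 as spaces */
    memcpy(out, magic, sizeof magic);
    memset(out + 38, 0, 8);              /* data_offset, skipped, width, height */
    out[RAW_WIDTH_OFF] = (uint8_t)(raw_width & 0xff);
    out[RAW_WIDTH_OFF + 1] = (uint8_t)((raw_width >> 8) & 0xff);
}

/* End-to-end check: parse the width from a constructed header, then try to
 * fill the column buffer with it. Returns columns filled, or -1. */
int process_header_width(unsigned raw_width_in_file)
{
    uint8_t hdr[HDR_LEN];
    uint16_t img[2][IMG_COLS];
    uint8_t samples[64] = {0};           /* constructed, deliberately short */
    unsigned width;

    build_header(hdr, raw_width_in_file);
    if (parse_raw_width(hdr, sizeof hdr, &width) != 0)
        return -1;
    return fill_columns_checked(img, width, samples, sizeof samples);
}

int main(void)
{
    /* 0x4141 is the value the report's poc placed in raw_width */
    printf("width 0x4141 -> %d\n", process_header_width(0x4141));
    printf("width 2048   -> %d\n", process_header_width(2048));
    return 0;
}
```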


Bug#890016: fig2dev: null dereference while running fig2dev

2018-02-09 Thread Joonun Jang
Package: fig2dev
Version: 1:3.2.6a-6
Severity: important
Tags: security

Null dereference when running fig2dev with the "-L pdf poc" option

Running 'fig2dev -L pdf poc' with the attached file raises a null dereference,
which may allow a remote attacker to cause a denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes
as follows:

june@june:~/temp/report/fig2dev/null$ 
../../binary/fig2dev-3.2.6a/fig2dev/fig2dev -L pdf poc
incomplete spline object
ASAN:DEADLYSIGNAL
=
==16804==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 
0x5557911b bp 0x6080bf20 sp 0x7fffd8d0 T0)
#0 0x5557911a in free_splinestorage 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/free.c:122
#1 0x5557ad0d in read_splineobject 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read1_3.c:430
#2 0x5557bef7 in read_1_3_objects 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read1_3.c:102
#3 0x55581ad4 in readfp_fig 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:187
#4 0x5556eb70 in main 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev.c:412
#5 0x763762b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x5556f259 in _start 
(/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev+0x1b259)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/free.c:122 in 
free_splinestorage
==16804==ABORTING

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk 1:4.1.4+dfsg-1
ii  libc62.24-11+deb9u1
ii  libpng16-16  1.6.28-1
ii  libxpm4  1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.20~dfsg-3.2+deb9u1
ii  netpbm   2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig  

-- no debconf information
71


0
1
16 3

16 6

0

16 6

0
1
1 6
1=6

Bug#890015: fig2dev: global buffer overflow while running fig2dev

2018-02-09 Thread Joonun Jang
Package: fig2dev
Version: 1:3.2.6a-6
Severity: important
Tags: security

Global buffer overflow when running fig2dev with the "-L pdf poc" option

Running 'fig2dev -L pdf poc' with the attached file raises a global buffer
overflow, which may allow a remote attacker to cause unspecified impact
including a denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes
as follows:

june@june:~/temp/report/fig2dev/global$ 
../../binary/fig2dev-3.2.6a/fig2dev/fig2dev -L pdf poc
=
==16175==ERROR: AddressSanitizer: global-buffer-overflow on address 
0x55826e40 at pc 0x5557da29 bp 0x7fffdcd0 sp 0x7fffdcc8
READ of size 8 at 0x55826e40 thread T0
#0 0x5557da28 in save_comment 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:1425
#1 0x5557da28 in get_line 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:1404
#2 0x55581d52 in read_objects 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:325
#3 0x55581d52 in readfp_fig 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:185
#4 0x5556eb70 in main 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev.c:412
#5 0x763762b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x5556f259 in _start 
(/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev+0x1b259)

0x55826e40 is located 32 bytes to the left of global variable 'line_no' 
defined in 'read.c:88:13' (0x55826e60) of size 4
0x55826e40 is located 0 bytes to the right of global variable 'comments' 
defined in 'read.c:95:14' (0x55826b20) of size 800
SUMMARY: AddressSanitizer: global-buffer-overflow 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:1425 in save_comment
Shadow bytes around the buggy address:
==16175==ABORTING

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk 1:4.1.4+dfsg-1
ii  libc62.24-11+deb9u1
ii  libpng16-16  1.6.28-1
ii  libxpm4  1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.20~dfsg-3.2+deb9u1
ii  netpbm   2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig  

-- no debconf information


poc
Description: Binary data


Bug#889272: jhead: heap buffer overflow while running jhead

2018-02-02 Thread Joonun Jang
Package: jhead
Version: 1:3.00-5
Severity: important
Tags: security

Heap buffer overflow when running jhead with the "poc" option

Running 'jhead poc' with the attached file raises a heap buffer overflow,
which may allow a remote attacker to cause unspecified impact including a
denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes
as follows:

june@june:~/temp/report/jhead/00013658$ ../../binary/jhead-3.00/jhead ./poc
=
==10024==ERROR: AddressSanitizer: heap-buffer-overflow on address 
0x6020efff at pc 0x55570af5 bp 0x7ffef920 sp 0x7ffef918
READ of size 1 at 0x6020efff thread T0
#0 0x55570af4 in Get32s exif.c:337
#1 0x55570af4 in Get32u exif.c:365
#2 0x55570af4 in process_EXIF exif.c:1021
#3 0x55568506 in ReadJpegSections jpgfile.c:287
#4 0x55568a05 in ReadJpegSections jpgfile.c:126
#5 0x55568a05 in ReadJpegFile jpgfile.c:375
#6 0x55564af3 in ProcessFile jhead.c:896
#7 0x55562608 in main jhead.c:1729
#8 0x767bb2b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#9 0x55563a19 in _start 
(/home/june/temp/report/binary/jhead-3.00/jhead+0xfa19)

0x6020efff is located 0 bytes to the right of 15-byte region 
[0x6020eff0,0x6020efff)
allocated by thread T0 here:
#0 0x76effd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x55567b36 in ReadJpegSections jpgfile.c:173

SUMMARY: AddressSanitizer: heap-buffer-overflow exif.c:337 in Get32s
Shadow bytes around the buggy address:
==10024==ABORTING

This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages jhead depends on:
ii  libc62.24-11+deb9u1
ii  libjpeg-turbo-progs  1:1.5.1-2

jhead recommends no packages.

Versions of packages jhead suggests:
ii  imagemagick  8:6.9.7.4+dfsg-11+deb9u4
ii  imagemagick-6.q16 [imagemagick]  8:6.9.7.4+dfsg-11+deb9u4

-- no debconf information


Bug#889270: advancecomp: heap buffer overflow while running advzip

2018-02-02 Thread Joonun Jang
Package: advancecomp
Version: 2.0-1
Severity: important
Tags: security

Heap buffer overflow when running advzip with the "-l poc" option

Running 'advzip -l poc' with the attached file raises a heap buffer overflow,
which may allow a remote attacker to cause unspecified impact including a
denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes
as follows:

june@june:~/temp/report/advzip/00030552$ ../../binary/advancecomp-2.0/advzip -l 
./poc
=
==9858==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6060effd 
at pc 0x76e9af7f bp 0x7fffd6c0 sp 0x7fffce70
READ of size 2020 at 0x6060effd thread T0
#0 0x76e9af7e  (/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e)
#1 0x55579c2a in zip_entry::load_cent(unsigned char const*, unsigned 
int&) /home/june/temp/report/binary/advancecomp-2.0/zip.cc:722
#2 0x5557b56f in zip::open() 
/home/june/temp/report/binary/advancecomp-2.0/zip.cc:867
#3 0x5556e7a6 in list_single(std::__cxx11::basic_string const&, bool) 
/home/june/temp/report/binary/advancecomp-2.0/rezip.cc:122
#4 0x5556f8b2 in list_all(int, char**, bool) 
/home/june/temp/report/binary/advancecomp-2.0/rezip.cc:261
#5 0x5557214c in process(int, char**) 
/home/june/temp/report/binary/advancecomp-2.0/rezip.cc:613
#6 0x55572446 in main 
/home/june/temp/report/binary/advancecomp-2.0/rezip.cc:623
#7 0x760082b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#8 0x5556daf9 in _start 
(/home/june/temp/report/binary/advancecomp-2.0/advzip+0x19af9)

0x6060effd is located 0 bytes to the right of 61-byte region 
[0x6060efc0,0x6060effd)
allocated by thread T0 here:
#0 0x76effd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x55583a4a in data_alloc(unsigned int) 
/home/june/temp/report/binary/advancecomp-2.0/data.cc:51
#2 0x55573af2 in cent_read(_IO_FILE*, unsigned int, unsigned char*&, 
unsigned int&) /home/june/temp/report/binary/advancecomp-2.0/zip.cc:113
#3 0x5557b3c5 in zip::open() 
/home/june/temp/report/binary/advancecomp-2.0/zip.cc:847
#4 0x5556e7a6 in list_single(std::__cxx11::basic_string const&, bool) 
/home/june/temp/report/binary/advancecomp-2.0/rezip.cc:122
#5 0x5556f8b2 in list_all(int, char**, bool) 
/home/june/temp/report/binary/advancecomp-2.0/rezip.cc:261
#6 0x5557214c in process(int, char**) 
/home/june/temp/report/binary/advancecomp-2.0/rezip.cc:613
#7 0x55572446 in main 
/home/june/temp/report/binary/advancecomp-2.0/rezip.cc:623
#8 0x760082b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow 
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0x5cf7e)
Shadow bytes around the buggy address:
==9858==ABORTING

This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages advancecomp depends on:
ii  libc6   2.24-11+deb9u1
ii  libgcc1 

Bug#889224: gocr: heap buffer overflow while running gocr

2018-02-02 Thread Joonun Jang
Package: gocr
Version: 0.49-2+b1
Severity: important
Tags: security

Heap buffer overflow when running gocr with the "poc" option

Running 'gocr poc' with the attached file raises a heap buffer overflow,
which may allow a remote attacker to cause unspecified impact including a
denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes
as follows:

june@june:~/temp/report/gocr/4223$ ../../binary/gocr-0.49/src/gocr poc
=
==5380==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6140ffc1 
at pc 0x5562c95f bp 0x7fff4da0 sp 0x7fff4d98
READ of size 1 at 0x6140ffc1 thread T0
#0 0x5562c95e in thresholding 
/home/june/temp/report/binary/gocr-0.49/src/otsu.c:255
#1 0x5558bf0c in pgm2asc 
/home/june/temp/report/binary/gocr-0.49/src/pgm2asc.c:2790
#2 0x5556a1d8 in main 
/home/june/temp/report/binary/gocr-0.49/src/gocr.c:368
#3 0x765972b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#4 0x55568149 in _start 
(/home/june/temp/report/binary/gocr-0.49/src/gocr+0x14149)

0x6140ffc1 is located 0 bytes to the right of 385-byte region 
[0x6140fe40,0x6140ffc1)
allocated by thread T0 here:
#0 0x76effd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x55642c50 in readpgm 
/home/june/temp/report/binary/gocr-0.49/src/pnm.c:225
#2 0x55569e93 in read_picture 
/home/june/temp/report/binary/gocr-0.49/src/gocr.c:310
#3 0x5556a1ba in main 
/home/june/temp/report/binary/gocr-0.49/src/gocr.c:361
#4 0x765972b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: heap-buffer-overflow 
/home/june/temp/report/binary/gocr-0.49/src/otsu.c:255 in thresholding
Shadow bytes around the buggy address:
==5380==ABORTING

This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gocr depends on:
ii  libc6  2.24-11+deb9u1

Versions of packages gocr recommends:
ii  bzip21.0.6-8.1
ii  fig2dev [transfig]   1:3.2.6a-2+deb9u1
ii  libjpeg-turbo-progs [libjpeg-progs]  1:1.5.1-2
ii  netpbm   2:10.0-15.3+b2
ii  transfig 1:3.2.6a-2+deb9u1

gocr suggests no packages.

-- no debconf information


poc
Description: Binary data


Bug#883200: ffmpeg2theora: null pointer dereference while running ffmpeg2theora

2017-11-30 Thread Joonun Jang
Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: normal
Tags: security

Null pointer dereference while running ffmpeg2theora

Running 'ffmpeg2theora poc' with the attached file raises a null pointer
dereference, which may allow a remote attacker to cause a denial-of-service
attack.

I expected the program to terminate without a segfault, but the program crashes
as follows:

===

(gdb) r poc
Starting program: 
/home/june/project/analyze/bins/ffmpeg2theora-0.30/ffmpeg2theora poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] Lr-middle is not implemented. Update your FFmpeg version 
to the newest one from Git. If the problem still occurs, it means that your 
file has a feature which has not been implemented.
[wsd @ 0x61b00080] If you want to help, upload a sample of this file to 
ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. 
(ffmpeg-de...@ffmpeg.org)
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] reserved channel assignment
[wsd @ 0x61b00080] emphasis is not implemented. Update your FFmpeg version 
to the newest one from Git. If the problem still occurs, it means that your 
file has a feature which has not been implemented.
[wsd @ 0x61b00080] If you want to help, upload a sample of this file to 
ftp://upload.ffmpeg.org/incoming/ and contact the ffmpeg-devel mailing list. 
(ffmpeg-de...@ffmpeg.org)
[dsd_msbf @ 0x61900580] Channel layout '5 channels (FL+FR+BL+BR+FLC)' with 
5 channels does not match specified number of channels 6: ignoring specified 
channel layout
[wsd @ 0x61b00080] Estimating duration from bitrate, this may be inaccurate
Input #0, wsd, from 'poc':
  Metadata:
playback_time   : 00:00:00:00
  Duration: 00:00:00.00, bitrate: 118545 kb/s
Stream #0:0: Audio: dsd_msbf, 198656 Hz, 6 channels, fltp, 9535 kb/s
[dsd_msbf @ 0x61900080] Multiple frames in a packet.
[dsd_msbf @ 0x61900080] get_buffer() failed

Program received signal SIGSEGV, Segmentation fault.
0x555883a7 in oggmux_add_audio (info=0x557cd060 , 
buffer=0x61603380, samples=1, e_o_s=1) at src/theorautils.c:1254
1254  vorbis_buffer[k][i] = ((const float  *)buffer[j])[i];
(gdb) bt
#0  0x555883a7 in oggmux_add_audio (info=0x557cd060 , 
buffer=0x61603380, samples=1, e_o_s=1) at src/theorautils.c:1254
#1  0x555792c5 in ff2theora_output (this=0x61a00080) at 
src/ffmpeg2theora.c:1688
#2  0x55580ad9 in main (argc=2, argv=0x7fffe0c8) at 
src/ffmpeg2theora.c:3095
(gdb) x/i $rip
=> 0x555883a7 : movss  (%rsi),%xmm0
(gdb) i r rsi
rsi0x0  0
(gdb)

===

This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ffmpeg2theora depends on:
ii  libavcodec577:3.4-3
ii  libavdevice57   7:3.4-3
ii  libavfilter67:3.4-3
ii  libavformat57   7:3.4-3
ii  libavutil55 7:3.4-3
ii  libc6   2.24-17
ii  libkate10.4.1-7+b1
ii  libogg0 1.3.2-1+b1
ii  liboggkate1 0.4.1-7+b1
ii  libpostproc54   7:3.4-3
ii  libswresample2  7:3.4-3
ii  libswscale4 7:3.4-3
ii  libtheora0  1.1.1+dfsg.1-14+b1
ii  libvorbis0a 1.3.5-4
ii  libvorbisenc2   1.3.5-4

ffmpeg2theora recommends no packages.

ffmpeg2theora suggests no packages.

-- no debconf information


poc
Description: Binary data


Bug#883198: bs1770gain: use after free while running bs1770gain with "poc output" option

2017-11-30 Thread Joonun Jang
Package: bs1770gain
Version: 0.4.12-2+b1
Severity: important
Tags: security

Use after free while running bs1770gain with the "poc output" option

Running 'bs1770gain poc output' with the attached file raises a use after free,
which may allow a remote attacker to cause a denial-of-service attack or other
unspecified impact with a crafted file.
I expected the program to terminate without a segfault, but the program crashes
as follows:

---

june@yuweol:~/workspace/bugre/poc/bs1770gain/1$ 
~/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain poc output
analyzing ...
  [1/1] "poc": Error finding decoder: ffsox_frame_reader_create(), 
"ffsox_frame_reader.c" (41).
Error creating frame reader: ffsox_frame_reader_new(), "ffsox_frame_reader.c" 
(92).
Error creating frame reader: ffsox_analyze(), "ffsox_analyze.c" (68).
=
==10074==ERROR: AddressSanitizer: heap-use-after-free on address 0x61000640 
at pc 0x55582800 bp 0x7fffda60 sp 0x7fffda58
READ of size 8 at 0x61000640 thread T0
#0 0x555827ff in ffsox_packet_consumer_list_free 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2e7ff)
#1 0x5559b91a in pbu_list_free_full 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x4791a)
#2 0x555773fe in ffsox_source_link_cleanup 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x233fe)
#3 0x555762b5 in source_cleanup 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x222b5)
#4 0x55570a2f in ffsox_analyze 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1ca2f)
#5 0x555689fd in bs1770gain_tree_analyze 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
#6 0x5556514e in main 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
#7 0x744ec2e0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#8 0x555614e9 in _start 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0xd4e9)

0x61000640 is located 0 bytes inside of 184-byte region 
[0x61000640,0x610006f8)
freed by thread T0 here:
#0 0x76eff8c8 in __interceptor_free 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
#1 0x5557393b in ffsox_frame_reader_new 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1f93b)
#2 0x5556fdf7 in ffsox_analyze 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1bdf7)
#3 0x555689fd in bs1770gain_tree_analyze 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
#4 0x5556514e in main 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
#5 0x744ec2e0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

previously allocated by thread T0 here:
#0 0x76effc20 in __interceptor_malloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
#1 0x55573841 in ffsox_frame_reader_new 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1f841)
#2 0x5556fdf7 in ffsox_analyze 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1bdf7)
#3 0x555689fd in bs1770gain_tree_analyze 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
#4 0x5556514e in main 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
#5 0x744ec2e0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: heap-use-after-free 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2e7ff)
 in ffsox_packet_consumer_list_free
Shadow bytes around the buggy address:

Bug#881145: sox: null pointer dereference while running play

2017-11-07 Thread Joonun Jang
Package: sox
Version: 14.4.1-5+b2
Severity: normal
Tags: security

null pointer dereference while running play with "poc bass +3" option

Running 'play poc bass +3' with the attached file raises a null pointer dereference,
which may allow a remote attacker to cause a denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes as follows.

I sent this to the Debian security team before, but I didn't get any response,
so I am sending it to the public.

---

june@yuweol:~/poc/play/crash1$ play poc bass +3

poc:

 File Size: 48Bit Rate: 0.00394
  Encoding: WavPack
  Channels: 2 @ 16-bit
Samplerate: 44100Hz
Replaygain: off
  Duration: 27:03:11.55

In:0.00% 00:00:00.00 [27:03:11.55] Out:0 [  |  ]Clip:0
Segmentation fault

---

Thread 1 "play" received signal SIGSEGV, Segmentation fault.
0x7fffed796f34 in WavpackUnpackSamples () from 
/usr/lib/x86_64-linux-gnu/libwavpack.so.1
(gdb) x/i $rip
=> 0x7fffed796f34 :  mov0x1e0(%rdi),%rax
(gdb) i r rdi
rdi0x0  0

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sox depends on:
ii  libc6 2.24-17
ii  libgomp1  7.2.0-12
ii  libsox-fmt-alsa   14.4.1-5+b2
ii  libsox-fmt-ao 14.4.1-5+b2
ii  libsox-fmt-base   14.4.1-5+b2
ii  libsox-fmt-oss14.4.1-5+b2
ii  libsox-fmt-pulse  14.4.1-5+b2
ii  libsox2   14.4.1-5+b2

sox recommends no packages.

Versions of packages sox suggests:
ii  libsox-fmt-all  14.4.1-5+b2

-- no debconf information
wvpk

Bug#881144: fig2dev: out of bound read while running fig2dev with -L pic option

2017-11-07 Thread Joonun Jang
Package: fig2dev
Version: 1:3.2.6a-4
Severity: important
Tags: security

out of bound read while running fig2dev with -L pic option

Running 'fig2dev -L pic poc' with the attached file raises an out-of-bound read bug,
which may allow a remote attacker to cause a denial-of-service attack or information
disclosure with a crafted file.

I expected the program to terminate without a segfault, but the program crashes as follows.

===

june@yuweol:~/poc/fig2dev/crash2$ fig2dev -L pic ./poc
.PS
.ps 11
Segmentation fault

===

Program received signal SIGSEGV, Segmentation fault.
0x55567960 in unpsfont (t=t@entry=0x55810160) at psfonts.c:194
194   if (PSmapwarn[t->font+1])
(gdb) p t->font
$1 = 7111
(gdb) bt
#0  0x55567960 in unpsfont (t=t@entry=0x55810160) at psfonts.c:194
#1  0x5558e282 in genpic_text (t=0x55810160) at genpic.c:443
#2  0x555615d2 in gendev_objects (dev=0x557ef200 , 
objects=0x7fffe0f0)
at fig2dev.c:833
#3  main (argc=, argv=) at fig2dev.c:467
(gdb) x/i $rip
=> 0x55567960 :  mov(%rcx,%rdx,4),%ecx
(gdb) i r rcx rdx
rcx0x555c3f60 93824992690016
rdx0x43d11c8  7112

===

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk 1:4.1.4+dfsg-1
ii  libc62.24-17
ii  libpng16-16  1.6.34-1
ii  libxpm4  1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.22~dfsg-1
ii  netpbm   2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig  

-- no debconf information


poc
Description: Binary data


Bug#881143: fig2dev: out of bound read while running fig2dev with -L tikz

2017-11-07 Thread Joonun Jang
Package: fig2dev
Version: 1:3.2.6a-4
Severity: important
Tags: security

out of bound read while running fig2dev with -L tikz option

Running 'fig2dev -L tikz poc' with the attached file raises an out-of-bound read bug,
which may allow a remote attacker to cause a denial-of-service attack or information
disclosure with a crafted file.

I expected the program to terminate without a segfault, but the program crashes as follows.

I sent this to the Debian security team before, but I didn't get any response,
so I am sending it to the public.

===
june@june:~/project/analyze/poc/fig2dev/crash1$ fig2dev -L tikz poc
\ifx\XFigwidth\undefined\dimen1=0pt\else\dimen1\XFigwidth\fi
\divide\dimen1 by 1
\ifx\XFigheight\undefined\dimen3=0pt\else\dimen3\XFigheight\fi
\divide\dimen3 by 5
\ifdim\dimen1=0pt\ifdim\dimen3=0pt\dimen1=-9223372036854775808sp\dimen3\dimen1
\else\dimen1\dimen3\fi\else\ifdim\dimen3=0pt\dimen3\dimen1\fi\fi
\tikzpicture[x=+\dimen1, y=+\dimen3]
{\ifx\XFigu\undefined\catcode`\@11
\def\temp{\alloc@1\dimen\dimendef\insc@unt}\temp\XFigu\catcode`\@12\fi}
\XFigu-9223372036854775808sp
% Uncomment to scale line thicknesses with the same
% factor as width of the drawing.
%\pgfextractx\XFigu{\pgfqpointxy{1}{1}}
\ifdim\XFigu<0pt\XFigu-\XFigu\fi
\clip(91,-1) rectangle (92,4);
\tikzset{inner sep=+0pt, outer sep=+0pt}
Segmentation fault

[debugging]
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) bt
#0  strlen () at ../sysdeps/x86_64/strlen.S:106
#1  0x77339d78 in _IO_vfprintf_internal (s=0x7768b600 
<_IO_2_1_stdout_>,
format=, ap=ap@entry=0x7fffde88) at vfprintf.c:1637
#2  0x77340157 in __fprintf (stream=,
format=format@entry=0x555cc7e5 "\\normalfont%s ") at fprintf.c:32
#3  0x555b4615 in put_font (t=0x55810160) at gentikz.c:1725
#4  gentikz_text (t=0x55810160) at gentikz.c:1769
#5  0x555618cd in gendev_objects (dev=0x557f8ec0 , 
objects=0x7fffdfa0)
at fig2dev.c:833
#6  main (argc=, argv=) at fig2dev.c:467
(gdb) x/i $rip
=> 0x77371646 :  movdqu (%rax),%xmm4
(gdb) i r rax
rax0x29292922 690563362
(gdb) f 3
#3  0x555b4615 in put_font (t=0x55810160) at gentikz.c:1725
1725fprintf(tfp, "\\normalfont%s ",
(gdb) p t->font
$1 = -51
(gdb) p texfonts[-51]
$3 = 0x29292922 

With the attached file, t->font can be set to a negative value, which causes this bug.
[fig2dev/dev/gentikz.c]
1724   else
1725   fprintf(tfp, "\\normalfont%s ",
1726 texfonts[t->font <= MAX_FONT ? t->font : MAX_FONT - 1]);

===

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk 1:4.1.4+dfsg-1
ii  libc62.24-17
ii  libpng16-16  1.6.34-1
ii  libxpm4  1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.22~dfsg-1
ii  netpbm   2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig  

-- no debconf information

 1  1

1

11 4-51

11 0 5
1
91
1 
c

Bug#881141: gifsicle: out of bound read while running gifsicle

2017-11-07 Thread Joonun Jang
Package: gifsicle
Version: 1.90-1
Severity: important
Tags: security

out of bound read while running gifsicle with "gifsicle --dither --use-col=bw 
poc -o output" option

Running 'gifsicle --dither --use-col=bw poc -o output' with the attached file
raises an out-of-bound read,
which may allow a remote attacker to cause a denial-of-service attack or information
disclosure with a crafted file.
I expected the program to terminate without a segfault, but the program crashes as follows.

---

june@yuweol:~/poc/gifsicle/crash2$ gifsicle --dither --use-col=bw poc -o output
gifsicle:poc:#0: read error: unknown block type 114 at file offset 25
gifsicle:poc: read error: image corrupted, min_code_size too big
gifsicle:poc: read error: image corrupted, code out of range (13 times)
gifsicle:poc: read error: missing 82455 pixels of image data
Segmentation fault

---

Breakpoint 2, colormap_image_floyd_steinberg (gfi=0x55790c50, 
all_new_data=0x55792520 "",
old_cm=0x55790390, kd3=0x7fffdef0, histogram=0x7fffdae0) at 
quantize.c:1149
1149    if (kc_distance(&kd3->ks[e], &use) < kd3->xradius[e])
(gdb) p/x old_cm->col[*data].pixel
$83 = 0xdeadbeef
(gdb) list
1144        + (err[x+1].a[k] & ~(DITHER_ITEM2ERR-1)) / DITHER_ITEM2ERR;
1145    use.a[k] = KC_CLAMPV(v);
1146    }
1147
1148    e = old_cm->col[*data].pixel;
1149    if (kc_distance(&kd3->ks[e], &use) < kd3->xradius[e])
1150        *new_data = e;
1151    else
1152        *new_data = kd3_closest_transformed(kd3, &use, NULL);
1153    histogram[*new_data]++;

* At line 1148, e is set to 0xdeadbeef, a value that was manipulated.
* This value is used as an index into the array kd3->ks at line 1149, which
* causes a segmentation fault in this case.

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x55568b2f in kc_distance (x=0x55548d8b909a, y=0x7fffda02) at 
kcolor.h:110
110 int32_t d0 = x->a[0] - y->a[0], d1 = x->a[1] - y->a[1],

(gdb) bt
#0  0x55568b2f in kc_distance (x=0x55548d8b909a, y=0x7fffda02) at 
kcolor.h:110
#1  0x5556ca0e in colormap_image_floyd_steinberg (gfi=0x55790c50,
all_new_data=0x55792520 "", old_cm=0x55790390, kd3=0x7fffdef0,
histogram=0x7fffdae0) at quantize.c:1149
#2  0x5556e19a in dither (gfi=0x55790c50, new_data=0x55792520 
"",
old_cm=0x55790390, kd3=0x7fffdef0, histogram=0x7fffdae0,
od=0x5578dbc0 ) at quantize.c:1488
#3  0x5556e83f in colormap_stream (gfs=0x55790330, 
new_cm=0x5578e890,
od=0x5578dbc0 ) at quantize.c:1613
#4  0x5557bdd8 in do_colormap_change (gfs=0x55790330) at 
gifsicle.c:904
#5  0x5557c1db in merge_and_write_frames (outfile=0x7fffe52d 
"output", f1=0, f2=-1)
at gifsicle.c:1030
#6  0x5557c54d in output_frames () at gifsicle.c:1105
#7  0x5557f212 in main (argc=6, argv=0x7fffe1e8) at gifsicle.c:2173

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gifsicle depends on:
ii  libc6 2.24-17
ii  libx11-6  2:1.6.4-3

gifsicle recommends no packages.

gifsicle suggests no packages.

-- no debconf information


poc
Description: Binary data
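
The two fig2dev reports above (Bug#881143, t->font = -51 indexing texfonts[]; Bug#881144, t->font = 7111 indexing PSmapwarn[]) and this gifsicle report share one root cause: an index read from the input file is used to subscript a fixed table, either with no range check at all (old_cm->col[*data].pixel feeds kd3->ks[e] directly) or with a one-sided one (t->font <= MAX_FONT ? t->font : MAX_FONT - 1 lets any negative value through). The following is an added example, not code from fig2dev, gifsicle or the bug reports: the table contents, MAX_FONT, the struct layouts and the field names are constructed stand-ins. It places the original one-sided clamp beside a two-sided one, and adds the check the gifsicle path lacks.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/*
 * Constructed stand-in for fig2dev's texfonts[] table. The real table and
 * MAX_FONT differ; what matters here is that the array has MAX_FONT + 1
 * entries, so the original expression treats every index up to MAX_FONT
 * as valid and only the lower bound is missing.
 */
#define MAX_FONT 5
static const char *const texfonts[MAX_FONT + 1] = {
    "\\rmfamily", "\\bfseries", "\\itshape", "\\sffamily", "\\ttfamily", "\\normalfont"
};

/* The clamp as it appears in gentikz.c: only the upper bound is checked, so
 * a negative font number (t->font == -51 in the report) passes through and
 * becomes an index before the start of texfonts[]. Never dereference with it. */
int font_index_one_sided(int font)
{
    return font <= MAX_FONT ? font : MAX_FONT - 1;
}

/* Hardened form: reject both directions and route anything out of range to
 * the same fallback entry the original already used for large values. */
int font_index_checked(int font)
{
    if (font < 0 || font > MAX_FONT)
        return MAX_FONT - 1;
    return font;
}

const char *font_name_checked(int font)
{
    return texfonts[font_index_checked(font)];
}

/*
 * Constructed stand-in for the gifsicle case: a colormap entry's .pixel field
 * is filled from the (corrupt) file and then used as an index into kd3->ks.
 * Struct and field names are assumptions, not gifsicle's real layout.
 */
struct colormap_entry { uint32_t pixel; };
struct kd3_tree { size_t nitems; };     /* number of entries in kd3->ks */

/* Returns the validated index into kd3->ks, or -1 when either the colormap
 * index or the .pixel value it selects is out of range (0xdeadbeef in the
 * report). The caller must stop instead of indexing on -1. */
long kd3_index_checked(const struct colormap_entry *col, size_t ncol,
                       size_t data, const struct kd3_tree *kd3)
{
    if (data >= ncol)
        return -1;
    uint32_t e = col[data].pixel;
    if (e >= kd3->nitems)
        return -1;
    return (long)e;
}

/* Constructed sample: entry 0 is sane, entry 1 carries the report's value. */
static const struct colormap_entry sample_cm[2] = { { 3 }, { 0xdeadbeefu } };
static const struct kd3_tree sample_kd3 = { 256 };
```

font_index_one_sided() is kept only to show why the crash happens; font_index_checked() and kd3_index_checked() are the forms that should sit in front of any table lookup whose index originates in the file.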


Bug#881139: ffmpeg2theora: heap buffer overflow while running ffmpeg2theora

2017-11-07 Thread Joonun Jang
Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: important
Tags: security

heap buffer overflow running ffmpeg2theora with "poc" option

Running 'ffmpeg2theora poc' with the attached file raises a null pointer dereference,
which may allow a remote attacker to cause unspecified impact including a
denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes as follows.

---

june@yuweol:~/poc/ffmpeg2theora/crash7$ ffmpeg2theora poc
[h263 @ 0x5642844b4840] Format h263 detected only with low score of 25, 
misdetection possible!
[h263 @ 0x5642844b5d60] Independent Segment Decoding not supported
Input #0, h263, from 'poc':
  Duration: N/A, bitrate: N/A
Stream #0:0: Video: h263, yuv420p, 40x1732 [SAR 1:1 DAR 10:433], 599.40 
tbr, 1200k tbn, 599.40 tbc
  Pixel Aspect Ratio: 1.00/1   Frame Aspect Ratio: 0.02/1

WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[h263 @ 0x5642844b5880] Independent Segment Decoding not supported
[h263 @ 0x5642844b5880] warning: first frame is no keyframe
[h263 @ 0x5642844b5880] illegal ac vlc code at 0x0
[h263 @ 0x5642844b5880] Error at MB: 0
[h263 @ 0x5642844b5880] concealing 327 DC, 327 AC, 327 MV errors in P frame
[h263 @ 0x5642844b5880] warning: first frame is no keyframe
[h263 @ 0x5642844b5880] illegal ac vlc code at 7x0
[h263 @ 0x5642844b5880] Error at MB: 7
[h263 @ 0x5642844b5880] concealing 396 DC, 396 AC, 396 MV errors in P frame
Segmentation fault

---

[h263 @ 0x61b00080] Format h263 detected only with low score of 25, 
misdetection possible!
[h263 @ 0x61900580] Independent Segment Decoding not supported
Input #0, h263, from '/home/june/poc/ffmpeg2theora/crash7/poc':
  Duration: N/A, bitrate: N/A
Stream #0:0: Video: h263, yuv420p, 40x1732 [SAR 1:1 DAR 10:433], 599.40 
tbr, 1200k tbn, 599.40 tbc
  Pixel Aspect Ratio: 1.00/1   Frame Aspect Ratio: 0.02/1

WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[h263 @ 0x61900080] Independent Segment Decoding not supported
[h263 @ 0x61900080] warning: first frame is no keyframe
[h263 @ 0x61900080] illegal ac vlc code at 0x0
[h263 @ 0x61900080] Error at MB: 0
[h263 @ 0x61900080] concealing 327 DC, 327 AC, 327 MV errors in P frame
[h263 @ 0x61900080] warning: first frame is no keyframe
[h263 @ 0x61900080] illegal ac vlc code at 7x0
[h263 @ 0x61900080] Error at MB: 7
[h263 @ 0x61900080] concealing 396 DC, 396 AC, 396 MV errors in P frame
=
==11538==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x633a7980 at pc 0x7fb5ce7046c2 bp 0x7ffcb5580080 sp 0x7ffcb557f830
READ of size 40 at 0x633a7980 thread T0
#0 0x7fb5ce7046c1  (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x766c1)
#1 0x7fb5ca6d9c8d in image_copy_plane libavutil/imgutils.c:317
#2 0x7fb5ca6d9c8d in image_copy libavutil/imgutils.c:379
#3 0x7fb5ca6d9c8d in av_image_copy libavutil/imgutils.c:398
#4 0x7fb5cb5879ee in av_picture_copy libavcodec/avpicture.c:78
#5 0x55d20da5cbbf in ff2theora_output src/ffmpeg2theora.c:1538
#6 0x55d20da65ad8 in main src/ffmpeg2theora.c:3095
#7 0x7fb5c9e182e0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#8 0x55d20da4ee79 in _start 
(/home/june/project/analyze/bins/ffmpeg2theora-0.30/ffmpeg2theora+0x15e79)

0x633a7980 is located 337 bytes to the right of 110639-byte region 
[0x6338c800,0x633a782f)
allocated by thread T0 here:
#0 0x7fb5ce768758 in __interceptor_posix_memalign 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xda758)
#1 0x7fb5ca6de2b6 in av_malloc libavutil/mem.c:87

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib/x86_64-linux-gnu/libasan.so.4+0x766c1)
Shadow bytes around the buggy address:
  0x0c668000cee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c668000cef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c668000cf00: 00 00 00 00 00 07 fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c668000cf30:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf70: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c668000cf80: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:   fa
  Freed heap region:   fd
  Stack left redzone:  f1
  Stack mid redzone:   f2
  Stack right redzone: f3
  Stack after return:  f5
  Stack use after scope:   f8
  Global 

Bug#881138: ffmpeg2theora: use uninitialized stack value as a pointer while running ffmpeg2theora

2017-11-07 Thread Joonun Jang
Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: important
Tags: security

use uninitialized stack value as a pointer while running ffmpeg2theora with 
"poc" option

Running 'ffmpeg2theora poc' with the attached file uses an uninitialized stack
value as a pointer,
which may allow a remote attacker to cause unspecified impact including a
denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes as follows.

---

june@yuweol:~/poc/ffmpeg2theora/crash3$ ffmpeg2theora poc
[h263 @ 0x557eb7fb5840] Format h263 detected only with low score of 25, 
misdetection possible!
Input #0, h263, from 'poc':
  Duration: N/A, bitrate: N/A
Stream #0:0: Video: h263, yuv420p, 176x144 [SAR 12:11 DAR 4:3], 29.97 tbr, 
1200k tbn, 29.97 tbc
  Pixel Aspect Ratio: 1.09/1   Frame Aspect Ratio: 1.33/1

WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[h263 @ 0x557eb7fb6880] I cbpc damaged at 0 0
[h263 @ 0x557eb7fb6880] Error at MB: 0
[h263 @ 0x557eb7fb6880] concealing 99 DC, 99 AC, 99 MV errors in I frame
  0:00:00.03 audio: 0kbps video: 16kbps, time elapsed: 00:00:00   
Segmentation fault

---

Starting program: /usr/bin/ffmpeg2theora poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
[h263 @ 0x55811820] Format h263 detected only with low score of 25, 
misdetection possible!
Input #0, h263, from 'poc':
  Duration: N/A, bitrate: N/A
Stream #0:0: Video: h263, yuv420p, 176x144 [SAR 12:11 DAR 4:3], 29.97 tbr, 
1200k tbn, 29.97 tbc


Breakpoint 1, 0x55563ab8 in ?? ()
(gdb) x/2x $rbp - 0x368
0x7fffca18: 0xf493f960  0x7fff

- This is the entry point of the function; the local variable at $rbp - 0x368 is 0x7693f960.


(gdb) c
Continuing.
  Pixel Aspect Ratio: 1.09/1   Frame Aspect Ratio: 1.33/1

WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[h263 @ 0x55812860] I cbpc damaged at 0 0
[h263 @ 0x55812860] Error at MB: 0
[h263 @ 0x55812860] concealing 99 DC, 99 AC, 99 MV errors in I frame
  0:00:00.03 audio: 0kbps video: 16kbps, time elapsed: 00:01:55

Program received signal SIGSEGV, Segmentation fault.
clear_context (s=0x7493f960) at libswresample/swresample.c:116
116 s->in_buffer_index= 0;


- The value 7493f960, which is the same as the uninitialized value above,
  was passed to the clear_context function as a parameter.


(gdb) bt
#0  clear_context (s=0x7493f960) at libswresample/swresample.c:116
#1  0x555648e6 in ?? ()
#2  0xc8da in main ()
(gdb) f 1
#1  0x555648e6 in ?? ()
(gdb) x/5i $rip-16
   0x555648d6:  mov-0x368(%rbp),%edi
   0x555648dc:  test   %rdi,%rdi
   0x555648df:  je 0x555648e6
   0x555648e1:  callq  0xb650 
=> 0x555648e6:  mov-0x38(%rbp),%rax
(gdb) x/2x $rbp - 0x368
0x7fffca18: 0xf493f960  0x7fff


- The argument %rdi comes from -0x368(%rbp), which is the same position
  we checked at the entry point of this function.

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ffmpeg2theora depends on:
ii  libavcodec577:3.3.4-2+b2
ii  libavdevice57   7:3.3.4-2+b2
ii  libavfilter67:3.3.4-2+b2
ii  libavformat57   7:3.3.4-2+b2
ii  libavutil55 7:3.3.4-2+b2
ii  libc6   2.24-17
ii  libkate10.4.1-7+b1
ii  libogg0 1.3.2-1+b1
ii  liboggkate1 0.4.1-7+b1
ii  libpostproc54   7:3.3.4-2+b2
ii  libswresample2  7:3.3.4-2+b2
ii  libswscale4 7:3.3.4-2+b2
ii  libtheora0  1.1.1+dfsg.1-14+b1
ii  libvorbis0a 1.3.5-4
ii  libvorbisenc2   1.3.5-4

ffmpeg2theora recommends no packages.

ffmpeg2theora suggests no packages.

-- no debconf information


poc
Description: Binary data
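
The gdb session above shows a pointer slot at -0x368(%rbp) that is never written between function entry and the null-checked call that ends in clear_context(), so the "test %rdi,%rdi; je" guard is testing stack garbage rather than a pointer. The following is an added example, not ffmpeg2theora's code: the context types and the open/free helpers are hypothetical. It shows the shape of cleanup code that survives this, where every pointer the cleanup path may release is initialized to NULL at declaration, so a branch that never opened a resource still leaves a value the guard can reason about.

```c
#include <stdlib.h>

/* Hypothetical stand-ins for the decoder and resampler contexts that a
 * converter tears down when it finishes. The names are assumed. */
struct decoder_ctx  { int opened; };
struct resample_ctx { int opened; };

static struct decoder_ctx *decoder_open(void)
{
    return calloc(1, sizeof(struct decoder_ctx));
}

static struct resample_ctx *resample_open(void)
{
    return calloc(1, sizeof(struct resample_ctx));
}

/*
 * Converts one input. Returns 0 on success, -1 if there is nothing to
 * convert or an allocation fails, and stores in *freed how many contexts
 * the shared cleanup path released.
 *
 * The disassembly in the report shows the guard
 *     mov -0x368(%rbp),%edi ; test %rdi,%rdi ; je ...
 * in front of the call that ends in clear_context(): an "if (ctx) free(ctx)"
 * check. Such a check only means something when the variable is assigned on
 * every path that reaches it, which is what the NULL initializers below do.
 */
int convert_stream(int have_video, int have_audio, int *freed)
{
    struct decoder_ctx  *video = NULL;  /* NULL until (and unless) opened */
    struct resample_ctx *audio = NULL;
    int rc = -1;

    *freed = 0;

    if (have_video) {
        video = decoder_open();
        if (!video)
            goto cleanup;
    }
    if (have_audio) {
        /* The resampler is only ever created on the audio path; a video-only
         * input reaches cleanup without this branch having run. */
        audio = resample_open();
        if (!audio)
            goto cleanup;
    }
    if (!video && !audio)
        goto cleanup;                   /* nothing to convert */

    rc = 0;

cleanup:
    /* Correct no matter which branches ran: an unopened context is NULL,
     * not whatever the stack slot previously held. */
    if (audio) { free(audio); (*freed)++; }
    if (video) { free(video); (*freed)++; }
    return rc;
}

/* Runs convert_stream and folds both results into one value: the number of
 * contexts freed on success, or -1 when the conversion was refused. */
int convert_freed_count(int have_video, int have_audio)
{
    int freed = 0;
    int rc = convert_stream(have_video, have_audio, &freed);
    return rc == 0 ? freed : -1;
}
```

The video-only case is the one that matters for the report: audio is never assigned on that path, and only the initializer makes the final "if (audio)" a real check. Compiling with -Wall -Wmaybe-uninitialized, or running the binary under MemorySanitizer, flags the unguarded variant.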


Bug#881133: x264: out of bound read while running x264

2017-11-07 Thread Joonun Jang
Package: x264
Version: 2:0.148.2795+gitaaa9aa8-1
Severity: important
Tags: security

out of bound read while running x264 with "--crf 24 -o output.264 poc" option

Running 'x264 --crf 24 -o output.264 poc' with the attached file raises an
out-of-bound read,
which may allow a remote attacker to cause a denial-of-service attack or information
disclosure with a crafted file.
I expected the program to terminate without a segfault, but the program crashes as follows.

---

june@yuweol:~/poc/x264/crash1$ x264 --crf 24 -o output.264 poc
Segmentation fault

---

Breakpoint 1, Vgm_Emu_Impl::run_commands (this=0x557aafd0, end_time=2205)
at 
/home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu_Impl.cpp:202
warning: Source file is more recent than executable.
202   pcm_pos = pcm_data + pos [3] * 0x1000000L + pos [2] * 0x10000L +
(gdb) l
197   pos += size;
198   break;
199 }
200
201 case cmd_pcm_seek:
202   pcm_pos = pcm_data + pos [3] * 0x1000000L + pos [2] * 0x10000L +
203   pos [1] * 0x100L + pos [0];
204   pos += 4;
205   break;
206
(gdb) x/s [0]
0x557b2d75: "DEAD\235\235\235\235T\302\\", '\302' , 
"TTT}\374\270\337U\020"

* Here pcm_pos is calculated based on the values in the pos buffer.
* The values in the pos buffer can be manipulated (in this case the pos buffer
* starts with DEAD).

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x77bbcf73 in Vgm_Emu_Impl::run_commands (this=0x557aafd0, 
end_time=2205)
at 
/home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu_Impl.cpp:212
212   write_pcm( vgm_time, *pcm_pos++ );
(gdb) l
207 default:
208   int cmd = pos [-1];
209   switch ( cmd & 0xF0 )
210   {
211 case cmd_pcm_delay:
212   write_pcm( vgm_time, *pcm_pos++ );
213   vgm_time += cmd & 0x0F;
214   break;
215
216 case cmd_short_delay:

* Later this manipulated pcm_pos is used at line 212, which raises a segmentation
* fault in this case.

(gdb) bt
#0  0x77bbcf73 in Vgm_Emu_Impl::run_commands (this=0x557aafd0, 
end_time=2205)
at 
/home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu_Impl.cpp:212
#1  0x77bbc2b8 in Vgm_Emu::run_clocks (this=0x557aafd0, 
time_io=@0x7fffcc34: 178977,
msec=50) at 
/home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu.cpp:403
#2  0x77b7d047 in Classic_Emu::play_ (this=0x557aafd0, count=2048, 
out=0x557b1d10)
at 
/home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Classic_Emu.cpp:113
#3  0x77bbc31f in Vgm_Emu::play_ (this=0x557aafd0, count=2048, 
out=0x557b1d10)
at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Vgm_Emu.cpp:411
#4  0x77b8692b in Music_Emu::emu_play (this=0x557aafd0, count=2048, 
out=0x557b1d10)
at 
/home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Music_Emu.cpp:305
#5  0x77b86a4d in Music_Emu::fill_buf (this=0x557aafd0)
at 
/home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Music_Emu.cpp:327
#6  0x77b86ecc in Music_Emu::play (this=0x557aafd0, out_count=256, 
out=0x557da6c0)
at 
/home/june/project/analyze/bins/game-music-emu-0.6.1/gme/Music_Emu.cpp:400
#7  0x77b82a1f in gme_play (me=0x557aafd0, n=256, p=0x557da6c0)
at /home/june/project/analyze/bins/game-music-emu-0.6.1/gme/gme.cpp:336
#8  0x767f2e1d in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#9  0x768d870a in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#10 0x768d937c in ?? () from /usr/lib/x86_64-linux-gnu/libavformat.so.57
#11 0x768db320 in avformat_find_stream_info () from 
/usr/lib/x86_64-linux-gnu/libavformat.so.57
#12 0x76b9a0af in ?? () from /usr/lib/x86_64-linux-gnu/libffms2.so.4
#13 0x76b9620a in ?? () from /usr/lib/x86_64-linux-gnu/libffms2.so.4
#14 0x76b9399c in FFMS_CreateIndexerWithDemuxer () from 
/usr/lib/x86_64-linux-gnu/libffms2.so.4
#15 0x5556b60a in ?? ()
#16 0xc93d in ?? ()
#17 0x7426c2e1 in __libc_start_main (main=0xa030, argc=6, 
argv=0x7fffe208,
init=, fini=, rtld_fini=, 
stack_end=0x7fffe1f8)
at ../csu/libc-start.c:291
#18 0xcb3a in ?? ()

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.



-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
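
Although this report is filed against x264, the backtrace places the crash inside libgme's VGM command interpreter, reached through libavformat and libffms2 while x264 probes its input: the four bytes after a pcm_seek command are decoded as a little-endian offset into pcm_data with no check that the result stays inside the PCM block, and the later *pcm_pos++ reads from wherever it landed. The following is an added example, not game-music-emu's code: the opcode values, the struct layout and the sample streams are constructed. It performs the same decode with the bounds checks that the report's "DEAD" operand would fail, and also rejects a seek command truncated by the end of the stream.

```c
#include <stddef.h>
#include <stdint.h>

/* Opcode values are assumptions standing in for game-music-emu's
 * cmd_pcm_seek and cmd_pcm_delay; the real VGM opcodes are not needed here. */
#define CMD_PCM_SEEK   0xE0
#define CMD_PCM_DELAY  0x80   /* high nibble; low nibble is the delay */

struct pcm_state {
    const uint8_t *pcm_data;
    size_t         pcm_size;
    size_t         pcm_pos;   /* index into pcm_data; never exceeds pcm_size */
};

/* Decodes the 4-byte little-endian seek target (the
 * pos[3]*0x1000000 + pos[2]*0x10000 + pos[1]*0x100 + pos[0] expression
 * from the report) and accepts it only if it lands inside the PCM block. */
int pcm_seek_checked(struct pcm_state *st, const uint8_t *pos, const uint8_t *end)
{
    if (end - pos < 4)                  /* truncated command */
        return -1;
    uint32_t target = (uint32_t)pos[0]
                    | (uint32_t)pos[1] << 8
                    | (uint32_t)pos[2] << 16
                    | (uint32_t)pos[3] << 24;
    if (target >= st->pcm_size)         /* "DEAD" as an offset fails here */
        return -1;
    st->pcm_pos = target;
    return 0;
}

/* Returns the next PCM byte, or -1 once the block is exhausted, instead of
 * reading past it as an unchecked *pcm_pos++ would. */
int pcm_read_checked(struct pcm_state *st)
{
    if (st->pcm_pos >= st->pcm_size)
        return -1;
    return st->pcm_data[st->pcm_pos++];
}

/* Walks a command stream, writing PCM bytes to out[]. Returns the number of
 * bytes written, or -1 on a malformed stream. */
long run_commands_checked(struct pcm_state *st, const uint8_t *cmds, size_t len,
                          uint8_t *out, size_t out_cap)
{
    const uint8_t *pos = cmds, *end = cmds + len;
    size_t written = 0;

    while (pos < end) {
        uint8_t cmd = *pos++;
        if (cmd == CMD_PCM_SEEK) {
            if (pcm_seek_checked(st, pos, end) < 0)
                return -1;
            pos += 4;
        } else if ((cmd & 0xF0) == CMD_PCM_DELAY) {
            int b = pcm_read_checked(st);
            if (b < 0 || written >= out_cap)
                return -1;
            out[written++] = (uint8_t)b;
        } else {
            return -1;                  /* unknown command: stop, don't guess */
        }
    }
    return (long)written;
}

/* Constructed 10-byte PCM block shared by the scenarios below. */
static const uint8_t sample_pcm[] = { '0','1','2','3','4','5','6','7','8','9' };

/* Well-formed stream: seek to offset 3, then two PCM writes. Returns the two
 * bytes packed as (first << 8 | second), or -1 on error. */
long demo_valid_stream(void)
{
    struct pcm_state st = { sample_pcm, sizeof sample_pcm, 0 };
    static const uint8_t cmds[] = { CMD_PCM_SEEK, 0x03, 0x00, 0x00, 0x00,
                                    CMD_PCM_DELAY | 0x0, CMD_PCM_DELAY | 0x1 };
    uint8_t out[4];
    long n = run_commands_checked(&st, cmds, sizeof cmds, out, sizeof out);
    if (n != 2)
        return -1;
    return (long)out[0] << 8 | out[1];
}

/* Crafted stream: the seek operand is the ASCII "DEAD" from the report,
 * i.e. offset 0x44414544, far outside the 10-byte block. */
long demo_crafted_seek(void)
{
    struct pcm_state st = { sample_pcm, sizeof sample_pcm, 0 };
    static const uint8_t cmds[] = { CMD_PCM_SEEK, 'D', 'E', 'A', 'D', CMD_PCM_DELAY };
    uint8_t out[4];
    return run_commands_checked(&st, cmds, sizeof cmds, out, sizeof out);
}

/* Truncated stream: a seek command with only two operand bytes. */
long demo_truncated_seek(void)
{
    struct pcm_state st = { sample_pcm, sizeof sample_pcm, 0 };
    static const uint8_t cmds[] = { CMD_PCM_SEEK, 0x01, 0x00 };
    uint8_t out[4];
    return run_commands_checked(&st, cmds, sizeof cmds, out, sizeof out);
}
```

Keeping pcm_pos as an index rather than a raw pointer is what makes the comparison against pcm_size cheap and overflow-free; with a pointer, the equivalent check would have to be written as a range test on the pointer difference before it is formed.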


Bug#881132: bs1770gain: stack buffer overflow while running bs1770gain

2017-11-07 Thread Joonun Jang
Package: bs1770gain
Version: 0.4.12-2
Severity: important
Tags: security

stack buffer overflow while running bs1770gain with "poc -o output" option

Running 'bs1770gain poc -o output' with the attached file raises a stack buffer overflow,
which may allow a remote attacker to cause a denial-of-service attack or 
I expected the program to terminate without a segfault, but the program crashes as follows.

---

june@yuweol:~/poc/bs1770gain/crash2$ bs1770gain poc -o output
analyzing ...
  [1/1] "poc": Segmentation fault

---

june@yuweol:~/poc/bs1770gain/crash2$ 
~/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain poc -o output
analyzing ...
  [1/1] "poc": =
==5034==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7fffded69470 at pc 0x55e89c1c8419 bp 0x7fffded693b0 sp 0x7fffded693a8
WRITE of size 8 at 0x7fffded69470 thread T0
#0 0x55e89c1c8418 in convert_fltp 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2b418)
#1 0x55e89c1c99af in ffsox_frame_convert_sox 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2c9af)
#2 0x55e89c1c1f29 in sox_reader_run 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x24f29)
#3 0x55e89c1bd686 in ffsox_machine_run 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x20686)
#4 0x55e89c1c19d3 in ffsox_sox_reader_read 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x249d3)
#5 0x55e89c1c2577 in drain 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x25577)
#6 0x7f2434b9db4d in sox_flow_effects 
(/usr/lib/x86_64-linux-gnu/libsox.so.2+0x28b4d)
#7 0x55e89c1b98f2 in ffsox_analyze 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1c8f2)
#8 0x55e89c1b19fd in bs1770gain_tree_analyze 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x149fd)
#9 0x55e89c1ae14e in main 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x1114e)
#10 0x7f24347f82e0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#11 0x55e89c1aa4e9 in _start 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0xd4e9)

Address 0x7fffded69470 is located in stack of thread T0 at offset 96 in frame
#0 0x55e89c1c81df in convert_fltp 
(/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2b1df)

  This frame has 1 object(s):
[32, 96) 'rp' <== Memory access at offset 96 overflows this variable
HINT: this may be a false positive if your program uses some custom stack 
unwind mechanism or swapcontext
  (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow (/home/june/project/analyze/bins/bs1770gain-0.4.12/bs1770gain/bs1770gain+0x2b418) in convert_fltp
Shadow bytes around the buggy address:
  0x10007bda5230: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda5240: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda5250: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda5260: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda5270: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x10007bda5280: 00 00 f1 f1 f1 f1 00 00 00 00 00 00 00 00[f3]f3
  0x10007bda5290: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 f1 f1
  0x10007bda52a0: f1 f1 00 00 00 00 00 f2 f2 f2 f3 f3 f3 f3 00 00
  0x10007bda52b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x10007bda52c0: 00 00 00 00 00 00 f1 f1 f1 f1 00 00 f2 f2 f3 f3
  0x10007bda52d0: f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:   00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:   fa
  Freed heap region:   fd
  Stack left redzone:  f1
  Stack mid redzone:   f2
  Stack right redzone: f3
  Stack after return:  f5
  Stack use after scope:   f8
  Global redzone:  f9
  Global init order:   f6
  Poisoned by user:f7
  Container overflow:  fc
  Array cookie:ac
  Intra object redzone:bb
  ASan internal:   fe
  Left alloca redzone: ca
  Right alloca redzone:cb
==5034==ABORTING

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via 
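
The ASan frame description above is the whole story: 'rp' is a 64-byte stack array in convert_fltp (room for eight pointers, one per channel plane) and the 8-byte write lands at offset 96, the ninth slot, so a frame carrying more channels than the array was sized for walks off its end. The following is an added example, not bs1770gain's code: MAX_PLANES, the function signature and the sample frame are assumptions. It shows a planar-float interleave that validates the channel count against the fixed array before using it as a loop bound.

```c
#include <stddef.h>

/* Size of the per-channel plane-pointer array. The ASan report shows 'rp'
 * occupying [32, 96), i.e. 64 bytes or eight pointers; the write at offset 96
 * is the ninth. The constant itself is an assumption. */
#define MAX_PLANES 8

/*
 * Interleaves planar float audio (one contiguous plane per channel, the
 * layout FFmpeg calls AV_SAMPLE_FMT_FLTP) into out[], as a hardened sketch of
 * what a convert_fltp routine has to do. Returns the number of samples
 * written, or -1 if the frame's channel count does not fit the fixed
 * plane-pointer array or the output buffer is too small.
 */
long convert_fltp_checked(const float *const *planes, int nb_channels,
                          int nb_samples, float *out, size_t out_cap)
{
    const float *rp[MAX_PLANES];

    /* The check the crash points at: the channel count comes from the input
     * file's header, so it must be validated before it bounds a loop over a
     * fixed-size stack array. */
    if (nb_channels < 1 || nb_channels > MAX_PLANES || nb_samples < 0)
        return -1;
    if ((size_t)nb_channels * (size_t)nb_samples > out_cap)
        return -1;

    for (int c = 0; c < nb_channels; c++)
        rp[c] = planes[c];

    for (int i = 0; i < nb_samples; i++)
        for (int c = 0; c < nb_channels; c++)
            out[(size_t)i * nb_channels + c] = rp[c][i];

    return (long)nb_channels * nb_samples;
}

/* Constructed two-channel, three-sample frame. */
static const float left[3]  = {  1.0f,  2.0f,  3.0f };
static const float right[3] = { -1.0f, -2.0f, -3.0f };
static const float *const stereo_planes[2] = { left, right };

/* Returns the sample at position idx after interleaving the constructed
 * stereo frame, or 0 if the conversion was refused or idx is out of range. */
float interleaved_sample(size_t idx)
{
    float out[6];
    if (idx >= 6 || convert_fltp_checked(stereo_planes, 2, 3, out, 6) < 0)
        return 0.0f;
    return out[idx];
}

/* Simulates a header that claims nb_channels channels. The plane table is
 * padded with the same plane so every slot the converter may read is valid;
 * counts above MAX_PLANES must be refused before any plane is touched. */
long convert_with_channels(int nb_channels)
{
    const float *planes[16];
    float out[16 * 3];
    for (int c = 0; c < 16; c++)
        planes[c] = left;
    return convert_fltp_checked(planes, nb_channels, 3, out,
                                sizeof out / sizeof out[0]);
}
```

The same validation belongs at the point where the frame's channel count is first read from the container, so that every consumer of the frame, not only this routine, sees a count already known to fit.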

Bug#881131: bs1770gain: divide by zero while running bs1770gain

2017-11-07 Thread Joonun Jang
Package: bs1770gain
Version: 0.4.12-2
Severity: normal
Tags: security

divide by zero while running bs1770gain with "poc -o output" option

Running 'bs1770gain poc -o output' with the attached file raises a divide-by-zero
exception,
which may allow a remote attacker to cause a denial-of-service attack.
I expected the program to terminate without a crash, but the program crashes as follows.

---

june@yuweol:~/poc/bs1770gain/crash1$ bs1770gain poc output
analyzing ...
  [1/1] "poc": Floating point exception

---

Program received signal SIGFPE, Arithmetic exception.
0x75858e6d in sox_flow_effects () from 
/usr/lib/x86_64-linux-gnu/libsox.so.2
(gdb) x/i $rip
=> 0x75858e6d :  div%rcx
(gdb) i r rcx
rcx0x0  0

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages bs1770gain depends on:
ii  libavcodec577:3.3.4-2+b2
ii  libavformat57   7:3.3.4-2+b2
ii  libavutil55 7:3.3.4-2+b2
ii  libc6   2.24-17
ii  libsox2 14.4.1-5+b2
ii  libswresample2  7:3.3.4-2+b2

bs1770gain recommends no packages.

bs1770gain suggests no packages.

-- no debconf information


poc
Description: audio/flac


Bug#881130: vorbis-tools: use uninitialized local value as a pointer running oggenc

2017-11-07 Thread Joonun Jang
Package: vorbis-tools
Version: 1.4.0-10+b1
Severity: important
Tags: security

bad free while running oggenc with "poc -o output" option

Running 'oggenc poc -o output' with the attached file raises a
bad free (use of an uninitialized local value as a pointer),
which may allow a remote attacker to cause unspecified impact including a
denial-of-service attack.
I expected the program to terminate without a crash, but the program crashes as follows.

---

june@yuweol:~/poc/oggenc/crash1$ oggenc poc -o output
Opening with flac module: FLAC file reader
Encoding "poc" to
 "output"
at quality 3.00
*** Error in `oggenc': free(): invalid pointer: 0x7fff9a8ae710 ***
=== Backtrace: =
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7f77a7e69bfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7f77a7e6ffc6]
/lib/x86_64-linux-gnu/libc.so.6(+0x7780e)[0x7f77a7e7080e]
/usr/lib/x86_64-linux-gnu/libogg.so.0(oggpack_writeclear+0x12)[0x7f77a819ba32]
/usr/lib/x86_64-linux-gnu/libvorbis.so.0(vorbis_analysis_headerout+0x467)[0x7f77a892a807]
oggenc(+0x7aa7)[0x55cc5a9afaa7]
oggenc(+0x3cf6)[0x55cc5a9abcf6]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f77a7e192e1]
oggenc(+0x485a)[0x55cc5a9ac85a]
=== Memory map: 
55cc5a9a8000-55cc5a9b9000 r-xp  08:01 2135134
/usr/bin/oggenc
55cc5abb8000-55cc5abb9000 r--p 0001 08:01 2135134
/usr/bin/oggenc
55cc5abb9000-55cc5abba000 rw-p 00011000 08:01 2135134
/usr/bin/oggenc
55cc5c25a000-55cc5c29c000 rw-p  00:00 0  [heap]
7f77a000-7f77a0021000 rw-p  00:00 0
7f77a0021000-7f77a400 ---p  00:00 0
7f77a7be2000-7f77a7bf8000 r-xp  08:01 2235139
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7bf8000-7f77a7df7000 ---p 00016000 08:01 2235139
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7df7000-7f77a7df8000 r--p 00015000 08:01 2235139
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7df8000-7f77a7df9000 rw-p 00016000 08:01 2235139
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f77a7df9000-7f77a7f8c000 r-xp  08:01 2235485
/lib/x86_64-linux-gnu/libc-2.24.so
7f77a7f8c000-7f77a818c000 ---p 00193000 08:01 2235485
/lib/x86_64-linux-gnu/libc-2.24.so
7f77a818c000-7f77a819 r--p 00193000 08:01 2235485
/lib/x86_64-linux-gnu/libc-2.24.so
7f77a819-7f77a8192000 rw-p 00197000 08:01 2235485
/lib/x86_64-linux-gnu/libc-2.24.so
7f77a84a2000-7f77a86a1000 ---p 00103000 08:01 2235490
/lib/x86_64-linux-gnu/libm-2.24.so
7f77a86a1000-7f77a86a2000 r--p 00102000 08:01 2235490
/lib/x86_64-linux-gnu/libm-2.24.so
7f77a86a2000-7f77a86a3000 rw-p 00103000 08:01 2235490
/lib/x86_64-linux-gnu/libm-2.24.so
7f77a86a3000-7f77a8718000 r-xp  08:01 2106746
/usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a8718000-7f77a8918000 ---p 00075000 08:01 2106746
/usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a8918000-7f77a8919000 r--p 00075000 08:01 2106746
/usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a8919000-7f77a891a000 rw-p 00076000 08:01 2106746
/usr/lib/x86_64-linux-gnu/libFLAC.so.8.3.0
7f77a891a000-7f77a8945000 r-xp  08:01 2106748
/usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8945000-7f77a8b44000 ---p 0002b000 08:01 2106748
/usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8b44000-7f77a8b45000 r--p 0002a000 08:01 2106748
/usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8b45000-7f77a8b46000 rw-p 0002b000 08:01 2106748
/usr/lib/x86_64-linux-gnu/libvorbis.so.0.4.8
7f77a8b46000-7f77a8bd3000 r-xp  08:01 2106751
/usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8bd3000-7f77a8dd2000 ---p 0008d000 08:01 2106751
/usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8dd2000-7f77a8dee000 r--p 0008c000 08:01 2106751
/usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8dee000-7f77a8def000 rw-p 000a8000 08:01 2106751
/usr/lib/x86_64-linux-gnu/libvorbisenc.so.2.0.11
7f77a8def000-7f77a8e12000 r-xp  08:01 2230784
/lib/x86_64-linux-gnu/ld-2.24.so
7f77a8e5-7f77a8feb000 r--p  08:01 2116104
/usr/lib/locale/locale-archive
7f77a8feb000-7f77a8fef000 rw-p  00:00 0
7f77a900e000-7f77a9012000 rw-p  00:00 0
7f77a9012000-7f77a9013000 r--p 00023000 08:01 2230784
/lib/x86_64-linux-gnu/ld-2.24.so
7f77a9013000-7f77a9014000 rw-p 00024000 08:01 2230784
/lib/x86_64-linux-gnu/ld-2.24.so
7f77a9014000-7f77a9015000 rw-p  00:00 0
7fff9a89-7fff9a8b1000 rw-p  00:00 0

Bug#881123: ffmpeg2theora: null pointer dereference while running ffmpeg2theora

2017-11-07 Thread Joonun Jang
Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: normal
Tags: security

null pointer dereference while running ffmpeg2theora with "poc" option

Running 'ffmpeg2theora poc' with the attached file raises a null pointer
dereference,
which may allow a remote attacker to cause a denial-of-service attack.
I expected the program to terminate without segfault, but the program crashes
as follows

---

june@yuweol:~/poc/ffmpeg2theora/crash4$ ffmpeg2theora poc
[aac @ 0x55a00e699840] Format aac detected only with low score of 1, 
misdetection possible!
[aac @ 0x55a00e69abc0] More than one AAC RDB per ADTS frame is not implemented. 
Update your FFmpeg version to the newest one from Git. If the problem still 
occurs, it means that your file has a feature which has not been implemented.
[aac @ 0x55a00e69abc0] Assuming an incorrectly encoded 7.1 channel layout 
instead of a spec-compliant 7.1(wide) layout, use -strict 1 to decode according 
to the specification instead.
[aac @ 0x55a00e69abc0] Multiple frames in a packet.
Input #0, aac, from 'poc':
  Duration: N/A, bitrate: N/A
Stream #0:0: Audio: aac (LC), 16000 Hz, 7.1, fltp
[aac @ 0x55a00e69a5e0] Assuming an incorrectly encoded 7.1 channel layout 
instead of a spec-compliant 7.1(wide) layout, use -strict 1 to decode according 
to the specification instead.
WARNING: Can't get duration of media, not indexing, writing Skeleton 3 track.
[aac @ 0x55a00e69a5e0] More than one AAC RDB per ADTS frame is not implemented. 
Update your FFmpeg version to the newest one from Git. If the problem still 
occurs, it means that your file has a feature which has not been implemented.
[aac @ 0x55a00e69a5e0] Assuming an incorrectly encoded 7.1 channel layout 
instead of a spec-compliant 7.1(wide) layout, use -strict 1 to decode according 
to the specification instead.
[aac @ 0x55a00e69a5e0] Multiple frames in a packet.
[aac @ 0x55a00e69a5e0] Reserved bit set.
[aac @ 0x55a00e69a5e0] Prediction is not allowed in AAC-LC.
Segmentation fault

---

Program received signal SIGSEGV, Segmentation fault.
0x55560ab1 in ?? ()
(gdb) bt
#0  0x55560ab1 in ?? ()
#1  0x55564ab4 in ?? ()
#2  0xc8da in main ()
(gdb) x/i $rip
=> 0x55560ab1:  movss  (%r10,%r8,1),%xmm0
(gdb) i r r10 r8
r10            0x0                 0
r8             0x0                 0

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ffmpeg2theora depends on:
ii  libavcodec57    7:3.3.4-2+b2
ii  libavdevice57   7:3.3.4-2+b2
ii  libavfilter6    7:3.3.4-2+b2
ii  libavformat57   7:3.3.4-2+b2
ii  libavutil55     7:3.3.4-2+b2
ii  libc6           2.24-17
ii  libkate1        0.4.1-7+b1
ii  libogg0         1.3.2-1+b1
ii  liboggkate1     0.4.1-7+b1
ii  libpostproc54   7:3.3.4-2+b2
ii  libswresample2  7:3.3.4-2+b2
ii  libswscale4     7:3.3.4-2+b2
ii  libtheora0      1.1.1+dfsg.1-14+b1
ii  libvorbis0a     1.3.5-4
ii  libvorbisenc2   1.3.5-4

ffmpeg2theora recommends no packages.

ffmpeg2theora suggests no packages.

-- no debconf information


poc
Description: audio/hx-aac-adts


Bug#881122: ffmpeg2theora: null pointer dereference while running ffmpeg2theora

2017-11-07 Thread Joonun Jang
Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: normal
Tags: security

null pointer dereference while running ffmpeg2theora with "poc" option

Running 'ffmpeg2theora poc' with the attached file raises a null pointer
dereference,
which may allow a remote attacker to cause a denial-of-service attack.
I expected the program to terminate without segfault, but the program crashes
as follows

---

june@yuweol:~/poc/ffmpeg2theora/crash2$ ffmpeg2theora poc
[adp @ 0x55fbce8ff840] Format adp detected only with low score of 1, 
misdetection possible!
Input #0, adp, from 'poc':
  Duration: 00:00:00.00, start: 0.00, bitrate: 658 kb/s
Stream #0:0: Audio: adpcm_dtk, 48000 Hz, stereo, s16p
Segmentation fault

---

Program received signal SIGSEGV, Segmentation fault.
0x74b98199 in av_samples_fill_arrays () from 
/usr/lib/x86_64-linux-gnu/libavutil.so.55
(gdb) bt
#0  0x74b98199 in av_samples_fill_arrays () from 
/usr/lib/x86_64-linux-gnu/libavutil.so.55
#1  0x74b984d9 in av_samples_alloc () from 
/usr/lib/x86_64-linux-gnu/libavutil.so.55
#2  0x55565e7a in ?? ()
#3  0xc8da in main ()
(gdb) x/i $rip
=> 0x74b98199 : mov    %rbx,(%r12)
(gdb) i r r12
r12            0x0                 0

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ffmpeg2theora depends on:
ii  libavcodec57    7:3.3.4-2+b2
ii  libavdevice57   7:3.3.4-2+b2
ii  libavfilter6    7:3.3.4-2+b2
ii  libavformat57   7:3.3.4-2+b2
ii  libavutil55     7:3.3.4-2+b2
ii  libc6           2.24-17
ii  libkate1        0.4.1-7+b1
ii  libogg0         1.3.2-1+b1
ii  liboggkate1     0.4.1-7+b1
ii  libpostproc54   7:3.3.4-2+b2
ii  libswresample2  7:3.3.4-2+b2
ii  libswscale4     7:3.3.4-2+b2
ii  libtheora0      1.1.1+dfsg.1-14+b1
ii  libvorbis0a     1.3.5-4
ii  libvorbisenc2   1.3.5-4

ffmpeg2theora recommends no packages.

ffmpeg2theora suggests no packages.

-- no debconf information


Bug#881121: sox: null pointer dereference while running sox

2017-11-07 Thread Joonun Jang
Package: sox
Version: 14.4.1-5+b2
Severity: normal
Tags: security

null pointer dereference while running sox with "poc.aiff output.aiff speed 
1.027" option

Running 'sox poc.aiff output.aiff speed 1.027' with the attached file raises a
null pointer dereference,
which may allow a remote attacker to cause a denial-of-service attack.
I expected the program to terminate without segfault, but the program crashes
as follows

---

june@yuweol:~/poc/sox/crash1$ sox ./poc.aiff output.aiff speed 1.027
Segmentation fault

---

Program received signal SIGSEGV, Segmentation fault.
0x77ba7ff8 in ?? () from /usr/lib/x86_64-linux-gnu/libsox.so.2
(gdb) bt
#0  0x77ba7ff8 in ?? () from /usr/lib/x86_64-linux-gnu/libsox.so.2
#1  0x77b5cb17 in sox_read () from /usr/lib/x86_64-linux-gnu/libsox.so.2
#2  0xfc74 in ?? ()
#3  0x77b6cb4e in sox_flow_effects () from 
/usr/lib/x86_64-linux-gnu/libsox.so.2
#4  0x8e21 in ?? ()
#5  0x770772e1 in __libc_start_main (main=0x7980, argc=5,
argv=0x7fffe268,
init=<optimized out>, fini=<optimized out>, rtld_fini=<optimized out>,
stack_end=0x7fffe258)
at ../csu/libc-start.c:291
#6  0xa45a in ?? ()
(gdb) x/i $rip
=> 0x77ba7ff8:  movzbl (%r11,%rsi,1),%edi
(gdb) i r r11 rsi
r11            0x0                 0
rsi            0x0                 0

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages sox depends on:
ii  libc6             2.24-17
ii  libgomp1          7.2.0-12
ii  libsox-fmt-alsa   14.4.1-5+b2
ii  libsox-fmt-ao     14.4.1-5+b2
ii  libsox-fmt-base   14.4.1-5+b2
ii  libsox-fmt-oss    14.4.1-5+b2
ii  libsox-fmt-pulse  14.4.1-5+b2
ii  libsox2           14.4.1-5+b2

sox recommends no packages.

Versions of packages sox suggests:
ii  libsox-fmt-all  14.4.1-5+b2

-- no debconf information


poc.aiff
Description: Binary data


Bug#881120: gifsicle: use after free while running gifsicle

2017-11-07 Thread Joonun Jang
Package: gifsicle
Version: 1.90-1
Severity: important
Tags: security

use after free while running gifsicle with "poc poc -o output" option

Running 'gifsicle poc poc -o output' with the attached file raises a use after
free,
which may allow a remote attacker to cause a denial-of-service attack or other
unspecified
impact with a crafted file.
I expected the program to terminate without segfault, but the program crashes
as follows

---

june@yuweol:~/poc/gifsicle/crash3$ gifsicle poc poc -o output
gifsicle:poc:#0: read error: unknown block type 49 at file offset 13
gifsicle:poc: read error: image position and/or dimensions out of range
gifsicle:poc:#0: read error: unknown block type 49 at file offset 13
gifsicle:poc: read error: image position and/or dimensions out of range
*** Error in `gifsicle': corrupted size vs. prev_size: 0x5607ed886d40 ***
=== Backtrace: =
/lib/x86_64-linux-gnu/libc.so.6(+0x70bfb)[0x7f4338e5abfb]
/lib/x86_64-linux-gnu/libc.so.6(+0x76fc6)[0x7f4338e60fc6]
/lib/x86_64-linux-gnu/libc.so.6(+0x7738d)[0x7f4338e6138d]
/lib/x86_64-linux-gnu/libc.so.6(+0x78dfa)[0x7f4338e62dfa]
/lib/x86_64-linux-gnu/libc.so.6(__libc_malloc+0x54)[0x7f4338e64f64]
gifsicle(+0x877e)[0x5607ecfff77e]
gifsicle(+0x21a51)[0x5607ed018a51]
gifsicle(+0x22d97)[0x5607ed019d97]
gifsicle(+0x1f674)[0x5607ed016674]
gifsicle(+0x209a3)[0x5607ed0179a3]
gifsicle(+0x4054)[0x5607ecffb054]
/lib/x86_64-linux-gnu/libc.so.6(__libc_start_main+0xf1)[0x7f4338e0a2e1]
gifsicle(+0x472a)[0x5607ecffb72a]
=== Memory map: 
5607ecff7000-5607ed024000 r-xp  08:01 2104695
/usr/bin/gifsicle
5607ed224000-5607ed225000 r--p 0002d000 08:01 2104695
/usr/bin/gifsicle
5607ed225000-5607ed226000 rw-p 0002e000 08:01 2104695
/usr/bin/gifsicle
5607ed885000-5607ed8ad000 rw-p  00:00 0  [heap]
7f433400-7f4334021000 rw-p  00:00 0
7f4334021000-7f433800 ---p  00:00 0
7f4338bd3000-7f4338be9000 r-xp  08:01 2235139
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f4338be9000-7f4338de8000 ---p 00016000 08:01 2235139
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f4338de8000-7f4338de9000 r--p 00015000 08:01 2235139
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f4338de9000-7f4338dea000 rw-p 00016000 08:01 2235139
/lib/x86_64-linux-gnu/libgcc_s.so.1
7f4338dea000-7f4338f7d000 r-xp  08:01 2235485
/lib/x86_64-linux-gnu/libc-2.24.so
7f4338f7d000-7f433917d000 ---p 00193000 08:01 2235485
/lib/x86_64-linux-gnu/libc-2.24.so
7f433917d000-7f4339181000 r--p 00193000 08:01 2235485
/lib/x86_64-linux-gnu/libc-2.24.so
7f4339181000-7f4339183000 rw-p 00197000 08:01 2235485
/lib/x86_64-linux-gnu/libc-2.24.so
7f4339183000-7f4339187000 rw-p  00:00 0
7f4339187000-7f433928a000 r-xp  08:01 2235490
/lib/x86_64-linux-gnu/libm-2.24.so
7f433928a000-7f4339489000 ---p 00103000 08:01 2235490
/lib/x86_64-linux-gnu/libm-2.24.so
7f4339489000-7f433948a000 r--p 00102000 08:01 2235490
/lib/x86_64-linux-gnu/libm-2.24.so
7f433948a000-7f433948b000 rw-p 00103000 08:01 2235490
/lib/x86_64-linux-gnu/libm-2.24.so
7f433948b000-7f43394a3000 r-xp  08:01 2235501
/lib/x86_64-linux-gnu/libpthread-2.24.so
7f43394a3000-7f43396a2000 ---p 00018000 08:01 2235501
/lib/x86_64-linux-gnu/libpthread-2.24.so
7f43396a2000-7f43396a3000 r--p 00017000 08:01 2235501
/lib/x86_64-linux-gnu/libpthread-2.24.so
7f43396a3000-7f43396a4000 rw-p 00018000 08:01 2235501
/lib/x86_64-linux-gnu/libpthread-2.24.so
7f43396a4000-7f43396a8000 rw-p  00:00 0
7f43396a8000-7f43396cb000 r-xp  08:01 2230784
/lib/x86_64-linux-gnu/ld-2.24.so
7f43398a6000-7f43398a8000 rw-p  00:00 0
7f43398c7000-7f43398cb000 rw-p  00:00 0
7f43398cb000-7f43398cc000 r--p 00023000 08:01 2230784
/lib/x86_64-linux-gnu/ld-2.24.so
7f43398cc000-7f43398cd000 rw-p 00024000 08:01 2230784
/lib/x86_64-linux-gnu/ld-2.24.so
7f43398cd000-7f43398ce000 rw-p  00:00 0
7ffddc943000-7ffddc964000 rw-p  00:00 0  [stack]
7ffddc96f000-7ffddc971000 r--p  00:00 0  [vvar]
7ffddc971000-7ffddc973000 r-xp  00:00 0  [vdso]
ff60-ff601000 r-xp  00:00 0  
[vsyscall]
Aborted

---

june@yuweol:~/poc/gifsicle/crash3$ 
~/project/analyze/bins/gifsicle-1.90/src/gifsicle poc poc -o output
gifsicle:poc:#0: read error: unknown block type 49 at file offset 13
gifsicle:poc: read error: image position and/or dimensions out of range
gifsicle:poc:#0: 

Bug#881119: gifsicle: double free while running gifsicle

2017-11-07 Thread Joonun Jang
Package: gifsicle
Version: 1.90-1
Severity: important
Tags: security

double free while running gifsicle with '--delay 50 poc poc -o output' option

Running 'gifsicle --delay 50 poc poc -o output' with the attached file raises a
double free,
which may allow a remote attacker to cause a denial-of-service attack or other
unspecified
impact with a crafted file.
I expected the program to terminate without segfault, but the program crashes
as follows

---

june@yuweol:~/poc/gifsicle/crash1$ gifsicle poc poc -o output
gifsicle:poc:#0: read error: unknown block type 83 at file offset 37
gifsicle:poc: file not in GIF format
Segmentation fault

---

june@yuweol:~/poc/gifsicle/crash1$ 
~/project/analyze/bins/gifsicle-1.90/src/gifsicle --delay 50 poc poc -o output
gifsicle:poc:#0: read error: unknown block type 83 at file offset 37
gifsicle:poc: file not in GIF format
=
==4607==ERROR: AddressSanitizer: attempting double-free on 0x61100400 in 
thread T0:
#0 0x7f519caaafd0 in __interceptor_realloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
#1 0x562d9a5a6de8 in Gif_Realloc 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x1fde8)
#2 0x562d9a5b19db in suck_data 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2a9db)
#3 0x562d9a5b2fe2 in read_gif 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2bfe2)
#4 0x562d9a5b38cd in Gif_FullReadFile 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c8cd)
#5 0x562d9a60301d in input_stream 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7c01d)
#6 0x562d9a60a2e2 in main 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x832e2)
#7 0x7f519c3502e0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#8 0x562d9a596da9 in _start 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0xfda9)

0x61100400 is located 0 bytes inside of 207-byte region 
[0x61100400,0x611004cf)
freed by thread T0 here:
#0 0x7f519caaa8c8 in __interceptor_free 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
#1 0x562d9a5b33ae in read_gif 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c3ae)
#2 0x562d9a5b38cd in Gif_FullReadFile 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c8cd)
#3 0x562d9a60301d in input_stream 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7c01d)
#4 0x562d9a60a2e2 in main 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x832e2)
#5 0x7f519c3502e0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

previously allocated by thread T0 here:
#0 0x7f519caaafd0 in __interceptor_realloc 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
#1 0x562d9a5a6de8 in Gif_Realloc 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x1fde8)
#2 0x562d9a5b19db in suck_data 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2a9db)
#3 0x562d9a5b2fe2 in read_gif 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2bfe2)
#4 0x562d9a5b38cd in Gif_FullReadFile 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c8cd)
#5 0x562d9a60301d in input_stream 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7c01d)
#6 0x562d9a60a2e2 in main 
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x832e2)
#7 0x7f519c3502e0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202e0)

SUMMARY: AddressSanitizer: double-free 
(/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0) in __interceptor_realloc
==4607==ABORTING

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gifsicle depends on:
ii  libc6 2.24-17
ii  libx11-6  2:1.6.4-3

gifsicle recommends no packages.

gifsicle suggests no packages.

-- no debconf information


poc
Description: Binary data


Bug#881019: ffmpeg2theora: null pointer dereference while running ffmpeg2theora with "poc" option

2017-11-06 Thread Joonun Jang
Package: ffmpeg2theora
Version: 0.30-1+b2
Severity: normal
Tags: security

null pointer dereference while running ffmpeg2theora with "poc" option

Running 'ffmpeg2theora poc' with the attached file raises a null pointer
dereference,
which may allow a remote attacker to cause a denial-of-service attack.
I expected the program to terminate without segfault, but the program crashes
as follows

---

june@yuweol:~/poc/ffmpeg2theora/crash1$ ffmpeg2theora poc
[lrc @ 0x558a4a3b6840] Format lrc detected only with low score of 5, 
misdetection possible!
Input #0, lrc, from 'poc':
  Duration: N/A, bitrate: N/A
Stream #0:0: Subtitle: text
Segmentation fault

---

Program received signal SIGSEGV, Segmentation fault.
0x55565b8f in ?? ()
(gdb) bt
#0  0x55565b8f in ?? ()
#1  0xc8da in main ()
(gdb) x/i $rip
=> 0x55565b8f:  mov    0x8(%rax),%rdi
(gdb) i r rax
rax            0x0                 0

---

This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 
'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ffmpeg2theora depends on:
ii  libavcodec57    7:3.3.4-2+b2
ii  libavdevice57   7:3.3.4-2+b2
ii  libavfilter6    7:3.3.4-2+b2
ii  libavformat57   7:3.3.4-2+b2
ii  libavutil55     7:3.3.4-2+b2
ii  libc6           2.24-17
ii  libkate1        0.4.1-7+b1
ii  libogg0         1.3.2-1+b1
ii  liboggkate1     0.4.1-7+b1
ii  libpostproc54   7:3.3.4-2+b2
ii  libswresample2  7:3.3.4-2+b2
ii  libswscale4     7:3.3.4-2+b2
ii  libtheora0      1.1.1+dfsg.1-14+b1
ii  libvorbis0a     1.3.5-4
ii  libvorbisenc2   1.3.5-4

ffmpeg2theora recommends no packages.

ffmpeg2theora suggests no packages.

-- no debconf information


poc
Description: Binary data


Bug#878839: optipng: global-buffer-overflow bug while parsing GIF file

2017-10-16 Thread Joonun Jang
Package: optipng
Version: 0.7.6-1
Severity: normal

Dear Maintainer,

global-buffer-overflow bug while parsing GIF file

Running 'optipng' with the attached file raises global-buffer-overflow
bug,
which may allow a remote attacker to cause a denial-of-service attack or
other unspecified impact with a crafted file.

I expected the program to terminate without segfault, but the program
crashes as follows


* Please consider that this bug isn't found in default debian optipng  *
* which is installed by apt-get.   *
* This bug is only triggered when optipng was compiled by clang or by  *
* gcc without any optimizations.   * 

-



june@june:~/project/analyze/poc/optipng$ optipng poc
** Processing: poc
Warning: Bogus data in GIF
=
==11381==ERROR: AddressSanitizer: global-buffer-overflow on address
0x55c9084bf040 at pc 0x55c908286630 bp 0x7fffd3831e40 sp 0x7fffd3831e38
WRITE of size 4 at 0x55c9084bf040 thread T0
=
==11381==ERROR: AddressSanitizer: global-buffer-overflow on address
0x55c9084bf040 at pc 0x55c908286630 bp 0x7fffd3831e40 sp 0x7fffd3831e38
WRITE of size 4 at 0x55c9084bf040 thread T0
#0 0x55c90828662f
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x7362f)
#1 0x55c908285912
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x72912)
#2 0x55c90828549f
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x7249f)
#3 0x55c908284e00
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x71e00)
#4 0x55c908239928
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x26928)
#5 0x55c9082367a7
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x237a7)
#6 0x55c908229674
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x16674)
#7 0x55c90822b778
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x18778)
#8 0x55c90822c9fe
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x199fe)
#9 0x55c90822731e
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x1431e)
#10 0x55c908227436
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x14436)
#11 0x7fb1b02de2b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#12 0x55c908224389
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x11389)

0x55c9084bf040 is located 0 bytes to the right of global variable
'stack' defined in 'gifread.c:401:16' (0x55c9084b7040) of size 32768
0x55c9084bf040 is located 32 bytes to the left of global variable
'oldcode' defined in 'gifread.c:398:27' (0x55c9084bf060) of size 4
SUMMARY: AddressSanitizer: global-buffer-overflow
(/home/june/project/analyze/bins/optipng-0.7.6/src/optipng/optipng+0x7362f) 
Shadow bytes around the buggy address:
  0x0ab9a108fdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab9a108fdc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab9a108fdd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab9a108fde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab9a108fdf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ab9a108fe00: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 04 f9 f9 f9
  0x0ab9a108fe10: f9 f9 f9 f9 04 f9 f9 f9 f9 f9 f9 f9 00 00 00 00
  0x0ab9a108fe20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab9a108fe30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab9a108fe40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ab9a108fe50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable:   00
Partially addressable: 01 02 03 04 05 06 07 
Heap left redzone:   fa
Heap right redzone:  fb
Freed heap region:   fd
Stack left redzone:  f1
Stack mid redzone:   f2
Stack right redzone: f3
Stack partial redzone:   f4
Stack after return:  f5
Stack use after scope:   f8
Global redzone:  f9
Global init order:   f6
Poisoned by user:f7
Container overflow:  fc
Array cookie:ac
Intra object redzone:bb
ASan internal:   fe
Left alloca redzone: ca
Right alloca redzone:cb
==11381==ABORTING


(gdb) r poc
Starting program: /usr/bin/optipng poc
** Processing: poc
Warning: Bogus data in GIF

Program received signal SIGSEGV, Segmentation fault.
0x5557d075 in LZWReadByte (init_flag=0, input_code_size=2,
stream=0x5579e010)
at gifread.c:499
499 *sp++ = table[1][code];
(gdb) bt
#0  0x5557d075 in LZWReadByte (init_flag=0, input_code_size=2,
stream=0x5579e010) at gifread.c:499
#1  0x5557ca05 in GIFReadImageData 
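
The optipng report above stops at the crash site: `*sp++ = table[1][code];` in LZWReadByte writes past the end of the global `stack` array while unwinding an LZW code chain. The following is an added example by the editor, not optipng's, giftopnm's or gifsicle's code, showing a defensive version of that unwinding step in C. The table layout (`prefix`/`suffix` arrays plus `clear_code`), the function names and the constructed sample entries are all assumptions made for the example; a real decoder's table is laid out differently but the three checks carry over.

```c
/*
 * Added example (editor's code, not optipng's): defensive LZW string unwinding.
 * A GIF decoder walks a prefix/suffix table backwards, pushing one suffix byte
 * per step onto a fixed-size output stack. A crafted code stream can make that
 * walk reference an undefined code, run into a cycle, or simply push more bytes
 * than the stack holds; the last case is the global-buffer-overflow reported above.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LZW_MAX_CODES  4096   /* GIF LZW codes are at most 12 bits wide */
#define LZW_OUT_SIZE   8192   /* output buffer used by the demo below */

/* Hypothetical table layout: prefix[code] is the preceding code, suffix[code] its last byte. */
struct lzw_table {
    int     prefix[LZW_MAX_CODES];
    uint8_t suffix[LZW_MAX_CODES];
    int     clear_code;       /* codes below this are literal bytes */
};

/*
 * Unwind `code` into `out` (bytes come out in reverse order, as the stack produces them).
 * Returns the number of bytes written, or -1 when the chain is malformed:
 * an out-of-range code, a prefix cycle, a chain ending in a control code,
 * or more bytes than `out_len` can hold.
 */
int lzw_unwind(const struct lzw_table *t, int code, uint8_t *out, size_t out_len)
{
    size_t n = 0, steps = 0;
    const int first_string = t->clear_code + 2;   /* clear and end-of-info are not strings */

    while (code >= first_string) {
        if (code >= LZW_MAX_CODES) return -1;     /* table index out of range */
        if (n >= out_len) return -1;              /* stack full: the overflow in the report */
        if (++steps > LZW_MAX_CODES) return -1;   /* longer than the code space: a cycle */
        out[n++] = t->suffix[code];
        code = t->prefix[code];
    }
    if (code < 0 || code >= t->clear_code) return -1;   /* chain must end in a literal byte */
    if (n >= out_len) return -1;
    out[n++] = (uint8_t)code;
    return (int)n;
}

/* Constructed sample table: 2-bit literals (as in the crash: input_code_size=2), clear_code 4. */
static void sample_table(struct lzw_table *t)
{
    memset(t, 0, sizeof *t);
    t->clear_code = 4;
    t->prefix[6] = 1; t->suffix[6] = 2;   /* code 6 = literal 1 followed by 2 */
    t->prefix[7] = 6; t->suffix[7] = 3;   /* code 7 = code 6 followed by 3 */
    t->prefix[8] = 8; t->suffix[8] = 9;   /* malformed: code 8 is its own prefix */
}

uint8_t lzw_out[LZW_OUT_SIZE];

/* Decode `code` from the sample table into lzw_out, pretending the stack holds `cap` bytes. */
int decode_into(int code, size_t cap)
{
    struct lzw_table t;
    if (cap > LZW_OUT_SIZE) cap = LZW_OUT_SIZE;
    sample_table(&t);
    return lzw_unwind(&t, code, lzw_out, cap);
}

int main(void)
{
    int n = decode_into(7, LZW_OUT_SIZE);
    printf("code 7 -> %d bytes (reversed):", n);
    for (int i = 0; i < n; i++) printf(" %u", lzw_out[i]);
    printf("\ncode 8 (self-referencing prefix) -> %d\n", decode_into(8, LZW_OUT_SIZE));
    printf("code 7 into a 2-byte stack -> %d\n", decode_into(7, 2));
    return 0;
}
```

The cycle check (`steps > LZW_MAX_CODES`) is what stops a self-referencing prefix from walking forever, and the `n >= out_len` check is what keeps the walk inside the stack even when the chain is legitimate but too long for the buffer; each is cheap enough to keep in the inner loop, and a decoder missing either one is worth a closer look during review.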

Bug#878745: ufraw-batch: NULL pointer dereference when running with --conf option

2017-10-16 Thread Joonun Jang
Package: ufraw-batch
Version: 0.22-1.1
Severity: normal

Dear Maintainer,

Running 'ufraw-batch --conf' with the attached file raises a NULL
pointer
dereference, which may allow a denial-of-service attack by a malicious
attacker.

I expected the program to terminate without segfault, but the program
crashes as follows.


(gdb) r --conf poc
Starting program: /usr/bin/ufraw-batch --conf poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library
"/lib/x86_64-linux-gnu/libthread_db.so.1".
Error parsing 'poc'
Error on line 1 char 1: Document must begin with an element (e.g.
<book>)

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) x/i $rip
=> 0x75456646 :  movdqu (%rax),%xmm4
(gdb) i r rax
rax            0x0                 0
-

The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufraw-batch depends on:
ii  libbz2-1.0   1.0.6-8.1
ii  libc62.24-11+deb9u1
ii  libexiv2-14  0.25-3.1
ii  libgcc1  1:6.3.0-18
ii  libglib2.0-0 2.50.3-2
ii  libgomp1 6.3.0-18
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2   2.8-4
ii  liblensfun1  0.3.2-3
ii  libpng16-16  1.6.28-1
ii  libstdc++6   6.3.0-18
ii  libtiff5 4.0.8-2+deb9u1
ii  zlib1g   1:1.2.8.dfsg-5

ufraw-batch recommends no packages.

Versions of packages ufraw-batch suggests:
pn  ufraw  <none>

-- no debconf information


poc
Description: Binary data


Bug#878739: gifsicle: double-free bug when running gifdiff

2017-10-16 Thread Joonun Jang
Package: gifsicle
Version: 1.90-1
Severity: normal

Dear Maintainer,

Running 'gifdiff poc poc' with the attached file raises double-free bug,
which may allow a remote attacker to cause a denial-of-service attack or
other unspecified impact with a crafted file.

I expected the program to terminate without segfault, but the program
crashes as follows



june@june:~/project/analyze/poc/gifdiff/crash2$
~/project/analyze/bins/gifsicle-1.90/src/gifdiff poc poc
=

==22514==ERROR: AddressSanitizer: attempting double-free on
0x61109c80 in thread T0:
#0 0x7f3b19570090 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
#1 0x56146456d6f3 in Gif_Realloc
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x146f3)
#2 0x561464577ed3 in suck_data
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x1eed3)
#3 0x561464579219 in read_gif
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20219)
#4 0x561464579825 in Gif_FullReadFile
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
#5 0x56146457e4eb in read_stream
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
#6 0x56146457e96f in main
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2596f)
#7 0x7f3b18e2b2b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#8 0x56146455dde9 in _start
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x4de9)

0x61109c80 is located 0 bytes inside of 253-byte region
[0x61109c80,0x61109d7d)
freed by thread T0 here:
#0 0x7f3b1956fa10 in free
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
#1 0x56146457952d in read_gif
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2052d)
#2 0x561464579825 in Gif_FullReadFile
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
#3 0x56146457e4eb in read_stream
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
#4 0x56146457e95f in main
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2595f)
#5 0x7f3b18e2b2b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

previously allocated by thread T0 here:
#0 0x7f3b19570090 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
#1 0x56146456d6f3 in Gif_Realloc
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x146f3)
#2 0x561464577ed3 in suck_data
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x1eed3)
#3 0x561464579219 in read_gif
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20219)
#4 0x561464579825 in Gif_FullReadFile
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
#5 0x56146457e4eb in read_stream
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
#6 0x56146457e95f in main
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2595f)
#7 0x7f3b18e2b2b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: double-free
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090) in realloc
==22514==ABORTING

-

The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gifsicle depends on:
ii  libc6 2.24-11+deb9u1
ii  libx11-6  2:1.6.4-3

gifsicle recommends no packages.

gifsicle suggests no packages.

-- no debconf information


poc
Description: Binary data


Bug#878736: gifsicle: NULL pointer dereference when running gifdiff with attached poc(gifdiff poc poc)

2017-10-16 Thread Joonun Jang
Package: gifsicle
Version: 1.90-1
Severity: normal

Dear Maintainer,

Running 'gifdiff' with the attached file raises a NULL pointer
dereference, which may allow a denial-of-service attack by a malicious
attacker.

I expected the program to terminate without segfault, but the program
crashes as follows.


(gdb) r poc poc
Starting program: /usr/bin/gifdiff poc poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library
"/lib/x86_64-linux-gnu/libthread_db.so.1".
gifdiff: While reading ‘poc’ frame #0:
gifdiff:   error: unknown block type 0 at file offset 13
gifdiff: While reading ‘poc’ frame #0:
gifdiff:   error: unknown block type 0 at file offset 13

Program received signal SIGSEGV, Segmentation fault.
0xce38 in ?? ()
(gdb) x/i $rip
=> 0xce38:  mov    (%rdx,%rax,8),%rbx
(gdb) i r rdx
rdx            0x0                 0
(gdb) i r rax
rax            0x0                 0
-

The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gifsicle depends on:
ii  libc6 2.24-11+deb9u1
ii  libx11-6  2:1.6.4-3

gifsicle recommends no packages.

gifsicle suggests no packages.

-- no debconf information

Bug#878734: advancecomp: NULL pointer dereference when running advmng with -l option

2017-10-16 Thread Joonun Jang
Package: advancecomp
Version: 2.0-1
Severity: normal

Dear Maintainer,

Running 'advmng -l' with the attached file raises a NULL pointer
dereference, which may allow a denial-of-service attack by a malicious
attacker.

I expected the program to terminate without segfault, but the program
crashes as follows.


(gdb) r -l poc
Starting program: /usr/bin/advmng -l poc

Program received signal SIGSEGV, Segmentation fault.
0x5556037f in ?? ()
(gdb) x/i $rip
=> 0x5556037f:  movzwl 0x0(%rbp),%r13d
(gdb) i r rbp
rbp            0x0                 0x0
-

The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages advancecomp depends on:
ii  libc6   2.24-11+deb9u1
ii  libgcc1 1:6.3.0-18
ii  libstdc++6  6.3.0-18
ii  zlib1g  1:1.2.8.dfsg-5

advancecomp recommends no packages.

advancecomp suggests no packages.

-- no debconf information


poc
Description: video/mng


Bug#878733: ufraw-batch: NULL pointer dereference when running with --conf option

2017-10-16 Thread Joonun Jang
Package: ufraw-batch
Version: 0.22-1.1
Severity: normal

Dear Maintainer,

Running 'ufraw-batch --conf' with the attached file raises a NULL
pointer dereference, which may allow a denial-of-service attack by a
malicious attacker.

I expected the program to terminate without segfault, but the program
crashes as follows.


(gdb) r --conf poc
Starting program: /usr/bin/ufraw-batch --conf poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library
"/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x77461823 in g_markup_parse_context_end_parse () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
(gdb) x/i $rip
=> 0x77461823 :  mov    (%rax),%r12
(gdb) i r rax
rax            0x0                 0
-

The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufraw-batch depends on:
ii  libbz2-1.0   1.0.6-8.1
ii  libc62.24-11+deb9u1
ii  libexiv2-14  0.25-3.1
ii  libgcc1  1:6.3.0-18
ii  libglib2.0-0 2.50.3-2
ii  libgomp1 6.3.0-18
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2   2.8-4
ii  liblensfun1  0.3.2-3
ii  libpng16-16  1.6.28-1
ii  libstdc++6   6.3.0-18
ii  libtiff5 4.0.8-2+deb9u1
ii  zlib1g   1:1.2.8.dfsg-5

ufraw-batch recommends no packages.

Versions of packages ufraw-batch suggests:
pn  ufraw  

-- no debconf information


Bug#878732: ufraw-batch: NULL pointer dereference when running with --conf option

2017-10-16 Thread Joonun Jang
Package: ufraw-batch
Version: 0.22-1.1
Severity: normal

Dear Maintainer,

Running 'ufraw-batch --conf' with the attached file raises a NULL
pointer dereference, which may allow a denial-of-service attack by a
malicious attacker.

I expected the program to terminate without segfault, but the program
crashes as follows.


(gdb) r --conf poc
Starting program: /usr/bin/ufraw-batch --conf poc
[Thread debugging using libthread_db enabled]
Using host libthread_db library
"/lib/x86_64-linux-gnu/libthread_db.so.1".
Error parsing 'poc'
Error on line 1 char 1: Document must begin with an element (e.g. <book>)

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) x/i $rip
=> 0x75456646 :  movdqu (%rax),%xmm4
(gdb) i r rax
rax            0x0                 0
-

The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufraw-batch depends on:
ii  libbz2-1.0   1.0.6-8.1
ii  libc62.24-11+deb9u1
ii  libexiv2-14  0.25-3.1
ii  libgcc1  1:6.3.0-18
ii  libglib2.0-0 2.50.3-2
ii  libgomp1 6.3.0-18
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2   2.8-4
ii  liblensfun1  0.3.2-3
ii  libpng16-16  1.6.28-1
ii  libstdc++6   6.3.0-18
ii  libtiff5 4.0.8-2+deb9u1
ii  zlib1g   1:1.2.8.dfsg-5

ufraw-batch recommends no packages.

Versions of packages ufraw-batch suggests:
pn  ufraw  

-- no debconf information


poc
Description: video/mng


Bug#878731: gif2png: NULL pointer dereference when running with -r option

2017-10-16 Thread Joonun Jang
Package: gif2png
Version: 2.5.8-1+b2
Severity: normal

Dear Maintainer,

Running 'gif2png -r' with the attached file raises a NULL pointer
dereference, which may allow a denial-of-service attack by a malicious
attacker.

I expected the program to terminate without segfault, but the program
crashes as follows.


(gdb) r -r poc
Starting program: /usr/bin/gif2png -r poc
gif2png: bad version number, not '87a' or '89a', trying anyway
gif2png: error in reading DataBlock
gif2png: EOF / read error on image data

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/x86_64/strlen.S:106
106 ../sysdeps/x86_64/strlen.S: No such file or directory.
(gdb) x/i $rip
=> 0x77887646 :  movdqu (%rax),%xmm4
(gdb) i r rax
rax            0x0                 0
-

The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gif2png depends on:
ii  libc62.24-11+deb9u1
ii  libpng16-16  1.6.28-1

Versions of packages gif2png recommends:
ii  python  2.7.13-2

gif2png suggests no packages.

-- no debconf information


poc
Description: Binary data
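The reports above share three crash signatures: an AddressSanitizer double-free summary (gifdiff), a glibc stack-protector abort (ufraw-batch, in the report at the top of this thread), and gdb SIGSEGV sessions in which the register used as the base of the faulting memory operand holds 0x0 (gifdiff, advmng, ufraw-batch, gif2png). When a fuzzer produces dozens of such PoCs, the first job is to bucket them by class before anyone reads source. The following Python script is an added illustration of that triage step; it is not part of any of the bug reports, of the KAIST fuzzer, or of the Debian packages named here. The sample crash texts are constructed to mirror the excerpts above (the `read_block+42` symbol and the `0x41414141` register value are made up for the "wild pointer" case), and the 0x1000 page-zero threshold and the class names are this script's own choices.

```python
#!/usr/bin/env python3
"""Bucket fuzzer crash output (ASan reports, glibc aborts, gdb SIGSEGV sessions)
into coarse bug classes.  Added example; sample inputs are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Triage:
    bug_class: str          # "double-free", "null-deref", "stack-buffer-overflow", "segv", "unknown"
    where: Optional[str]    # function (ASan) or faulting address (gdb) when recoverable
    detail: str


# "SUMMARY: AddressSanitizer: <class> (<module>+<off>) in <function>"; re.S tolerates mail wrapping
ASAN_SUMMARY = re.compile(r"SUMMARY: AddressSanitizer: (\S+).*? in (\S+)", re.S)
# gdb "x/i $rip":  "=> 0x55e3 <func+12>:\tmov    (%rdx,%rax,8),%rbx"  (symbol part optional)
FAULT_INSN = re.compile(r"^=> (0x[0-9a-fA-F]+)(?: <[^>]*>)?:\s*(.*)$", re.M)
# gdb "info registers" row:  "rdx            0x0                 0"
REG_LINE = re.compile(r"^([a-z][a-z0-9]{1,3})\s+(0x[0-9a-fA-F]+)\b", re.M)
# AT&T memory operand disp(%base,%index,scale); disp, index and scale are optional
MEM_OPERAND = re.compile(r"(-?0x[0-9a-fA-F]+|-?\d+)?\(%(\w+)(?:,%(\w+)(?:,(\d+))?)?\)")
PAGE_ZERO = 0x1000      # assumption: any access below the first page is classed as a NULL deref


def effective_address(operands: str, regs: Dict[str, int]) -> Optional[int]:
    """Resolve the memory operand of an AT&T-syntax instruction with the captured
    register values.  None if there is no memory operand or a register is missing."""
    m = MEM_OPERAND.search(operands)
    if not m:
        return None
    disp, base, index, scale = m.groups()
    if base not in regs or (index and index not in regs):
        return None
    addr = regs[base] + (int(disp, 0) if disp else 0)
    if index:
        addr += regs[index] * (int(scale) if scale else 1)
    return addr


def triage(text: str) -> Triage:
    """Classify one crash transcript.  ASan and the stack protector are authoritative;
    for a bare SIGSEGV we compute the faulting address from the disassembly and registers."""
    m = ASAN_SUMMARY.search(text)
    if m:
        return Triage(m.group(1), m.group(2), "AddressSanitizer report")
    if "*** stack smashing detected ***" in text:
        return Triage("stack-buffer-overflow", None, "glibc stack-protector canary tripped")
    if "SIGSEGV" in text:
        regs = {name: int(val, 16) for name, val in REG_LINE.findall(text)}
        insn = FAULT_INSN.search(text)
        if not insn:
            return Triage("segv", None, "no faulting instruction captured (run x/i $rip)")
        addr, operands = insn.groups()
        ea = effective_address(operands, regs)
        if ea is None:
            return Triage("segv", addr, f"cannot resolve address of '{operands.strip()}'")
        if 0 <= ea < PAGE_ZERO:
            return Triage("null-deref", addr, f"access at {ea:#x} via '{operands.strip()}'")
        return Triage("segv", addr, f"access at {ea:#x}; check whether the pointer is file-controlled")
    return Triage("unknown", None, "no recognised crash signature")


def gdb_batch_command(binary: str, args: List[str]) -> List[str]:
    """Non-interactive gdb invocation that emits exactly the lines triage() parses."""
    return ["gdb", "-batch", "-ex", "run", "-ex", "x/i $rip", "-ex", "info registers",
            "--args", binary, *args]


# Constructed samples modelled on the reports above.
SAMPLE_ASAN_DOUBLE_FREE = """\
==22514==ERROR: AddressSanitizer: attempting double-free on 0x61109c80 in thread T0:
    #0 0x7f3b19570090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x56146456d6f3 in Gif_Realloc (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x146f3)
SUMMARY: AddressSanitizer: double-free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090) in realloc
==22514==ABORTING
"""
SAMPLE_GDB_NULL_INDEXED = """\
Program received signal SIGSEGV, Segmentation fault.
0xce38 in ?? ()
(gdb) x/i $rip
=> 0xce38:  mov    (%rdx,%rax,8),%rbx
(gdb) i r rdx
rdx            0x0                 0
(gdb) i r rax
rax            0x0                 0
"""
SAMPLE_GDB_NULL_DISP = """\
Program received signal SIGSEGV, Segmentation fault.
0x5556037f in ?? ()
(gdb) x/i $rip
=> 0x5556037f:  movzwl 0x0(%rbp),%r13d
(gdb) i r rbp
rbp            0x0                 0x0
"""
SAMPLE_GDB_WILD = """\
Program received signal SIGSEGV, Segmentation fault.
(gdb) x/i $rip
=> 0x55555555ce38 <read_block+42>:  mov    (%rdx,%rax,8),%rbx
rdx            0x41414141          1094795585
rax            0x0                 0
"""
SAMPLE_STACK_SMASH = "*** stack smashing detected ***: ufraw-batch terminated\nSegmentation fault\n"

if __name__ == "__main__":
    for name in ("SAMPLE_ASAN_DOUBLE_FREE", "SAMPLE_GDB_NULL_INDEXED", "SAMPLE_GDB_NULL_DISP",
                 "SAMPLE_GDB_WILD", "SAMPLE_STACK_SMASH"):
        print(f"{name:24} -> {triage(globals()[name])}")
    print(" ".join(gdb_batch_command("/usr/bin/gifdiff", ["poc", "poc"])))
```

The distinction the script draws between `null-deref` and `segv` matters for prioritisation: a base register of 0x0, as in every gdb session above, is almost always a missed error path (an unchecked return value, as the `Document must begin with an element` message followed by `strlen(NULL)` suggests), whereas a non-null faulting address with attacker-looking bytes in it deserves the same attention as the ASan double-free and the stack-smash, since those point at memory corruption rather than a plain crash.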