Bug#890016: fig2dev: null dereference while running fig2dev

2018-02-13 Thread Roland Rosenfeld
Hi Thomas!

> would you mind waiting for the next release, which should be due in
> about two to four weeks? Bug #890016 is triggered by a pointer in an
> object struct which is left un-initialized in read1_3.c. The code in
> read1_3.c is full of these things and needs more proper initializing
> and sanitizing.

No problem with waiting.  I know that you are already working on some
input sanitizing for fig2dev, and I only forwarded the two new bugs to
you to have them documented in the Debian BTS correctly and to give you
more test files to check whether you found all code blocks where input
sanitizing is necessary...

It's great to hear that you seem to have made some progress with this,
since it's only two to four weeks now.

Tell me if I can support you in some way.

Greetings
Roland
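The pattern Thomas describes above (a pointer field in an object struct left uninitialized, then handed to the free routine when the reader bails out on a truncated spline) and the free_splinestorage crash in the report that follows, shown side by side as an added C example. This is not fig2dev's code: the Spline/Point structs, the "npoints x y ..." text format and the function names are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>

/* Illustrative spline object; modelled on the description above, not
   fig2dev's real struct (assumption). */
typedef struct point { int x, y; struct point *next; } Point;
typedef struct spline { int npoints; Point *points; double *controls; } Spline;

/* Release routine: safe only if every pointer field is NULL or valid. With a
   malloc()ed struct and an early error exit, `controls` is indeterminate. */
void free_spline(Spline *s)
{
    Point *p, *next;
    if (s == NULL) return;
    for (p = s->points; p != NULL; p = next) { next = p->next; free(p); }
    free(s->controls);
    free(s);
}

/* Parse "npoints x y x y ..." from one constructed text line. Returns 0 on
   success, -1 on incomplete input; *out is always safe for free_spline(). */
int read_spline(const char *line, Spline **out)
{
    Spline *s = calloc(1, sizeof *s); /* zeroed: points/controls start as NULL */
    int consumed = 0, i;
    *out = s;
    if (s == NULL || sscanf(line, "%d%n", &s->npoints, &consumed) != 1 || s->npoints <= 0)
        return -1;
    line += consumed;
    for (i = 0; i < s->npoints; i++) {
        Point *p = calloc(1, sizeof *p);
        if (p == NULL || sscanf(line, "%d %d%n", &p->x, &p->y, &consumed) != 2) {
            free(p);
            return -1; /* "incomplete spline object": exit is safe, controls is still NULL */
        }
        line += consumed;
        p->next = s->points;
        s->points = p;
    }
    s->controls = calloc((size_t)s->npoints, sizeof *s->controls);
    return s->controls != NULL ? 0 : -1;
}

/* Parse, then release whatever was built, as the reader does on error. */
int parse_and_free(const char *line)
{
    Spline *s = NULL;
    int rc = read_spline(line, &s);
    free_spline(s);
    return rc;
}
```

Swapping calloc() for malloc() in read_spline reproduces the class of fault in the trace: a truncated object still reaches free_spline, but now with a garbage `controls` pointer.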



Bug#890016: fig2dev: null dereference while running fig2dev

2018-02-09 Thread Joonun Jang
Package: fig2dev
Version: 1:3.2.6a-6
Severity: important
Tags: security

null dereference running fig2dev with "-L pdf poc" option

Running 'fig2dev -L pdf poc' with the attached file raises a null dereference,
which may allow a remote attacker to cause a denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes
as follows:

june@june:~/temp/report/fig2dev/null$ 
../../binary/fig2dev-3.2.6a/fig2dev/fig2dev -L pdf poc
incomplete spline object
ASAN:DEADLYSIGNAL
=
==16804==ERROR: AddressSanitizer: SEGV on unknown address 0x (pc 
0x5557911b bp 0x6080bf20 sp 0x7fffd8d0 T0)
#0 0x5557911a in free_splinestorage 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/free.c:122
#1 0x5557ad0d in read_splineobject 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read1_3.c:430
#2 0x5557bef7 in read_1_3_objects 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read1_3.c:102
#3 0x55581ad4 in readfp_fig 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:187
#4 0x5556eb70 in main 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev.c:412
#5 0x763762b0 in __libc_start_main 
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x5556f259 in _start 
(/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev+0x1b259)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV 
/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/free.c:122 in 
free_splinestorage
==16804==ABORTING

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), 
(500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk 1:4.1.4+dfsg-1
ii  libc62.24-11+deb9u1
ii  libpng16-16  1.6.28-1
ii  libxpm4  1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.20~dfsg-3.2+deb9u1
ii  netpbm   2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig  

-- no debconf information