Package: fig2dev
Version: 1:3.2.6a-6
Severity: important
Tags: security

global buffer overflow running fig2dev with "-L pdf poc" option
Running 'fig2dev -L pdf poc' with the attached file raises a global buffer
overflow, which may allow a remote attacker to cause unspecified impact,
including a denial-of-service attack.

I expected the program to terminate without a segfault, but the program
crashes as follows:

june@june:~/temp/report/fig2dev/global$ ../../binary/fig2dev-3.2.6a/fig2dev/fig2dev -L pdf poc
=================================================================
==16175==ERROR: AddressSanitizer: global-buffer-overflow on address 0x555555826e40 at pc 0x55555557da29 bp 0x7fffffffdcd0 sp 0x7fffffffdcc8
READ of size 8 at 0x555555826e40 thread T0
    #0 0x55555557da28 in save_comment /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:1425
    #1 0x55555557da28 in get_line /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:1404
    #2 0x555555581d52 in read_objects /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:325
    #3 0x555555581d52 in readfp_fig /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:185
    #4 0x55555556eb70 in main /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev.c:412
    #5 0x7ffff63762b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #6 0x55555556f259 in _start (/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev+0x1b259)

0x555555826e40 is located 32 bytes to the left of global variable 'line_no' defined in 'read.c:88:13' (0x555555826e60) of size 4
0x555555826e40 is located 0 bytes to the right of global variable 'comments' defined in 'read.c:95:14' (0x555555826b20) of size 800
SUMMARY: AddressSanitizer: global-buffer-overflow /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:1425 in save_comment
Shadow bytes around the buggy address:
  0x0aab2aafcd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafcd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafcd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafcda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafcdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0aab2aafcdc0: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 04 f9 f9 f9
  0x0aab2aafcdd0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafcde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafcdf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafce00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0aab2aafce10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==16175==ABORTING

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk         1:4.1.4+dfsg-1
ii  libc6        2.24-11+deb9u1
ii  libpng16-16  1.6.28-1
ii  libxpm4      1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.20~dfsg-3.2+deb9u1
ii  netpbm       2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig  <none>

-- no debconf information
Attachment: poc
Description: Binary data
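As an added example (not fig2dev's own code), a bounds-checked version of the pattern the trace points at: a fixed global table of comment pointers that save_comment fills once per '#' line until the input has more comments than slots. The table size of 100 is assumed from the 800-byte 'comments' global and the 8-byte read in the ASan report; the function names, line handling and sample input are illustrative.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_COMMENTS 100  /* assumed: 800 bytes / 8-byte pointers in the ASan report */

static char *comments[MAX_COMMENTS];  /* fixed global table, as in the report */
static int numcom;                    /* next free slot */

/* Store one comment; -1 when full instead of writing past the last slot. */
int save_comment_checked(const char *text, size_t len)
{
    if (numcom >= MAX_COMMENTS)
        return -1;
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return -1;
    memcpy(copy, text, len);
    copy[len] = '\0';
    comments[numcom++] = copy;
    return 0;
}

/* Lines starting with '#' are comments; returns how many were dropped. */
int collect_comments(const char *buf)
{
    int rejected = 0;
    for (const char *p = buf; *p != '\0'; ) {
        size_t n = strcspn(p, "\n");
        if (*p == '#' && save_comment_checked(p, n) != 0)
            rejected++;
        p += n + (p[n] == '\n');   /* skip the newline unless at end of buffer */
    }
    return rejected;
}

int comment_count(void) { return numcom; }

/* Constructed input with ncomments '#' lines (more than 100 is the report's
 * condition); returns how many the checked collector had to reject. */
int demo_overflow_attempt(int ncomments)
{
    const char *com = "# constructed comment\n";
    size_t len = strlen(com), total = len * (size_t)ncomments;
    char *buf = malloc(total + 1);
    if (buf == NULL)
        return -1;
    for (size_t i = 0; i < total; i += len)
        memcpy(buf + i, com, len);
    buf[total] = '\0';
    int rejected = collect_comments(buf);
    free(buf);
    return rejected;
}
```

With 150 comment lines the unchecked variant would index comments[100] and beyond, which is the read ASan flagged; the checked version stops at 100 and reports the 50 extra lines instead.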