Your message dated Mon, 29 Oct 2018 13:04:00 +0000
with message-id <e1gh7d6-0001d2...@fasolo.debian.org>
and subject line Bug#854441: fixed in apng2gif 1.8-0.1
has caused the Debian Bug report #854441,
regarding apng2gif: CVE-2017-6961: Improper sanitization of user input causing huge memory allocations resulting in crash
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
854441: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=854441
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: apng2gif
Version: 1.7-1
Severity: important

Dear Maintainer,

Q.) What led up to the situation?
A.) In read_chunk function, the line "pChunk->p = new unsigned
char[pChunk->size]" is trying to allocate pChunk->size amount of memory where
this pChunk->size is read from the png file. So, if this pChunk->size is set to
a huge value, it can result in the crash of the program.

Q.) What exactly did you do (or not do) that was effective (or ineffective)?
A.) Just have to modify the relevant offset in the png file so that the
pChunk->size value is huge.

    Steps to reproduce:
        Use the makefile in the attachment and compile the program (Attaching
makefile just as a reference).
        Use the input.png file in the attachment as input to the program and
run it:
                apng2gif input.png

Q.) What was the outcome of this action?
A.) Program will try to allocate a huge amount of memory and can result in a
crash.

Sample Output:

apng2gif 1.7

Reading './crashes_submitted/largememoryallocation/input.png'...
terminate called after throwing an instance of 'std::bad_alloc'
  what():  std::bad_alloc
Aborted (core dumped)

Analysis:

gdb backtrace:
#0  0xb7fdd424 in __kernel_vsyscall ()
#1  0xb7d15687 in __GI_raise (sig=sig@entry=0x6) at .../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2  0xb7d18ab3 in __GI_abort () at abort.c:89
#3  0xb7f28405 in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/i386-linux-gnu/libstdc++.so.6
#4  0xb7f26063 in ?? () from /usr/lib/i386-linux-gnu/libstdc++.so.6
#5  0xb7f2609f in std::terminate() () from /usr/lib/i386-linux-gnu/libstdc++.so.6
#6  0xb7f26306 in __cxa_throw () from /usr/lib/i386-linux-gnu/libstdc++.so.6
#7  0xb7f26916 in operator new(unsigned int) () from /usr/lib/i386-linux-gnu/libstdc++.so.6
#8  0xb7f269cb in operator new[](unsigned int) () from /usr/lib/i386-linux-gnu/libstdc++.so.6
#9  0x0804e78e in read_chunk (f=0x88e0008, pChunk=0xbffff410) at apng2gif.cpp:135
#10 0x08049921 in load_apng (szIn=0xbffff842 "./crashes_submitted/largememoryallocation/input.png", frames=..., num_loops=0xbffff4bc) at apng2gif.cpp:267
#11 0x0804e3f9 in main (argc=0x2, argv=0xbffff6c4) at apng2gif.cpp:1336
#12 0xb7d00af3 in __libc_start_main (main=0x804df2a <main(int, char**)>, argc=0x2, argv=0xbffff6c4, init=0x80500a0 <__libc_csu_init>, fini=0x8050110 <__libc_csu_fini>, rtld_fini=0xb7fed160 <_dl_fini>, stack_end=0xbffff6bc) at libc-start.c:287
#13 0x08048e71 in _start ()

The value of pChunk->size is 0xffffff8c, which is so large that it caused the
allocation to fail.

Q.) What outcome did you expect instead?
A.) Maybe some check to see if pChunk->size is greater than the size of the png,
or proper exception handling over memory allocation using new to gracefully quit
the program, or using malloc instead of new and checking whether the returned
pointer is null.

-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500,
'trusty'), (100, 'trusty-backports')
Architecture: i386 (i686)

Kernel: Linux 3.13.0-32-generic (SMP w/2 CPU cores)

# Makefile attached to the report (reference build for apng2gif.cpp)
PACKAGE    = apng2gif
CC         = gcc
CFLAGS     = -Wall -pedantic
CFLAGS_OPT = -g
LIBS       = -lstdc++ -lm -lpng -lz

all :
	$(CC) $(CFLAGS) $(CFLAGS_OPT) -o apng2gif apng2gif.cpp $(LIBS)

.PHONY : clean

clean :
	rm -rf apng2gif

--- End Message ---
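The check the reporter asks for, as an added C++ example that is not apng2gif's own code: a bounded chunk reader that rejects a declared length that cannot fit in the remaining file before any allocation happens, and treats a failing allocator as an ordinary error instead of letting std::bad_alloc terminate the process. It assumes the input is already loaded into a byte vector; the names read_chunk_checked, append_chunk and count_valid_chunks and the sample chunks are constructed for this example.

```cpp
// Added example (not apng2gif's code); assumes the whole file is already in a byte vector.
#include <cstddef>
#include <cstdint>
#include <new>
#include <vector>

struct Chunk {
    uint32_t size = 0;             // payload length from the 4-byte header
    std::vector<unsigned char> p;  // payload (replaces the unchecked new[])
};
static uint32_t be32(const unsigned char *b) {
    return (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3];
}
static void put32(std::vector<unsigned char> &v, uint32_t x) {
    for (int s = 24; s >= 0; s -= 8) v.push_back((unsigned char)(x >> s));
}
// Read one chunk at offset; on success fill out, advance offset and return true.
// A length that cannot fit in the remaining bytes (such as the report's 0xffffff8c)
// is rejected here and never reaches the allocator.
bool read_chunk_checked(const std::vector<unsigned char> &file, size_t &offset, Chunk &out) {
    if (offset > file.size()) return false;
    const size_t remain = file.size() - offset;
    if (remain < 12) return false;                 // 4 length + 4 type + 4 CRC
    const uint32_t len = be32(&file[offset]);
    if (len > 0x7FFFFFFFu) return false;           // PNG spec: length below 2^31
    if ((size_t)len > remain - 12) return false;   // payload must end before the CRC
    try {
        out.p.assign(file.begin() + (std::ptrdiff_t)(offset + 8),
                     file.begin() + (std::ptrdiff_t)(offset + 8 + len));
    } catch (const std::bad_alloc &) {
        return false;                              // allocator failure is an error, not an abort
    }
    out.size = len;
    offset += 12 + (size_t)len;                    // skip length, type, payload and CRC
    return true;
}

// Append a chunk; len_field may be forged, so it need not match payload.size().
void append_chunk(std::vector<unsigned char> &v, uint32_t len_field, uint32_t type,
                  const std::vector<unsigned char> &payload) {
    put32(v, len_field);
    put32(v, type);
    v.insert(v.end(), payload.begin(), payload.end());
    put32(v, 0);                                   // CRC not verified in this example
}
// Parse chunks until the first rejected one; return how many were accepted.
int count_valid_chunks(const std::vector<unsigned char> &file) {
    size_t off = 0; int n = 0; Chunk c;
    while (read_chunk_checked(file, off, c)) ++n;
    return n;
}
```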
--- Begin Message ---
Source: apng2gif
Source-Version: 1.8-0.1

We believe that the bug you reported is fixed in the latest version of
apng2gif, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 854...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reiner Herrmann <rei...@reiner-h.de> (supplier of updated apng2gif package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 27 Oct 2018 14:15:49 +0200
Source: apng2gif
Binary: apng2gif
Architecture: source
Version: 1.8-0.1
Distribution: unstable
Urgency: medium
Maintainer: Jari Aalto <jari.aa...@cante.net>
Changed-By: Reiner Herrmann <rei...@reiner-h.de>
Description:
 apng2gif   - tool for converting APNG images to animated GIF format
Closes: 854367 854441 854447
Changes:
 apng2gif (1.8-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - Fixes CVE-2017-6960 (Closes: #854367).
     - Fixes CVE-2017-6961 (Closes: #854441).
     - Fixes CVE-2017-6962 (Closes: #854447).


--- End Message ---