Package: gocr Version: 0.49-2+b1 Severity: important Tags: security heap buffer overflow running gocr with "poc" option
Running 'gocr poc' with the attached file raises heap buffer overflow
which may allow a remote attacker to cause unspecified impact including
denial-of-service attack
I expected the program to terminate without segfault, but the program crashes
as follow
june@june:~/temp/report/gocr/00004223$ ../../binary/gocr-0.49/src/gocr poc
=================================================================
==5380==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000ffc1
at pc 0x55555562c95f bp 0x7fffffff4da0 sp 0x7fffffff4d98
READ of size 1 at 0x61400000ffc1 thread T0
#0 0x55555562c95e in thresholding
/home/june/temp/report/binary/gocr-0.49/src/otsu.c:255
#1 0x55555558bf0c in pgm2asc
/home/june/temp/report/binary/gocr-0.49/src/pgm2asc.c:2790
#2 0x55555556a1d8 in main
/home/june/temp/report/binary/gocr-0.49/src/gocr.c:368
#3 0x7ffff65972b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#4 0x555555568149 in _start
(/home/june/temp/report/binary/gocr-0.49/src/gocr+0x14149)
0x61400000ffc1 is located 0 bytes to the right of 385-byte region
[0x61400000fe40,0x61400000ffc1)
allocated by thread T0 here:
#0 0x7ffff6effd28 in malloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1d28)
#1 0x555555642c50 in readpgm
/home/june/temp/report/binary/gocr-0.49/src/pnm.c:225
#2 0x555555569e93 in read_picture
/home/june/temp/report/binary/gocr-0.49/src/gocr.c:310
#3 0x55555556a1ba in main
/home/june/temp/report/binary/gocr-0.49/src/gocr.c:361
#4 0x7ffff65972b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
SUMMARY: AddressSanitizer: heap-buffer-overflow
/home/june/temp/report/binary/gocr-0.49/src/otsu.c:255 in thresholding
Shadow bytes around the buggy address:
0x0c287fff9fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fff9fc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
0x0c287fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c287fff9fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff9ff0: 00 00 00 00 00 00 00 00[01]fa fa fa fa fa fa fa
0x0c287fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c287fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==5380==ABORTING
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST
-- System Information:
Debian Release: 9.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'),
(500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages gocr depends on:
ii libc6 2.24-11+deb9u1
Versions of packages gocr recommends:
ii bzip2 1.0.6-8.1
ii fig2dev [transfig] 1:3.2.6a-2+deb9u1
ii libjpeg-turbo-progs [libjpeg-progs] 1:1.5.1-2
ii netpbm 2:10.0-15.3+b2
ii transfig 1:3.2.6a-2+deb9u1
gocr suggests no packages.
-- no debconf information
poc
Description: Binary data
_______________________________________________ Secure-testing-team mailing list Secure-testing-team@lists.alioth.debian.org http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/secure-testing-team
