** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to jbigkit in Ubuntu.
https://bugs.launchpad.net/bugs/1823419
Title:
jbig-kit calls abort() on invalid data, crashing many programs
Status in jbigkit package in Ubuntu:
New
Bug description:
Hi,
Sometimes I fuzz random packages that are dependencies of lots of
other packages. Yesterday I picked up jbigkit.
I've just reported upstream a crash where invalid input can cause it
to call abort() rather than report an error up the stack.
This is a DoS in itself, but it's massively exacerbated because TIFF
files can include JBIG1-formatted streams. jbigkit is included in
libtiff, and libtiff is itself included in a bunch of other things. So
I wanted to highlight this to you because of it's widespread DoS
potential.
For example, if you process a corrupted tiff file in imagemagick, it
will crash. If view a corrupted tiff file in e.g. eog or evince, it
will crash. Worst, if you open a file picker in some apps, like chrome
or chromium-browser, it will call out to libgdk-pixbuf to generate a
preview, which will call out to libtiff, then jbigkit, then abort(),
which kills your entire browser session. This also affects the file
picker on pinta (and pinta itself), but not firefox or eog. I'm not
sure why some are affected and some are not.
Here's a trace from chromium-browser: I know it's not in main but it's
a good demonstration.
Thread 1 "chromium-browse" received signal SIGABRT, Aborted.
__GI_raise (sig=sig@entry=6) at ../sysdeps/unix/sysv/linux/raise.c:50
50 ../sysdeps/unix/sysv/linux/raise.c: No such file or directory.
(gdb) bt
#0 0x00007ffff5039077 in __GI_raise (sig=sig@entry=6) at
../sysdeps/unix/sysv/linux/raise.c:50
#1 0x00007ffff501a535 in __GI_abort () at abort.c:79
#2 0x00007fff4e15b1a3 in checked_malloc (nmemb=<optimised out>,
size=<optimised out>) at jbig.c:139
#3 0x00007fff4e160803 in jbg_dec_in (s=s@entry=0x7ffffffea8c0,
data=0x555560317eb0 "", len=14761, cnt=0x7ffffffea838, cnt@entry=0x0) at
jbig.c:2669
#4 0x00007fff941ccf50 in JBIGDecode (tif=0x55556022cf70,
buffer=0x5555604decc0 "", size=513216, s=<optimised out>) at tif_jbig.c:80
#5 0x00007fff941e46f4 in _TIFFReadEncodedStripAndAllocBuffer
(tif=tif@entry=0x55556022cf70, strip=0, buf=buf@entry=0x7ffffffeaed0,
bufsizetoalloc=bufsizetoalloc@entry=513216,
size_to_read=size_to_read@entry=513216)
at tif_read.c:586
#6 0x00007fff941c93ff in gtStripContig (img=0x7ffffffeaf30,
raster=0x7fff49cef010, w=1728, h=2376) at tif_getimage.c:960
#7 0x00007fff941cc958 in TIFFReadRGBAImageOriented
(tif=tif@entry=0x55556022cf70, rwidth=1728, rheight=2376,
raster=raster@entry=0x7fff49cef010, orientation=orientation@entry=1,
stop=stop@entry=1) at tif_getimage.c:532
#8 0x00007fffe81f668b in tiff_image_parse (tiff=tiff@entry=0x55556022cf70,
context=context@entry=0x55555fbedaa0, error=error@entry=0x7ffffffeb4c0)
at ../gdk-pixbuf/io-tiff.c:282
#9 0x00007fffe81f6b3b in gdk_pixbuf__tiff_image_stop_load
(data=0x55555fbedaa0, error=0x7ffffffeb4c0) at ../gdk-pixbuf/io-tiff.c:515
#10 0x00007ffff5398943 in gdk_pixbuf_loader_close
(loader=loader@entry=0x55555f7f0140 [GdkPixbufLoader], error=error@entry=0x0)
at ../gdk-pixbuf/gdk-pixbuf-loader.c:846
#11 0x00007ffff539601a in gdk_pixbuf_new_from_file_at_scale
(filename=0x555560072980
"/home/dja/dev/research/wip/maintest/packages/fax/crash.tiff", width=<optimised
out>, height=<optimised out>, preserve_aspect_ratio=<optimised out>, error=0x0)
at ../gdk-pixbuf/gdk-pixbuf-io.c:1353
#12 0x000055555af5d8bf in ()
#16 0x00007ffff68f83a4 in <emit signal ??? on instance 0x5555601263b0
[GtkFileChooserDialog]> (instance=0x5555601263b0, detailed_signal=<optimised
out>)
at ../../../../gobject/gsignal.c:3487
#13 0x00007ffff68dbb6d in g_closure_invoke (closure=0x5555602ee6d0,
return_value=0x0, n_param_values=1, param_values=0x7fffffffb800,
invocation_hint=0x7fffffffb780)
at ../../../../gobject/gclosure.c:810
#14 0x00007ffff68ee8f3 in signal_emit_unlocked_R
(node=node@entry=0x55555ff53be0, detail=detail@entry=0,
instance=instance@entry=0x5555601263b0,
emission_return=emission_return@entry=0x0,
instance_and_params=instance_and_params@entry=0x7fffffffb800) at
../../../../gobject/gsignal.c:3635
#15 0x00007ffff68f7882 in g_signal_emit_valist
(instance=instance@entry=0x5555601263b0, signal_id=signal_id@entry=335,
detail=detail@entry=0, var_args=var_args@entry=0x7fffffffb9f8)
at ../../../../gobject/gsignal.c:3391
#20 0x00007ffff68f83a4 in <emit signal 0x7ffff58b67d8 "update-preview" on
instance 0x5555600e0360 [GtkFileChooserWidget]>
(instance=instance@entry=0x5555600e0360,
detailed_signal=detailed_signal@entry=0x7ffff58b67d8 "update-preview") at
../../../../gobject/gsignal.c:3487
--Type <RET> for more, q to quit, c to continue without paging--c
#17 0x00007ffff68dbb6d in g_closure_invoke (closure=0x5555600e2fe0,
return_value=0x0, n_param_values=1, param_values=0x7fffffffbcf0,
invocation_hint=0x7fffffffbc70) at ../../../../gobject/gclosure.c:810
#18 0x00007ffff68ee8f3 in signal_emit_unlocked_R
(node=node@entry=0x55555ff53be0, detail=detail@entry=0,
instance=instance@entry=0x5555600e0360,
emission_return=emission_return@entry=0x0,
instance_and_params=instance_and_params@entry=0x7fffffffbcf0) at
../../../../gobject/gsignal.c:3635
#19 0x00007ffff68f7882 in g_signal_emit_valist
(instance=instance@entry=0x5555600e0360, signal_id=signal_id@entry=335,
detail=detail@entry=0, var_args=var_args@entry=0x7fffffffbee8) at
../../../../gobject/gsignal.c:3391
#21 0x00007ffff567c015 in check_preview_change
(impl=impl@entry=0x5555600e0360 [GtkFileChooserWidget]) at
../../../../gtk/gtkfilechooserwidget.c:7723
#22 0x00007ffff567fcc0 in list_selection_changed (selection=<optimised out>,
impl=0x5555600e0360 [GtkFileChooserWidget]) at
../../../../gtk/gtkfilechooserwidget.c:7778
#23 0x00007ffff68dbda6 in _g_closure_invoke_va (closure=0x555560203fe0,
return_value=0x0, instance=0x5555601cc2b0, args=0x7fffffffc330, n_params=0,
param_types=0x0) at ../../../../gobject/gclosure.c:873
#24 0x00007ffff68f7961 in g_signal_emit_valist (instance=0x5555601cc2b0,
signal_id=<optimised out>, detail=<optimised out>,
var_args=var_args@entry=0x7fffffffc330) at ../../../../gobject/gsignal.c:3300
#25 0x00007ffff68f7ecf in g_signal_emit (instance=<optimised out>,
signal_id=<optimised out>, detail=<optimised out>) at
../../../../gobject/gsignal.c:3447
#26 0x00007ffff5810607 in gtk_tree_view_real_set_cursor
(tree_view=tree_view@entry=0x5555601ee3c0 [GtkTreeView],
path=path@entry=0x55555fce37b0, flags=flags@entry=(CLEAR_AND_SELECT |
CLAMP_NODE)) at ../../../../gtk/gtktreeview.c:13323
#27 0x00007ffff581799a in gtk_tree_view_multipress_gesture_pressed
(gesture=0x55556016b790 [GtkGestureMultiPress], n_press=1, x=<optimised out>,
y=<optimised out>, tree_view=0x5555601ee3c0 [GtkTreeView]) at
../../../../gtk/gtktreeview.c:3379
#28 0x00007ffff49e9dae in ffi_call_unix64 () at
/usr/lib/x86_64-linux-gnu/libffi.so.6
#29 0x00007ffff49e971f in ffi_call () at /usr/lib/x86_64-linux-gnu/libffi.so.6
#30 0x00007ffff68dc7e6 in g_cclosure_marshal_generic_va
(closure=0x5555601f0420, return_value=0x0, instance=<optimised out>,
args_list=<optimised out>, marshal_data=<optimised out>, n_params=3,
param_types=0x55555f712690) at ../../../../gobject/gclosure.c:1610
#31 0x00007ffff68dbda6 in _g_closure_invoke_va (closure=0x5555601f0420,
return_value=0x0, instance=0x55556016b790, args=0x7fffffffca10, n_params=3,
param_types=0x55555f712690) at ../../../../gobject/gclosure.c:873
#32 0x00007ffff68f7961 in g_signal_emit_valist (instance=0x55556016b790,
signal_id=<optimised out>, detail=<optimised out>,
var_args=var_args@entry=0x7fffffffca10) at ../../../../gobject/gsignal.c:3300
#33 0x00007ffff68f7ecf in g_signal_emit
(instance=instance@entry=0x55556016b790, signal_id=<optimised out>,
detail=detail@entry=0) at ../../../../gobject/gsignal.c:3447
#34 0x00007ffff56a1868 in gtk_gesture_multi_press_begin
(gesture=0x55556016b790 [GtkGestureMultiPress], sequence=<optimised out>) at
../../../../gtk/gtkgesturemultipress.c:241
#35 0x00007ffff68deba2 in g_cclosure_marshal_VOID__BOXEDv
(closure=0x55555f65c870, return_value=<optimised out>, instance=<optimised
out>, args=<optimised out>, marshal_data=<optimised out>, n_params=<optimised
out>, param_types=0x55555f65c8e0) at ../../../../gobject/gmarshal.c:1950
#36 0x00007ffff68dbda6 in _g_closure_invoke_va (closure=0x55555f65c870,
return_value=0x0, instance=0x55556016b790, args=0x7fffffffcdc0, n_params=1,
param_types=0x55555f65c8e0) at ../../../../gobject/gclosure.c:873
#37 0x00007ffff68f7961 in g_signal_emit_valist (instance=0x55556016b790,
signal_id=<optimised out>, detail=<optimised out>,
var_args=var_args@entry=0x7fffffffcdc0) at ../../../../gobject/gsignal.c:3300
#38 0x00007ffff68f7ecf in g_signal_emit
(instance=instance@entry=0x55556016b790, signal_id=<optimised out>,
detail=detail@entry=0) at ../../../../gobject/gsignal.c:3447
#39 0x00007ffff569e6fe in _gtk_gesture_set_recognized (sequence=0x0,
recognized=1, gesture=0x55556016b790 [GtkGestureMultiPress]) at
../../../../gtk/gtkgesture.c:343
#40 0x00007ffff569e6fe in _gtk_gesture_check_recognized
(gesture=gesture@entry=0x55556016b790 [GtkGestureMultiPress],
sequence=sequence@entry=0x0) at ../../../../gtk/gtkgesture.c:389
#41 0x00007ffff569fc33 in gtk_gesture_handle_event (controller=0x55556016b790
[GtkGestureMultiPress], event=0x5555602831f0) at
../../../../gtk/gtkgesture.c:747
#42 0x00007ffff56a2a96 in gtk_gesture_single_handle_event
(controller=0x55556016b790 [GtkGestureMultiPress], event=0x5555602831f0) at
../../../../gtk/gtkgesturesingle.c:222
#43 0x00007ffff566b5f5 in gtk_event_controller_handle_event
(controller=0x55556016b790 [GtkGestureMultiPress],
event=event@entry=0x5555602831f0) at ../../../../gtk/gtkeventcontroller.c:230
#44 0x00007ffff58258db in _gtk_widget_run_controllers (widget=0x5555601ee3c0
[GtkTreeView], event=0x5555602831f0, phase=GTK_PHASE_BUBBLE) at
../../../../gtk/gtkwidget.c:7379
#49 0x00007ffff68f7ecf in <emit signal ??? on instance 0x5555601ee3c0
[GtkTreeView]> (instance=instance@entry=0x5555601ee3c0, signal_id=<optimised
out>, detail=detail@entry=0) at ../../../../gobject/gsignal.c:3447
#45 0x00007ffff5879f9b in _gtk_marshal_BOOLEAN__BOXED
(closure=0x55555f60a170, return_value=0x7fffffffd140, n_param_values=<optimised
out>, param_values=0x7fffffffd1a0, invocation_hint=<optimised out>,
marshal_data=<optimised out>) at ../../../../gtk/gtkmarshalers.c:83
#46 0x00007ffff68dbb6d in g_closure_invoke (closure=0x55555f60a170,
return_value=0x7fffffffd140, n_param_values=2, param_values=0x7fffffffd1a0,
invocation_hint=0x7fffffffd120) at ../../../../gobject/gclosure.c:810
#47 0x00007ffff68ee124 in signal_emit_unlocked_R
(node=node@entry=0x55555f60a1c0, detail=detail@entry=0,
instance=instance@entry=0x5555601ee3c0,
emission_return=emission_return@entry=0x7fffffffd2c0,
instance_and_params=instance_and_params@entry=0x7fffffffd1a0) at
../../../../gobject/gsignal.c:3673
#48 0x00007ffff68f6f43 in g_signal_emit_valist (instance=<optimised out>,
signal_id=<optimised out>, detail=<optimised out>,
var_args=var_args@entry=0x7fffffffd370) at ../../../../gobject/gsignal.c:3401
#50 0x00007ffff5827b74 in gtk_widget_event_internal
(widget=widget@entry=0x5555601ee3c0 [GtkTreeView],
event=event@entry=0x5555602831f0) at ../../../../gtk/gtkwidget.c:7744
#51 0x00007ffff5829c8a in gtk_widget_event
(widget=widget@entry=0x5555601ee3c0 [GtkTreeView],
event=event@entry=0x5555602831f0) at ../../../../gtk/gtkwidget.c:7314
#52 0x00007ffff56e7c56 in propagate_event_up (topmost=<optimised out>,
event=<optimised out>, widget=0x5555601ee3c0 [GtkTreeView]) at
../../../../gtk/gtkmain.c:2592
#53 0x00007ffff56e7c56 in propagate_event (widget=<optimised out>,
event=0x5555602831f0, captured=<optimised out>, topmost=0x0) at
../../../../gtk/gtkmain.c:2695
#54 0x00007ffff56e9d73 in gtk_main_do_event (event=<optimised out>) at
../../../../gtk/gtkmain.c:1915
#55 0x00007ffff53e7445 in _gdk_event_emit (event=event@entry=0x5555602831f0)
at ../../../../gdk/gdkevents.c:73
#56 0x00007ffff5418012 in gdk_event_source_dispatch (source=<optimised out>,
callback=<optimised out>, user_data=<optimised out>) at
../../../../../gdk/x11/gdkeventsource.c:367
#57 0x00007ffff67fbc3e in g_main_dispatch (context=0x55555f581110) at
../../../../glib/gmain.c:3182
#58 0x00007ffff67fbc3e in g_main_context_dispatch
(context=context@entry=0x55555f581110) at ../../../../glib/gmain.c:3847
#59 0x00007ffff67fbed8 in g_main_context_iterate
(context=context@entry=0x55555f581110, block=block@entry=1,
dispatch=dispatch@entry=1, self=<optimised out>) at
../../../../glib/gmain.c:3920
#60 0x00007ffff67fbf6c in g_main_context_iteration (context=0x55555f581110,
may_block=1) at ../../../../glib/gmain.c:3981
#61 0x0000555558c41e92 in ()
#62 0x0000555558c5e8e9 in ()
#63 0x0000555558b6f2a7 in ()
#64 0x0000555557203274 in ()
#65 0x0000555557205962 in ()
#66 0x000055555720039b in ()
#67 0x000055555882f96a in ()
#68 0x000055555882f5e6 in ()
#69 0x0000555558865996 in ()
#70 0x000055555882d9d1 in ()
#71 0x00005555565a74f3 in ChromeMain ()
#72 0x00007ffff501c09b in __libc_start_main (main=0x5555565a7470, argc=2,
argv=0x7fffffffde38, init=<optimised out>, fini=<optimised out>,
rtld_fini=<optimised out>, stack_end=0x7fffffffde28) at ../csu/libc-start.c:308
#73 0x00005555565a73aa in _start ()
You could potentially mitigate this by building libtiff without jbig1 support
- it's a fairly old format for faxes.
I've been doing these tests on Cosmic but jbigkit has been unchanged
for years so the bugs should apply to older distros.
My message to upstream follows.
Hi,
I decided to try fuzzing jbig-kit with afl-fuzz.
I discovered that it is easy for untrusted inputs to jbig-kit to cause
an abort() in checked_malloc by providing overly large input values.
This will immediately kill any application that links to jbig-kit,
including tools like imagemagick. I think this would be considered a
denial of service attack.
Due to libtiff's embedding of jbig-kit, anything that uses libtiff can
also be caused to abort and dump core rather than fail gracefully.
I have attached both an example jbig file and an example tiff file.
'jbgtopbm crash.jbg'' will crash, and 'convert crash.tiff crash.png'
and 'eog crash.tiff' should also crash. I've had to put the tiff file
in an archive because clicking on it to attach it to the email crashes
the Gnome file picker: it tries to generate a preview, calls out to
libtiff, calls out to jbig-kit, and abort()s.
I think the solution is to have checked_malloc return some sort of
error where it would currently abort().
While fuzzing with AddressSanitizer, I also found a minor buffer over-
read. Perhaps in very rare circumstances it could cause a crash, or
perhaps some data corruption. It can be fixed like so:
diff --git a/libjbig/jbig.c b/libjbig/jbig.c
index fe549464b859..d77990b9205d 100644
--- a/libjbig/jbig.c
+++ b/libjbig/jbig.c
@@ -3264,6 +3264,8 @@ int jbg_newlen(unsigned char *bie, size_t len)
while ((p = jbg_next_pscdms(p, len - (p - bie)))) {
if (p == bie + len)
return JBG_EOK;
+ else if (len - (p - bie) < 6)
+ return JBG_EINVAL;
else if (p[0] == MARKER_ESC)
switch (p[1]) {
case MARKER_NEWLEN:
Regards,
Daniel Axtens
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/jbigkit/+bug/1823419/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : touch-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
