Date: Sun, 17 Jul 2016 10:32:56 -0400 (EDT)
From: cve-assign@...re.org
To: marco.gra@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: multiple memory corruption issues in lepton

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> I just reported on dropbox/lepton github project some memory corruption
> issues, with reproducers.
> 
> https://github.com/dropbox/lepton/issues/26

>> download some samples that will cause memory corruption problems in lepton:
>> 
>> https://github.com/marcograss/marcograss.github.io/blob/master/assets/lepton_testcases1.zip?raw=true
>> 
>> you can reproduce with ./lepton/lepton -singlethread -unjailed -preload testcase.jpeg /tmp/out.lep

>> AddressSanitizer: unknown-crash
>> READ of size 208
>> #0 0x52eb78 in std::__atomic_base::load(std::memory_order) const /usr/include/c++/6/bits/atomic_base.h:396
>> #1 0x52eb78 in std::__atomic_base::operator unsigned int() const /usr/include/c++/6/bits/atomic_base.h:259
>> #2 0x52eb78 in print_bill(int) src/vp8/util/billing.cc:145
>> #3 0x46b7f3 in process_file(IOUtil::FileReader, IOUtil::FileWriter, int, bool) src/lepton/jpgcoder.cc:1616

Use CVE-2016-6234. We think this is an issue in Lepton code. We were
unable to find any relationship between src/vp8/util/billing.cc and
the https://github.com/webmproject/libvpx/tree/master/vp8 code.


>> AddressSanitizer: SEGV on unknown address
>> #0 0x455163 in setup_imginfo_jpg(bool) src/lepton/jpgcoder.cc:4023

Use CVE-2016-6235.


>> AddressSanitizer: global-buffer-overflow
>> READ of size 2
>> #0 0x4571f0 in setup_imginfo_jpg(bool) src/lepton/jpgcoder.cc:4023

Use CVE-2016-6236 for this buffer over-read issue.


>> AddressSanitizer: global-buffer-overflow
>> WRITE of size 2
>> #0 0x45392c in build_huffcodes(unsigned char, unsigned char, huffCodes, huffTree) src/lepton/jpgcoder.cc:5099

Use CVE-2016-6237.


>> AddressSanitizer: global-buffer-overflow
>> READ of size 2
>> #0 0x4fe248 in ProbabilityTablesBase::set_quantization_table(BlockType, unsigned short const) src/vp8/model/model.hh:233
>> #1 0x4fe248 in VP8ComponentEncoder::vp8_full_encoder(UncompressedComponents const, IOUtil::FileWriter, ThreadHandoff const, unsigned int) src/lepton/vp8_encoder.cc:465
>> #2 0x47b3a8 in write_ujpg(std::vector >, std::vector >) src/lepton/jpgcoder.cc:3660

Use CVE-2016-6238 for this buffer over-read issue. We think this is an
issue in Lepton code. We were unable to find any relationship between
src/vp8/model/model.hh and the
https://github.com/webmproject/libvpx/tree/master/vp8 code.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXi5bEAAoJEHb/MwWLVhi2NgEP/3kibyFdWoOvdS0pi/zyPGq4
WnVyS1lgnjNKUH/eJSj2L0mpxh9ecW7SRojAxE5DG8W0KjZRH2KyNJDnSVq04BtW
tgZv5SzUbAZpZ3g0mQo4hjXcfv9Iss3ajjHol7KliMIpU8gnquHRUJytKGHVjKyj
uTFCIsQIv29yXGyU9A7999uuSlwWpKo6amJUh4q4ip14B75Ho9SDCOwjX6Zp7E7Z
z0aoPUWRHaOIg3/1u3KPQ2JM0dapD+Z0R7Bo9I5uHWYA79shp5OQ4LeLCF8jMCHI
Y2WOp2sQWxXBGoYPtbeCzvTFj+EAeXfLa6vI+oEFiYiQRaUzrbwN4PGgNJ00IISu
2snPbfeUxnwbTXjcs1eBS0kwlBBuCNjA619sdIuq8CV4qEXSHr4SR195j1dVa3kD
aQOhp7IhTzvTwbhDrzccCcqnoduE3Gs9GfzS0QQfvYgPxkclRT3zIBFoKqJ9kgy6
mzBouOlWmCPzVD4PB2ugG5Aq7ChqDoTTwCmP+VoA9Ne736Y0s2FiEGPC5rKhLACW
vjkHAjKLfV4hXbXfPRRL3FDZ2t3EV2CqFVer5+iJZgAY6DE7vYP/BSuqA/Qjrnl/
h+H1xnvBiW6V5MF+D7vmrdn8LzZ3Bj+G5KCdIAT7c0VtlFO6VM68LE1OyRGjcHID
Fw2yhG0f2WXRJCB1eda6
=OEE8
-----END PGP SIGNATURE-----
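The assignments above split one batch of reproducers into five CVEs by distinguishing the crash kind (unknown-crash, SEGV, global-buffer-overflow), the access direction and size, and the crash site, and they also look past the inlined std::__atomic_base frames at the top of the print_bill trace to the Lepton function underneath. As an added example that is not part of this message or of the Lepton project, the bash helper below buckets AddressSanitizer reports along exactly those lines: error kind plus access, and the first stack frame whose location lies under the project's source tree (default `src/`), falling back to frame #0 when no such frame exists. The sample reports are constructed here from the traces quoted above (addresses and argument types are made up); ASan's default report layout is assumed, and the `./lepton/lepton` command line in `triage_dir` is the reporter's invocation, assumed to point at an ASan-instrumented build.

```shell
#!/usr/bin/env bash
# Added example: bucket ASan reports by error kind + access + project frame.
# Not Lepton project code; assumes the default AddressSanitizer report format.

# asan_bucket [PREFIX]
# Reads one ASan report on stdin and prints a bucket key of the form
#   <error kind>[ <READ|WRITE> of size N]|<function> <file:line>
# The frame used is the first whose location starts with PREFIX (default
# "src/"), so inlined libstdc++ frames do not hide the project function.
# Prints nothing if the input contains no ASan error line.
asan_bucket() {
  prefix="${1:-src/}"
  awk -v prefix="$prefix" '
    /ERROR: AddressSanitizer: / {
      err = $0
      sub(/^.*ERROR: AddressSanitizer: /, "", err)
      sub(/ on address .*$/, "", err)          # e.g. global-buffer-overflow
      sub(/ on unknown address .*$/, "", err)  # e.g. SEGV
    }
    /^(READ|WRITE) of size [0-9]+/ { err = err " " $1 " of size " $4 }
    /^ *#[0-9]+ 0x[0-9a-f]+ in / && !chosen {
      loc = $NF                                 # file:line is the last field
      fn = $0
      sub(/^ *#[0-9]+ 0x[0-9a-f]+ in /, "", fn) # drop "#N 0xADDR in "
      sub(/ [^ ]+$/, "", fn)                    # drop the location
      sub(/\(.*$/, "", fn)                      # drop the argument list
      if (frame0 == "") frame0 = fn " " loc
      if (index(loc, prefix) == 1) chosen = fn " " loc
    }
    END {
      if (err != "") {
        if (chosen == "") chosen = frame0
        print err "|" chosen
      }
    }
  '
}

# triage_dir DIR
# Runs every sample in DIR through the reporter's command line (assumed to be
# an ASan build) and prints one "<bucket>\t<first sample>" line per bucket.
triage_dir() {
  for f in "$1"/*; do
    key=$(ASAN_OPTIONS=symbolize=1 \
      ./lepton/lepton -singlethread -unjailed -preload "$f" /tmp/out.lep 2>&1 >/dev/null \
      | asan_bucket src/)
    [ -n "$key" ] && printf '%s\t%s\n' "$key" "$f"
  done | awk -F'\t' '!seen[$1]++'
}

# Constructed sample reports (addresses and argument types are invented).
SAMPLE_INLINED=$(cat <<'EOF'
==4242==ERROR: AddressSanitizer: unknown-crash on address 0x7ffd4c0e2a40 at pc 0x52eb78 bp 0x7ffd4c0e2900 sp 0x7ffd4c0e28f8
READ of size 208 at 0x7ffd4c0e2a40 thread T0
    #0 0x52eb78 in std::__atomic_base<unsigned int>::load(std::memory_order) const /usr/include/c++/6/bits/atomic_base.h:396
    #1 0x52eb78 in std::__atomic_base<unsigned int>::operator unsigned int() const /usr/include/c++/6/bits/atomic_base.h:259
    #2 0x52eb78 in print_bill(int) src/vp8/util/billing.cc:145
    #3 0x46b7f3 in process_file(IOUtil::FileReader*, IOUtil::FileWriter*, int, bool) src/lepton/jpgcoder.cc:1616
EOF
)
SAMPLE_WRITE=$(cat <<'EOF'
==4243==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000a1b2c0 at pc 0x45392c bp 0x7ffd4c0e2900 sp 0x7ffd4c0e28f8
WRITE of size 2 at 0x000000a1b2c0 thread T0
    #0 0x45392c in build_huffcodes(unsigned char*, unsigned char*, huffCodes*, huffTree*) src/lepton/jpgcoder.cc:5099
    #1 0x455000 in setup_imginfo_jpg(bool) src/lepton/jpgcoder.cc:4023
EOF
)
SAMPLE_SEGV=$(cat <<'EOF'
==4244==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x455163 bp 0x7ffd4c0e2900 sp 0x7ffd4c0e28f8 T0)
==4244==The signal is caused by a READ memory access.
    #0 0x455163 in setup_imginfo_jpg(bool) src/lepton/jpgcoder.cc:4023
EOF
)

# Print the bucket key for each constructed sample.
demo_buckets() {
  for s in "$SAMPLE_INLINED" "$SAMPLE_WRITE" "$SAMPLE_SEGV"; do
    printf '%s\n' "$s" | asan_bucket
  done
}
demo_buckets
```

Two keys that differ only in READ versus WRITE at the same source line, as the two setup_imginfo_jpg and jpgcoder.cc:4023 reports above do, stay separate buckets, which matches how the assignment treats them; when the prefix matches no frame (e.g. an unsymbolized library crash), the key falls back to frame #0 so the report is still counted rather than dropped.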