Date: Tue, 13 Sep 2016 12:24:23 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: Hanno Böck <hanno@...eck.de>
Cc: "vul@...safe" <vul@...safe.com>, oss-security@...ts.openwall.com
Subject: Re: Heapoverflow in giflib5.1.4

On Tue, Sep 13, 2016 at 06:55:08PM +0200, Hanno Böck wrote:
> Two notes:
> * This is a bug *only* in the gif2rgb command line tool, not in giflib
>   itself.
> * I reported this before. The giflib maintainer claimed multiple times
>   that he has fixed it, yet he hasn't. See:
> https://sourceforge.net/p/giflib/bugs/79/

Hanno, can you still reproduce this issue? I followed your excellent
reproducer script and I don't get any ASAN warnings. If you still get ASAN
warnings this may indicate the source of the confusion.

Thanks

ubuntu@...~$ git clone --depth=1 git://git.code.sf.net/p/giflib/code giflib-code
Cloning into 'giflib-code'...
remote: Counting objects: 149, done.
remote: Compressing objects: 100% (147/147), done.
remote: Total 149 (delta 22), reused 10 (delta 0)
Receiving objects: 100% (149/149), 389.03 KiB | 0 bytes/s, done.
Resolving deltas: 100% (22/22), done.
Checking connectivity... done.
ubuntu@...~$  cd giflib-code/
ubuntu@...~/giflib-code$ CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address" ./autogen.sh
Warning: This script will run configure for you -- if you need to pass
  arguments to configure, please give them as arguments to this script.
aclocal: warning: couldn't open directory 'm4': No such file or directory
configure.ac:14: installing './ar-lib'
configure.ac:14: installing './compile'
configure.ac:15: installing './config.guess'
configure.ac:15: installing './config.sub'
configure.ac:5: installing './install-sh'
configure.ac:5: installing './missing'
Makefile.am: installing './INSTALL'
parallel-tests: installing './test-driver'
lib/Makefile.am: installing './depcomp'
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
[...]
configure: creating ./config.status
config.status: creating util/Makefile
config.status: creating lib/Makefile
config.status: creating Makefile
config.status: creating doc/Makefile
config.status: creating pic/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
ubuntu@...~/giflib-code$ make -j
make  all-recursive
make[1]: Entering directory '/home/ubuntu/giflib-code'
Making all in lib
make[2]: Entering directory '/home/ubuntu/giflib-code/lib'
  CC       dgif_lib.lo
  CC       gif_font.lo
  CC       egif_lib.lo
  CC       gif_hash.lo
  CC       gifalloc.lo
  CC       openbsd-reallocarray.lo
  CC       gif_err.lo
  CC       quantize.lo
  CCLD     libgif.la
ar: `u' modifier ignored since `D' is the default (see `U')
make[2]: Leaving directory '/home/ubuntu/giflib-code/lib'
Making all in util
make[2]: Entering directory '/home/ubuntu/giflib-code/util'
  CC       getarg.o
  CC       gif2rgb.o
  CC       qprintf.o
  CC       gifbuild.o
  CC       gifecho.o
  CC       gifinto.o
  CC       giftext.o
  CC       giftool.o
  CC       gifclrmp.o
  CC       giffix.o
  CC       gifbg.o
  CC       gifcolor.o
  CC       giffilter.o
  CC       gifsponge.o
  CC       gifhisto.o
  CC       gifwedge.o
  AR       libgetarg.a
ar: `u' modifier ignored since `D' is the default (see `U')
  CCLD     gif2rgb
  CCLD     gifecho
  CCLD     giffix
  CCLD     giftext
  CCLD     gifinto
  CCLD     giftool
  CCLD     gifbg
  CCLD     gifclrmp
  CCLD     gifcolor
  CCLD     giffilter
  CCLD     gifsponge
  CCLD     gifwedge
  CCLD     gifhisto
  CCLD     gifbuild
make[2]: Leaving directory '/home/ubuntu/giflib-code/util'
Making all in pic
make[2]: Entering directory '/home/ubuntu/giflib-code/pic'
make[2]: Nothing to be done for 'all'.
make[2]: Leaving directory '/home/ubuntu/giflib-code/pic'
make[2]: Entering directory '/home/ubuntu/giflib-code'
make[2]: Leaving directory '/home/ubuntu/giflib-code'
make[1]: Leaving directory '/home/ubuntu/giflib-code'
ubuntu@...~/giflib-code$ wget https://sourceforge.net/p/giflib/bugs/79/attachment/gif2rgb-oob-heap-read.gif
--2016-09-13 19:19:27--  https://sourceforge.net/p/giflib/bugs/79/attachment/gif2rgb-oob-heap-read.gif
Resolving sourceforge.net (sourceforge.net)... 216.34.181.60
Connecting to sourceforge.net (sourceforge.net)|216.34.181.60|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20 [image/gif]
Saving to: ‘gif2rgb-oob-heap-read.gif’

gif2rgb-oob-heap-read.gif    100%[=============================================>]      20  --.-KB/s    in 0s

2016-09-13 19:19:27 (2.73 MB/s) - ‘gif2rgb-oob-heap-read.gif’ saved [20/20]

ubuntu@...~/giflib-code$  util/gif2rgb gif2rgb-oob-heap-read.gif
Background color out of range for colormap
ubuntu@...~/giflib-code$ 
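The "Background color out of range for colormap" line in the transcript is gif2rgb rejecting a file whose background colour index is larger than its global colormap, instead of indexing past the table. As an added example (not giflib's or gif2rgb's own code), here is a stand-alone version of that header validation in C, using constructed 13-byte GIF headers rather than the attachment from the bug report; the enum and function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Outcome of the header check; the names are this example's own. */
enum gif_hdr_status { GIF_OK = 0, GIF_TOO_SHORT, GIF_BAD_SIGNATURE,
                      GIF_NO_GLOBAL_MAP, GIF_BG_OUT_OF_RANGE };

/* Number of global colour table entries encoded in the <Packed Fields>
 * byte: bit 7 is the presence flag, bits 0-2 give 2^(n+1) entries. */
unsigned global_map_entries(uint8_t packed)
{
    return (packed & 0x80) ? 1u << ((packed & 0x07) + 1) : 0;
}

/* Parse the 6-byte signature plus 7-byte logical screen descriptor and
 * reject a background colour index that would read past the colour table. */
enum gif_hdr_status check_gif_background(const uint8_t *buf, size_t len,
                                         unsigned *map_size, unsigned *bg)
{
    if (len < 13)
        return GIF_TOO_SHORT;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return GIF_BAD_SIGNATURE;
    *map_size = global_map_entries(buf[10]);
    *bg = buf[11];                       /* background colour index byte */
    if (*map_size == 0)                  /* no table: the index must not be used */
        return GIF_NO_GLOBAL_MAP;
    if (*bg >= *map_size)                /* table[*bg] would be out of bounds */
        return GIF_BG_OUT_OF_RANGE;
    return GIF_OK;
}

/* Convenience wrapper returning only the status. */
enum gif_hdr_status check_sample(const uint8_t *buf, size_t len)
{
    unsigned n, bg;
    return check_gif_background(buf, len, &n, &bg);
}

/* Constructed sample headers (not the bug report's attachment): 2x2 screen,
 * packed byte 0x81 = global table present with size bits 1, i.e. 4 entries. */
static const uint8_t sample_ok[13]  = { 'G','I','F','8','9','a', 2,0, 2,0, 0x81, 3,   0 };
static const uint8_t sample_bad[13] = { 'G','I','F','8','9','a', 2,0, 2,0, 0x81, 200, 0 };

int main(void)
{
    unsigned n, bg;
    if (check_gif_background(sample_bad, sizeof sample_bad, &n, &bg) == GIF_BG_OUT_OF_RANGE)
        printf("Background color %u out of range for %u-entry colormap\n", bg, n);
    return check_sample(sample_ok, sizeof sample_ok) == GIF_OK ? 0 : 1;
}
```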