Date: Tue, 13 Sep 2016 12:24:23 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: Hanno Böck <hanno@...eck.de>
Cc: "vul@...safe" <vul@...safe.com>, oss-security@...ts.openwall.com
Subject: Re: Heapoverflow in giflib5.1.4

On Tue, Sep 13, 2016 at 06:55:08PM +0200, Hanno Böck wrote:
> Two notes:
> * This is a bug *only* in the gif2rgb command line tool, not in giflib
>   itself.
> * I reported this before. The giflib maintainer claimed multiple times
>   that he has fixed it, yet he hasn't. See:
> https://sourceforge.net/p/giflib/bugs/79/

Hanno, can you still reproduce this issue? I followed your excellent
reproducer script and I don't get any ASAN warnings. If you still get ASAN
warnings this may indicate the source of the confusion.

Thanks

ubuntu@x1:~$ git clone --depth=1 git://git.code.sf.net/p/giflib/code giflib-code
Cloning into 'giflib-code'...
remote: Counting objects: 149, done.
remote: Compressing objects: 100% (147/147), done.
remote: Total 149 (delta 22), reused 10 (delta 0)
Receiving objects: 100% (149/149), 389.03 KiB | 0 bytes/s, done.
Resolving deltas: 100% (22/22), done.
Checking connectivity... done.
ubuntu@x1:~$  cd giflib-code/
ubuntu@x1:~/giflib-code$ CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address" ./autogen.sh
Warning: This script will run configure for you -- if you need to pass
  arguments to configure, please give them as arguments to this script.
aclocal: warning: couldn't open directory 'm4': No such file or directory
configure.ac:14: installing './ar-lib'
configure.ac:14: installing './compile'
configure.ac:15: installing './config.guess'
configure.ac:15: installing './config.sub'
configure.ac:5: installing './install-sh'
configure.ac:5: installing './missing'
Makefile.am: installing './INSTALL'
parallel-tests: installing './test-driver'
lib/Makefile.am: installing './depcomp'
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
[...]
configure: creating ./config.status
config.status: creating util/Makefile
config.status: creating lib/Makefile
config.status: creating Makefile
config.status: creating doc/Makefile
config.status: creating pic/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
ubuntu@x1:~/giflib-code$ make -j
make  all-recursive
make[1]: Entering directory '/home/ubuntu/giflib-code'
Making all in lib
make[2]: Entering directory '/home/ubuntu/giflib-code/lib'
  CC       dgif_lib.lo
  CC       gif_font.lo
  CC       egif_lib.lo
  CC       gif_hash.lo
  CC       gifalloc.lo
  CC       openbsd-reallocarray.lo
  CC       gif_err.lo
  CC       quantize.lo
  CCLD     libgif.la
ar: `u' modifier ignored since `D' is the default (see `U')
make[2]: Leaving directory '/home/ubuntu/giflib-code/lib'
Making all in util
make[2]: Entering directory '/home/ubuntu/giflib-code/util'
  CC       getarg.o
  CC       gif2rgb.o
  CC       qprintf.o
  CC       gifbuild.o
  CC       gifecho.o
  CC       gifinto.o
  CC       giftext.o
  CC       giftool.o
  CC       gifclrmp.o
  CC       giffix.o
  CC       gifbg.o
  CC       gifcolor.o
  CC       giffilter.o
  CC       gifsponge.o
  CC       gifhisto.o
  CC       gifwedge.o
  AR       libgetarg.a
ar: `u' modifier ignored since `D' is the default (see `U')
  CCLD     gif2rgb
  CCLD     gifecho
  CCLD     giffix
  CCLD     giftext
  CCLD     gifinto
  CCLD     giftool
  CCLD     gifbg
  CCLD     gifclrmp
  CCLD     gifcolor
  CCLD     giffilter
  CCLD     gifsponge
  CCLD     gifwedge
  CCLD     gifhisto
  CCLD     gifbuild
make[2]: Leaving directory '/home/ubuntu/giflib-code/util'
Making all in pic
make[2]: Entering directory '/home/ubuntu/giflib-code/pic'
make[2]: Nothing to be done for 'all'.
make[2]: Leaving directory '/home/ubuntu/giflib-code/pic'
make[2]: Entering directory '/home/ubuntu/giflib-code'
make[2]: Leaving directory '/home/ubuntu/giflib-code'
make[1]: Leaving directory '/home/ubuntu/giflib-code'
ubuntu@x1:~/giflib-code$ wget https://sourceforge.net/p/giflib/bugs/79/attachment/gif2rgb-oob-heap-read.gif
--2016-09-13 19:19:27--  https://sourceforge.net/p/giflib/bugs/79/attachment/gif2rgb-oob-heap-read.gif
Resolving sourceforge.net (sourceforge.net)... 216.34.181.60
Connecting to sourceforge.net (sourceforge.net)|216.34.181.60|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20 [image/gif]
Saving to: ‘gif2rgb-oob-heap-read.gif’

gif2rgb-oob-heap-read.gif    100%[=============================================>]      20  --.-KB/s    in 0s

2016-09-13 19:19:27 (2.73 MB/s) - ‘gif2rgb-oob-heap-read.gif’ saved [20/20]

ubuntu@x1:~/giflib-code$  util/gif2rgb gif2rgb-oob-heap-read.gif
Background color out of range for colormap
ubuntu@x1:~/giflib-code$ 


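The "Background color out of range for colormap" line in the session above is gif2rgb refusing a file whose background color index points past the global colormap, which is the condition the bug report's heap out-of-bounds read depends on. As an added illustration (my own code, not giflib's or gif2rgb's), the following standalone check parses the GIF header and logical screen descriptor and rejects such a file before any colormap lookup; the three sample files are constructed here and are not the attachment from the bug tracker.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Return codes for gif_check_background(). */
enum {
    GIF_OK = 0,
    GIF_ERR_SHORT = -1,       /* buffer shorter than header + screen descriptor */
    GIF_ERR_MAGIC = -2,       /* not a GIF87a/GIF89a signature */
    GIF_ERR_NO_COLORMAP = -3, /* no global colormap for the background index to address */
    GIF_ERR_BG_RANGE = -4     /* background index >= colormap entry count */
};
/* Validate the 6-byte header and 7-byte logical screen descriptor. The packed
 * byte at offset 10 carries the global colormap flag (bit 7) and the size
 * exponent N (bits 0-2), giving 2^(N+1) entries. The background color index at
 * offset 11 must be below that count, or a lookup would read past the table. */
int gif_check_background(const unsigned char *buf, size_t len)
{
    if (len < 13)
        return GIF_ERR_SHORT;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return GIF_ERR_MAGIC;
    unsigned char packed = buf[10];
    int colormap_entries = 2 << (packed & 0x07); /* 2 .. 256 entries */
    if (!(packed & 0x80))
        return GIF_ERR_NO_COLORMAP;
    if (buf[11] >= colormap_entries)
        return GIF_ERR_BG_RANGE;
    return GIF_OK;
}
/* Constructed samples: a 1x1 image with a 2-entry global colormap and a
 * trailer byte, differing only in the background index at offset 11. */
const unsigned char GIF_VALID_SAMPLE[20] = {
    'G','I','F','8','9','a', 1,0, 1,0, 0x80, 0x00, 0x00,
    0,0,0, 255,255,255, 0x3B };
const unsigned char GIF_BAD_BACKGROUND_SAMPLE[20] = {
    'G','I','F','8','9','a', 1,0, 1,0, 0x80, 0x05, 0x00,
    0,0,0, 255,255,255, 0x3B };
/* Same descriptor with the global colormap flag cleared and no table. */
const unsigned char GIF_NO_COLORMAP_SAMPLE[14] = {
    'G','I','F','8','9','a', 1,0, 1,0, 0x00, 0x00, 0x00, 0x3B };
int main(void)
{
    printf("valid=%d bad_background=%d no_colormap=%d\n",
           gif_check_background(GIF_VALID_SAMPLE, sizeof GIF_VALID_SAMPLE),
           gif_check_background(GIF_BAD_BACKGROUND_SAMPLE, sizeof GIF_BAD_BACKGROUND_SAMPLE),
           gif_check_background(GIF_NO_COLORMAP_SAMPLE, sizeof GIF_NO_COLORMAP_SAMPLE));
    return 0;
}
```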