Date: Sun, 16 Nov 2014 15:10:37 +0100
From: Hanno Böck <hanno@...eck.de>
To: oss-security@...ts.openwall.com
Subject: Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less

Hi,

I wanted to share a couple of issues I recently found via zzuf and afl fuzzing. It's a telling story about the state of some of the free software projects involved, and I can only encourage others to join the effort to find bugs via fuzzing. Some of them are really low hanging fruit.

I'm cc-ing cve-assigners; I leave it up to you to decide which you assign CVEs. If you want / need more info on details please ask.

Imagemagick:

Multiple issues in PCX, DCM parser and generic issue in resize code
http://www.imagemagick.org/script/changelog.php

These already got CVEs:
http://int21.de/cve/CVE-2014-8354-ImageMagick-oob-heap-overflow.html
http://int21.de/cve/CVE-2014-8355-ImageMagick-pcx-oob-heap-overflow.html
http://int21.de/cve/CVE-2014-8562-ImageMagick-dcm-oob-heap-overflow.html

GraphicsMagick:

Fork of Imagemagick, so some of the above also affect it; tests with the same fuzzed sample set turned out one independent other issue:
http://sourceforge.net/p/graphicsmagick/code/ci/37ab9576dbdfeecd8bbc0a312a49b362846016c1/
Heap Overflow / oob read

One more issue with PNGs that turned out to be weird, it caused an error message to overflow:
http://sourceforge.net/p/graphicsmagick/code/ci/0dc6e1d3119f1dda668b0f2d1464459a06767879/

elfutils:

Checks done with the set of files that crashed binutils turned out one issue:
https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-October/004215.html
Invalid read

american fuzzy lop found a couple more:
https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-November/004230.html
and more:
https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-November/004249.html

GIMP:

Invalid reads in import plugins for fli and tga.
https://bugzilla.gnome.org/show_bug.cgi?id=739133
https://bugzilla.gnome.org/show_bug.cgi?id=739134

claws-mail / gdk-pixbuf

Assert in gdk-pixbuf when trying to load a malformed file as an animation. This was an accidental discovery when I clicked on a malformed PNG I sent while reporting another issue (in graphicsmagick) in my mail client (and it crashed with an assert).
https://bugzilla.gnome.org/show_bug.cgi?id=739785
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3322

file/libmagic:

out of bounds read when parsing JPG header
http://bugs.gw.com/view.php?id=398
https://github.com/file/file/commit/59e63838913eee47f5c120a6c53d4565af638158

ndisasm:

Actually I found this by running ndisasm on /dev/urandom - no joke!
Crash / oob read:
http://bugzilla.nasm.us/show_bug.cgi?id=3392289

less:

Out of bounds read, upstream doesn't answer and doesn't have a public bug tracker. This wasn't really found by fuzzing but by running less on a likely malwared gif; I reduced it to a smaller testcase:
http://int21.de/cve/less-oob

cu,
-- 
Hanno Böck
http://hboeck.de/

mail/jabber: hanno@...eck.de
GPG: BBB51E42
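The ndisasm finding above came from nothing more than feeding /dev/urandom to the tool. The script below is an added example (not Hanno's code and not part of the original post) of the smallest useful version of that approach: generate random samples, run a target on each, and keep the inputs whose exit status says the process died by a signal. It assumes a POSIX sh with `head -c` and `mktemp` available, and a target that takes the input file as its last argument; the real findings in the post came from zzuf and afl, whose mutation and coverage guidance go far beyond what plain random bytes can reach.

```shell
#!/bin/sh
# Added example: a bare-bones "run the target on random bytes" crash harness
# in the spirit of the ndisasm-on-/dev/urandom discovery. Not from the post.
# Assumes POSIX sh, head(1) with -c, mktemp(1), and a target whose last
# argument is an input file (e.g.: fuzz_loop 1000 4096 ./out ndisasm -b 32).

# An exit status >= 128 means the child was terminated by a signal
# (128 + signal number): 139 = SIGSEGV, 134 = SIGABRT (failed assert),
# 136 = SIGFPE, 135 = SIGBUS. Ordinary parser errors exit with 1..127.
is_crash_status() {
    [ "$1" -ge 128 ]
}

# Run one random sample of $1 bytes through the target given as the remaining
# arguments. Keeps the sample in $2 if the target crashed; returns 0 on crash.
fuzz_one() {
    size=$1
    outdir=$2
    shift 2
    sample=$(mktemp "$outdir/sample.XXXXXX") || return 2
    head -c "$size" /dev/urandom > "$sample"
    status=0
    "$@" "$sample" > /dev/null 2>&1 || status=$?
    if is_crash_status "$status"; then
        # Name the crasher after its status so SIGSEGV/SIGABRT sort apart.
        mv "$sample" "$outdir/crash.$status.$(basename "$sample")"
        return 0
    fi
    rm -f "$sample"
    return 1
}

# Run $1 iterations of $2-byte samples, storing crashers in $3; prints the
# number of crashing inputs found, so callers can capture it with $(...).
fuzz_loop() {
    n=$1
    size=$2
    outdir=$3
    shift 3
    found=0
    i=0
    while [ "$i" -lt "$n" ]; do
        if fuzz_one "$size" "$outdir" "$@"; then
            found=$((found + 1))
        fi
        i=$((i + 1))
    done
    echo "$found"
}
```

Keeping every crashing sample (rather than just counting) matters: the saved input is what gets minimised and attached to a bug report, and the status in the file name separates memory errors caught as SIGSEGV from assertion failures (SIGABRT) like the gdk-pixbuf one, which usually have very different severity. Running the target under ASan, or with `ulimit -c` set so cores are written, turns the same loop into a much sharper detector.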