Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 6 Feb 2016 14:42:36 +0100
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE request: Out-of-bound read in the parsing of gif files using
 GraphicsMagick 1.3.18

Hi,

We found a read out-of-bound in the parsing of gif files using
GraphicsMagick. This issue was tested in Ubuntu 14.04 (x86_64) using
GraphicsMagick 1.3.18. Find attached a specially crafted file to reproduce
this issue. The AddressSanitizer report showing the faulty code is here:

$ ./gm identify overflow.gif
=================================================================
==3173==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6210000037be at pc 0x0000007e5f56 bp 0x7fffffffa940 sp 0x7fffffffa938
READ of size 1 at 0x6210000037be thread T0
    #0 0x7e5f55 in DecodeImage coders/gif.c:276
    #1 0x7ebdac in ReadGIFImage coders/gif.c:1075
    #2 0x490fc6 in ReadImage magick/constitute.c:1600
    #3 0x48fcd0 in PingImage magick/constitute.c:1363
    #4 0x43fc25 in IdentifyImageCommand magick/command.c:8350
    #5 0x4427b9 in MagickCommand magick/command.c:8840
    #6 0x47c4d6 in GMCommandSingle magick/command.c:17253
    #7 0x47c79c in GMCommand magick/command.c:17306
    #8 0x40c8c5 in main utilities/gm.c:61
    #9 0x7ffff3739ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #10 0x40c7d8
(/home/vagrant/repos/graphicsmagick-1.3.18/utilities/gm+0x40c7d8)
AddressSanitizer can not describe address in more detail (wild memory
access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow coders/gif.c:276 DecodeImage
Shadow bytes around the buggy address:
  0x0c427fff86a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff86b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff86c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff86d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff86e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fff86f0: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
  0x0c427fff8700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==3173==ABORTING

This issue is caused by the use of unintialized memory in DecodeImage and
fortunately it was fixed here:

http://marc.info/?l=graphicsmagick-commit&m=142283721604323&w=2

Regards,
Gus.

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.