Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 27 Nov 2018 11:29:35 +0100
From: Marcus Meissner <meissner@...e.de>
To: oss-security@...ts.openwall.com
Subject: Re: Crashes and memory safety bugs in dcraw

On Fri, Nov 23, 2018 at 09:22:17AM +0100, Hanno Böck wrote:
> Hi,
> 
> dcraw is a tool to process raw images from digital cameras.
> It easily crashes with various issues (tested version 9.28.0). This was
> very shallow testing (afl fuzzing with random inputs, not starting with
> valid images), I assume there's much more. I reported those a long time
> ago to its author, he didn't seem interested in fixing such issues.
> 
> Some applications use dcraw automatically to parse images (gthumb,
> kphotoalbum, kde thumbnailers, gwenview).

I have requested and received CVEs from Mitre for those.

Ciao, Marcus

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

The 4 CVE IDs are below.

We would not ordinarily have CVE IDs for these types of crash issues.
However, https://seclists.org/oss-sec/2018/q4/171 says "because dcraw
intentionally doesn't provide a library, only an executable, code from
it is bundled in at least some applications."

For example, an FPE (such as a divide-by-zero) in the dcraw executable
isn't a security issue because it is only a way for the local user to
attack himself. However, it is plausible that someone has bundled the
dcraw code in an application that is supposed to continue running
forever to accept a continuous series of raw images from a camera over
Wi-Fi.

In https://seclists.org/oss-sec/2018/q4/165, "kodac_radc_load_raw" has
a typo in the fifth letter.


> [Suggested description]
> A buffer over-read in crop_masked_pixels in dcraw through 9.28 could be
> used by attackers able to supply malicious files to crash an application that bundles the dcraw code or leak
> private information.
> 
> ------------------------------------------
> 
> [Additional Information]
> issue 1 listed
> 
> ------------------------------------------
> 
> [VulnerabilityType Other]
> CWE-126
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Dave Coffin
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> dcraw - 9.28
> 
> ------------------------------------------
> 
> [Affected Component]
> dcraw
> 
> ------------------------------------------
> 
> [Attack Type]
> Local
> 
> ------------------------------------------
> 
> [Impact Information Disclosure]
> true
> 
> ------------------------------------------
> 
> [CVE Impact Other]
> crash
> 
> ------------------------------------------
> 
> [Attack Vectors]
> processing raw files
> 
> ------------------------------------------
> 
> [Reference]
> https://seclists.org/oss-sec/2018/q4/165
> https://seclists.org/oss-sec/2018/q4/171
> 
> ------------------------------------------
> 
> [Discoverer]
> Hanno Boeck

Use CVE-2018-19565.


> [Suggested description]
> A heap buffer over-read in parse_tiff_ifd in dcraw through 9.28 could be
> used by attackers able to supply malicious files to crash an application that bundles the dcraw code or leak
> private information.
> 
> ------------------------------------------
> 
> [Additional Information]
> second issue in posting
> 
> ------------------------------------------
> 
> [Vulnerability Type]
> Buffer Overflow
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Dave Coffin
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> dcraw - 9.28
> 
> ------------------------------------------
> 
> [Affected Component]
> dcraw
> 
> ------------------------------------------
> 
> [Attack Type]
> Local
> 
> ------------------------------------------
> 
> [Impact Information Disclosure]
> true
> 
> ------------------------------------------
> 
> [CVE Impact Other]
> crash
> 
> ------------------------------------------
> 
> [Attack Vectors]
> processing supplied raw files
> 
> ------------------------------------------
> 
> [Reference]
> https://seclists.org/oss-sec/2018/q4/165
> https://seclists.org/oss-sec/2018/q4/171
> 
> ------------------------------------------
> 
> [Discoverer]
> Hanno Boeck

Use CVE-2018-19566.


> [Suggested description]
> A floating point exception in parse_tiff_ifd in dcraw through 9.28 could
> be used by attackers able to supply malicious files to crash an application that bundles the dcraw code.
> 
> ------------------------------------------
> 
> [Additional Information]
> fourth issue in list
> 
> ------------------------------------------
> 
> [VulnerabilityType Other]
> crash
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Dave Coffin
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> dcraw - 9.28
> 
> ------------------------------------------
> 
> [Affected Component]
> dcraw
> 
> ------------------------------------------
> 
> [Attack Type]
> Local
> 
> ------------------------------------------
> 
> [Impact Denial of Service]
> true
> 
> ------------------------------------------
> 
> [Attack Vectors]
> attackers able to supply crafted files
> 
> ------------------------------------------
> 
> [Reference]
> https://seclists.org/oss-sec/2018/q4/165
> https://seclists.org/oss-sec/2018/q4/171
> 
> ------------------------------------------
> 
> [Discoverer]
> Hanno Boeck

Use CVE-2018-19567.


> [Suggested description]
> A floating point exception in kodak_radc_load_raw in dcraw through 9.28
> could be used by attackers able to supply malicious files to crash
> an application that bundles the dcraw code.
> 
> ------------------------------------------
> 
> [Additional Information]
> last issue in post
> 
> ------------------------------------------
> 
> [VulnerabilityType Other]
> crash
> 
> ------------------------------------------
> 
> [Vendor of Product]
> Dave Coffin
> 
> ------------------------------------------
> 
> [Affected Product Code Base]
> dcraw - 9.28
> 
> ------------------------------------------
> 
> [Affected Component]
> dcraw
> 
> ------------------------------------------
> 
> [Attack Type]
> Local
> 
> ------------------------------------------
> 
> [Impact Denial of Service]
> true
> 
> ------------------------------------------
> 
> [Attack Vectors]
> attackers able to supply crafted raw images
> 
> ------------------------------------------
> 
> [Reference]
> https://seclists.org/oss-sec/2018/q4/165
> https://seclists.org/oss-sec/2018/q4/171
> 
> ------------------------------------------
> 
> [Discoverer]
> Hanno Boeck

Use CVE-2018-19568.


- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJb/E9MAAoJEA2h+fVryJLo3uIP/3Vb9oOJKgQfo2R2DgLcvMeN
G87/1iAGgkvVSQk7vB5bUeockwHtcIRfy/yN6FwPKe893ec80o9R4dixDUp9mr+P
R2hJFYAsnGGuSbz1h25HOMQDmkg6jk2WWBtXuB7nVoWo9sabzTthqq5ykjdN8lLm
JFrvRQxTh2+FKSEZUP3UqaYngMktbOec+F8dEu7KlOeR+kBtrG2OoMU4RED/oAIW
HX2rdTs1tlEC2Awqa0gM4BbGB1Zrp/OvuRescV8BPDo/qHrLZbRmYuNR2JP0Rz9X
mxq26CZO29y5Vsghsg+Y/ytpBGwQUGYWo475Nt/YXbAOowammPCX/2zrEeoW+lSM
6J1mkuRC4dXOf3zZBX1GQaUJHS3ixMNJ5mtcURVo+2vQRyCMrAdMvWabhruzndTQ
4aCc+B3/UvxW+zzBrf0CSOt1An8XDrk/XCN/YlKsbJRJ7cSqKDtzlKtHmQHxxktQ
hTFGr4KKP6pgPHhLhMS6U2JL2LzOAyliT33uRJyE35dALs+WNSu5GKtpPHrxwf0L
4+lXhbi+6sjEBhVXQx7Lo7vStBQetEEVHJnQKfqSZZX6bJ65RstY3iaJ8aQDxi+C
f2PZcnxV49OU2bTR/zdlpMCT+5xrhivtKCuweiw9R04aGjztA6EErwTH0141v5RJ
9SfuauD6zHzlImz0/Uw5
=AUEp
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.