apng2gif: CVE-2017-6960: Integer overflow resulting in heap buffer overflow

Related Vulnerabilities: CVE-2017-6960   CVE-2017-6961   CVE-2017-6962  

Debian Bug report logs - #854367
Reported by: Dileep Kumar Jallepalli <dileep.chinu@gmail.com>

Date: Mon, 6 Feb 2017 12:21:03 UTC

Severity: serious

Tags: security, upstream

Found in versions apng2gif/1.5-1, apng2gif/1.7-1

Fixed in version apng2gif/1.8-0.1

Done: Reiner Herrmann <reiner@reiner-h.de>


Report forwarded to debian-bugs-dist@lists.debian.org, dileep.chinu@gmail.com, Jari Aalto <jari.aalto@cante.net>:
Bug#854367; Package apng2gif. (Mon, 06 Feb 2017 12:21:05 GMT)


Acknowledgement sent to Dileep Kumar Jallepalli <dileep.chinu@gmail.com>:
New Bug report received and forwarded. Copy sent to dileep.chinu@gmail.com, Jari Aalto <jari.aalto@cante.net>. (Mon, 06 Feb 2017 12:21:05 GMT)


Message #5 received at submit@bugs.debian.org:

From: Dileep Kumar Jallepalli <dileep.chinu@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apng2gif: Integer overflow resulting in heap buffer overflow
Date: Mon, 06 Feb 2017 04:20:49 -0800
[Message part 1 (text/plain, inline)]
Package: apng2gif
Version: 1.7-1
Severity: important

Dear Maintainer,

Q.) What led up to the situation?
A.) In the load_apng function, the imagesize variable is prone to an integer
overflow vulnerability (it is basically calculated from the w and h variables,
which are in the hands of the user input). frameRaw.p and frameCur.p are then
assigned a lower amount of memory because of this vulnerability, which results
in unallocated memory pointers in frameRaw.rows and frameCur.rows whose
dereference can cause a heap buffer overflow read/write.

Q.) What exactly did you do (or not do) that was effective (or ineffective)?
A.) Just have to modify the relevant offsets in the png file so that the h and
w variables can result in an overflow of the imagesize variable.

    Steps to reproduce:
        Use the makefile in the attachment and compile the program to get the
        program in asan mode.
        Use the input.png file in the attachment as input to the program and
        run it:
                apng2gif input.png

Q.) What was the outcome of this action?
A.) Heap buffer overflow read at memcpy in the if condition bop==0 in the
compose_frame function, for example. But theoretically, this can result in a
heap overflow write in some memcpy too under specific conditions.

Sample ASAN Output:

apng2gif 1.7

Reading './crashes_submitted/integeroverflow/input.png'...
=================================================================
==16318== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb57ff8ff
at pc 0x804a7e2 bp 0xbfe89908 sp 0xbfe898fc
READ of size 1 at 0xb57ff8ff thread T0
    #0 0x804a7e1 (apng2gif/1.7/gccasanbuild/apng2gif+0x804a7e1)
    #1 0x80582bb (apng2gif/1.7/gccasanbuild/apng2gif+0x80582bb)
    #2 0x804938b (apng2gif/1.7/gccasanbuild/apng2gif+0x804938b)
    #3 0xb5e2baf2 (/lib/i386-linux-gnu/libc-2.19.so+0x19af2)
    #4 0x804a0c1 (apng2gif/1.7/gccasanbuild/apng2gif+0x804a0c1)
0xb57ff8ff is located 255 bytes to the right of 67375104-byte region
[0xb17be800,0xb57ff800)
allocated by thread T0 here:
    #0 0xb61006a4 (/usr/lib/i386-linux-gnu/libasan.so.0.0.0+0x116a4)
    #1 0x805626a (apng2gif/1.7/gccasanbuild/apng2gif+0x805626a)
    #2 0x804938b (apng2gif/1.7/gccasanbuild/apng2gif+0x804938b)
    #3 0xb5e2baf2 (/lib/i386-linux-gnu/libc-2.19.so+0x19af2)
Shadow bytes around the buggy address:
  0x36affec0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36affed0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36affee0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36affef0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x36afff00: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x36afff10: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa[fa]
  0x36afff20: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36afff30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36afff40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36afff50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x36afff60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap righ redzone:     fb
  Freed Heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  ASan internal:         fe
==16318== ABORTING

Q.) What outcome did you expect instead?
A.) Maybe some check to see if each pointer in frameRaw.rows/frameCur.rows is
less than or equal to frameCur.p + imagesize before trying to dereference them.
Or maybe something to get rid of the integer overflow in the first place.

-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500,
'trusty'), (100, 'trusty-backports')
Architecture: i386 (i686)

Kernel: Linux 3.13.0-32-generic (SMP w/2 CPU cores)
[input.png (image/png, attachment)]
[Makefile (text/x-makefile, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jari Aalto <jari.aalto@cante.net>:
Bug#854367; Package apng2gif. (Wed, 15 Feb 2017 07:18:03 GMT)


Acknowledgement sent to Dileep Kumar <dileep.chinu@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jari Aalto <jari.aalto@cante.net>. (Wed, 15 Feb 2017 07:18:03 GMT)


Message #10 received at 854367@bugs.debian.org:

From: Dileep Kumar <dileep.chinu@gmail.com>
To: 854367@bugs.debian.org
Subject: Any update on this bug
Date: Wed, 15 Feb 2017 12:45:05 +0530
[Message part 1 (text/plain, inline)]
Hi,

Is there any update on this bug? I'm new to submitting bugs in Debian
packages, hence not sure if I had done it correctly and if it had been
assigned to the maintainer or not.

-Dileep
[Message part 2 (text/html, inline)]

Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 16 Mar 2017 19:09:03 GMT)


Changed Bug title to 'apng2gif: CVE-2017-6960: Integer overflow resulting in heap buffer overflow' from 'apng2gif: Integer overflow resulting in heap buffer overflow'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Mar 2017 11:27:08 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Mar 2017 11:30:04 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Jari Aalto <jari.aalto@cante.net>:
Bug#854367; Package apng2gif. (Mon, 20 Mar 2017 22:12:03 GMT)


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Jari Aalto <jari.aalto@cante.net>. (Mon, 20 Mar 2017 22:12:03 GMT)


Message #21 received at 854367@bugs.debian.org:

From: Ola Lundqvist <ola@inguza.com>
To: 854367@bugs.debian.org, Dileep Kumar Jallepalli <dileep.chinu@gmail.com>
Subject: Problem easy to reproduce (CVE-2017-6960)
Date: Mon, 20 Mar 2017 23:10:01 +0100
[Message part 1 (text/plain, inline)]
Hi

I just want to inform that the problem was easy to reproduce on wheezy,
jessie and sid.

Sid:
(sid_chroot)root@tigereye:/# apng2gif input-854367.png
apng2gif 1.7
Reading 'input-854367.png'...
Segmentation fault

Wheezy and jessie look similar:
(wheezy_chroot)root@tigereye:/# apng2gif input-854367.png
apng2gif 1.5
Reading 'input-854367.png'...
Segmentation fault

Best regards

// Ola

-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
[Message part 2 (text/html, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jari Aalto <jari.aalto@cante.net>:
Bug#854367; Package apng2gif. (Tue, 21 Mar 2017 19:48:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Jari Aalto <jari.aalto@cante.net>. (Tue, 21 Mar 2017 19:48:06 GMT)


Message #26 received at 854367@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 854367@bugs.debian.org, 854367-submitter@bugs.debian.org
Subject: Re: Bug#854367: apng2gif: Integer overflow resulting in heap buffer overflow
Date: Tue, 21 Mar 2017 20:44:31 +0100
Control: found -1 1.5-1

Hi 

although the code has changed a lot after 1.5, this seems to be present in
similar form as well in LoadAPNG (triggerable e.g. on line 623), as

==6087==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fac2f9ff800 at pc 0x7fac3356673c bp 0x7ffd048d8520 sp 0x7ffd048d7cd0
WRITE of size 1090585600 at 0x7fac2f9ff800 thread T0
[...]
so even as heap-buffer-overflow WRITE.

Updating found version accordingly.

Regards,
Salvatore



Marked as found in versions apng2gif/1.5-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to 854367-submit@bugs.debian.org. (Tue, 21 Mar 2017 19:48:06 GMT)


Message sent on to Dileep Kumar Jallepalli <dileep.chinu@gmail.com>:
Bug#854367. (Tue, 21 Mar 2017 19:48:08 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Jari Aalto <jari.aalto@cante.net>:
Bug#854367; Package apng2gif. (Fri, 24 Mar 2017 22:03:02 GMT)


Acknowledgement sent to Chris Lamb <lamby@debian.org>:
Extra info received and forwarded to list. Copy sent to Jari Aalto <jari.aalto@cante.net>. (Fri, 24 Mar 2017 22:03:03 GMT)


Message #36 received at 854367@bugs.debian.org:

From: Chris Lamb <lamby@debian.org>
To: 854367@bugs.debian.org
Cc: Dileep Kumar Jallepalli <dileep.chinu@gmail.com>
Subject: Re: apng2gif: CVE-2017-6960: Integer overflow resulting in heap buffer overflow
Date: Fri, 24 Mar 2017 22:00:32 +0000
Hi,

> apng2gif: CVE-2017-6960: Integer overflow resulting in heap buffer
> overflow

Do we have an upstream-blessed patch for this yet, out of interest?


Regards,

-- 
      ,''`.
     : :'  :     Chris Lamb
     `. `'`      lamby@debian.org / chris-lamb.co.uk
       `-



Message sent on to Dileep Kumar Jallepalli <dileep.chinu@gmail.com>:
Bug#854367. (Thu, 25 May 2017 15:03:03 GMT)


Message #39 received at 854367-submitter@bugs.debian.org:

From: Hugo Lefeuvre <hle@debian.org>
To: 854367-submitter@bugs.debian.org
Cc: debian-lts@lists.debian.org, team@security.debian.org
Subject: Patch proposal for CVE-2017-6960 in Wheezy (/Jessie)
Date: Thu, 25 May 2017 17:01:36 +0200
[Message part 1 (text/plain, inline)]
Hi,

I have prepared a patch for apng2gif 1.5.

Testing did not reveal any problem, but I'm sure it can still be
improved.

Could anybody take a look at it ? 

Debdiff for wheezy is in attachment (a test package for wheezy is also
available here[0]).

This patch should also fix the issue in Jessie, but I did not test it.
I can build a test package if needed.

Cheers,
 Hugo

[0] https://people.debian.org/~hle/lts/apng2gif_1.5-1+deb7u1_amd64.changes

-- 
             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
[debdiff (text/plain, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jari Aalto <jari.aalto@cante.net>:
Bug#854367; Package apng2gif. (Thu, 25 May 2017 15:27:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Jari Aalto <jari.aalto@cante.net>. (Thu, 25 May 2017 15:27:05 GMT)


Message #44 received at 854367@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 854367@bugs.debian.org, 854441@bugs.debian.org, 854447@bugs.debian.org
Subject: Fixed upstream (new upstream version 1.8)
Date: Thu, 25 May 2017 17:25:09 +0200
All of those should be fixed in the new upstream version 1.8 according
to the upstream author.



Message sent on to Dileep Kumar Jallepalli <dileep.chinu@gmail.com>:
Bug#854367. (Wed, 31 May 2017 20:51:04 GMT)


Message #47 received at 854367-submitter@bugs.debian.org:

From: Ola Lundqvist <ola@inguza.com>
To: Hugo Lefeuvre <hle@debian.org>
Cc: 854367-submitter@bugs.debian.org, Debian LTS <debian-lts@lists.debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Patch proposal for CVE-2017-6960 in Wheezy (/Jessie)
Date: Wed, 31 May 2017 22:48:04 +0200
Hi Hugo

I have reviewed your code and it looks good to me. I do not know this
library very well, however, so I may have overlooked something. But the
checks look ok.

What I'm not sure of is the break statement, but I guess you have
control over that part.

Have you tested that the solution works against some test image that
broke it in an earlier version?
Have you done any form of regression test?

Best regards

// Ola

On 25 May 2017 at 17:01, Hugo Lefeuvre <hle@debian.org> wrote:
> Hi,
>
> I have prepared a patch for apng2gif 1.5.
>
> Testing did not reveal any problem, but I'm sure it can still be
> improved.
>
> Could anybody take a look at it ?
>
> Debdiff for wheezy is in attachment (a test package for wheezy is also
> available here[0]).
>
> This patch should also fix the issue in Jessie, but I did not test it.
> I can build a test package if needed.
>
> Cheers,
>  Hugo
>
> [0] https://people.debian.org/~hle/lts/apng2gif_1.5-1+deb7u1_amd64.changes
>
> --
>              Hugo Lefeuvre (hle)    |    www.owl.eu.com
> 4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E



-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------



Message sent on to Dileep Kumar Jallepalli <dileep.chinu@gmail.com>:
Bug#854367. (Fri, 02 Jun 2017 07:33:13 GMT)


Message #50 received at 854367-submitter@bugs.debian.org:

From: Hugo Lefeuvre <hle@debian.org>
To: Ola Lundqvist <ola@inguza.com>
Cc: 854367-submitter@bugs.debian.org, Debian LTS <debian-lts@lists.debian.org>, Debian Security Team <team@security.debian.org>
Subject: Re: Patch proposal for CVE-2017-6960 in Wheezy (/Jessie)
Date: Fri, 2 Jun 2017 09:29:14 +0200
[Message part 1 (text/plain, inline)]
Hi Ola,

> I have reviewed your code and it looks good to me. I do not know this
> library very well, however, so I may have overlooked something. But the
> checks look ok.
> 
> What I'm not sure of is the break statement, but I guess you have
> control over that part.

Thanks for your review !

This code is executed in a big do-while structure, that's why we break
in case of errors (upstream did it at line 620 for example). The return
value res is initialized with value 1 (=error) at line 524 so we return
error. Error handling is then realised at line 1891.

> Have you tested that the solution works against some test image that
> broke it in an earlier version?
> Have you done any form of regression test?

I have tested with the original reproducer and crafted myself other
malicious apng files to trigger the case where (h > UINT_MAX/(4*(frames+1))) or
(w > UINT_MAX/(4*(frames+1))) which I forgot to handle at the beginning.

regression tests with two "normal" apng files, everything was working
fine.

If nobody is against it, I'd upload this patch now.

Cheers,
 Hugo

-- 
             Hugo Lefeuvre (hle)    |    www.owl.eu.com
4096/ ACB7 B67F 197F 9B32 1533 431C AC90 AC3E C524 065E
[signature.asc (application/pgp-signature, inline)]
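
The size overflow from the original report and the kind of division-based check discussed in the patch review above, as an added example that is not part of this bug log, the proposed debdiff or apng2gif's source. The names image_size_unchecked, image_size_checked, frame_alloc and struct frame are hypothetical, 4 bytes per pixel is an assumption, and the dimensions are constructed rather than taken from the attached input.png.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BYTES_PER_PIXEL 4u /* assumption: 4-byte RGBA pixels */

/* Hypothetical frame layout: one pixel buffer plus a table of row pointers. */
struct frame {
    unsigned char  *p;
    unsigned char **rows;
    uint32_t        size;
};

/* The pattern from the report: a 32-bit product of two file-controlled
 * values. Unsigned arithmetic wraps modulo 2^32 without any error. */
static uint32_t image_size_unchecked(uint32_t w, uint32_t h)
{
    return w * h * BYTES_PER_PIXEL;
}

/* Division-based check done before multiplying. Returns 0 and stores the
 * size on success, -1 when a dimension is zero or the product would not
 * fit in 32 bits. */
static int image_size_checked(uint32_t w, uint32_t h, uint32_t *out)
{
    if (w == 0 || h == 0 || w > UINT32_MAX / BYTES_PER_PIXEL)
        return -1;
    uint32_t rowbytes = w * BYTES_PER_PIXEL;
    if (h > UINT32_MAX / rowbytes)
        return -1;
    *out = rowbytes * h;
    return 0;
}

/* Allocate only after validation, so every row pointer stays inside
 * [p, p + size). */
static int frame_alloc(struct frame *f, uint32_t w, uint32_t h)
{
    uint32_t size;
    if (image_size_checked(w, h, &size) != 0)
        return -1;
    f->p = malloc(size);
    f->rows = malloc((size_t)h * sizeof *f->rows);
    if (f->p == NULL || f->rows == NULL) {
        free(f->p);
        free(f->rows);
        return -1;
    }
    for (uint32_t j = 0; j < h; j++)
        f->rows[j] = f->p + (size_t)j * w * BYTES_PER_PIXEL;
    f->size = size;
    return 0;
}

int main(void)
{
    /* Constructed dimensions, not taken from the attached input.png. */
    uint32_t w = 0x10000u, h = 0x10001u, size = 0;
    struct frame f;
    printf("unchecked size: %u bytes\n", (unsigned)image_size_unchecked(w, h));
    printf("checked:        %s\n",
           image_size_checked(w, h, &size) == 0 ? "accepted" : "rejected");
    if (frame_alloc(&f, 64, 48) == 0) {
        printf("64x48 frame:    %u bytes\n", (unsigned)f.size);
        free(f.rows);
        free(f.p);
    }
    return 0;
}
```

With the constructed dimensions the unchecked product wraps to a 256 KiB allocation for an image that needs about 16 GiB, which is the mismatch between buffer size and row pointers that the report describes.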

Information forwarded to debian-bugs-dist@lists.debian.org, Jari Aalto <jari.aalto@cante.net>:
Bug#854367; Package apng2gif. (Sun, 01 Oct 2017 09:48:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jari Aalto <jari.aalto@cante.net>. (Sun, 01 Oct 2017 09:48:03 GMT)


Message #55 received at 854367@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: jari.aalto@cante.net
Cc: 854367@bugs.debian.org, 854441@bugs.debian.org, 854447@bugs.debian.org, carnil@debian.org
Subject: Re: Fixed upstream (new upstream version 1.8)
Date: Sun, 1 Oct 2017 11:32:46 +0200
On Thu, May 25, 2017 at 05:25:09PM +0200, Salvatore Bonaccorso wrote:
> All of those should be fixed in the new upstream version 1.8 according
> to the upstream author.

What's the status? This is unfixed for quite a while now?

Cheers,
        Moritz



Severity set to 'serious' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 01 Oct 2017 09:48:11 GMT)


Added tag(s) pending. Request was from Stephen Kitt <skitt@debian.org> to control@bugs.debian.org. (Thu, 07 Dec 2017 19:51:08 GMT)


Removed tag(s) pending. Request was from Stephen Kitt <skitt@debian.org> to control@bugs.debian.org. (Thu, 07 Dec 2017 22:09:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Jari Aalto <jari.aalto@cante.net>:
Bug#854367; Package apng2gif. (Sat, 27 Oct 2018 12:57:02 GMT)


Acknowledgement sent to reiner@reiner-h.de:
Extra info received and forwarded to list. Copy sent to Jari Aalto <jari.aalto@cante.net>. (Sat, 27 Oct 2018 12:57:02 GMT)


Message #66 received at 854367@bugs.debian.org:

From: reiner@reiner-h.de
To: 854367@bugs.debian.org, 854441@bugs.debian.org, 854447@bugs.debian.org
Subject: apng2gif: diff for NMU version 1.8-0.1
Date: Sat, 27 Oct 2018 14:52:26 +0200
Control: tags 854367 + pending
Control: tags 854441 + pending
Control: tags 854447 + pending


Dear maintainer,

I've prepared an NMU for apng2gif (versioned as 1.8-0.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.
  Reiner



Added tag(s) pending. Request was from reiner@reiner-h.de to 854367-submit@bugs.debian.org. (Sat, 27 Oct 2018 12:57:02 GMT)


Reply sent to Reiner Herrmann <reiner@reiner-h.de>:
You have taken responsibility. (Mon, 29 Oct 2018 13:06:07 GMT)


Notification sent to Dileep Kumar Jallepalli <dileep.chinu@gmail.com>:
Bug acknowledged by developer. (Mon, 29 Oct 2018 13:06:07 GMT)


Message #73 received at 854367-close@bugs.debian.org:

From: Reiner Herrmann <reiner@reiner-h.de>
To: 854367-close@bugs.debian.org
Subject: Bug#854367: fixed in apng2gif 1.8-0.1
Date: Mon, 29 Oct 2018 13:04:00 +0000
Source: apng2gif
Source-Version: 1.8-0.1

We believe that the bug you reported is fixed in the latest version of
apng2gif, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 854367@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reiner Herrmann <reiner@reiner-h.de> (supplier of updated apng2gif package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sat, 27 Oct 2018 14:15:49 +0200
Source: apng2gif
Binary: apng2gif
Architecture: source
Version: 1.8-0.1
Distribution: unstable
Urgency: medium
Maintainer: Jari Aalto <jari.aalto@cante.net>
Changed-By: Reiner Herrmann <reiner@reiner-h.de>
Description:
 apng2gif   - tool for converting APNG images to animated GIF format
Closes: 854367 854441 854447
Changes:
 apng2gif (1.8-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - Fixes CVE-2017-6960 (Closes: #854367).
     - Fixes CVE-2017-6961 (Closes: #854441).
     - Fixes CVE-2017-6962 (Closes: #854447).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:57:55 2019; Machine Name: buxtehude
