apng2gif: CVE-2017-6961: Improper sanitization of user input causing huge memory allocations resulting in crash

Related Vulnerabilities: CVE-2017-6961   CVE-2017-6960   CVE-2017-6962  

Debian Bug report logs - #854441

Reported by: Dileep Kumar Jallepalli <dileep.chinu@gmail.com>

Date: Tue, 7 Feb 2017 09:30:02 UTC

Severity: serious

Tags: security, upstream

Found in version apng2gif/1.7-1

Fixed in version apng2gif/1.8-0.1

Done: Reiner Herrmann <reiner@reiner-h.de>



Report forwarded to debian-bugs-dist@lists.debian.org, dileep.chinu@gmail.com, Jari Aalto <jari.aalto@cante.net>:
Bug#854441; Package apng2gif. (Tue, 07 Feb 2017 09:30:04 GMT)


Acknowledgement sent to Dileep Kumar Jallepalli <dileep.chinu@gmail.com>:
New Bug report received and forwarded. Copy sent to dileep.chinu@gmail.com, Jari Aalto <jari.aalto@cante.net>. (Tue, 07 Feb 2017 09:30:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Dileep Kumar Jallepalli <dileep.chinu@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apng2gif: Improper sanitization of user input causing huge memory allocations resulting in crash
Date: Tue, 07 Feb 2017 01:27:09 -0800
Package: apng2gif
Version: 1.7-1
Severity: important

Dear Maintainer,

Q.) What led up to the situation?
A.) In the read_chunk function, the line "pChunk->p = new unsigned char[pChunk->size]" is trying to allocate pChunk->size bytes of memory, where this pChunk->size is read from the png file. So, if this pChunk->size is set to a huge value, it can result in the crash of the program.

Q.) What exactly did you do (or not do) that was effective (or ineffective)?
A.) Just have to modify the relevant offset in the png file so that the pChunk->size value is huge.

    Steps to reproduce:
        Use the makefile in the attachment and compile the program (attaching the makefile just as a reference).
        Use the input.png file in the attachment as input to the program and run it:
                apng2gif input.png

Q.) What was the outcome of this action?
A.) Program will try to allocate huge amount of memory and can result in a
crash.

Sample Output:

apng2gif 1.7

Reading './crashes_submitted/largememoryallocation/input.png'...
terminate called after throwing an instance of 'std::bad_alloc'
  what():  std::bad_alloc
Aborted (core dumped)

Analysis:

gdb backtrace:
#0  0xb7fdd424 in __kernel_vsyscall ()
#1  0xb7d15687 in __GI_raise (sig=sig@entry=0x6) at .../nptl/sysdeps/unix/sysv/linux/raise.c:56
#2  0xb7d18ab3 in __GI_abort () at abort.c:89
#3  0xb7f28405 in __gnu_cxx::__verbose_terminate_handler() () from /usr/lib/i386-linux-gnu/libstdc++.so.6
#4  0xb7f26063 in ?? () from /usr/lib/i386-linux-gnu/libstdc++.so.6
#5  0xb7f2609f in std::terminate() () from /usr/lib/i386-linux-gnu/libstdc++.so.6
#6  0xb7f26306 in __cxa_throw () from /usr/lib/i386-linux-gnu/libstdc++.so.6
#7  0xb7f26916 in operator new(unsigned int) () from /usr/lib/i386-linux-gnu/libstdc++.so.6
#8  0xb7f269cb in operator new[](unsigned int) () from /usr/lib/i386-linux-gnu/libstdc++.so.6
#9  0x0804e78e in read_chunk (f=0x88e0008, pChunk=0xbffff410) at apng2gif.cpp:135
#10 0x08049921 in load_apng (szIn=0xbffff842 "./crashes_submitted/largememoryallocation/input.png", frames=..., num_loops=0xbffff4bc) at apng2gif.cpp:267
#11 0x0804e3f9 in main (argc=0x2, argv=0xbffff6c4) at apng2gif.cpp:1336
#12 0xb7d00af3 in __libc_start_main (main=0x804df2a <main(int, char**)>, argc=0x2, argv=0xbffff6c4, init=0x80500a0 <__libc_csu_init>, fini=0x8050110 <__libc_csu_fini>, rtld_fini=0xb7fed160 <_dl_fini>, stack_end=0xbffff6bc) at libc-start.c:287
#13 0x08048e71 in _start ()

The value of pChunk->size is 0xffffff8c, which is so large that it caused the
allocation to fail.

Q.) What outcome did you expect instead?
A.) Maybe some check to see if pChunk->size is greater than the size of png or
proper exception handling over memory allocation using new to gracefully quit
the program or using malloc instead of new to check the return pointer is null
or not.




-- System Information:
Debian Release: jessie/sid
  APT prefers trusty-updates
  APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500,
'trusty'), (100, 'trusty-backports')
Architecture: i386 (i686)

Kernel: Linux 3.13.0-32-generic (SMP w/2 CPU cores)
[Makefile (text/x-makefile, attachment)]
[input.png (image/png, attachment)]
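The report above describes an allocation whose size is taken straight from the chunk length field in the file, and asks for a size check against the file and for handling of the allocation failure. The following is an added example, not apng2gif's own code, showing what such a bounds-checked chunk reader looks like: the length field is validated against the PNG maximum chunk length and against the bytes actually left in the file before any allocation, and std::bad_alloc is converted into a status code instead of terminating the process. The names (Chunk, ReadStatus, read_chunk_checked, build_sample) are assumptions chosen for this illustration, and the in-memory sample "files", including one whose length field carries the 0xffffff8c value quoted in the report, are constructed here.

```cpp
#include <cstdint>
#include <cstring>
#include <memory>
#include <new>
#include <utility>
#include <vector>

// Added example, not apng2gif's code: names below are assumptions.
struct Chunk {
    uint32_t size = 0;                      // declared payload length
    char type[5] = {0};                     // 4-byte chunk type, NUL-terminated
    std::unique_ptr<unsigned char[]> data;  // payload buffer
};

enum ReadStatus { READ_OK = 0, READ_TRUNCATED, READ_BAD_LENGTH, READ_NO_MEMORY };

// PNG stores the chunk length and CRC as big-endian 32-bit integers.
static uint32_t read_be32(const unsigned char* p) {
    return (uint32_t(p[0]) << 24) | (uint32_t(p[1]) << 16) |
           (uint32_t(p[2]) << 8)  |  uint32_t(p[3]);
}

// Reads one chunk starting at `offset` in an in-memory file. Unlike an
// unchecked `new unsigned char[size]`, the declared length is validated
// before allocation and an allocation failure is reported, not fatal.
ReadStatus read_chunk_checked(const std::vector<unsigned char>& file,
                              size_t offset, Chunk& out) {
    const size_t header_len = 8;  // length (4) + type (4)
    const size_t crc_len = 4;
    if (offset > file.size() || file.size() - offset < header_len)
        return READ_TRUNCATED;
    const uint32_t size = read_be32(&file[offset]);
    if (size > 0x7fffffffu)       // PNG spec: chunk length <= 2^31 - 1
        return READ_BAD_LENGTH;
    const size_t remaining = file.size() - offset - header_len;
    if (remaining < crc_len || size > remaining - crc_len)
        return READ_TRUNCATED;    // payload + CRC must fit in the file
    std::unique_ptr<unsigned char[]> buf;
    try {
        buf.reset(new unsigned char[size ? size : 1]);
    } catch (const std::bad_alloc&) {
        return READ_NO_MEMORY;    // report instead of aborting the process
    }
    std::memcpy(out.type, &file[offset + 4], 4);
    out.type[4] = '\0';
    if (size) std::memcpy(buf.get(), &file[offset + header_len], size);
    out.size = size;
    out.data = std::move(buf);
    return READ_OK;
}

// Constructed sample: PNG signature, then one IHDR chunk header carrying
// `declared_len`, followed by `payload_bytes` zero bytes and a 4-byte CRC
// placeholder (the CRC is not verified in this example).
static std::vector<unsigned char> build_sample(uint32_t declared_len,
                                               size_t payload_bytes) {
    static const unsigned char sig[8] = {0x89, 'P', 'N', 'G', 0x0d, 0x0a, 0x1a, 0x0a};
    static const unsigned char ihdr[4] = {'I', 'H', 'D', 'R'};
    std::vector<unsigned char> f(sig, sig + 8);
    for (int shift = 24; shift >= 0; shift -= 8)
        f.push_back(static_cast<unsigned char>(declared_len >> shift));
    f.insert(f.end(), ihdr, ihdr + 4);
    f.insert(f.end(), payload_bytes, static_cast<unsigned char>(0));
    f.insert(f.end(), size_t(4), static_cast<unsigned char>(0));  // CRC placeholder
    return f;
}

// Well-formed 13-byte IHDR chunk: accepted.
ReadStatus status_valid_sample() {
    Chunk c;
    return read_chunk_checked(build_sample(13, 13), 8, c);
}

uint32_t valid_sample_size() {
    Chunk c;
    read_chunk_checked(build_sample(13, 13), 8, c);
    return c.size;
}

// Length field set to 0xffffff8c (the value from the report) with only 13
// payload bytes behind it: rejected before any allocation is attempted.
ReadStatus status_oversized_sample() {
    Chunk c;
    return read_chunk_checked(build_sample(0xffffff8cu, 13), 8, c);
}

// Length within the spec limit but larger than the file: caught by the
// remaining-bytes check rather than by an allocation failure.
ReadStatus status_truncated_sample() {
    Chunk c;
    return read_chunk_checked(build_sample(0x1000, 13), 8, c);
}
```

The remaining-bytes check is the one that matters for this report: a length that passes the spec limit can still be far larger than the file, and comparing it against what is left to read keeps the allocation bounded by the input size rather than by whatever a 32-bit field can express.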

Added tag(s) security. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 16 Mar 2017 19:09:04 GMT)


Changed Bug title to 'apng2gif: CVE-2017-6961: Improper sanitization of user input causing huge memory allocations resulting in crash' from 'apng2gif: Improper sanitization of user input causing huge memory allocations resulting in crash'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Mar 2017 11:27:09 GMT)


Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 17 Mar 2017 11:30:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Jari Aalto <jari.aalto@cante.net>:
Bug#854441; Package apng2gif. (Mon, 20 Mar 2017 22:06:07 GMT)


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Jari Aalto <jari.aalto@cante.net>. (Mon, 20 Mar 2017 22:06:07 GMT)


Message #16 received at 854441@bugs.debian.org:

From: Ola Lundqvist <ola@inguza.com>
To: 854441@bugs.debian.org, Dileep Kumar Jallepalli <dileep.chinu@gmail.com>
Subject: Can not reproduce in wheezy, jessie or sid (CVE-2017-6961) or?
Date: Mon, 20 Mar 2017 23:02:25 +0100
Hi

I have tried to reproduce this problem in wheezy, jessie and sid.

Wheezy:
(wheezy_chroot)root@tigereye:/# apng2gif bugreport.png
apng2gif 1.5
Reading 'bugreport.png'...
Error: can't load 'bugreport.png'

Jessie looks the same.

Sid looks a little different:
(sid_chroot)root@tigereye:/# apng2gif bugreport.png
apng2gif 1.7
Reading 'bugreport.png'...
load_apng() failed: 'bugreport.png'

But I can not find an indication of a core dump. Or is it so that I just do
not see that due to how the binary is built?

Best regards

// Ola
-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Information forwarded to debian-bugs-dist@lists.debian.org, Jari Aalto <jari.aalto@cante.net>:
Bug#854441; Package apng2gif. (Tue, 21 Mar 2017 06:06:03 GMT)


Acknowledgement sent to Dileep Kumar <dileep.chinu@gmail.com>:
Extra info received and forwarded to list. Copy sent to Jari Aalto <jari.aalto@cante.net>. (Tue, 21 Mar 2017 06:06:03 GMT)


Message #21 received at 854441@bugs.debian.org:

From: Dileep Kumar <dileep.chinu@gmail.com>
To: Ola Lundqvist <ola@inguza.com>, 854441@bugs.debian.org
Subject: Re: Can not reproduce in wheezy, jessie or sid (CVE-2017-6961) or?
Date: Tue, 21 Mar 2017 11:32:58 +0530
Hey,

The way you built the binary should not be a problem for reproducing
this bug. What is the machine config that you are using to reproduce? As
mentioned in the analysis, this input.png will try to allocate 0xffffff8c
bytes of memory, which should be around 4GB, so try testing it on a machine
with lower RAM or try limiting the process memory using ulimit or something
similar. Hope it helps.

Best Regards

On Tue, Mar 21, 2017 at 3:32 AM, Ola Lundqvist <ola@inguza.com> wrote:

> Hi
>
> I have tried to reproduce this problem in wheezy, jessie and sid.
>
> Wheezy:
> (wheezy_chroot)root@tigereye:/# apng2gif bugreport.png
> apng2gif 1.5
> Reading 'bugreport.png'...
> Error: can't load 'bugreport.png'
>
> Jessie looks the same.
>
> Sid looks a little different:
> (sid_chroot)root@tigereye:/# apng2gif bugreport.png
> apng2gif 1.7
> Reading 'bugreport.png'...
> load_apng() failed: 'bugreport.png'
>
> But I can not find an indication of a core dump. Or is it so that I just
> do not see that due to how the binary is built?
>
> Best regards
>
> // Ola
> --
>  --- Inguza Technology AB --- MSc in Information Technology ----
> /  ola@inguza.com                    Folkebogatan 26            \
> |  opal@debian.org                   654 68 KARLSTAD            |
> |  http://inguza.com/                Mobile: +46 (0)70-332 1551
> <+46%2070%20332%2015%2051> |
> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>  ---------------------------------------------------------------
>
>

Information forwarded to debian-bugs-dist@lists.debian.org, Jari Aalto <jari.aalto@cante.net>:
Bug#854441; Package apng2gif. (Tue, 21 Mar 2017 12:03:03 GMT)


Acknowledgement sent to Ola Lundqvist <ola@inguza.com>:
Extra info received and forwarded to list. Copy sent to Jari Aalto <jari.aalto@cante.net>. (Tue, 21 Mar 2017 12:03:03 GMT)


Message #26 received at 854441@bugs.debian.org:

From: Ola Lundqvist <ola@inguza.com>
To: Dileep Kumar <dileep.chinu@gmail.com>
Cc: Ola Lundqvist <ola@inguza.com>, 854441@bugs.debian.org
Subject: Re: Can not reproduce in wheezy, jessie or sid (CVE-2017-6961) or?
Date: Tue, 21 Mar 2017 12:59:00 +0100
Hi

I'm quite sure I do not have as much as 4 GB ram on my machine. It is an
amd64 but I do not think I have more than 4 GB in total. I have to check
that.
Also it aborts with an error much earlier than I expect if it really tries
to allocate that size.

Best regards

// Ola

On 21 March 2017 at 07:02, Dileep Kumar <dileep.chinu@gmail.com> wrote:

> Hey,
>
> The way you built the binary should not be a problem for reproducing for
> this bug. What is the machine config that you are using to reproduce?? As
> mentioned in the analysis, this input.png will try to allocate 0xffffff8c
> bytes of memory which should be around 4GB, so try testing it in a machine
> with lower RAM or try limiting the process memory using ulimit or something
> similar. Hope it helps.
>
> Best Regards
>
> On Tue, Mar 21, 2017 at 3:32 AM, Ola Lundqvist <ola@inguza.com> wrote:
>
>> Hi
>>
>> I have tried to reproduce this problem in wheezy, jessie and sid.
>>
>> Wheezy:
>> (wheezy_chroot)root@tigereye:/# apng2gif bugreport.png
>> apng2gif 1.5
>> Reading 'bugreport.png'...
>> Error: can't load 'bugreport.png'
>>
>> Jessie looks the same.
>>
>> Sid looks a little different:
>> (sid_chroot)root@tigereye:/# apng2gif bugreport.png
>> apng2gif 1.7
>> Reading 'bugreport.png'...
>> load_apng() failed: 'bugreport.png'
>>
>> But I can not find an indication of a core dump. Or is it so that I just
>> do not see that due to how the binary is built?
>>
>> Best regards
>>
>> // Ola
>> --
>>  --- Inguza Technology AB --- MSc in Information Technology ----
>> /  ola@inguza.com                    Folkebogatan 26            \
>> |  opal@debian.org                   654 68 KARLSTAD            |
>> |  http://inguza.com/                Mobile: +46 (0)70-332 1551
>> <+46%2070%20332%2015%2051> |
>> \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
>>  ---------------------------------------------------------------
>>
>>
>


-- 
 --- Inguza Technology AB --- MSc in Information Technology ----
/  ola@inguza.com                    Folkebogatan 26            \
|  opal@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551 |
\  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------

Information forwarded to debian-bugs-dist@lists.debian.org, Jari Aalto <jari.aalto@cante.net>:
Bug#854441; Package apng2gif. (Thu, 25 May 2017 15:27:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Jari Aalto <jari.aalto@cante.net>. (Thu, 25 May 2017 15:27:06 GMT)


Message #31 received at 854441@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 854367@bugs.debian.org, 854441@bugs.debian.org, 854447@bugs.debian.org
Subject: Fixed upstream (new upstream version 1.8)
Date: Thu, 25 May 2017 17:25:09 +0200
All of those should be fixed in the new upstream version 1.8 according
to the upstream author.



Information forwarded to debian-bugs-dist@lists.debian.org, Jari Aalto <jari.aalto@cante.net>:
Bug#854441; Package apng2gif. (Sun, 01 Oct 2017 09:48:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jari Aalto <jari.aalto@cante.net>. (Sun, 01 Oct 2017 09:48:05 GMT)


Message #36 received at 854441@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: jari.aalto@cante.net
Cc: 854367@bugs.debian.org, 854441@bugs.debian.org, 854447@bugs.debian.org, carnil@debian.org
Subject: Re: Fixed upstream (new upstream version 1.8)
Date: Sun, 1 Oct 2017 11:32:46 +0200
On Thu, May 25, 2017 at 05:25:09PM +0200, Salvatore Bonaccorso wrote:
> All of those should be fixed in the new upstream version 1.8 according
> to the upstream author.

What's the status? This is unfixed for quite a while now?

Cheers,
        Moritz



Severity set to 'serious' from 'important'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 01 Oct 2017 09:48:11 GMT)


Added tag(s) pending. Request was from reiner@reiner-h.de to 854367-submit@bugs.debian.org. (Sat, 27 Oct 2018 12:57:03 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Jari Aalto <jari.aalto@cante.net>:
Bug#854441; Package apng2gif. (Sat, 27 Oct 2018 12:57:05 GMT)


Acknowledgement sent to reiner@reiner-h.de:
Extra info received and forwarded to list. Copy sent to Jari Aalto <jari.aalto@cante.net>. (Sat, 27 Oct 2018 12:57:05 GMT)


Message #45 received at 854441@bugs.debian.org:

From: reiner@reiner-h.de
To: 854367@bugs.debian.org, 854441@bugs.debian.org, 854447@bugs.debian.org
Subject: apng2gif: diff for NMU version 1.8-0.1
Date: Sat, 27 Oct 2018 14:52:26 +0200
Control: tags 854367 + pending
Control: tags 854441 + pending
Control: tags 854447 + pending


Dear maintainer,

I've prepared an NMU for apng2gif (versioned as 1.8-0.1) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer.

Regards.
  Reiner



Reply sent to Reiner Herrmann <reiner@reiner-h.de>:
You have taken responsibility. (Mon, 29 Oct 2018 13:06:08 GMT)


Notification sent to Dileep Kumar Jallepalli <dileep.chinu@gmail.com>:
Bug acknowledged by developer. (Mon, 29 Oct 2018 13:06:08 GMT)


Message #50 received at 854441-close@bugs.debian.org:

From: Reiner Herrmann <reiner@reiner-h.de>
To: 854441-close@bugs.debian.org
Subject: Bug#854441: fixed in apng2gif 1.8-0.1
Date: Mon, 29 Oct 2018 13:04:00 +0000
Source: apng2gif
Source-Version: 1.8-0.1

We believe that the bug you reported is fixed in the latest version of
apng2gif, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 854441@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Reiner Herrmann <reiner@reiner-h.de> (supplier of updated apng2gif package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sat, 27 Oct 2018 14:15:49 +0200
Source: apng2gif
Binary: apng2gif
Architecture: source
Version: 1.8-0.1
Distribution: unstable
Urgency: medium
Maintainer: Jari Aalto <jari.aalto@cante.net>
Changed-By: Reiner Herrmann <reiner@reiner-h.de>
Description:
 apng2gif   - tool for converting APNG images to animated GIF format
Closes: 854367 854441 854447
Changes:
 apng2gif (1.8-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - Fixes CVE-2017-6960 (Closes: #854367).
     - Fixes CVE-2017-6961 (Closes: #854441).
     - Fixes CVE-2017-6962 (Closes: #854447).
Checksums-Sha1:
 2d6fdc91c41949e7c1707f4f2a1e70c1d43b059f 1886 apng2gif_1.8-0.1.dsc
 f1f24e5ece9b6880334ba218c5ff7dadf91aedda 437914 apng2gif_1.8.orig.tar.gz
 d34cc6d4258909a473752a88eb04405f404f5f22 6724 apng2gif_1.8-0.1.debian.tar.xz
 69f724c185a3620421d84967dee31f72c77f5df3 5548 apng2gif_1.8-0.1_powerpc.buildinfo
Checksums-Sha256:
 e43a8f19ddced85f005478ea8c7be96f202622328d23bd3c90554d9e78fb0679 1886 apng2gif_1.8-0.1.dsc
 4d47a2c0e6656bbc5afeecccc62b22f885a6b0434944bd52824126a156959649 437914 apng2gif_1.8.orig.tar.gz
 8592fc133ea42694c79cfffa5ad31526cb8ab0c0045f1552e246757fd9a1e0be 6724 apng2gif_1.8-0.1.debian.tar.xz
 5e66e72e7073d06871e3793f22c3396df687ce6f63919e4d826ce2e6c6fa43ef 5548 apng2gif_1.8-0.1_powerpc.buildinfo
Files:
 839d4f7f3f0d2a869484e53b0f6de19b 1886 graphics optional apng2gif_1.8-0.1.dsc
 4cf980234840ce2aa856cf328c644e85 437914 graphics optional apng2gif_1.8.orig.tar.gz
 50b9332ec64e1541522fe109244f8d61 6724 graphics optional apng2gif_1.8-0.1.debian.tar.xz
 eaa7b7aac0edb69c1d1fdda722e916a0 5548 graphics optional apng2gif_1.8-0.1_powerpc.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEWXMI+726A12MfJXdxCxY61kUkv0FAlvUXCQACgkQxCxY61kU
kv1JaRAAsFYXg6vhnRAqwdnRYkr1OTBbmm4fsjglS4I/fzixylAXQdpGHNakbrkb
YWjxuOpPwefVzOF15o++MGunIRQMO4C0DBFah6Qf4Ioz+Wtx8Lmo6d/TZKG2R80X
7ekCOSgmE5SDkl+xfY0RrJqTTY8bLkhsplzaQsY/fyyf3isRCbkkhOZRfSWOCewa
Zft8c8U9lUVmKgGyh5AP3keJDVhgZiuU2buDswUq2VTsuQaBTwyXIICGWbIWjE0u
F0ayKvzCQKgWTHg8PSAY4m884/DyDupEofHxfYuzSp5rH4iEk4O24oJuCv6vnKyg
r1M4kiauBW0arqW4H/u4J5yKmywXxrppXRYQ+O3eu9y6sC3Vxee0rZgtNgv7GPTP
EBJik9qHLuB34TmDi5ynAx96QjQkvutMHTZsF6dksSkyasoVZ217UaL/9glAqrVN
4DvE0c6TrLsP4HTySatZJfoEze1NigJPrO9k1m5C6TEV/gKZfKXneba7IRcGxPNE
cApUjza56COd7MG2x82XpnI+vGCZChU8gVde3VnKUTLJAXJxa9tjg/zmdgtMi3GS
V5yYNYTkDY9NKzOF7vpSxRQgna0RXSg6XkMM77b/OEaxL217/Xeg6nwXrlsucCN4
mfIZm1rg9DsIBdMAvuIByMLNg6lD111OnSerGNvMmTMU0PUuabM=
=kXuG
-----END PGP SIGNATURE-----





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 16:59:39 2019; Machine Name: beach
