Debian Bug report logs - #878739
gifsicle: double-free bug when running gifdiff
Report forwarded to debian-bugs-dist@lists.debian.org, joonun.jang@gmail.com, Herbert Parentes Fortes Neto <hpfn@debian.org>: Bug#878739; Package gifsicle. (Mon, 16 Oct 2017 11:15:07 GMT)
Acknowledgement sent to Joonun Jang <joonun.jang@gmail.com>: New Bug report received and forwarded. Copy sent to joonun.jang@gmail.com, Herbert Parentes Fortes Neto <hpfn@debian.org>. (Mon, 16 Oct 2017 11:15:07 GMT)
Message #5 received at submit@bugs.debian.org:
Package: gifsicle
Version: 1.90-1
Severity: normal
Dear Maintainer,
Running 'gifdiff poc poc' with the attached file raises a double-free bug,
which may allow a remote attacker to cause a denial-of-service attack or
other unspecified impact with a crafted file.
I expected the program to terminate without a segfault, but the program
crashes as follows:
----------------------------
june@june:~/project/analyze/poc/gifdiff/crash4$ ~/project/analyze/bins/gifsicle-1.90/src/gifdiff poc poc
=================================================================
==22514==ERROR: AddressSanitizer: attempting double-free on 0x611000009c80 in thread T0:
    #0 0x7f3b19570090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x56146456d6f3 in Gif_Realloc (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x146f3)
    #2 0x561464577ed3 in suck_data (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x1eed3)
    #3 0x561464579219 in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20219)
    #4 0x561464579825 in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
    #5 0x56146457e4eb in read_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
    #6 0x56146457e96f in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2596f)
    #7 0x7f3b18e2b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #8 0x56146455dde9 in _start (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x4de9)

0x611000009c80 is located 0 bytes inside of 253-byte region [0x611000009c80,0x611000009d7d)
freed by thread T0 here:
    #0 0x7f3b1956fa10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x56146457952d in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2052d)
    #2 0x561464579825 in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
    #3 0x56146457e4eb in read_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
    #4 0x56146457e95f in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2595f)
    #5 0x7f3b18e2b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

previously allocated by thread T0 here:
    #0 0x7f3b19570090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x56146456d6f3 in Gif_Realloc (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x146f3)
    #2 0x561464577ed3 in suck_data (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x1eed3)
    #3 0x561464579219 in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20219)
    #4 0x561464579825 in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
    #5 0x56146457e4eb in read_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
    #6 0x56146457e95f in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2595f)
    #7 0x7f3b18e2b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: double-free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090) in realloc
==22514==ABORTING
-----------------------------
The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.
-- System Information:
Debian Release: 9.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages gifsicle depends on:
ii libc6 2.24-11+deb9u1
ii libx11-6 2:1.6.4-3
gifsicle recommends no packages.
gifsicle suggests no packages.
-- no debconf information
[poc (application/octet-stream, attachment)]
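Added example, not part of the bug report or of gifsicle: a small Python triage helper that reduces an AddressSanitizer report like the one above to the fields a fuzzing crash queue keys on (error kind, faulting address, and the first in-program frame of the error, free and allocation stacks), skipping sanitizer interceptor frames and allocator wrappers such as Gif_Realloc. The sample report is constructed from the trace above with its line wrapping undone and the binary path shortened to "gifdiff".

```python
import re

# Constructed sample: the ASan report from the gifdiff bug report above, unwrapped, binary path shortened.
SAMPLE = """\
==22514==ERROR: AddressSanitizer: attempting double-free on 0x611000009c80 in thread T0:
    #0 0x7f3b19570090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x56146456d6f3 in Gif_Realloc (gifdiff+0x146f3)
    #2 0x561464577ed3 in suck_data (gifdiff+0x1eed3)
freed by thread T0 here:
    #0 0x7f3b1956fa10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x56146457952d in read_gif (gifdiff+0x2052d)
previously allocated by thread T0 here:
    #0 0x7f3b19570090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x56146456d6f3 in Gif_Realloc (gifdiff+0x146f3)
    #2 0x561464577ed3 in suck_data (gifdiff+0x1eed3)
SUMMARY: AddressSanitizer: double-free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090) in realloc
"""

FRAME = re.compile(r"^\s*#\d+\s+0x[0-9a-f]+ in (\S+) \((\S+)\+0x[0-9a-f]+\)")
HEADER = re.compile(r"ERROR: AddressSanitizer: .* on (0x[0-9a-f]+)")
SUMMARY = re.compile(r"SUMMARY: AddressSanitizer: (\S+)")
SECTION = {"ERROR: AddressSanitizer": "error", "freed by": "freed", "previously allocated": "allocated"}
RUNTIME = ("libasan", "libc.so")           # interceptor and libc frames carry no triage signal
WRAPPER = re.compile(r"alloc|free", re.I)  # project allocator wrappers such as Gif_Realloc

def split_stacks(lines):
    """Group frames under the three stacks ASan prints: error, freed, allocated."""
    stacks, current = {"error": [], "freed": [], "allocated": []}, None
    for line in lines:
        current = next((name for marker, name in SECTION.items() if marker in line), current)
        if current and (m := FRAME.match(line)):
            stacks[current].append(m.groups())   # (function, module)
    return stacks

def first_app_frame(frames):
    """Skip runtime and allocator-wrapper frames; return the first function of the program itself."""
    for func, module in frames:
        if not any(r in module for r in RUNTIME) and not WRAPPER.search(func):
            return func
    return None

def triage(report):
    """Reduce an ASan report to the fields a crash-bucketing queue keys on."""
    lines = report.splitlines()
    kind = next((m.group(1) for l in lines if (m := SUMMARY.search(l))), None)
    addr = next((m.group(1) for l in lines if (m := HEADER.search(l))), None)
    if kind is None or addr is None:
        raise ValueError("not an AddressSanitizer error report")
    stacks = split_stacks(lines)
    return {"kind": kind, "address": addr, "crash_site": first_app_frame(stacks["error"]),
            "free_site": first_app_frame(stacks["freed"]), "alloc_site": first_app_frame(stacks["allocated"])}
```

For the trace above this yields kind double-free, crash and allocation site suck_data and free site read_gif, which is the tuple to bucket further fuzzer crashes on before reading any code.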
Information forwarded to debian-bugs-dist@lists.debian.org, Herbert Parentes Fortes Neto <hpfn@debian.org>: Bug#878739; Package gifsicle. (Mon, 16 Oct 2017 13:27:03 GMT)
Acknowledgement sent to control@bugs.debian.org: Extra info received and forwarded to list. Copy sent to Herbert Parentes Fortes Neto <hpfn@debian.org>. (Mon, 16 Oct 2017 13:27:03 GMT)
Message #10 received at 878739@bugs.debian.org:
forwarded 878739 https://github.com/kohler/gifsicle/issues/117
thanks
On 16-10-2017 09:12, Joonun Jang wrote:
Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 04 Dec 2017 17:09:09 GMT)
Reply sent to Herbert Parentes Fortes Neto <hpfn@debian.org>: You have taken responsibility. (Tue, 09 Jan 2018 10:30:35 GMT)
Notification sent to Joonun Jang <joonun.jang@gmail.com>: Bug acknowledged by developer. (Tue, 09 Jan 2018 10:30:35 GMT)
Message #19 received at 878739-close@bugs.debian.org:
Source: gifsicle
Source-Version: 1.91-2
We believe that the bug you reported is fixed in the latest version of
gifsicle, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 878739@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Herbert Parentes Fortes Neto <hpfn@debian.org> (supplier of updated gifsicle package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Tue, 09 Jan 2018 07:54:35 -0200
Source: gifsicle
Binary: gifsicle
Architecture: source
Version: 1.91-2
Distribution: unstable
Urgency: medium
Maintainer: Herbert Parentes Fortes Neto <hpfn@debian.org>
Changed-By: Herbert Parentes Fortes Neto <hpfn@debian.org>
Description:
gifsicle - Tool for manipulating GIF images
Closes: 878736 878739 881119 881120 881141
Changes:
gifsicle (1.91-2) unstable; urgency=medium
.
* I forgot to mention that this upstream version fixes
important bugs:
(Closes: #878739, #878736, #881141, #881120, #881119)
Information forwarded to debian-bugs-dist@lists.debian.org, Herbert Parentes Fortes Neto <hpfn@debian.org>: Bug#878739; Package gifsicle. (Mon, 19 Feb 2018 02:36:03 GMT)
Acknowledgement sent to Jaeseung Choi <jschoi17@kaist.ac.kr>: Extra info received and forwarded to list. Copy sent to Herbert Parentes Fortes Neto <hpfn@debian.org>. (Mon, 19 Feb 2018 02:36:03 GMT)
Message #24 received at 878739@bugs.debian.org:
For your information, this bug was assigned CVE-2017-18120.
Thank you for the fix.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 30 May 2018 07:27:17 GMT)
Last modified: Wed Jun 19 17:46:28 2019