gifsicle: double-free bug when running gifdiff

Related Vulnerabilities: CVE-2017-18120

Debian Bug report logs - #878739
gifsicle: double-free bug when running gifdiff


Reported by: Joonun Jang <joonun.jang@gmail.com>

Date: Mon, 16 Oct 2017 11:15:04 UTC

Severity: normal

Tags: fixed-upstream

Found in version gifsicle/1.90-1

Fixed in version gifsicle/1.91-2

Done: Herbert Parentes Fortes Neto <hpfn@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://github.com/kohler/gifsicle/issues/117



Report forwarded to debian-bugs-dist@lists.debian.org, joonun.jang@gmail.com, Herbert Parentes Fortes Neto <hpfn@debian.org>:
Bug#878739; Package gifsicle. (Mon, 16 Oct 2017 11:15:07 GMT) (full text, mbox, link).


Acknowledgement sent to Joonun Jang <joonun.jang@gmail.com>:
New Bug report received and forwarded. Copy sent to joonun.jang@gmail.com, Herbert Parentes Fortes Neto <hpfn@debian.org>. (Mon, 16 Oct 2017 11:15:07 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Joonun Jang <joonun.jang@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gifsicle: double-free bug when running gifdiff
Date: Mon, 16 Oct 2017 20:12:02 +0900
[Message part 1 (text/plain, inline)]
Package: gifsicle
Version: 1.90-1
Severity: normal

Dear Maintainer,

Running 'gifdiff poc poc' with the attached file raises a double-free bug,
which may allow a remote attacker to cause a denial-of-service attack or
other unspecified impact with a crafted file.

I expected the program to terminate without segfault, but the program
crashes as follows:

----------------------------

june@june:~/project/analyze/poc/gifdiff/crash4$
~/project/analyze/bins/gifsicle-1.90/src/gifdiff poc poc
=================================================================

==22514==ERROR: AddressSanitizer: attempting double-free on
0x611000009c80 in thread T0:
#0 0x7f3b19570090 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
#1 0x56146456d6f3 in Gif_Realloc
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x146f3)
#2 0x561464577ed3 in suck_data
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x1eed3)
#3 0x561464579219 in read_gif
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20219)
#4 0x561464579825 in Gif_FullReadFile
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
#5 0x56146457e4eb in read_stream
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
#6 0x56146457e96f in main
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2596f)
#7 0x7f3b18e2b2b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#8 0x56146455dde9 in _start
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x4de9)

0x611000009c80 is located 0 bytes inside of 253-byte region
[0x611000009c80,0x611000009d7d)
freed by thread T0 here:
#0 0x7f3b1956fa10 in free
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
#1 0x56146457952d in read_gif
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2052d)
#2 0x561464579825 in Gif_FullReadFile
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
#3 0x56146457e4eb in read_stream
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
#4 0x56146457e95f in main
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2595f)
#5 0x7f3b18e2b2b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

previously allocated by thread T0 here:
#0 0x7f3b19570090 in realloc
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
#1 0x56146456d6f3 in Gif_Realloc
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x146f3)
#2 0x561464577ed3 in suck_data
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x1eed3)
#3 0x561464579219 in read_gif
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20219)
#4 0x561464579825 in Gif_FullReadFile
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
#5 0x56146457e4eb in read_stream
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
#6 0x56146457e95f in main
(/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2595f)
#7 0x7f3b18e2b2b0 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: double-free
(/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090) in realloc
==22514==ABORTING

-----------------------------

The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gifsicle depends on:
ii  libc6     2.24-11+deb9u1
ii  libx11-6  2:1.6.4-3

gifsicle recommends no packages.

gifsicle suggests no packages.

-- no debconf information
[poc (application/octet-stream, attachment)]
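The AddressSanitizer report above shows `realloc` (reached through `Gif_Realloc` from `suck_data`) being applied to a 253-byte region that `read_gif` had already freed: one code path released the buffer while a caller still held the stale pointer. The following is an added illustration, written for this log and not taken from gifsicle, of the ownership discipline that closes off that pattern: a GIF-style data sub-block reader (length byte, payload, zero terminator) whose error path frees and resets its buffer handle, so a later `realloc` on the same handle starts from `NULL` instead of freed memory. The names (`growbuf`, `read_sub_blocks`, `demo_reuse_after_error`) and the byte sequences are constructed for the example.

```c
/* Added illustration, not gifsicle's code: a GIF-style data sub-block reader
 * with an owning buffer whose error path cannot leave a dangling pointer.
 * GIF data sub-blocks are a length byte (1..255) followed by that many
 * payload bytes, terminated by a zero-length block. */
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint8_t *data;
    size_t len;
    size_t cap;
} growbuf;

/* Release the storage AND reset the handle. A later growbuf_append() then
 * sees data == NULL and realloc() allocates fresh memory; without the reset
 * the next realloc() would operate on freed storage, which is exactly the
 * double-free ASan reported above. */
static void growbuf_free(growbuf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = 0;
    b->cap = 0;
}

/* Append n bytes, growing geometrically. Returns 0 on success, -1 on
 * allocation failure; on failure the buffer is left intact, so the caller
 * still owns a valid handle. */
static int growbuf_append(growbuf *b, const uint8_t *src, size_t n)
{
    if (b->len + n > b->cap) {
        size_t ncap = b->cap ? b->cap : 256;
        while (ncap < b->len + n)
            ncap *= 2;
        uint8_t *p = realloc(b->data, ncap);
        if (!p)
            return -1;
        b->data = p;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 0;
}

/* Concatenate the data sub-blocks starting at in[0] into *out. Returns the
 * number of input bytes consumed including the terminator, or 0 when the
 * stream is truncated. On error the partial buffer is freed and the handle
 * reset, so the caller may reuse it without any special casing. */
static size_t read_sub_blocks(const uint8_t *in, size_t inlen, growbuf *out)
{
    size_t pos = 0;
    for (;;) {
        if (pos >= inlen)
            goto fail;                  /* missing length byte */
        uint8_t blen = in[pos++];
        if (blen == 0)
            return pos;                 /* zero-length terminator */
        if (pos + blen > inlen)
            goto fail;                  /* payload runs past the input */
        if (growbuf_append(out, in + pos, blen) != 0)
            goto fail;
        pos += blen;
    }
fail:
    growbuf_free(out);
    return 0;
}

/* A truncated stream must fail and leave the handle empty, not dangling. */
int truncated_stream_resets_handle(void)
{
    static const uint8_t trunc[] = {4, 'p', 'q'};    /* constructed input */
    growbuf b = {NULL, 0, 0};
    size_t used = read_sub_blocks(trunc, sizeof trunc, &b);
    return used == 0 && b.data == NULL && b.cap == 0 && b.len == 0;
}

/* Parse a good stream, then a truncated one, then reuse the same handle.
 * Returns the summed payload length of the two successful parses (10). */
size_t demo_reuse_after_error(void)
{
    static const uint8_t good[] = {3, 'a', 'b', 'c', 2, 'd', 'e', 0};
    static const uint8_t trunc[] = {5, 'x', 'y'};    /* constructed inputs */
    growbuf b = {NULL, 0, 0};
    size_t total = 0;

    if (read_sub_blocks(good, sizeof good, &b) == sizeof good)
        total += b.len;                              /* 5 bytes: "abcde" */
    growbuf_free(&b);

    read_sub_blocks(trunc, sizeof trunc, &b);        /* fails, frees, resets */
    if (read_sub_blocks(good, sizeof good, &b) == sizeof good)
        total += b.len;                              /* safe reuse: +5 */
    growbuf_free(&b);
    return total;
}
```

Building this with `-fsanitize=address` and removing the three reset assignments in `growbuf_free` reproduces the same kind of report the submitter attached: the second `read_sub_blocks` call hands a freed pointer to `realloc`. The design point is that a handle which can be freed on an error path must be left in a state that is also valid for the next allocation, rather than relying on every caller to remember which paths consumed it.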

Information forwarded to debian-bugs-dist@lists.debian.org, Herbert Parentes Fortes Neto <hpfn@debian.org>:
Bug#878739; Package gifsicle. (Mon, 16 Oct 2017 13:27:03 GMT) (full text, mbox, link).


Acknowledgement sent to control@bugs.debian.org:
Extra info received and forwarded to list. Copy sent to Herbert Parentes Fortes Neto <hpfn@debian.org>. (Mon, 16 Oct 2017 13:27:03 GMT) (full text, mbox, link).


Message #10 received at 878739@bugs.debian.org (full text, mbox, reply):

From: Herbert Fortes <terberh@gmail.com>
To: 878739@bugs.debian.org
Subject: Re: Bug#878739: gifsicle: double-free bug when running gifdiff
Date: Mon, 16 Oct 2017 11:25:25 -0200
forwarded 878739 https://github.com/kohler/gifsicle/issues/117
thanks

Em 16-10-2017 09:12, Joonun Jang escreveu:
> Package: gifsicle
> Version: 1.90-1
> Severity: normal
> 
> Dear Maintainer,
> 
> Running 'gifdiff poc poc' with the attached file raises a double-free bug,
> which may allow a remote attacker to cause a denial-of-service attack or
> other unspecified impact with a crafted file.
> 
> I expected the program to terminate without segfault, but the program
> crashes as follows:
> 
> ----------------------------
> 
> june@june:~/project/analyze/poc/gifdiff/crash4$
> ~/project/analyze/bins/gifsicle-1.90/src/gifdiff poc poc
> =================================================================
> 
> ==22514==ERROR: AddressSanitizer: attempting double-free on
> 0x611000009c80 in thread T0:
> #0 0x7f3b19570090 in realloc
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
> #1 0x56146456d6f3 in Gif_Realloc
> (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x146f3)
> #2 0x561464577ed3 in suck_data
> (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x1eed3)
> #3 0x561464579219 in read_gif
> (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20219)
> #4 0x561464579825 in Gif_FullReadFile
> (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
> #5 0x56146457e4eb in read_stream
> (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
> #6 0x56146457e96f in main
> (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2596f)
> #7 0x7f3b18e2b2b0 in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
> #8 0x56146455dde9 in _start
> (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x4de9)
> 
> 0x611000009c80 is located 0 bytes inside of 253-byte region
> [0x611000009c80,0x611000009d7d)
> freed by thread T0 here:
> #0 0x7f3b1956fa10 in free
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
> #1 0x56146457952d in read_gif
> (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2052d)
> #2 0x561464579825 in Gif_FullReadFile
> (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
> #3 0x56146457e4eb in read_stream
> (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
> #4 0x56146457e95f in main
> (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2595f)
> #5 0x7f3b18e2b2b0 in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
> 
> previously allocated by thread T0 here:
> #0 0x7f3b19570090 in realloc
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
> #1 0x56146456d6f3 in Gif_Realloc
> (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x146f3)
> #2 0x561464577ed3 in suck_data
> (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x1eed3)
> #3 0x561464579219 in read_gif
> (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20219)
> #4 0x561464579825 in Gif_FullReadFile
> (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
> #5 0x56146457e4eb in read_stream
> (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
> #6 0x56146457e95f in main
> (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2595f)
> #7 0x7f3b18e2b2b0 in __libc_start_main
> (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
> 
> SUMMARY: AddressSanitizer: double-free
> (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090) in realloc
> ==22514==ABORTING
> 
> -----------------------------
> 
> The bug was found with a fuzzer developed by 'SoftSec' group at KAIST.
> 
> -- System Information:
> Debian Release: 9.2
>   APT prefers stable-updates
>   APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> Init: systemd (via /run/systemd/system)
> 
> Versions of packages gifsicle depends on:
> ii  libc6     2.24-11+deb9u1
> ii  libx11-6  2:1.6.4-3
> 
> gifsicle recommends no packages.
> 
> gifsicle suggests no packages.
> 
> -- no debconf information
> 




Set Bug forwarded-to-address to 'https://github.com/kohler/gifsicle/issues/117'. Request was from Herbert Fortes <terberh@gmail.com> to control@bugs.debian.org. (Mon, 16 Oct 2017 16:51:03 GMT) (full text, mbox, link).


Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 04 Dec 2017 17:09:09 GMT) (full text, mbox, link).


Reply sent to Herbert Parentes Fortes Neto <hpfn@debian.org>:
You have taken responsibility. (Tue, 09 Jan 2018 10:30:35 GMT) (full text, mbox, link).


Notification sent to Joonun Jang <joonun.jang@gmail.com>:
Bug acknowledged by developer. (Tue, 09 Jan 2018 10:30:35 GMT) (full text, mbox, link).


Message #19 received at 878739-close@bugs.debian.org (full text, mbox, reply):

From: Herbert Parentes Fortes Neto <hpfn@debian.org>
To: 878739-close@bugs.debian.org
Subject: Bug#878739: fixed in gifsicle 1.91-2
Date: Tue, 09 Jan 2018 10:19:18 +0000
Source: gifsicle
Source-Version: 1.91-2

We believe that the bug you reported is fixed in the latest version of
gifsicle, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 878739@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Herbert Parentes Fortes Neto <hpfn@debian.org> (supplier of updated gifsicle package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 09 Jan 2018 07:54:35 -0200
Source: gifsicle
Binary: gifsicle
Architecture: source
Version: 1.91-2
Distribution: unstable
Urgency: medium
Maintainer: Herbert Parentes Fortes Neto <hpfn@debian.org>
Changed-By: Herbert Parentes Fortes Neto <hpfn@debian.org>
Description:
 gifsicle   - Tool for manipulating GIF images
Closes: 878736 878739 881119 881120 881141
Changes:
 gifsicle (1.91-2) unstable; urgency=medium
 .
   * I forgot to mention that this upstream version fixes
     important bugs:
     (Closes: #878739, #878736, #881141, #881120, #881119)
Checksums-Sha1:
 0be74456776067cf775d7242d966f932bb76f760 1906 gifsicle_1.91-2.dsc
 faa1daef7a85d94e8d3f21847a335dd27befa344 476239 gifsicle_1.91.orig.tar.gz
 978145fa81259777b734a4f382a2820daa3184d2 4588 gifsicle_1.91-2.debian.tar.xz
 2db7f1fb6094d5b9ce3275c4931469d9c89b3339 6310 gifsicle_1.91-2_amd64.buildinfo
Checksums-Sha256:
 6df8dc16cc09a9481b50ab895aa61456505d4cbc5aa52bddcb8a1b827405b795 1906 gifsicle_1.91-2.dsc
 7c289f1402a0f955ee7b03f25857d4dd84368768da2da312ad1657f9434d616b 476239 gifsicle_1.91.orig.tar.gz
 a7c4178bb58dfd4721682c1c737ffca6a3c1630a4151658d5b50c910c637e4cd 4588 gifsicle_1.91-2.debian.tar.xz
 d3cd8ee44cd0d0545e712124f1b6409ae5c638118fbaf7442768e3a21bc649cb 6310 gifsicle_1.91-2_amd64.buildinfo
Files:
 d1056d4de10f88cb0b149b8c5d93b404 1906 graphics optional gifsicle_1.91-2.dsc
 aa0329e0105bec10f409c19a67579c19 476239 graphics optional gifsicle_1.91.orig.tar.gz
 6c38773c9d1d4c4ab42649274ac6ff3f 4588 graphics optional gifsicle_1.91-2.debian.tar.xz
 722b02c4ea9b37cdb521c09347a1b955 6310 graphics optional gifsicle_1.91-2_amd64.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Herbert Parentes Fortes Neto <hpfn@debian.org>:
Bug#878739; Package gifsicle. (Mon, 19 Feb 2018 02:36:03 GMT) (full text, mbox, link).


Acknowledgement sent to Jaeseung Choi <jschoi17@kaist.ac.kr>:
Extra info received and forwarded to list. Copy sent to Herbert Parentes Fortes Neto <hpfn@debian.org>. (Mon, 19 Feb 2018 02:36:03 GMT) (full text, mbox, link).


Message #24 received at 878739@bugs.debian.org (full text, mbox, reply):

From: Jaeseung Choi <jschoi17@kaist.ac.kr>
To: 878739@bugs.debian.org
Subject: Bug#878739 : CVE-2017-18120
Date: Mon, 19 Feb 2018 11:25:31 +0900
[Message part 1 (text/plain, inline)]
For your information, this bug was assigned CVE-2017-18120.

Thank you for the fix.
[Message part 2 (text/html, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 30 May 2018 07:27:17 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:46:28 2019; Machine Name: buxtehude
