ufraw: CVE-2018-19655: stack buffer overflow while running ufraw-batch

Related Vulnerabilities: CVE-2018-19655  

Debian Bug report logs - #890086


Reported by: Joonun Jang <joonun.jang@gmail.com>

Date: Sat, 10 Feb 2018 23:54:02 UTC

Severity: grave

Tags: patch, security

Found in version ufraw/0.22-2

Fixed in version ufraw/0.22-3.1

Done: Salvatore Bonaccorso <carnil@debian.org>

Bug is archived. No further changes may be made.




Report forwarded to debian-bugs-dist@lists.debian.org, joonun.jang@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Hubert Chathi <uhoreg@debian.org>:
Bug#890086; Package ufraw-batch. (Sat, 10 Feb 2018 23:54:04 GMT)


Acknowledgement sent to Joonun Jang <joonun.jang@gmail.com>:
New Bug report received and forwarded. Copy sent to joonun.jang@gmail.com, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Hubert Chathi <uhoreg@debian.org>. (Sat, 10 Feb 2018 23:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Joonun Jang <joonun.jang@gmail.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ufraw-batch: stack buffer overflow while running ufraw-batch
Date: Sun, 11 Feb 2018 08:51:39 +0900
Package: ufraw-batch
Version: 0.22-2
Severity: important
Tags: security

Stack buffer overflow when running ufraw-batch with the "--overwrite poc" option

Running 'ufraw-batch --overwrite poc' with the attached file raises a stack buffer overflow,
which may allow a remote attacker to cause unspecified impact including a denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes as follows:

june@june:~/temp/report/ufraw-batch/unknown$ ufraw-batch poc
*** stack smashing detected ***: ufraw-batch terminated
Segmentation fault

Below is debugging information about this bug:

0. poc file

00000000: 0001 0001 0040 2020 0000 0020 2020 4b41  .....@  ...   KA
00000010: 492d 3033 3430 200f 4343 4343 4343 4343  I-0340 .CCCCCCCC
00000020: 4343 4343 4343 4343 4343 [4141] 6565       CCCCCCCCCCAAee

1. The two bytes [4141] above were stored in the variable 'raw_width'
   in the DCRaw::identify function in dcraw.cc

 8871   } else if (!memcmp (head,"\0\001\0\001\0@",6)) {
 8872     fseek (ifp, 6, SEEK_SET);
 8873     fread (make, 1, 8, ifp);
 8874     fread (model, 1, 8, ifp);
 8875     fread (model2, 1, 16, ifp);
 8876     data_offset = get2();
 8877     get2();
 8878     raw_width = get2(); // HERE
 8879     raw_height = get2();
 8880     load_raw = &CLASS nokia_load_raw;
 8881     filters = 0x61616161;

--gdb--
8878      raw_width = get2();
(gdb) n
8879      raw_height = get2();
(gdb) p/x raw_width
$21 = 0x4141
-------

2. It is then stored in the variable 'width' in the same function

 9008   desc[511] = artist[63] = make[63] = model[63] = model2[63] = 0;
 9009   if (!is_raw) goto notraw;
 9010
 9011   if (!height) height = raw_height;
 9012   if (!width)  width  = raw_width; // HERE
 9013   if (height == 2624 && width == 3936)  /* Pentax K10D and Samsung GX10 */
 9014     { height  = 2616;   width  = 3896; }
 9015   if (height == 3136 && width == 4864)  /* Pentax K20D and Samsung GX20 */

--gdb--
Breakpoint 9, DCRaw::identify (this=this@entry=0x7ffff48b2010) at dcraw.cc:9012
9012    if (!width)  width  = raw_width;
$24 = 0
(gdb) n
9013    if (height == 2624 && width == 3936)  /* Pentax K10D and Samsung GX10 */
(gdb) p/x width
$25 = 0x4141


3. This 'width' is used in the loop below,
   in the function DCRaw::find_green in the same file.

 8504 float CLASS find_green (int bps, int bite, int off0, int off1)
 8505 {
 8506   UINT64 bitbuf=0;
 8507   int vbits, col, i, c;
 8508   ushort img[2][2064];
 8509   double sum[]={0,0};
 8510
 8511   FORC(2) {
 8512     fseek (ifp, c ? off1:off0, SEEK_SET);
 8513     for (vbits=col=0; col < width; col++) { // HERE(1), width was used
 8514       for (vbits -= bps; vbits < 0; vbits += bite) {
 8515         bitbuf <<= bite;
 8516         for (i=0; i < bite; i+=8)
 8517           bitbuf |= (unsigned) (fgetc(ifp) << i);
 8518       }
 8519       img[c][col] = bitbuf << (64-bps-vbits) >> (64-bps); // HERE(2), col is index of img buffer
 8520     }
 8521   }
 8522   FORC(width-1) {
 8523     sum[ c & 1] += ABS(img[0][c]-img[1][c+1]);
 8524     sum[~c & 1] += ABS(img[1][c]-img[0][c+1]);
 8525   }
 8526   return 100 * log(sum[0]/sum[1]);
 8527 }

At HERE(2), the local variable 'col' increases until it equals the variable 'width',
which can easily be modified by the input file and can have a value big enough to overwrite the local buffer img.

=========================================================================

This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufraw-batch depends on:
ii  libbz2-1.0       1.0.6-8.1
ii  libc6            2.24-11+deb9u1
ii  libexiv2-14      0.25-3.1
ii  libgcc1          1:6.3.0-18
ii  libglib2.0-0     2.50.3-2
ii  libgomp1         6.3.0-18
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2       2.8-4
ii  liblensfun1      0.3.2-3
ii  libpng16-16      1.6.28-1
ii  libstdc++6       6.3.0-18
ii  libtiff5         4.0.8-2+deb9u2
ii  zlib1g           1:1.2.8.dfsg-5

ufraw-batch recommends no packages.

Versions of packages ufraw-batch suggests:
pn  ufraw  <none>

-- no debconf information
[poc (application/octet-stream, attachment)]
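As an added illustration, not code from the report, from ufraw or from dcraw: a small C parser for the header branch quoted above (6-byte magic, make[8], model[8], model2[16], data_offset, one skipped get2(), raw_width, raw_height) together with the bounds check that find_green's fixed img[2][2064] buffer needs before width is used as a loop bound. The big-endian get2() stand-in and the constructed 46-byte header are assumptions; IMG_COLS is taken from the quoted declaration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define IMG_COLS 2064   /* columns in find_green()'s ushort img[2][2064] */

/* 16-bit big-endian read, standing in for dcraw's get2() (assumption;
 * byte order does not matter for the 0x4141 value seen in the report). */
static unsigned get2_be(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Parse the header branch quoted from DCRaw::identify: 6-byte magic at 0,
 * make[8] at 6, model[8] at 14, model2[16] at 22, data_offset at 38,
 * one unused get2() at 40, raw_width at 42, raw_height at 44.
 * Returns 0 on success, -1 if the buffer is short or the magic differs. */
int parse_nokia_header(const uint8_t *buf, size_t len,
                       unsigned *raw_width, unsigned *raw_height)
{
    static const uint8_t magic[6] = {0, 1, 0, 1, 0, '@'};
    if (len < 46 || memcmp(buf, magic, sizeof magic) != 0)
        return -1;
    *raw_width  = get2_be(buf + 42);
    *raw_height = get2_be(buf + 44);
    return 0;
}

/* The missing check: width is both the loop bound and the column index
 * into a fixed-size stack array, so validate it before find_green() runs.
 * Returns 1 if width is usable, 0 if the file must be rejected. */
int width_fits_img_buffer(unsigned width)
{
    /* width 0 makes FORC(width-1) a no-op and sum[0]/sum[1] a 0/0; reject it too */
    return width >= 1 && width <= IMG_COLS;
}

/* Build a constructed 46-byte header (sample input, not the attached poc)
 * carrying the given raw_width, then run parser and check over it.
 * Returns 1 if accepted, 0 if rejected by the check, -1 on parse error. */
int check_constructed_header(unsigned raw_width)
{
    uint8_t hdr[46] = {0, 1, 0, 1, 0, '@'};
    unsigned w, h;
    memset(hdr + 6, 'C', 32);                /* make/model/model2 filler */
    hdr[42] = (uint8_t)(raw_width >> 8);
    hdr[43] = (uint8_t)(raw_width & 0xff);
    hdr[44] = 0; hdr[45] = 1;                /* raw_height = 1 */
    if (parse_nokia_header(hdr, sizeof hdr, &w, &h) != 0)
        return -1;
    return width_fits_img_buffer(w);
}
```

A raw_width of 0x4141 (16705), the value the report traces into width, is rejected because it exceeds the 2064 columns the stack array holds.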

Changed Bug title to 'ufraw: CVE-2018-19655: stack buffer overflow while running ufraw-batch' from 'ufraw-batch: stack buffer overflow while running ufraw-batch'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 30 Nov 2018 13:33:07 GMT)


Severity set to 'grave' from 'important'. Request was from jmm@inutil.org (Moritz Muehlenhoff) to control@bugs.debian.org. (Fri, 30 Nov 2018 16:45:09 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Hubert Chathi <uhoreg@debian.org>:
Bug#890086; Package ufraw-batch. (Sun, 02 Dec 2018 10:09:05 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Hubert Chathi <uhoreg@debian.org>. (Sun, 02 Dec 2018 10:09:05 GMT)


Message #14 received at 890086@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 890086@bugs.debian.org
Subject: ufraw: diff for NMU version 0.22-3.1
Date: Sun, 2 Dec 2018 11:04:25 +0100
Control: tags 890086 + patch
Control: tags 890086 + pending

Dear maintainer,

I've prepared an NMU for ufraw (versioned as 0.22-3.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.

Regards,
Salvatore
[ufraw-0.22-3.1-nmu.diff (text/x-diff, attachment)]

Added tag(s) patch. Request was from Salvatore Bonaccorso <carnil@debian.org> to 890086-submit@bugs.debian.org. (Sun, 02 Dec 2018 10:09:05 GMT)


Added tag(s) pending. Request was from Salvatore Bonaccorso <carnil@debian.org> to 890086-submit@bugs.debian.org. (Sun, 02 Dec 2018 10:09:05 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#890086; Package ufraw-batch. (Sun, 02 Dec 2018 21:09:06 GMT)


Acknowledgement sent to Hubert Chathi <uhoreg@debian.org>:
Extra info received and forwarded to list. (Sun, 02 Dec 2018 21:09:06 GMT)


Message #23 received at 890086@bugs.debian.org:

From: Hubert Chathi <uhoreg@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 890086@bugs.debian.org
Subject: Re: Bug#890086: ufraw: diff for NMU version 0.22-3.1
Date: Sun, 02 Dec 2018 15:40:44 -0500
On Sun, 2 Dec 2018 11:04:25 +0100, Salvatore Bonaccorso <carnil@debian.org> said:

> Dear maintainer,

> I've prepared an NMU for ufraw (versioned as 0.22-3.1) and uploaded it
> to DELAYED/5. Please feel free to tell me if I should delay it longer.

Hi Salvatore,

Thank you very much for the NMU.  I have no objections to it.

-- 
Hubert Chathi <uhoreg@debian.org> -- https://www.uhoreg.ca/
Jabber: hubert@uhoreg.ca -- Matrix: @uhoreg:matrix.org
PGP/GnuPG key: 4096R/F24C F749 6C73 DDB8 DCB8  72DE B2DE 88D3 113A 1368



Information forwarded to debian-bugs-dist@lists.debian.org, Hubert Chathi <uhoreg@debian.org>:
Bug#890086; Package ufraw-batch. (Sun, 02 Dec 2018 21:21:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Hubert Chathi <uhoreg@debian.org>. (Sun, 02 Dec 2018 21:21:02 GMT)


Message #28 received at 890086@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Hubert Chathi <uhoreg@debian.org>
Cc: 890086@bugs.debian.org
Subject: Re: Bug#890086: ufraw: diff for NMU version 0.22-3.1
Date: Sun, 2 Dec 2018 22:13:24 +0100
Hi!

On Sun, Dec 02, 2018 at 03:40:44PM -0500, Hubert Chathi wrote:
> On Sun, 2 Dec 2018 11:04:25 +0100, Salvatore Bonaccorso <carnil@debian.org> said:
> 
> > Dear maintainer,
> 
> > I've prepared an NMU for ufraw (versioned as 0.22-3.1) and uploaded it
> > to DELAYED/5. Please feel free to tell me if I should delay it longer.
> 
> Hi Salvatore,
> 
> Thank you very much for the NMU.  I have no objections to it.

Thanks for your feedback. Any preference from you to keep it in the
delayed queue or speed processing up? (feel free as well to just
reschedule it).

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#890086; Package ufraw-batch. (Mon, 03 Dec 2018 14:57:03 GMT)


Acknowledgement sent to Hubert Chathi <uhoreg@debian.org>:
Extra info received and forwarded to list. (Mon, 03 Dec 2018 14:57:03 GMT)


Message #33 received at 890086@bugs.debian.org:

From: Hubert Chathi <uhoreg@debian.org>
To: Salvatore Bonaccorso <carnil@debian.org>
Cc: 890086@bugs.debian.org
Subject: Re: Bug#890086: ufraw: diff for NMU version 0.22-3.1
Date: Mon, 03 Dec 2018 09:54:53 -0500
On Sun, 2 Dec 2018 22:13:24 +0100, Salvatore Bonaccorso <carnil@debian.org> said:

> Thanks for your feedback. Any preference from you to keep it in the
> delayed queue or speed processing up? (feel free as well to just
> reschedule it).

I don't have any preference.  If you want to speed up processing, then
go ahead.

-- 
Hubert Chathi <uhoreg@debian.org> -- https://www.uhoreg.ca/
Jabber: hubert@uhoreg.ca -- Matrix: @uhoreg:matrix.org
PGP/GnuPG key: 4096R/F24C F749 6C73 DDB8 DCB8  72DE B2DE 88D3 113A 1368



Reply sent to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility. (Fri, 07 Dec 2018 10:39:09 GMT)


Notification sent to Joonun Jang <joonun.jang@gmail.com>:
Bug acknowledged by developer. (Fri, 07 Dec 2018 10:39:09 GMT)


Message #38 received at 890086-close@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: 890086-close@bugs.debian.org
Subject: Bug#890086: fixed in ufraw 0.22-3.1
Date: Fri, 07 Dec 2018 10:34:29 +0000
Source: ufraw
Source-Version: 0.22-3.1

We believe that the bug you reported is fixed in the latest version of
ufraw, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 890086@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated ufraw package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 02 Dec 2018 10:55:01 +0100
Source: ufraw
Binary: ufraw ufraw-batch gimp-ufraw
Architecture: source
Version: 0.22-3.1
Distribution: unstable
Urgency: medium
Maintainer: Hubert Chathi <uhoreg@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 890086
Description: 
 gimp-ufraw - gimp importer for raw camera images
 ufraw      - standalone importer for raw camera images
 ufraw-batch - batch importer for raw camera images
Changes:
 ufraw (0.22-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * stack-based buffer overflow bug (CVE-2018-19655) (Closes: #890086)
Checksums-Sha1: 
 4e974886a4ec3a379d03d48a58588506d15f16a3 2127 ufraw_0.22-3.1.dsc
 0fc453b0924c4df46276533d00e8766835763b07 8672 ufraw_0.22-3.1.debian.tar.xz
Checksums-Sha256: 
 dc869baa14afba40691f753d2312f1a97c24eb51d952f2f86697672fa9b14d48 2127 ufraw_0.22-3.1.dsc
 27176a7e800cc47497d82b5fb333977a578f59eb309e9ad71446327ba05fa9a7 8672 ufraw_0.22-3.1.debian.tar.xz
Files: 
 9a667e8d59ca7c43f19e52df76e0eec2 2127 graphics optional ufraw_0.22-3.1.dsc
 4d4a2cabb9e3f14b9d9002b266dba948 8672 graphics optional ufraw_0.22-3.1.debian.tar.xz





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 09 Jan 2019 07:29:43 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:26:01 2019; Machine Name: buxtehude
