Bug 1607247 (CVE-2018-13794)
Summary: | CVE-2018-13794 catimg: Heap-based buffer overflow in stb_image.h:stbi__bmp_load_cont() via crafted .ico file | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED UPSTREAM | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | igor.raits |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | If docs needed, set a value | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-10 10:33:53 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1607248 | ||
Bug Blocks: |
Description
Sam Fowler
2018-07-23 04:27:04 UTC
Created catimg tracking bugs for this issue: Affects: fedora-all [bug 1607248] Reproduced with catimg-2.4.0-2.fc28.x86_64: # catimg img.ico 2>&1 | ./asan_symbolize.py -d ================================================================= ==68==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000e82 at pc 0x000000411bf6 bp 0x7fff774a9b00 sp 0x7fff774a9af0 WRITE of size 1 at 0x619000000e82 thread T0 #0 0x411bf5 in stbi__bmp_load_cont /usr/src/debug/catimg-2.4.0-2.fc28.x86_64/src/stb_image.h:4748 #1 0x419f30 in stbi__ico_load /usr/src/debug/catimg-2.4.0-2.fc28.x86_64/src/stb_image.h:4867 #2 0x419f30 in stbi__load_main /usr/src/debug/catimg-2.4.0-2.fc28.x86_64/src/stb_image.h:962 #2 0x41d94d in stbi__xload_main (/usr/bin/catimg+0x41d94d) #3 0x41da71 in stbi_xload (/usr/bin/catimg+0x41da71) #4 0x41e0e2 in img_load_from_file (/usr/bin/catimg+0x41e0e2) #5 0x4029a7 in main (/usr/bin/catimg+0x4029a7) #6 0x7fb86e3c418a in __libc_start_main (/lib64/libc.so.6+0x2318a) #7 0x4031a9 in _start (/usr/bin/catimg+0x4031a9) 0x619000000e82 is located 2 bytes to the right of 1024-byte region [0x619000000a80,0x619000000e80) allocated by thread T0 here: #0 0x7fb86ebe2c48 in malloc (/lib64/libasan.so.5+0xeec48) #3 0x41125c in stbi__malloc /usr/src/debug/catimg-2.4.0-2.fc28.x86_64/src/stb_image.h:900 #4 0x41125c in stbi__bmp_load_cont /usr/src/debug/catimg-2.4.0-2.fc28.x86_64/src/stb_image.h:4684 #5 0x419f30 in stbi__ico_load /usr/src/debug/catimg-2.4.0-2.fc28.x86_64/src/stb_image.h:4867 #6 0x419f30 in stbi__load_main /usr/src/debug/catimg-2.4.0-2.fc28.x86_64/src/stb_image.h:962 #3 0x41d94d in stbi__xload_main (/usr/bin/catimg+0x41d94d) #4 0x41da71 in stbi_xload (/usr/bin/catimg+0x41da71) #5 0x41e0e2 in img_load_from_file (/usr/bin/catimg+0x41e0e2) #6 0x4029a7 in main (/usr/bin/catimg+0x4029a7) #7 0x7fb86e3c418a in __libc_start_main (/lib64/libc.so.6+0x2318a) SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/catimg+0x411bf5) Shadow bytes around the buggy address: 0x0c327fff8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff8190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff81a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff81b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0x0c327fff81c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 =>0x0c327fff81d0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa 0x0c327fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa Shadow byte legend (one shadow byte represents 8 application bytes): Addressable: 00 Partially addressable: 01 02 03 04 05 06 07 Heap left redzone: fa Freed heap region: fd Stack left redzone: f1 Stack mid redzone: f2 Stack right redzone: f3 Stack after return: f5 Stack use after scope: f8 Global redzone: f9 Global init order: f6 Poisoned by user: f7 Container overflow: fc Array cookie: ac Intra object redzone: bb ASan internal: fe Left alloca redzone: ca Right alloca redzone: cb ==68==ABORTING This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products. |