Bug 1607247 (CVE-2018-13794)

Summary: CVE-2018-13794 catimg: Heap-based buffer overflow in stb_image.h:stbi__bmp_load_cont() via crafted .ico file
Product: [Other] Security Response Reporter: Sam Fowler <sfowler>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED UPSTREAM QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: igor.raits
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-10 10:33:53 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1607248    
Bug Blocks:    

Description Sam Fowler 2018-07-23 04:27:04 UTC 
catimg through version 2.4.0 is vulnerable to a heap-based buffer overflow in the stb_image.h:stbi__bmp_load_cont() function. An attacker could exploit this to cause a crash via crafted .ico file.


Upstream Issue:

https://github.com/posva/catimg/issues/34
Comment 1 Sam Fowler 2018-07-23 04:27:25 UTC 
Created catimg tracking bugs for this issue:

Affects: fedora-all [bug 1607248]
Comment 2 Sam Fowler 2018-07-23 04:28:42 UTC 
Reproduced with catimg-2.4.0-2.fc28.x86_64:

# catimg img.ico 2>&1 | ./asan_symbolize.py -d
=================================================================
==68==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x619000000e82 at pc 0x000000411bf6 bp 0x7fff774a9b00 sp 0x7fff774a9af0
WRITE of size 1 at 0x619000000e82 thread T0
    #0 0x411bf5 in stbi__bmp_load_cont /usr/src/debug/catimg-2.4.0-2.fc28.x86_64/src/stb_image.h:4748
    #1 0x419f30 in stbi__ico_load /usr/src/debug/catimg-2.4.0-2.fc28.x86_64/src/stb_image.h:4867
    #2 0x419f30 in stbi__load_main /usr/src/debug/catimg-2.4.0-2.fc28.x86_64/src/stb_image.h:962
    #2 0x41d94d in stbi__xload_main (/usr/bin/catimg+0x41d94d)
    #3 0x41da71 in stbi_xload (/usr/bin/catimg+0x41da71)
    #4 0x41e0e2 in img_load_from_file (/usr/bin/catimg+0x41e0e2)
    #5 0x4029a7 in main (/usr/bin/catimg+0x4029a7)
    #6 0x7fb86e3c418a in __libc_start_main (/lib64/libc.so.6+0x2318a)
    #7 0x4031a9 in _start (/usr/bin/catimg+0x4031a9)

0x619000000e82 is located 2 bytes to the right of 1024-byte region [0x619000000a80,0x619000000e80)
allocated by thread T0 here:
    #0 0x7fb86ebe2c48 in malloc (/lib64/libasan.so.5+0xeec48)
    #3 0x41125c in stbi__malloc /usr/src/debug/catimg-2.4.0-2.fc28.x86_64/src/stb_image.h:900
    #4 0x41125c in stbi__bmp_load_cont /usr/src/debug/catimg-2.4.0-2.fc28.x86_64/src/stb_image.h:4684
    #5 0x419f30 in stbi__ico_load /usr/src/debug/catimg-2.4.0-2.fc28.x86_64/src/stb_image.h:4867
    #6 0x419f30 in stbi__load_main /usr/src/debug/catimg-2.4.0-2.fc28.x86_64/src/stb_image.h:962
    #3 0x41d94d in stbi__xload_main (/usr/bin/catimg+0x41d94d)
    #4 0x41da71 in stbi_xload (/usr/bin/catimg+0x41da71)
    #5 0x41e0e2 in img_load_from_file (/usr/bin/catimg+0x41e0e2)
    #6 0x4029a7 in main (/usr/bin/catimg+0x4029a7)
    #7 0x7fb86e3c418a in __libc_start_main (/lib64/libc.so.6+0x2318a)

SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/bin/catimg+0x411bf5)
Shadow bytes around the buggy address:
  0x0c327fff8180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff8190: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff81a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff81b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c327fff81c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c327fff81d0:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff81e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff81f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8200: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8210: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c327fff8220: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==68==ABORTING
Comment 3 Product Security DevOps Team 2019-06-10 10:33:53 UTC 
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.