Bug 1652610

Summary: There is a heap-buffer-overflow at liblas::SpatialReference::GetGTIF()(src/spatialreference.cpp:518) in libLAS while will cause dos attack.
Product: [Fedora] Fedora Reporter: shuitao gan <ganshuitao>
Component: liblasAssignee: Sandro Mani <manisandro>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: 31CC: devrim
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: liblas-1.8.1-5.fc32 liblas-1.8.1-5.fc31 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-25 02:22:29 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
./las2pg POC1 none

Description shuitao gan 2018-11-22 13:15:05 UTC 
Created attachment 1507936 [details]
./las2pg POC1

version: libLAS2.4
Summary: 

There is a heap-buffer-overflow at liblas::SpatialReference::GetGTIF()(src/spatialreference.cpp:518) in libLAS while will cause dos attack.

Description:

The gdb debug is as follows:

$./las2pg POC1 

=================================================================
==40200==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000e400 at pc 0x7ff597100d95 bp 0x7fff485354b0 sp 0x7fff48534c58
READ of size 262208 at 0x60600000e400 thread T0
    #0 0x7ff597100d94 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cd94)
    #1 0x7ff596bf5ffd in ST_SetKey (/usr/lib/x86_64-linux-gnu/libgeotiff.so.2+0x16ffd)
    #2 0x7ff595c23475 in liblas::SpatialReference::GetGTIF() /home/company/real_sanitize/libLAS-master/src/spatialreference.cpp:518
    #3 0x7ff595c25681 in liblas::SpatialReference::SpatialReference(std::vector<liblas::VariableRecord, std::allocator<liblas::VariableRecord> > const&) /home/company/real_sanitize/libLAS-master/src/spatialreference.cpp:102
    #4 0x7ff595c7bd58 in liblas::detail::reader::Header::ReadVLRs() /home/company/real_sanitize/libLAS-master/src/detail/reader/header.cpp:389
    #5 0x7ff595c7f53d in liblas::detail::reader::Header::ReadHeader() /home/company/real_sanitize/libLAS-master/src/detail/reader/header.cpp:272
    #6 0x7ff595bc91f6 in liblas::ReaderFactory::CreateWithStream(std::istream&) /home/company/real_sanitize/libLAS-master/src/factory.cpp:92
    #7 0x7ff596e47d4f in LASReader_Create /home/company/real_sanitize/libLAS-master/src/c_api.cpp:248
    #8 0x403701 in main /home/company/real_sanitize/libLAS-master/apps/las2pg.c:424
    #9 0x7ff596835a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #10 0x404b88 in _start (/home/company/real_sanitize/libLAS-master/build/install/bin/las2pg+0x404b88)

0x60600000e400 is located 0 bytes to the right of 64-byte region [0x60600000e3c0,0x60600000e400)
allocated by thread T0 here:
    #0 0x7ff59710d8b2 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x998b2)
    #1 0x7ff595c2362b in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
    #2 0x7ff595c2362b in __gnu_cxx::__alloc_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/include/c++/5/ext/alloc_traits.h:182
    #3 0x7ff595c2362b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/5/bits/stl_vector.h:170
    #4 0x7ff595c2362b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/include/c++/5/bits/stl_vector.h:185
    #5 0x7ff595c2362b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/include/c++/5/bits/stl_vector.h:136
    #6 0x7ff595c2362b in std::vector<unsigned char, std::allocator<unsigned char> >::vector(std::vector<unsigned char, std::allocator<unsigned char> > const&) /usr/include/c++/5/bits/stl_vector.h:320
    #7 0x7ff595c2362b in liblas::SpatialReference::GetGTIF() /home/company/real_sanitize/libLAS-master/src/spatialreference.cpp:496
    #8 0x7fff48535adf  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c0c7fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c70: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0c7fff9c80:[fa]fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff9c90: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
  0x0c0c7fff9ca0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff9cb0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff9cc0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c7fff9cd0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==40200==ABORTING
Comment 1 Ben Cotton 2019-08-13 16:50:21 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.
Comment 2 Fedora Admin XMLRPC Client 2020-03-04 04:18:56 UTC 
This package has changed maintainer in the Fedora.
Reassigning to the new maintainer of this component.
Comment 3 Fedora Admin XMLRPC Client 2020-04-14 16:43:17 UTC 
This package has changed maintainer in the Fedora.
Reassigning to the new maintainer of this component.
Comment 4 Fedora Update System 2020-04-14 20:14:13 UTC 
FEDORA-2020-6dbbecb893 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6dbbecb893
Comment 5 Fedora Update System 2020-04-14 20:14:14 UTC 
FEDORA-2020-b0695fcdf7 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-b0695fcdf7
Comment 6 Fedora Update System 2020-04-15 19:57:53 UTC 
FEDORA-2020-b0695fcdf7 has been pushed to the Fedora 31 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-b0695fcdf7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-b0695fcdf7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 7 Fedora Update System 2020-04-16 19:27:55 UTC 
FEDORA-2020-6dbbecb893 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6dbbecb893`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6dbbecb893

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 8 Fedora Update System 2020-04-25 02:22:29 UTC 
FEDORA-2020-6dbbecb893 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 9 Fedora Update System 2020-04-25 03:00:43 UTC 
FEDORA-2020-b0695fcdf7 has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.