Bug 2107471 (CVE-2022-32323)

Summary: CVE-2022-32323 autotrace: heap-buffer overflow via the ReadImage() at input-bmp.c
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: duffy, eng-i18n-bugs, gwync, jhorak, jonathan.underwood, jskarvad, lemenkov, lkundrak, pnemade, rlerch, stransky
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
A buffer overflow flaw was found in the autotrace package. This flaw allows an attacker to trick the user into opening a maliciously crafted BMP image, triggering arbitrary code execution or causing the application to crash.
Last Closed: 2023-05-16 17:43:07 UTC
Bug Depends On: 2121826, 2121827, 2121828
Bug Blocks: 2107473

Description TEJ RATHI 2022-07-15 07:25:06 UTC
AutoTrace v0.40.0 was discovered to contain a heap overflow via the ReadImage function at input-bmp.c:660.

https://github.com/autotrace/autotrace/commit/e96bffadc25ff0ba0e10745f8012efcc5f920ea9

Comment 1 Parag Nemade 2022-07-15 09:56:44 UTC
You are not authorized to access bug #2107473.

Comment 3 Parag Nemade 2022-07-15 10:27:28 UTC
Looking into that commit, I do not see any reference that it is related to a heap-buffer overflow. Are you sure fixing "Misleading indentation" is related to a heap-buffer overflow?

I think the commit that should be considered for the CVE is https://github.com/autotrace/autotrace/commit/e96bffadc25ff0ba0e10745f8012efcc5f920ea9

Comment 5 Marco Benatto 2022-08-26 17:45:53 UTC
Created autotrace tracking bugs for this issue:

Affects: fedora-all [bug 2121826]

Comment 7 Marco Benatto 2022-08-26 18:08:34 UTC
There's a flaw in the autotrace ReadImage() function. When reading the BMP image header it relies on the untrusted input from the file and doesn't properly validate whether its contents fit the internal buffer size; an attacker can leverage that by crafting a malicious BMP file triggering a buffer overflow. A successful attack can lead to possible code execution with a high impact on confidentiality and integrity; for availability the impact can be considered low, as it affects only the single execution from the single user running the application. For a successful attack to happen, the attacker needs to trick the user into opening the crafted BMP file.
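
The following is an added example, not autotrace's code and not the fix referenced in the commit above. It is a hypothetical, simplified BMP header reader that shows the check the comment above says was missing: the DIB header size and the palette entry count are both read from the file, so a reader must bound them by its fixed internal buffers and by the bytes actually present before copying. The buffer sizes, field offsets used (BITMAPINFOHEADER bit depth at offset 14, colours used at offset 32), the `bmp_read_header`/`bmp_build_sample`/`bmp_check_sample` names and the constructed sample files are all assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical, simplified BMP header reader written for this example; it is
 * not autotrace's code. Sizes declared inside the file are untrusted and are
 * checked against both the fixed internal buffers and the bytes available. */

#define BMP_FILE_HEADER_LEN 14   /* "BM", file size, reserved, pixel-data offset */
#define DIB_HEADER_MAX      124  /* largest DIB header we keep (BITMAPV5HEADER) */
#define PALETTE_MAX_ENTRIES 256  /* an 8-bit image has at most 256 palette entries */

typedef struct {
    uint8_t  dib[DIB_HEADER_MAX];          /* fixed-size internal buffer */
    uint32_t dib_size;
    uint32_t palette[PALETTE_MAX_ENTRIES]; /* fixed-size internal buffer */
    uint32_t palette_entries;
} bmp_header_t;

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Parse the file header, DIB header and (for <= 8 bpp) the palette.
 * Returns 0 on success or a negative code naming the check that failed. */
int bmp_read_header(const uint8_t *buf, size_t len, bmp_header_t *out) {
    if (len < BMP_FILE_HEADER_LEN + 4) return -1;   /* no room for magic + DIB size */
    if (buf[0] != 'B' || buf[1] != 'M') return -2;

    /* Declared DIB header size: written by the file producer, so untrusted.
     * The unsafe pattern is memcpy(out->dib, buf + 14, dib_size) with no check. */
    uint32_t dib_size = le32(buf + BMP_FILE_HEADER_LEN);
    if (dib_size < 40 || dib_size > DIB_HEADER_MAX) return -3; /* fits internal buffer? */
    if (dib_size > len - BMP_FILE_HEADER_LEN) return -4;       /* present in the file?  */
    memcpy(out->dib, buf + BMP_FILE_HEADER_LEN, dib_size);
    out->dib_size = dib_size;

    /* BITMAPINFOHEADER layout: bit depth (u16) at offset 14, colours used (u32) at 32. */
    uint16_t bpp = (uint16_t)(out->dib[14] | (out->dib[15] << 8));
    uint32_t clr_used = le32(out->dib + 32);

    size_t palette_off = BMP_FILE_HEADER_LEN + dib_size;
    uint32_t entries = 0;
    if (bpp <= 8) {
        entries = clr_used ? clr_used : (1u << bpp);
        /* clr_used is also untrusted: bound by the palette buffer, then by the file. */
        if (entries > PALETTE_MAX_ENTRIES) return -5;
        if ((size_t)entries * 4 > len - palette_off) return -6;
        for (uint32_t i = 0; i < entries; i++)
            out->palette[i] = le32(buf + palette_off + 4 * i);
    }
    out->palette_entries = entries;
    return 0;
}

/* Constructed sample (not a real file): 14-byte file header, 40-byte BITMAPINFOHEADER
 * for a 4x4 8-bpp image, then palette_bytes of zeroed palette. The declared DIB size
 * and clr_used are caller-chosen so hostile values can be tried. Returns total length. */
size_t bmp_build_sample(uint8_t *out, size_t cap, uint32_t declared_dib_size,
                        uint32_t clr_used, size_t palette_bytes) {
    size_t total = BMP_FILE_HEADER_LEN + 40 + palette_bytes;
    if (total > cap) return 0;
    memset(out, 0, total);
    out[0] = 'B'; out[1] = 'M';
    put32(out + 2, (uint32_t)total);                 /* file size */
    put32(out + BMP_FILE_HEADER_LEN, declared_dib_size);
    put32(out + BMP_FILE_HEADER_LEN + 4, 4);         /* width */
    put32(out + BMP_FILE_HEADER_LEN + 8, 4);         /* height */
    out[BMP_FILE_HEADER_LEN + 12] = 1;               /* planes */
    out[BMP_FILE_HEADER_LEN + 14] = 8;               /* bits per pixel */
    put32(out + BMP_FILE_HEADER_LEN + 32, clr_used);
    return total;
}

/* Build a sample with the given fields and parse it; returns the parser's code. */
int bmp_check_sample(uint32_t declared_dib_size, uint32_t clr_used, size_t palette_bytes) {
    uint8_t buf[4096];
    bmp_header_t h;
    size_t n = bmp_build_sample(buf, sizeof buf, declared_dib_size, clr_used, palette_bytes);
    return n ? bmp_read_header(buf, n, &h) : -99;
}

int main(void) {
    printf("well-formed 2-colour palette: %d\n", bmp_check_sample(40, 2, 8));     /* 0  */
    printf("clr_used too large:           %d\n", bmp_check_sample(40, 70000, 8)); /* -5 */
    printf("palette truncated:            %d\n", bmp_check_sample(40, 0, 8));     /* -6 */
    printf("DIB size exceeds buffer:      %d\n", bmp_check_sample(4096, 2, 8));   /* -3 */
    printf("DIB size exceeds file:        %d\n", bmp_check_sample(124, 2, 8));    /* -4 */
    return 0;
}
```

Each rejected sample corresponds to one of the two bounds a reader needs: the declared size against the internal buffer (codes -3 and -5) and the declared size against what the file actually contains (codes -4 and -6). Checking only one of the two still leaves either an over-read of the input or an over-write of the buffer.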

Comment 8 errata-xmlrpc 2023-05-09 08:01:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2589 https://access.redhat.com/errata/RHSA-2023:2589

Comment 9 errata-xmlrpc 2023-05-16 08:49:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:3067 https://access.redhat.com/errata/RHSA-2023:3067

Comment 10 Product Security DevOps Team 2023-05-16 17:43:05 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-32323