Bug 509531 (CVE-2009-2295)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2009-2295 ocaml-camlimages: PNG reader multiple integer overflows (oCERT-2009-009) | | |
| Product | [Other] Security Response | Reporter | Tomas Hoger <thoger> |
| Component | vulnerability | Assignee | Richard W.M. Jones <rjones> |
| Status | CLOSED RAWHIDE | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | fedora-ocaml-list, rjones, vdanen |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | | Doc Type | Bug Fix |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2009-10-16 10:03:26 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Attachments | | | |
Description (Tomas Hoger, 2009-07-03 10:37:04 UTC)
I'll have a look at this one now.

Created attachment 350433
camlimages-oversized-png-check.patch

This is a potential fix which checks whether the numbers we are about to multiply together could provoke an arithmetic overflow (or are negative, which would be equally bogus).

It solves the test case that I was given privately.

Note that in any case the bug only manifests on 32 bit architectures. On 64 bit, the multiply does not overflow, but unless you have loads of free memory you will shortly afterwards get a (safe) Out_of_memory exception.

(In reply to comment #4)
> Created an attachment (id=350433)
> camlimages-oversized-png-check.patch

One note from a very quick look... in general, a test like:

    (x) * (y) < (x) || (x) * (y) < (y)

is not sufficient to catch all possible integer overflows in multiplication. Think of x == y == 0x10001, x * y == 0x100020001, which is 0x20001 in the 32bit world. This can still result in a small buffer that may be overflown later.

The test is usually written as:

    y != 0 && x > (TYPE)_MAX / y

(the first part is needed if y can be 0, not needed in cases where y is sizeof(sometype)).

ocaml-camlimages-3.0.1-7.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/ocaml-camlimages-3.0.1-7.fc11.1

ocaml-camlimages-3.0.1-3.fc10.1 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ocaml-camlimages-3.0.1-3.fc10.1

(In reply to comment #5)
> (In reply to comment #4)
> > Created an attachment (id=350433)
> > camlimages-oversized-png-check.patch
>
> One note from a very quick look... in general, a test like:
>
>     (x) * (y) < (x) || (x) * (y) < (y)
>
> is not sufficient to catch all possible integer overflows in multiplication.
> Think of x == y == 0x10001, x * y == 0x100020001, which is 0x20001 in the 32bit
> world. This can still result in a small buffer that may be overflown later.
>
> The test is usually written as:
>
>     y != 0 && x > (TYPE)_MAX / y
>
> (the first part is needed if y can be 0, not needed in cases where y is
> sizeof(sometype)).

Yup, someone just found a counterexample on #ocaml. I'll change the patch and rebuild in a moment.

Created attachment 350440
camlimages-oversized-png-check-CVE-2009-2295.patch

Fix overflow detection in the patch.

I also see two occurrences of this in pngread.c:

    row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);

While sizeof(png_bytep) is fixed, height comes from the file and it seems possible for it to be 2^32/4 or larger.

Created attachment 350441
camlimages-oversized-png-check-CVE-2009-2295.patch

Updated the patch with feedback from comment 10.

I've pushed new packages for Fedora 10, 11 and Rawhide with the patch in comment 11.

Note that although we have CVS branches for EL-4 and EL-5, we don't currently distribute this package (missing build dep). However, I've added the patch to those branches too, so that if in future we build for EL-4/5 we will have the patch.

I've also discussed this issue and the patch with Debian and OpenBSD maintainers.

Updates coming shortly.

ocaml-camlimages-3.0.1-3.fc10.2 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ocaml-camlimages-3.0.1-3.fc10.2

ocaml-camlimages-3.0.1-7.fc11.2 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/ocaml-camlimages-3.0.1-7.fc11.2

Robert @ Gentoo reported that upstream fixed similar integer overflows in gifread.c and jpegread.c for values that are used in memory allocations and memcpy(). A stripped-down [by Alexis Ballier] version of the patch is in Gentoo's BZ:
https://bugs.gentoo.org/show_bug.cgi?id=276235
https://bugs.gentoo.org/attachment.cgi?id=199108

ocaml-camlimages-3.0.1-7.fc11.2 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

ocaml-camlimages-3.0.1-3.fc10.2 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.

Long fixed ... Closing.
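The overflow-check discussion in the thread above, as an added C example that is not part of the camlimages patches or of this bug report. It does all arithmetic in uint32_t so the wraparound matches the 32-bit case the comments describe whatever the host word size, runs the first patch's test and the division-based test from comment #5 against the 0x10001 * 0x10001 counterexample, and applies the division-based test to the two products the thread names (the pixel-buffer size and sizeof(png_bytep) * height from comment 10). The function names, the stand-in for sizeof(png_bytep) and the sample dimensions are assumptions for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not camlimages code. Everything is computed in uint32_t
 * so the results match a 32-bit build regardless of the host's word size.
 * Function names are illustrative, not taken from the patch.
 */

/* The product as a 32-bit machine computes it: wraps modulo 2^32. */
uint32_t wrapped_mul(uint32_t x, uint32_t y)
{
    return x * y;
}

/*
 * The test from the first patch, as quoted in comment #5:
 *     (x) * (y) < (x) || (x) * (y) < (y)
 * Returns 1 when it believes the product overflowed. It only notices
 * wraparound that lands the product below one of the operands.
 */
int naive_overflow_check(uint32_t x, uint32_t y)
{
    uint32_t p = x * y;
    return p < x || p < y;
}

/*
 * The test suggested in comment #5:  y != 0 && x > MAX / y
 * The division cannot wrap, so the result is exact. The y != 0 guard
 * prevents division by zero and can be dropped when y is a sizeof().
 */
int mul_overflows_u32(uint32_t x, uint32_t y)
{
    return y != 0 && x > UINT32_MAX / y;
}

/*
 * Pixel-buffer size for a width x height image at bpp bytes per pixel,
 * built from two checked multiplications. Returns 1 and stores the byte
 * count in *out, or returns 0 if either step would exceed 32 bits.
 */
int pixel_buffer_size(uint32_t width, uint32_t height, uint32_t bpp,
                      uint32_t *out)
{
    if (mul_overflows_u32(width, bpp))
        return 0;
    uint32_t rowbytes = width * bpp;
    if (mul_overflows_u32(rowbytes, height))
        return 0;
    *out = rowbytes * height;
    return 1;
}

/*
 * The allocation named in comment 10: sizeof(png_bytep) * height.
 * ptr_size stands in for sizeof(png_bytep) (4 on a 32-bit build); it is
 * never zero, so the zero guard inside mul_overflows_u32 is redundant here.
 */
int row_pointers_size(uint32_t height, uint32_t ptr_size, uint32_t *out)
{
    if (mul_overflows_u32(height, ptr_size))
        return 0;
    *out = height * ptr_size;
    return 1;
}

int main(void)
{
    /* Constructed input: the counterexample from comment #5. */
    uint32_t w = 0x10001, h = 0x10001;
    printf("%#x * %#x wraps to %#x (%u bytes)\n", (unsigned)w, (unsigned)h,
           (unsigned)wrapped_mul(w, h), (unsigned)wrapped_mul(w, h));
    printf("naive check flags it: %d, division check flags it: %d\n",
           naive_overflow_check(w, h), mul_overflows_u32(w, h));

    uint32_t n = 0;
    int ok = pixel_buffer_size(1024, 768, 3, &n);
    printf("1024x768 at 3 bpp -> %s %u\n", ok ? "ok" : "overflow", (unsigned)n);

    /* height 2^30 with 4-byte pointers: exactly 2^32, must be rejected. */
    ok = row_pointers_size(0x40000000, 4, &n);
    printf("row pointers for height 2^30 -> %s\n", ok ? "ok" : "overflow");
    return 0;
}
```

On a 64-bit build the same products would not wrap in size_t, which is why the thread says the bug only manifests on 32-bit; the division-based check is still the portable form, and on GCC or Clang `__builtin_mul_overflow` gives the same answer without the manual division.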