Bug 727800 (CVE-2011-2896)

Summary: CVE-2011-2896 David Koblas' GIF decoder LZW decoder buffer overflow
Product: [Other] Security Response Reporter: Tomas Hoger <thoger>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jlieskov, jpopelka, jrusnack, nphilipp, ppisar, security-response-team, twaugh, wade.colson
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: public=20110810,reported=20110617,source=redhat,impact=moderate,cvss2=5.1/AV:N/AC:H/Au:N/C:P/I:P/A:P,rhel-4/cups=wontfix/impact=low/cvss2=4.3/AV:A/AC:H/Au:N/C:P/I:P/A:P,rhel-5/cups=affected/impact=low/cvss2=4.3/AV:A/AC:H/Au:N/C:P/I:P/A:P,rhel-6/cups=affected/impact=low/cvss2=4.3/AV:A/AC:H/Au:N/C:P/I:P/A:P,fedora-all/cups=affected/impact=low/cvss2=4.3/AV:A/AC:H/Au:N/C:P/I:P/A:P,rhel-4/gimp=wontfix,rhel-5/gimp=affected,rhel-6/gimp=affected,fedora-all/gimp=affected,rhel-6/pl=wontfix/impact=low,fedora-all/pl=affected/impact=low,rhel-6/ocaml=wontfix,fedora-all/ocaml=notaffected,rhel-4/gtk2=notaffected,rhel-5/gtk2=notaffected,rhel-6/gtk2=notaffected,fedora-all/gtk2=notaffected,rhel-4/gdk-pixbuf=notaffected,rhel-5/gdk-pixbuf=notaffected,fedora-all/gdk-pixbuf=notaffected,rhel-4/gd=notaffected,rhel-5/gd=notaffected,rhel-6/gd=notaffected,fedora-all/gd=notaffected,rhel-4/php=notaffected,rhel-5/php=notaffected,rhel-5/php53=notaffected,rhel-6/php=notaffected,fedora-all/php=notaffected,rhel-4/tk=notaffected,rhel-5/tk=notaffected,rhel-6/tk=notaffected,fedora-all/tk=notaffected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-23 04:35:57 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 714118, 714127, 714128, 730338, 731944, 731951, 752118, 840067, 840068    
Bug Blocks: 714114, 714279, 734217, 734220, 742493    
Attachments:
Description Flags
giftoppm.c
none
Test case none

Description Tomas Hoger 2011-08-03 05:22:38 EDT
GIF image file format readers in various open source projects are based on the GIF decoder implementation written by David Koblas.  This implementation contains a bug in the LZW decompressor, causing it to in correctly handle compressed streams that contain code words that were not yet added to the decompression table.  LZW decompression has a special case (a KwKwK string) when code word may match the first free entry in the decompression table.  The implementation used in this GIF reading code allows code words not only matching, but also exceeding the first free entry.

This problem is identical to a bug found in BSD compress (CVE-2011-2895, bug #727624), but given the unclear relationship between BSD compress and GIF decoder code bases, separate CVE is used here.

Several projects refer to pbmplus as the source form where GIF reading code was taken:

http://www.acme.com/software/pbmplus/

In pbmplus version of the code, the flaw can be found in LWZReadByte():

        if (code >= max_code) {
            *sp++ = firstcode;
            code = oldcode;
        }

This allows creating a loop in the decompression table, which leads to an "infinite" loop:

        while (code >= clear_code) {
            *sp++ = table[1][code];
            if (code == table[0][code])
                pm_error("circular table entry BIG ERROR");
            code = table[0][code];
        }

where:

  #define MAX_LWZ_BITS        12
  static int  table[2][(1<< MAX_LWZ_BITS)];
  static int  stack[(1<<(MAX_LWZ_BITS))*2], *sp;
  sp = stack;

This results in stack[] buffer overflow.  If table[][] is located above stack[], stack[] overflow may further modify decoding table and break infinite loop.
Comment 1 Tomas Hoger 2011-08-03 05:25:13 EDT
Created attachment 516471 [details]
giftoppm.c

Local copy of the giftoppm.c, extracted from pbmplus_10dec1991.tar.gz, available from: http://www.acme.com/software/pbmplus/
Comment 2 Tomas Hoger 2011-08-03 05:26:41 EDT
Created attachment 516472 [details]
Test case

From bug #714118, already public via http://cups.org/str.php?L3867
Comment 4 Tomas Hoger 2011-08-03 06:09:02 EDT
As noted above, this GIF reader code is used in several open source projects.  Many of them have already correct this bug, either by rejecting code > max_code, or by checking for stack[] overflow.

tk - code > max_code check
http://core.tcl.tk/tk/artifact/c0026f5eee240f40fe716e235d28c0818b981ab7

gd - stack overflow check
http://svn.php.net/viewvc/gd/trunk/libgd/src/gd_gif_in.c?revision=282370&view=markup#l512

gdk-pixbuf - stack overflow check
http://git.gnome.org/browse/gdk-pixbuf/tree/gdk-pixbuf/io-gif.c?id=f8569bb1#n656

CUPS was fixed recently (in 1.4.7) and now does code > max_code check
http://cups.org/str.php?L3867
svn diff -c 9840 http://svn.easysw.com/public/cups/

GIMP is still affected:
http://git.gnome.org/browse/gimp/tree/plug-ins/common/file-gif-load.c?id=8ff66342#n810

XPCE is still affected:
http://www.swi-prolog.org/git/packages/xpce.git/blob/876ce515:/src/img/gifread.c#l507

There are several other projects that contain very similar code, but their relationship to David Koblas' code is unclear.  Mentioning them here for the sake of completeness.  They contain stack overflow check.  They include libpr0n/mozilla/webkit code as well as Qt:
http://hg.mozilla.org/mozilla-central/file/c4b84b05c46c/modules/libpr0n/decoders/nsGIFDecoder2.cpp#l500
http://trac.webkit.org/browser/trunk/Source/WebCore/platform/image-decoders/gif/GIFImageReader.cpp?rev=75748#L309
http://qt.gitorious.org/qt/qt/blobs/4.5/src/plugins/imageformats/gif/qgifhandler.cpp#line484
Comment 8 Tomas Hoger 2011-08-07 15:15:09 EDT
(In reply to comment #4)
> CUPS was fixed recently (in 1.4.7) and now does code > max_code check
> http://cups.org/str.php?L3867
> svn diff -c 9840 http://svn.easysw.com/public/cups/

Additional change is required to fully address the problem in CUPS:
http://www.cups.org/str.php?L3914
svn diff -c 9865 http://svn.easysw.com/public/cups/
Comment 9 Tomas Hoger 2011-08-10 14:14:09 EDT
Making this public.
Comment 10 Josh Bressers 2011-08-12 10:25:18 EDT
Created gimp tracking bugs for this issue

Affects: fedora-all [bug 730338]
Comment 12 Petr Pisar 2011-08-18 05:25:31 EDT
(In reply to comment #4)
> 
> XPCE is still affected:
> http://www.swi-prolog.org/git/packages/xpce.git/blob/876ce515:/src/img/gifread.c#l507
> 
I've sent a report to SWI Prolog bug tracking system
(http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=7).
Comment 15 Tomas Hoger 2011-08-19 04:08:21 EDT
Created pl tracking bugs for this issue

Affects: fedora-all [bug 731944]
Comment 16 Tomas Hoger 2011-08-19 04:54:47 EDT
Created cups tracking bugs for this issue

Affects: fedora-all [bug 731951]
Comment 17 Petr Pisar 2011-08-19 09:59:41 EDT
(In reply to comment #14)
> (In reply to comment #12)
> > I've sent a report to SWI Prolog bug tracking system
> > (http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=7).
> 
> Thank you!  Upstream did following commits to address the issue:
> 
> http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/bb328029beb148691edc031d9db9cf0a503c8247
> http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/30fbc4e030cbef5871e1b96c31458116ce3e2ee8
> 
> Additionally, a CVE-2006-4484 / CVE-2007-6697 / CVE-2008-0553 / CVE-2008-0554 /
> CVE-2008-1373 / CVE-2011-2897 -like crash was corrected:
> 
> http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/785efb7b94d28c7dbb5b4f2b6f5a908092cf7652

After applying all three patches on 5.10.2 version from Fedora 15, and loading `Minimal test case with valid first code' test case, I get segfault in PutImagePixels32(), a Xorg libXpm library, after 4 calls of LZWReadByte():

?- show('xpce-gif-CVE-2011-2896/giflzw-1-260-259-260-260-0-first_code_valid.gif').

Program received signal SIGSEGV, Segmentation fault.
0x000000376ca093c6 in PutImagePixels32 (pixels=0x8c2540, pixelindex=0x8c23a0, 
    height=10, width=10, image=<optimized out>) at create.c:1384
1384                    pixel = pixels[*(iptr++)];
(gdb) bt
#0  0x000000376ca093c6 in PutImagePixels32 (pixels=0x8c2540, 
    pixelindex=0x8c23a0, height=10, width=10, image=<optimized out>)
    at create.c:1384
#1  XpmCreateImageFromXpmImage (display=0x8737d0, image=0x7fffffffd3e0, 
    image_return=0x7fffffffd388, shapeimage_return=0x7fffffffd390, 
    attributes=0x7fffffffd290) at create.c:881
#2  0x00007ffff15b5135 in attachXpmImageImage (image=0x8b3350, 
    xpm=0x7fffffffd3e0) at x11/xconvert.c:468
#3  0x00007ffff15b5394 in readGIFFile (fd=0x8a6660, image=0x8b3350)
    at x11/xconvert.c:537
[...]

(gdb) info locals 
data = 0x8c25c0 "\377\377\377"
y = <optimized out>
iptr = 0x8c23a8
pixel = <optimized out>
bpl = 40
data_ptr = 0x8c25c8 "\370T\031_7"
max_data = 0x8c25e8 ""

I guess this is because pl/xpce decodes the GIF image erroneously and decoded image size does not match image bitmap. However this test case is private, so I cannot provide it to upstream.
Comment 18 Jan Lieskovsky 2011-11-08 10:40:16 EST
Statement:

Vulnerable. This issue affects the versions of cups as shipped with Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this issue as having moderate security impact for the cups package. A future update may address this issue in the cups package for Red Hat Enterprise Linux 4, 5, and 6. For additional information, refer to the Issue Severity Classification:
https://access.redhat.com/security/updates/classification/.
Comment 20 errata-xmlrpc 2011-12-06 10:28:56 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1635 https://rhn.redhat.com/errata/RHSA-2011-1635.html
Comment 21 Tomas Hoger 2012-02-13 11:03:04 EST
(In reply to comment #8)
> Additional change is required to fully address the problem in CUPS:
> http://www.cups.org/str.php?L3914
> svn diff -c 9865 http://svn.easysw.com/public/cups/

Note this also got a separate CVE CVE-2011-3170, bug #732106.
Comment 22 errata-xmlrpc 2012-02-20 22:09:57 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0302 https://rhn.redhat.com/errata/RHSA-2012-0302.html
Comment 26 errata-xmlrpc 2012-08-20 09:34:30 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1180 https://rhn.redhat.com/errata/RHSA-2012-1180.html
Comment 27 errata-xmlrpc 2012-08-20 09:45:06 EDT
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1181 https://rhn.redhat.com/errata/RHSA-2012-1181.html
Comment 28 Wade Colson 2014-04-15 19:00:57 EDT
*** Bug 260998 has been marked as a duplicate of this bug. ***
Seen from the domain http://volichat.com
Page where seen: http://volichat.com/teen-chat-rooms
Marked for reference. Resolved as fixed @bugzilla.
Comment 29 Tomas Hoger 2014-06-23 04:35:57 EDT
Affected code is also part of pl as shipped with Red Hat Enterprise Linux 6.  That package is only provided via Optional repository with limited support, there is currently no plan to address this issue in future pl package updates in Red Hat Enterprise Linux 6.