Bug 727800 (CVE-2011-2896)

Summary: CVE-2011-2896 David Koblas' GIF decoder LZW decoder buffer overflow
Product: [Other] Security Response
Reporter: Tomas Hoger <thoger>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: jlieskov, jpopelka, jrusnack, nphilipp, ppisar, security-response-team, twaugh, wade.colson
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-06-23 08:35:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 714118, 714127, 714128, 730338, 731944, 731951, 752118, 840067, 840068
Bug Blocks: 714114, 714279, 734217, 734220, 742493
Attachments:
  giftoppm.c (flags: none)
  Test case (flags: none)

Description Tomas Hoger 2011-08-03 09:22:38 UTC
GIF image file format readers in various open source projects are based on the GIF decoder implementation written by David Koblas.  This implementation contains a bug in the LZW decompressor, causing it to incorrectly handle compressed streams that contain code words that were not yet added to the decompression table.  LZW decompression has a special case (a KwKwK string) when a code word may match the first free entry in the decompression table.  The implementation used in this GIF reading code allows code words not only matching, but also exceeding the first free entry.

This problem is identical to a bug found in BSD compress (CVE-2011-2895, bug #727624), but given the unclear relationship between BSD compress and GIF decoder code bases, a separate CVE is used here.

Several projects refer to pbmplus as the source form where GIF reading code was taken:

http://www.acme.com/software/pbmplus/

In pbmplus version of the code, the flaw can be found in LWZReadByte():

        if (code >= max_code) {
            *sp++ = firstcode;
            code = oldcode;
        }

This allows creating a loop in the decompression table, which leads to an "infinite" loop:

        while (code >= clear_code) {
            *sp++ = table[1][code];
            if (code == table[0][code])
                pm_error("circular table entry BIG ERROR");
            code = table[0][code];
        }

where:

  #define MAX_LWZ_BITS        12
  static int  table[2][(1<< MAX_LWZ_BITS)];
  static int  stack[(1<<(MAX_LWZ_BITS))*2], *sp;
  sp = stack;

This results in stack[] buffer overflow.  If table[][] is located above stack[], stack[] overflow may further modify decoding table and break infinite loop.
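The KwKwK special case and the check the Koblas decoder gets wrong, as an added example written for this page (not code from pbmplus or any of the projects listed): a table-walking LZW decoder that accepts a code word only when it is already defined or is exactly the first free entry, and returns an error for anything beyond it. It assumes the code words have already been unpacked from the GIF bit stream; demo_decode and its 2-bit root size are constructed for illustration.

```c
#define MAX_LWZ_BITS 12
#define TABLE_SIZE   (1 << MAX_LWZ_BITS)
/* Decode GIF LZW code words already unpacked from the bit stream
 * (min_code_size is the GIF "LZW minimum code size").  Decoded bytes go to
 * out[]; returns the byte count, or -1 for a malformed stream.  Unlike the
 * Koblas decoder, a code word is accepted only if it is already in the
 * table or is exactly the first free entry (the KwKwK case). */
int lzw_decode_codes(int min_code_size, const int *codes, int ncodes,
                     unsigned char *out, int outcap)
{
    int prefix[TABLE_SIZE];
    unsigned char suffix[TABLE_SIZE], stack[2 * TABLE_SIZE];
    int clear_code = 1 << min_code_size, end_code = clear_code + 1;
    int max_code = clear_code + 2;          /* first free table entry */
    int oldcode = -1, firstcode = 0, outlen = 0;
    for (int i = 0; i < clear_code; i++) { prefix[i] = -1; suffix[i] = (unsigned char)i; }
    for (int n = 0; n < ncodes; n++) {
        int code = codes[n], incode = code, sp = 0;
        if (code == clear_code) { max_code = clear_code + 2; oldcode = -1; continue; }
        if (code == end_code) break;
        /* The check the vulnerable decoder lacks: a code past the first free
         * entry, or a KwKwK code with no previous string, is rejected. */
        if (code < 0 || code >= TABLE_SIZE || code > max_code ||
            (code == max_code && oldcode == -1))
            return -1;
        if (code == max_code) {             /* KwKwK: old string + its first byte */
            stack[sp++] = (unsigned char)firstcode;
            code = oldcode;
        }
        while (code >= clear_code) {        /* prefix[code] < code, so this ends */
            stack[sp++] = suffix[code];
            code = prefix[code];
        }
        firstcode = code;                   /* root code: the string's first byte */
        stack[sp++] = (unsigned char)firstcode;
        if (outlen + sp > outcap) return -1;
        while (sp > 0) out[outlen++] = stack[--sp];
        if (oldcode != -1 && max_code < TABLE_SIZE) {
            prefix[max_code] = oldcode;
            suffix[max_code] = (unsigned char)firstcode;
            max_code++;
        }
        oldcode = incode;
    }
    return outlen;
}
/* Constructed wrapper for the checks: decode 2-bit-root codes into a static buffer. */
unsigned char demo_out[64];
int demo_decode(const int *codes, int ncodes)
{ return lzw_decode_codes(2, codes, ncodes, demo_out, sizeof demo_out); }
```

With a 2-bit root size the clear code is 4, the end code is 5 and the first free entry is 6, so a stream such as 4, 1, 6, 7, 5 exercises two consecutive KwKwK strings, while 4, 1, 7, 5 references an entry past the first free one and is rejected.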

Comment 1 Tomas Hoger 2011-08-03 09:25:13 UTC
Created attachment 516471 [details]
giftoppm.c

Local copy of the giftoppm.c, extracted from pbmplus_10dec1991.tar.gz, available from: http://www.acme.com/software/pbmplus/

Comment 2 Tomas Hoger 2011-08-03 09:26:41 UTC
Created attachment 516472 [details]
Test case

From bug #714118, already public via http://cups.org/str.php?L3867

Comment 4 Tomas Hoger 2011-08-03 10:09:02 UTC
As noted above, this GIF reader code is used in several open source projects.  Many of them have already corrected this bug, either by rejecting code > max_code, or by checking for stack[] overflow.

tk - code > max_code check
http://core.tcl.tk/tk/artifact/c0026f5eee240f40fe716e235d28c0818b981ab7

gd - stack overflow check
http://svn.php.net/viewvc/gd/trunk/libgd/src/gd_gif_in.c?revision=282370&view=markup#l512

gdk-pixbuf - stack overflow check
http://git.gnome.org/browse/gdk-pixbuf/tree/gdk-pixbuf/io-gif.c?id=f8569bb1#n656

CUPS was fixed recently (in 1.4.7) and now does code > max_code check
http://cups.org/str.php?L3867
svn diff -c 9840 http://svn.easysw.com/public/cups/

GIMP is still affected:
http://git.gnome.org/browse/gimp/tree/plug-ins/common/file-gif-load.c?id=8ff66342#n810

XPCE is still affected:
http://www.swi-prolog.org/git/packages/xpce.git/blob/876ce515:/src/img/gifread.c#l507

There are several other projects that contain very similar code, but their relationship to David Koblas' code is unclear.  Mentioning them here for the sake of completeness.  They contain a stack overflow check.  They include libpr0n/mozilla/webkit code as well as Qt:
http://hg.mozilla.org/mozilla-central/file/c4b84b05c46c/modules/libpr0n/decoders/nsGIFDecoder2.cpp#l500
http://trac.webkit.org/browser/trunk/Source/WebCore/platform/image-decoders/gif/GIFImageReader.cpp?rev=75748#L309
http://qt.gitorious.org/qt/qt/blobs/4.5/src/plugins/imageformats/gif/qgifhandler.cpp#line484

Comment 8 Tomas Hoger 2011-08-07 19:15:09 UTC
(In reply to comment #4)
> CUPS was fixed recently (in 1.4.7) and now does code > max_code check
> http://cups.org/str.php?L3867
> svn diff -c 9840 http://svn.easysw.com/public/cups/

An additional change is required to fully address the problem in CUPS:
http://www.cups.org/str.php?L3914
svn diff -c 9865 http://svn.easysw.com/public/cups/

Comment 9 Tomas Hoger 2011-08-10 18:14:09 UTC
Making this public.

Comment 10 Josh Bressers 2011-08-12 14:25:18 UTC
Created gimp tracking bugs for this issue

Affects: fedora-all [bug 730338]

Comment 12 Petr Pisar 2011-08-18 09:25:31 UTC
(In reply to comment #4)
> 
> XPCE is still affected:
> http://www.swi-prolog.org/git/packages/xpce.git/blob/876ce515:/src/img/gifread.c#l507
> 
I've sent a report to SWI Prolog bug tracking system
(http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=7).

Comment 15 Tomas Hoger 2011-08-19 08:08:21 UTC
Created pl tracking bugs for this issue

Affects: fedora-all [bug 731944]

Comment 16 Tomas Hoger 2011-08-19 08:54:47 UTC
Created cups tracking bugs for this issue

Affects: fedora-all [bug 731951]

Comment 17 Petr Pisar 2011-08-19 13:59:41 UTC
(In reply to comment #14)
> (In reply to comment #12)
> > I've sent a report to SWI Prolog bug tracking system
> > (http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=7).
> 
> Thank you!  Upstream did following commits to address the issue:
> 
> http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/bb328029beb148691edc031d9db9cf0a503c8247
> http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/30fbc4e030cbef5871e1b96c31458116ce3e2ee8
> 
> Additionally, a CVE-2006-4484 / CVE-2007-6697 / CVE-2008-0553 / CVE-2008-0554 /
> CVE-2008-1373 / CVE-2011-2897 -like crash was corrected:
> 
> http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/785efb7b94d28c7dbb5b4f2b6f5a908092cf7652

After applying all three patches on the 5.10.2 version from Fedora 15, and loading the `Minimal test case with valid first code' test case, I get a segfault in PutImagePixels32() in the Xorg libXpm library, after 4 calls to LZWReadByte():

?- show('xpce-gif-CVE-2011-2896/giflzw-1-260-259-260-260-0-first_code_valid.gif').

Program received signal SIGSEGV, Segmentation fault.
0x000000376ca093c6 in PutImagePixels32 (pixels=0x8c2540, pixelindex=0x8c23a0, 
    height=10, width=10, image=<optimized out>) at create.c:1384
1384                    pixel = pixels[*(iptr++)];
(gdb) bt
#0  0x000000376ca093c6 in PutImagePixels32 (pixels=0x8c2540, 
    pixelindex=0x8c23a0, height=10, width=10, image=<optimized out>)
    at create.c:1384
#1  XpmCreateImageFromXpmImage (display=0x8737d0, image=0x7fffffffd3e0, 
    image_return=0x7fffffffd388, shapeimage_return=0x7fffffffd390, 
    attributes=0x7fffffffd290) at create.c:881
#2  0x00007ffff15b5135 in attachXpmImageImage (image=0x8b3350, 
    xpm=0x7fffffffd3e0) at x11/xconvert.c:468
#3  0x00007ffff15b5394 in readGIFFile (fd=0x8a6660, image=0x8b3350)
    at x11/xconvert.c:537
[...]

(gdb) info locals 
data = 0x8c25c0 "\377\377\377"
y = <optimized out>
iptr = 0x8c23a8
pixel = <optimized out>
bpl = 40
data_ptr = 0x8c25c8 "\370T\031_7"
max_data = 0x8c25e8 ""

I guess this is because pl/xpce decodes the GIF image erroneously and the decoded image size does not match the image bitmap. However, this test case is private, so I cannot provide it to upstream.

Comment 18 Jan Lieskovsky 2011-11-08 15:40:16 UTC
Statement:

Vulnerable. This issue affects the versions of cups as shipped with Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this issue as having moderate security impact for the cups package. A future update may address this issue in the cups package for Red Hat Enterprise Linux 4, 5, and 6. For additional information, refer to the Issue Severity Classification:
https://access.redhat.com/security/updates/classification/.

Comment 20 errata-xmlrpc 2011-12-06 15:28:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1635 https://rhn.redhat.com/errata/RHSA-2011-1635.html

Comment 21 Tomas Hoger 2012-02-13 16:03:04 UTC
(In reply to comment #8)
> Additional change is required to fully address the problem in CUPS:
> http://www.cups.org/str.php?L3914
> svn diff -c 9865 http://svn.easysw.com/public/cups/

Note this also got a separate CVE CVE-2011-3170, bug #732106.

Comment 22 errata-xmlrpc 2012-02-21 03:09:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:0302 https://rhn.redhat.com/errata/RHSA-2012-0302.html

Comment 26 errata-xmlrpc 2012-08-20 13:34:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1180 https://rhn.redhat.com/errata/RHSA-2012-1180.html

Comment 27 errata-xmlrpc 2012-08-20 13:45:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5

Via RHSA-2012:1181 https://rhn.redhat.com/errata/RHSA-2012-1181.html

Comment 28 Wade Colson 2014-04-15 23:00:57 UTC
*** Bug 260998 has been marked as a duplicate of this bug. ***

Comment 29 Tomas Hoger 2014-06-23 08:35:57 UTC
Affected code is also part of pl as shipped with Red Hat Enterprise Linux 6.  That package is only provided via the Optional repository with limited support; there is currently no plan to address this issue in future pl package updates in Red Hat Enterprise Linux 6.