Bug 727800 (CVE-2011-2896)
| Field | Value |
|---|---|
| Summary | CVE-2011-2896 David Koblas' GIF decoder LZW decoder buffer overflow |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Tomas Hoger <thoger> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | jlieskov, jpopelka, jrusnack, nphilipp, ppisar, security-response-team, twaugh, wade.colson |
| Keywords | Security |
| Doc Type | Bug Fix |
| Last Closed | 2014-06-23 08:35:57 UTC |
| Bug Depends On | 714118, 714127, 714128, 730338, 731944, 731951, 752118, 840067, 840068 |
| Bug Blocks | 714114, 714279, 734217, 734220, 742493 |
Description
Tomas Hoger
2011-08-03 09:22:38 UTC

Created attachment 516471 [details] giftoppm.c

Local copy of the giftoppm.c, extracted from pbmplus_10dec1991.tar.gz, available from:
http://www.acme.com/software/pbmplus/

---

Created attachment 516472 [details] Test case

From bug #714118, already public via http://cups.org/str.php?L3867

---

As noted above, this GIF reader code is used in several open source projects. Many of them have already corrected this bug, either by rejecting code > max_code, or by checking for stack[] overflow.

tk - code > max_code check
http://core.tcl.tk/tk/artifact/c0026f5eee240f40fe716e235d28c0818b981ab7

gd - stack overflow check
http://svn.php.net/viewvc/gd/trunk/libgd/src/gd_gif_in.c?revision=282370&view=markup#l512

gdk-pixbuf - stack overflow check
http://git.gnome.org/browse/gdk-pixbuf/tree/gdk-pixbuf/io-gif.c?id=f8569bb1#n656

CUPS was fixed recently (in 1.4.7) and now does code > max_code check
http://cups.org/str.php?L3867
svn diff -c 9840 http://svn.easysw.com/public/cups/

GIMP is still affected:
http://git.gnome.org/browse/gimp/tree/plug-ins/common/file-gif-load.c?id=8ff66342#n810

XPCE is still affected:
http://www.swi-prolog.org/git/packages/xpce.git/blob/876ce515:/src/img/gifread.c#l507

There are several other projects that contain very similar code, but their relationship to David Koblas' code is unclear. Mentioning them here for the sake of completeness. They contain a stack overflow check. They include libpr0n/mozilla/webkit code as well as Qt:
http://hg.mozilla.org/mozilla-central/file/c4b84b05c46c/modules/libpr0n/decoders/nsGIFDecoder2.cpp#l500
http://trac.webkit.org/browser/trunk/Source/WebCore/platform/image-decoders/gif/GIFImageReader.cpp?rev=75748#L309
http://qt.gitorious.org/qt/qt/blobs/4.5/src/plugins/imageformats/gif/qgifhandler.cpp#line484

---

(In reply to comment #4)
> CUPS was fixed recently (in 1.4.7) and now does code > max_code check
> http://cups.org/str.php?L3867
> svn diff -c 9840 http://svn.easysw.com/public/cups/

Additional change is required to fully address the problem in CUPS:
http://www.cups.org/str.php?L3914
svn diff -c 9865 http://svn.easysw.com/public/cups/

---

Making this public.

---

Created gimp tracking bugs for this issue

Affects: fedora-all [bug 730338]

---

(In reply to comment #4)
> GIMP is still affected:
> http://git.gnome.org/browse/gimp/tree/plug-ins/common/file-gif-load.c?id=8ff66342#n810

Upstream git commit:
http://git.gnome.org/browse/gimp/commit/plug-ins/common/file-gif-load.c?id=376ad788c1a1c31d40f18494889c383f6909ebfc

---

(In reply to comment #4)
>
> XPCE is still affected:
> http://www.swi-prolog.org/git/packages/xpce.git/blob/876ce515:/src/img/gifread.c#l507
>

I've sent a report to SWI Prolog bug tracking system (http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=7).

---

(In reply to comment #12)
> I've sent a report to SWI Prolog bug tracking system
> (http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=7).

Thank you! Upstream did the following commits to address the issue:

http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/bb328029beb148691edc031d9db9cf0a503c8247
http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/30fbc4e030cbef5871e1b96c31458116ce3e2ee8

Additionally, a CVE-2006-4484 / CVE-2007-6697 / CVE-2008-0553 / CVE-2008-0554 / CVE-2008-1373 / CVE-2011-2897 -like crash was corrected:

http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/785efb7b94d28c7dbb5b4f2b6f5a908092cf7652

---

Created pl tracking bugs for this issue

Affects: fedora-all [bug 731944]

---

Created cups tracking bugs for this issue

Affects: fedora-all [bug 731951]

---

(In reply to comment #14)
> (In reply to comment #12)
> > I've sent a report to SWI Prolog bug tracking system
> > (http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=7).
>
> Thank you! Upstream did the following commits to address the issue:
>
> http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/bb328029beb148691edc031d9db9cf0a503c8247
> http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/30fbc4e030cbef5871e1b96c31458116ce3e2ee8
>
> Additionally, a CVE-2006-4484 / CVE-2007-6697 / CVE-2008-0553 / CVE-2008-0554 /
> CVE-2008-1373 / CVE-2011-2897 -like crash was corrected:
>
> http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/785efb7b94d28c7dbb5b4f2b6f5a908092cf7652

After applying all three patches on 5.10.2 version from Fedora 15, and loading `Minimal test case with valid first code' test case, I get a segfault in PutImagePixels32(), a Xorg libXpm library, after 4 calls of LZWReadByte():

```
?- show('xpce-gif-CVE-2011-2896/giflzw-1-260-259-260-260-0-first_code_valid.gif').

Program received signal SIGSEGV, Segmentation fault.
0x000000376ca093c6 in PutImagePixels32 (pixels=0x8c2540, pixelindex=0x8c23a0, height=10, width=10, image=<optimized out>) at create.c:1384
1384        pixel = pixels[*(iptr++)];
(gdb) bt
#0  0x000000376ca093c6 in PutImagePixels32 (pixels=0x8c2540, pixelindex=0x8c23a0, height=10, width=10, image=<optimized out>) at create.c:1384
#1  XpmCreateImageFromXpmImage (display=0x8737d0, image=0x7fffffffd3e0, image_return=0x7fffffffd388, shapeimage_return=0x7fffffffd390, attributes=0x7fffffffd290) at create.c:881
#2  0x00007ffff15b5135 in attachXpmImageImage (image=0x8b3350, xpm=0x7fffffffd3e0) at x11/xconvert.c:468
#3  0x00007ffff15b5394 in readGIFFile (fd=0x8a6660, image=0x8b3350) at x11/xconvert.c:537
[...]
(gdb) info locals
data = 0x8c25c0 "\377\377\377"
y = <optimized out>
iptr = 0x8c23a8
pixel = <optimized out>
bpl = 40
data_ptr = 0x8c25c8 "\370T\031_7"
max_data = 0x8c25e8 ""
```

I guess this is because pl/xpce decodes the GIF image erroneously and the decoded image size does not match the image bitmap. However, this test case is private, so I cannot provide it to upstream.

---

Statement:

Vulnerable. This issue affects the versions of cups as shipped with Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this issue as having moderate security impact for the cups package. A future update may address this issue in the cups package for Red Hat Enterprise Linux 4, 5, and 6. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.

---

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2011:1635 https://rhn.redhat.com/errata/RHSA-2011-1635.html

---

(In reply to comment #8)
> Additional change is required to fully address the problem in CUPS:
> http://www.cups.org/str.php?L3914
> svn diff -c 9865 http://svn.easysw.com/public/cups/

Note this also got a separate CVE CVE-2011-3170, bug #732106.
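The two defensive checks that the comment listing the fixed projects describes (rejecting `code > max_code`, as tk and CUPS do, and bounding every push to `stack[]`, as gd and gdk-pixbuf do), as an added example that is not part of this bug report nor of any of the projects it links to. It is a simplified model of a Koblas-style GIF LZW decoder: the codes arrive already unpacked from the image sub-blocks as an `int` array (bit unpacking and the variable code width are left out), and the function and status names (`lzw_decode_codes`, `LZW_BAD_CODE` and the rest) are this example's own. The two sample code streams are constructed; the second one contains a code past the end of the string table and must be refused rather than decoded.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LZW_BITS 12                  /* GIF LZW codes are at most 12 bits */
#define TABLE_SIZE   (1 << MAX_LZW_BITS)
#define STACK_SIZE   (TABLE_SIZE * 2)    /* sized like the Koblas stack[] */
/* Status values of this example's decoder (names are this example's own). */
enum { LZW_OK = 0, LZW_BAD_CODE = -1, LZW_STACK_OVERFLOW = -2, LZW_OUTPUT_FULL = -3 };

/* Decode already unpacked LZW codes into pixels.  Sub-block framing and the
 * variable code width of a real GIF stream are left out: codes[] is the stream
 * after bit unpacking and min_code_size is the GIF root code size.
 * Returns LZW_OK and sets *out_len, or a negative status. */
int lzw_decode_codes(const int *codes, size_t ncodes, int min_code_size,
                     unsigned char *out, size_t out_cap, size_t *out_len)
{
    int prefix[TABLE_SIZE];
    unsigned char suffix[TABLE_SIZE], stack[STACK_SIZE];
    size_t sp = 0, n = 0, k;
    int clear_code, end_code, max_code, firstcode = 0, oldcode = -1, i;
    if (min_code_size < 1 || min_code_size > MAX_LZW_BITS - 1) return LZW_BAD_CODE;
    clear_code = 1 << min_code_size;
    end_code   = clear_code + 1;
    max_code   = clear_code + 2;                 /* first unused table slot */
    for (i = 0; i < clear_code; i++)             /* root entries are literals */
        prefix[i] = -1, suffix[i] = (unsigned char)i;
    for (k = 0; k < ncodes; k++) {
        int code = codes[k], incode = code;
        if (code == clear_code) {                /* reset the string table */
            max_code = clear_code + 2;
            oldcode = -1;
            continue;
        }
        if (code == end_code) break;
        if (code < 0 || code >= TABLE_SIZE) return LZW_BAD_CODE;
        if (oldcode < 0) {                       /* first code after a clear: a literal */
            if (code >= clear_code) return LZW_BAD_CODE;
            if (n >= out_cap) return LZW_OUTPUT_FULL;
            out[n++] = suffix[code];
            firstcode = oldcode = code;
            continue;
        }
        /* Check 1 (the tk / CUPS fix): only max_code itself, the KwKwK case, may
         * name a string not yet in the table; anything above it is rejected. */
        if (code > max_code) return LZW_BAD_CODE;
        if (code == max_code) {
            stack[sp++] = (unsigned char)firstcode;
            code = oldcode;
        }
        /* Walk the prefix chain onto the expansion stack.  Check 2 (the gd /
         * gdk-pixbuf fix): never push past the end of stack[]. */
        for (;;) {
            if (sp >= STACK_SIZE) return LZW_STACK_OVERFLOW;
            stack[sp++] = suffix[code];
            if (code < clear_code) break;        /* reached the root literal */
            code = prefix[code];
        }
        firstcode = code;
        while (sp > 0) {                         /* emit in forward order */
            if (n >= out_cap) return LZW_OUTPUT_FULL;
            out[n++] = stack[--sp];
        }
        if (max_code < TABLE_SIZE) {             /* new entry: old string + first pixel */
            prefix[max_code] = oldcode;
            suffix[max_code] = (unsigned char)firstcode;
            max_code++;
        }
        oldcode = incode;
    }
    *out_len = n;
    return LZW_OK;
}

/* Constructed sample streams, root code size 2 (clear = 4, end = 5). */
static const int VALID_CODES[] = { 4, 1, 6, 6, 2, 5 };        /* pixels 1 1 1 1 1 2 */
static const unsigned char VALID_PIXELS[] = { 1, 1, 1, 1, 1, 2 };
static const int BAD_CODES[] = { 4, 1, 9, 5 };                /* 9 > max_code (6) */

/* Decode the valid sample; returns its pixel count (6) or a negative status. */
int demo_valid_stream(void)
{
    unsigned char out[16];
    size_t len = 0;
    int st = lzw_decode_codes(VALID_CODES, 6, 2, out, sizeof out, &len);
    if (st != LZW_OK) return st;
    return (len == 6 && memcmp(out, VALID_PIXELS, 6) == 0) ? (int)len : -99;
}

/* Decode the malformed sample; the decoder must refuse the out-of-range code. */
int demo_rejected_stream(void)
{
    unsigned char out[16];
    size_t len = 0;
    return lzw_decode_codes(BAD_CODES, 4, 2, out, sizeof out, &len);
}
int main(void)
{
    printf("valid: %d pixels, malformed: status %d\n", demo_valid_stream(), demo_rejected_stream());
    return 0;
}
```

With check 1 in place every table entry's prefix index is strictly smaller than the entry itself, so a prefix chain can never loop and check 2 never fires; it stays in as a second, independent bound on the only write into `stack[]`, which is the cheap defence-in-depth the gd and gdk-pixbuf fixes chose.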
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2012:0302 https://rhn.redhat.com/errata/RHSA-2012-0302.html

---

This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2012:1180 https://rhn.redhat.com/errata/RHSA-2012-1180.html

---

This issue has been addressed in the following products:

Red Hat Enterprise Linux 5

Via RHSA-2012:1181 https://rhn.redhat.com/errata/RHSA-2012-1181.html

---

*** Bug 260998 has been marked as a duplicate of this bug. ***

---

Affected code is also part of pl as shipped with Red Hat Enterprise Linux 6. That package is only provided via the Optional repository with limited support; there is currently no plan to address this issue in future pl package updates in Red Hat Enterprise Linux 6.