Bug 951257 (CVE-2013-1953)

Summary: CVE-2013-1953 autotrace: buffer overflow when parsing BMP files
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jlieskov, jrusnack, jskarvad, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-22 07:00:12 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 952668, 979244    
Bug Blocks: 951258    
Attachments:
Description Flags
Proposed fix sent upstream none

Description Vincent Danen 2013-04-11 20:46:39 UTC 
A buffer overflow flaw was reported in autotrace's input_bmp_reader() function.  When autotrace is compiled with FORTIFY_SOURCE, this is caught and turned into a simple denial of service.  As reported:

In input-bmp.c, the input_bmp_reader() function creates a buffer on the 
stack:

91 unsigned char buffer[64];

Later on

169 else if (Bitmap_File_Head.biSize <= 64) /* Probably OS/2 2.x */
170 {
171 if (!ReadOK (fd, buffer, Bitmap_File_Head.biSize - 4))

We control Bitmap_File_Head.biSize. A value of 0 meets the <=64 
requirements, and 0 - 4 should result in almost 4294967295 bytes being 
read into the buffer.
Comment 1 Vincent Danen 2013-04-12 05:05:00 UTC 
Acknowledgements:

This issue was discovered by Murray McAllister of Red Hat Security Response Team.
Comment 2 Jan Lieskovsky 2013-04-16 12:00:52 UTC 
The CVE identifier of CVE-2013-1953 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2013/04/16/3
Comment 3 Jan Lieskovsky 2013-04-16 12:03:15 UTC 
Created autotrace tracking bugs for this issue

Affects: fedora-all [bug 952668]
Comment 5 Jaroslav Škarvada 2013-06-28 08:26:45 UTC 
Created attachment 766451 [details]
Proposed fix sent upstream
Comment 6 Fedora Update System 2013-07-09 01:40:38 UTC 
autotrace-0.31.1-34.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-07-09 01:41:14 UTC 
autotrace-0.31.1-34.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.