Bug 951257 (CVE-2013-1953)

Summary: CVE-2013-1953 autotrace: buffer overflow when parsing BMP files
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: jlieskov, jrusnack, jskarvad, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20130416,reported=20130410,source=redhat,cvss2=2.1/AV:L/AC:L/Au:N/C:N/I:N/A:P,fedora-all/autotrace=affected,rhel-6/autotrace=wontfix,rhel-7/autotrace=notaffected
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-22 03:00:12 EDT Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 952668, 979244    
Bug Blocks: 951258    
Description Flags
Proposed fix sent upstream none

Description Vincent Danen 2013-04-11 16:46:39 EDT
A buffer overflow flaw was reported in autotrace's input_bmp_reader() function.  When autotrace is compiled with FORTIFY_SOURCE, this is caught and turned into a simple denial of service.  As reported:

In input-bmp.c, the input_bmp_reader() function creates a buffer on the 

91 unsigned char buffer[64];

Later on

169 else if (Bitmap_File_Head.biSize <= 64) /* Probably OS/2 2.x */
170 {
171 if (!ReadOK (fd, buffer, Bitmap_File_Head.biSize - 4))

We control Bitmap_File_Head.biSize. A value of 0 meets the <=64 
requirements, and 0 - 4 should result in almost 4294967295 bytes being 
read into the buffer.
Comment 1 Vincent Danen 2013-04-12 01:05:00 EDT

This issue was discovered by Murray McAllister of Red Hat Security Response Team.
Comment 2 Jan Lieskovsky 2013-04-16 08:00:52 EDT
The CVE identifier of CVE-2013-1953 has been assigned to this issue:
Comment 3 Jan Lieskovsky 2013-04-16 08:03:15 EDT
Created autotrace tracking bugs for this issue

Affects: fedora-all [bug 952668]
Comment 5 Jaroslav Škarvada 2013-06-28 04:26:45 EDT
Created attachment 766451 [details]
Proposed fix sent upstream
Comment 6 Fedora Update System 2013-07-08 21:40:38 EDT
autotrace-0.31.1-34.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 7 Fedora Update System 2013-07-08 21:41:14 EDT
autotrace-0.31.1-34.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.