Bug 1652610 - There is a heap-buffer-overflow at liblas::SpatialReference::GetGTIF()(src/spatialreference.cpp:518) in libLAS while will cause dos attack.
Summary: There is a heap-buffer-overflow at liblas::SpatialReference::GetGTIF()(src/sp...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: liblas
Version: 31
Hardware: All
OS: All
unspecified
urgent
Target Milestone: ---
Assignee: Sandro Mani
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-11-22 13:15 UTC by shuitao gan
Modified: 2020-04-25 03:00 UTC (History)
1 user (show)

Fixed In Version: liblas-1.8.1-5.fc32 liblas-1.8.1-5.fc31
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-04-25 02:22:29 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)
./las2pg POC1 (440 bytes, application/octet-stream)
2018-11-22 13:15 UTC, shuitao gan 		no flags Details
View All

Description shuitao gan 2018-11-22 13:15:05 UTC 
Created attachment 1507936 [details]
./las2pg POC1

version: libLAS2.4
Summary: 

There is a heap-buffer-overflow at liblas::SpatialReference::GetGTIF()(src/spatialreference.cpp:518) in libLAS while will cause dos attack.

Description:

The gdb debug is as follows:

$./las2pg POC1 

=================================================================
==40200==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000e400 at pc 0x7ff597100d95 bp 0x7fff485354b0 sp 0x7fff48534c58
READ of size 262208 at 0x60600000e400 thread T0
    #0 0x7ff597100d94 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cd94)
    #1 0x7ff596bf5ffd in ST_SetKey (/usr/lib/x86_64-linux-gnu/libgeotiff.so.2+0x16ffd)
    #2 0x7ff595c23475 in liblas::SpatialReference::GetGTIF() /home/company/real_sanitize/libLAS-master/src/spatialreference.cpp:518
    #3 0x7ff595c25681 in liblas::SpatialReference::SpatialReference(std::vector<liblas::VariableRecord, std::allocator<liblas::VariableRecord> > const&) /home/company/real_sanitize/libLAS-master/src/spatialreference.cpp:102
    #4 0x7ff595c7bd58 in liblas::detail::reader::Header::ReadVLRs() /home/company/real_sanitize/libLAS-master/src/detail/reader/header.cpp:389
    #5 0x7ff595c7f53d in liblas::detail::reader::Header::ReadHeader() /home/company/real_sanitize/libLAS-master/src/detail/reader/header.cpp:272
    #6 0x7ff595bc91f6 in liblas::ReaderFactory::CreateWithStream(std::istream&) /home/company/real_sanitize/libLAS-master/src/factory.cpp:92
    #7 0x7ff596e47d4f in LASReader_Create /home/company/real_sanitize/libLAS-master/src/c_api.cpp:248
    #8 0x403701 in main /home/company/real_sanitize/libLAS-master/apps/las2pg.c:424
    #9 0x7ff596835a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #10 0x404b88 in _start (/home/company/real_sanitize/libLAS-master/build/install/bin/las2pg+0x404b88)

0x60600000e400 is located 0 bytes to the right of 64-byte region [0x60600000e3c0,0x60600000e400)
allocated by thread T0 here:
    #0 0x7ff59710d8b2 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x998b2)
    #1 0x7ff595c2362b in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
    #2 0x7ff595c2362b in __gnu_cxx::__alloc_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/include/c++/5/ext/alloc_traits.h:182
    #3 0x7ff595c2362b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/5/bits/stl_vector.h:170
    #4 0x7ff595c2362b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/include/c++/5/bits/stl_vector.h:185
    #5 0x7ff595c2362b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/include/c++/5/bits/stl_vector.h:136
    #6 0x7ff595c2362b in std::vector<unsigned char, std::allocator<unsigned char> >::vector(std::vector<unsigned char, std::allocator<unsigned char> > const&) /usr/include/c++/5/bits/stl_vector.h:320
    #7 0x7ff595c2362b in liblas::SpatialReference::GetGTIF() /home/company/real_sanitize/libLAS-master/src/spatialreference.cpp:496
    #8 0x7fff48535adf  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c0c7fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c70: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0c7fff9c80:[fa]fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff9c90: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
  0x0c0c7fff9ca0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff9cb0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff9cc0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c7fff9cd0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==40200==ABORTING
Comment 1 Ben Cotton 2019-08-13 16:50:21 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.
Comment 2 Fedora Admin XMLRPC Client 2020-03-04 04:18:56 UTC 
This package has changed maintainer in the Fedora.
Reassigning to the new maintainer of this component.
Comment 3 Fedora Admin XMLRPC Client 2020-04-14 16:43:17 UTC 
This package has changed maintainer in the Fedora.
Reassigning to the new maintainer of this component.
Comment 4 Fedora Update System 2020-04-14 20:14:13 UTC 
FEDORA-2020-6dbbecb893 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6dbbecb893
Comment 5 Fedora Update System 2020-04-14 20:14:14 UTC 
FEDORA-2020-b0695fcdf7 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-b0695fcdf7
Comment 6 Fedora Update System 2020-04-15 19:57:53 UTC 
FEDORA-2020-b0695fcdf7 has been pushed to the Fedora 31 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-b0695fcdf7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-b0695fcdf7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 7 Fedora Update System 2020-04-16 19:27:55 UTC 
FEDORA-2020-6dbbecb893 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6dbbecb893`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6dbbecb893

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
Comment 8 Fedora Update System 2020-04-25 02:22:29 UTC 
FEDORA-2020-6dbbecb893 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.
Comment 9 Fedora Update System 2020-04-25 03:00:43 UTC 
FEDORA-2020-b0695fcdf7 has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.
Note You need to log in before you can comment on or make changes to this bug.