Bug 1893377 (CVE-2020-25693) - CVE-2020-25693 CImg: multiple integer overflows leading to heap-based buffer-overflows
Summary: CVE-2020-25693 CImg: multiple integer overflows leading to heap-based buffer-...
Keywords:
Status: CLOSED UPSTREAM
Alias: CVE-2020-25693
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1893378
Blocks: 1893312
TreeView+ depends on / blocked
 
Reported: 2020-10-30 22:34 UTC by Todd Cullum
Modified: 2021-02-10 14:07 UTC (History)
2 users (show)

Fixed In Version: CImg 2.9.3
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the CImg library. Multiple integer overflows lead to heap buffer overflows in load_pnm(), which can be triggered by a specially crafted input file processed by CImg. The highest risk from this vulnerability is to integrity and system availability.
Clone Of:
Environment:
Last Closed: 2020-10-31 02:21:14 UTC
Embargoed:


Attachments (Terms of Use)

Description Todd Cullum 2020-10-30 22:34:05 UTC
The CImg.h image library uses an unsafe pattern that is prone to integer overflows to calculate the required heap buffer allocation size. The resulting small heap buffers can be trivially overwritten by a malformed image input. This has been demonstrated at least with the load_pnm() image parsing function.

References:
https://github.com/dtschump/CImg/pull/295
https://bugs.launchpad.net/ubuntu/+source/cimg/+bug/1900983

Comment 1 Todd Cullum 2020-10-30 22:34:08 UTC
Acknowledgments:

Name: Kai Dietrich

Comment 2 Todd Cullum 2020-10-30 22:34:19 UTC
Created CImg tracking bugs for this issue:

Affects: fedora-all [bug 1893378]

Comment 3 Product Security DevOps Team 2020-10-31 02:21:14 UTC
This CVE Bugzilla entry is for community support informational purposes only as it does not affect a package in a commercially supported Red Hat product. Refer to the dependent bugs for status of those individual community products.

Comment 5 Todd Cullum 2020-11-03 19:23:17 UTC
Flaw summary:

In CImg.h, the pattern `(size_t)size_x*size_y*size_z*size_c` is used in multiple locations but it was discovered that it can wrap (called "overflow" in the commit) the resulting `size_t` value. The patch introduces a function called `_safe_size()` which performs the calculations whilst preventing unsigned integer wrap in the result.

Because the above calculations are used in allocation of heap memory, the flaw can lead to arbitrary heap memory write in subsequent code when specially crafted input is provided to CImg. It is more likely to occur on platforms where the `size_t` type is 32-bit.


Note You need to log in before you can comment on or make changes to this bug.