Bug 509531 - (CVE-2009-2295) CVE-2009-2295 ocaml-camlimages: PNG reader multiple integer overflows (oCERT-2009-009)
CVE-2009-2295 ocaml-camlimages: PNG reader multiple integer overflows (oCERT-...
Status: CLOSED RAWHIDE
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Richard W.M. Jones
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-07-03 06:37 EDT by Tomas Hoger
Modified: 2009-10-16 06:03 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-10-16 06:03:26 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
camlimages-oversized-png-check.patch (1.74 KB, patch)
2009-07-03 09:31 EDT, Richard W.M. Jones
no flags Details | Diff
camlimages-oversized-png-check-CVE-2009-2295.patch (1.85 KB, patch)
2009-07-03 10:20 EDT, Richard W.M. Jones
no flags Details | Diff
camlimages-oversized-png-check-CVE-2009-2295.patch (2.37 KB, patch)
2009-07-03 10:52 EDT, Richard W.M. Jones
no flags Details | Diff

  None (edit)
Description Tomas Hoger 2009-07-03 06:37:04 EDT
oCERT advisory oCERT-2009-009 was published describing a flaw in ocaml-camlimages:

  http://www.ocert.org/advisories/ocert-2009-009.html

  CamlImages, an open source image processing library, suffers from several
  integer overflows which may lead to a potentially exploitable heap
  overflow and result in arbitrary code execution.

  The vulnerability is triggered by PNG image parsing, the read_png_file
  and read_png_file_as_rgb24 functions do not properly validate the width
  and height of the image. Specific PNG images with large width and height
  can be crafted to trigger the vulnerability.

Issue was reported to affect both 2.2 and 3.0.1, which no upstream patch available at the moment.

References:
http://thread.gmane.org/gmane.comp.security.oss.general/1882
http://bugs.gentoo.org/show_bug.cgi?id=276235
Comment 2 Richard W.M. Jones 2009-07-03 07:33:52 EDT
I'll have a look at this one now.
Comment 4 Richard W.M. Jones 2009-07-03 09:31:00 EDT
Created attachment 350433 [details]
camlimages-oversized-png-check.patch

This is a potential fix which checks whether the
numbers we are about to multiply together could
provoke an arithmetic overflow (or are negative,
which would be equally bogus).

It solves the test case that I was given privately.

Note that in any case the bug only manifests on 32 bit
architectures.  On 64 bit, the multiply does not
overflow, but unless you have loads of free memory
you will shortly afterwards get a (safe) Out_of_memory
exception.
Comment 5 Tomas Hoger 2009-07-03 09:59:49 EDT
(In reply to comment #4)
> Created an attachment (id=350433) [details]
> camlimages-oversized-png-check.patch

One note from a very quick look... in general, test like:

  (x) * (y) < (x) || (x) * (y) < (y)

is not sufficient to catch all possible integer overflows in multiplication.  Think of x == y == 0x10001, x * y == 0x100020001, which is 0x20001 in 32bit world.  This can still result in small buffer that may be overflown later.

The test is usually written as:

  y != 0  &&  x > (TYPE)_MAX / y

(first part is needed if y can be 0, not needed in cases where y is sizeof(sometype)).
Comment 6 Fedora Update System 2009-07-03 10:03:41 EDT
ocaml-camlimages-3.0.1-7.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/ocaml-camlimages-3.0.1-7.fc11.1
Comment 7 Fedora Update System 2009-07-03 10:07:41 EDT
ocaml-camlimages-3.0.1-3.fc10.1 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ocaml-camlimages-3.0.1-3.fc10.1
Comment 8 Richard W.M. Jones 2009-07-03 10:08:41 EDT
(In reply to comment #5)
> (In reply to comment #4)
> > Created an attachment (id=350433) [details] [details]
> > camlimages-oversized-png-check.patch
> 
> One note from a very quick look... in general, test like:
> 
>   (x) * (y) < (x) || (x) * (y) < (y)
> 
> is not sufficient to catch all possible integer overflows in multiplication. 
> Think of x == y == 0x10001, x * y == 0x100020001, which is 0x20001 in 32bit
> world.  This can still result in small buffer that may be overflown later.
> 
> The test is usually written as:
> 
>   y != 0  &&  x > (TYPE)_MAX / y
> 
> (first part is needed if y can be 0, not needed in cases where y is
> sizeof(sometype)).  

Yup, someone just found a counterexample on #ocaml.

I'll change the patch and rebuild in a moment.
Comment 9 Richard W.M. Jones 2009-07-03 10:20:52 EDT
Created attachment 350440 [details]
camlimages-oversized-png-check-CVE-2009-2295.patch

Fix overflow detection in the patch.
Comment 10 Tomas Hoger 2009-07-03 10:37:51 EDT
I also see two occurrences of this in pngread.c:

  row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);

While sizeof(png_bytep) is fixed, height comes from the file and it seems possible for it to be 2^32/4 or larger.
Comment 11 Richard W.M. Jones 2009-07-03 10:52:38 EDT
Created attachment 350441 [details]
camlimages-oversized-png-check-CVE-2009-2295.patch

Updated the patch with feedback from comment 10.
Comment 12 Richard W.M. Jones 2009-07-03 14:38:18 EDT
I've pushed new packages for Fedora 10, 11 and Rawhide
with the patch in comment 11.

Note that although we have CVS branches for EL-4 and EL-5,
we don't currently distribute this package (missing build dep).
However I've added the patch to those branches too, so that if
in future we build for EL-4/5 we will have the patch.

I've also discussed this issue and the patch with Debian and
OpenBSD maintainers.

Updates coming shortly.
Comment 13 Fedora Update System 2009-07-03 14:45:14 EDT
ocaml-camlimages-3.0.1-3.fc10.2 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ocaml-camlimages-3.0.1-3.fc10.2
Comment 14 Fedora Update System 2009-07-03 14:45:15 EDT
ocaml-camlimages-3.0.1-7.fc11.2 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/ocaml-camlimages-3.0.1-7.fc11.2
Comment 15 Vincent Danen 2009-07-27 12:01:52 EDT
Robert @ Gentoo reported that upstream fixed similar integer overflows in gifread.c and jpegread.c for values that are used in memory allocations and memcpy():

A stripped down [by Alexis Ballier] version of the patch is in Gentoo's BZ:
https://bugs.gentoo.org/show_bug.cgi?id=276235
https://bugs.gentoo.org/attachment.cgi?id=199108
Comment 16 Fedora Update System 2009-08-12 16:53:33 EDT
ocaml-camlimages-3.0.1-7.fc11.2 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 17 Fedora Update System 2009-09-11 19:39:55 EDT
ocaml-camlimages-3.0.1-3.fc10.2 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Richard W.M. Jones 2009-10-16 06:03:26 EDT
Long fixed ...  Closing.

Note You need to log in before you can comment on or make changes to this bug.