Bug 547515 - (CVE-2009-5018, CVE-2010-4694, CVE-2010-4695) CVE-2009-5018 CVE-2010-4694, CVE-2010-4695 gif2png: command-line buffer overflow problem
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Red Hat Product Security
Whiteboard: impact=low,source=fulldisclosure,repo...
Keywords: Security
Depends On: 547516
Reported: 2009-12-14 15:39 EST by Vincent Danen
Modified: 2011-01-14 12:28 EST
Doc Type: Bug Fix
Last Closed: 2010-12-03 16:47:30 EST

Attachments:
patch pulled from debian's package to correct the issue (1.23 KB, patch), 2009-12-14 15:40 EST, Vincent Danen

Description Vincent Danen 2009-12-14 15:39:11 EST
gif2png suffers from a command-line buffer overflow due to a strcpy(3) call that fails to bounds-check user-supplied data before copying it to a fixed-size buffer, as reported to Debian [1].

To reproduce:

$ gif2png $(perl -e 'print "A" x 1053')
*** buffer overflow detected ***: gif2png terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3b2d4f6ea7]
/lib64/libc.so.6[0x3b2d4f4ec0]
gif2png[0x402fb9]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3b2d41eb1d]
gif2png[0x401509]

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550978

Verified to affect Fedora 12.
Comment 1 Vincent Danen 2009-12-14 15:40:04 EST
Created attachment 378342
patch pulled from debian's package to correct the issue
Comment 3 Fedora Update System 2010-01-01 12:21:33 EST
gif2png-2.5.1-1200.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/gif2png-2.5.1-1200.fc12
Comment 4 Fedora Update System 2010-01-01 12:22:38 EST
gif2png-2.5.1-1100.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/gif2png-2.5.1-1100.fc11
Comment 5 Enrico Scholz 2010-01-01 12:24:31 EST
Thanks; I applied a modified patch. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550978#45 for details.
Comment 6 Fedora Update System 2010-01-03 06:55:27 EST
gif2png-2.5.1-1101.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/gif2png-2.5.1-1101.fc11
Comment 7 Fedora Update System 2010-01-03 06:56:10 EST
gif2png-2.5.1-1201.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/gif2png-2.5.1-1201.fc12
Comment 8 Tomas Hoger 2010-01-04 05:03:02 EST
When I saw this update in the security updates queue, plus the fortify_source crash reports, I was wondering if we really want to call this security.  A long command-line argument overflow is usually not treated as a security issue, even less so when fortify_source mitigates it to a harmless crash.

However, after a closer look, fortify_source does not protect in all cases: strcpy(file_ext, ...) / sprintf(file_ext, ...) effectively avoid the protections.  The overflow is limited to an extension string, so the possibilities for an attacker are limited.

It also seems that the latest patch does not fully address the sprintf case, though.  The patch makes sure there is enough space in name[] / outname[] for an extra ".EXT\0", but extensions longer than 3 chars may be used in certain cases (if the GIF file contains more images, files .png, .p01, .p02, ..., .p99, .p100, ... may get created).  '- sizeof ".gif" - 9' should be enough to cover all int values.
Comment 9 Ken Dreyer 2010-01-04 21:32:04 EST
I'm still getting a buffer overflow with the latest Koji build (gif2png-2.5.1-1101.fc11.i586.rpm)
Comment 10 Tomas Hoger 2010-01-05 03:21:04 EST
F11 does not have the patch applied correctly.  It is in CVS, but not mentioned in the .spec.
Comment 11 Fedora Update System 2010-01-07 13:48:54 EST
gif2png-2.5.1-1102.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/gif2png-2.5.1-1102.fc11
Comment 12 Fedora Update System 2010-01-07 13:49:56 EST
gif2png-2.5.1-1202.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/gif2png-2.5.1-1202.fc12
Comment 13 Enrico Scholz 2010-01-07 14:02:10 EST
I agree that this is probably not a security issue for Fedora, because only a very limited number and set of characters (.gif + 0-9 + -) can be placed on the stack.  The rest is caught by the fortify check in strcpy().

full-disclosure mentions CGI scripts which call 'gif2png' with user input data as an attack vector, which is true for non-fortified systems.  So rating the overflow as a security issue is correct, but it has probably no impact on Fedora.

I do not know the procedure for such cases but will use 'security' tag.


Btw, thanks for catching the sprintf() case and the missed patch in F-11.
Comment 14 Fedora Update System 2010-01-12 18:35:27 EST
gif2png-2.5.1-1102.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 15 Vincent Danen 2010-12-03 16:47:30 EST
This issue was assigned the name CVE-2009-5018:

http://article.gmane.org/gmane.comp.security.oss.general/3816/
Comment 16 Vincent Danen 2011-01-14 12:28:39 EST
For posterity, MITRE assigned an additional two CVEs here.  They are both already corrected in Fedora.

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4694 to the following vulnerability:

Name: CVE-2010-4694
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4694
Assigned: 20110114
Reference: MLIST:[oss-security] 20101121 CVE Request: gif2png: command-line buffer overflow problem
Reference: URL: http://openwall.com/lists/oss-security/2010/11/21/1
Reference: MLIST:[oss-security] 20101121 Re: CVE Request: gif2png: command-line buffer overflow problem
Reference: URL: http://openwall.com/lists/oss-security/2010/11/22/1
Reference: MLIST:[oss-security] 20101121 Re: CVE Request: gif2png: command-line buffer overflow problem
Reference: URL: http://openwall.com/lists/oss-security/2010/11/22/3
Reference: MLIST:[oss-security] 20101122 Re: CVE Request: gif2png: command-line buffer overflow problem
Reference: URL: http://openwall.com/lists/oss-security/2010/11/22/12
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550978
Reference: CONFIRM: http://bugs.gentoo.org/show_bug.cgi?id=346501
Reference: CONFIRM: http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?revision=HEAD&root=extras&view=markup
Reference: CONFIRM: http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?root=extras&view=log
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=547515
Reference: FEDORA:FEDORA-2010-0358
Reference: URL: http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051229.html
Reference: GENTOO:GLSA-201101-01
Reference: URL: http://security.gentoo.org/glsa/glsa-201101-01.xml
Reference: SECUNIA:42796
Reference: URL: http://secunia.com/advisories/42796
Reference: VUPEN:ADV-2010-3036
Reference: URL: http://www.vupen.com/english/advisories/2010/3036
Reference: VUPEN:ADV-2011-0023
Reference: URL: http://www.vupen.com/english/advisories/2011/0023

Buffer overflow in gif2png.c in gif2png 2.5.3 and earlier might allow context-dependent attackers to cause a denial of service (application crash) or have unspecified other impact via a GIF file that contains many images, leading to long extensions such as .p100 for PNG output files, as demonstrated by a CGI program that launches gif2png, a different vulnerability than CVE-2009-5018.


Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4695 to the following vulnerability:

Name: CVE-2010-4695
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4695
Assigned: 20110114
Reference: MISC: https://bugzilla.redhat.com/show_bug.cgi?id=547515
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550978
Reference: CONFIRM: http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?root=extras&r1=1.1&r2=1.2
Reference: CONFIRM: http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?root=extras&view=log
Reference: FEDORA:FEDORA-2010-0358
Reference: URL: http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051229.html

A certain Fedora patch for gif2png.c in gif2png 2.5.1 and 2.5.2, as distributed in gif2png-2.5.1-1200.fc12 on Fedora 12 and gif2png_2.5.2-1 on Debian GNU/Linux, truncates a GIF pathname specified on the command line, which might allow remote attackers to create PNG files in unintended directories via a crafted command-line argument, as demonstrated by a CGI program that launches gif2png, a different vulnerability than CVE-2009-5018.
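The two length-handling points in this thread, the ".p100" suffix arithmetic from Comment 8 and the truncation behaviour behind CVE-2010-4695, in one added example. This is a simplified model written for this page, not gif2png's own code: the 1024-byte NAME_BUF, the ".png" / ".pNN" naming scheme (taken from Comment 8), and every function name here are assumptions. It contrasts the reserve the first patch left (room for one ".EXT\0") with a reserve sized for the longest suffix an int can produce, and the builder rejects overlong arguments instead of truncating them.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

/* Assumed fixed-size output-name buffer, standing in for the name[] /
 * outname[] arrays mentioned in Comment 8. */
#define NAME_BUF 1024

/* Reserve the first patch left at the end of the buffer: ".EXT\0". */
#define RESERVE_EXT_ONLY  (sizeof ".png")               /* 5 bytes */

/* Reserve covering the longest suffix snprintf can generate below:
 * ".p" + any int in decimal (up to 11 chars, "-2147483648") + NUL. */
#define RESERVE_ANY_INDEX (sizeof ".p" - 1 + 11 + 1)    /* 14 bytes */

/* Case-insensitive test for a trailing ".gif". */
static bool has_gif_ext(const char *s, size_t len)
{
    static const char ext[] = ".gif";
    if (len < 4)
        return false;
    for (size_t i = 0; i < 4; i++)
        if (tolower((unsigned char)s[len - 4 + i]) != ext[i])
            return false;
    return true;
}

/* Length (excluding NUL) of the name produced for a base name of
 * base_len chars and image index idx: "base.png" for the first image,
 * "base.p01" ... "base.p100" ... for the rest, as described in the thread. */
size_t final_len(size_t base_len, int idx)
{
    char suffix[16];
    int n = idx == 0 ? snprintf(suffix, sizeof suffix, ".png")
                     : snprintf(suffix, sizeof suffix, ".p%02d", idx);
    return base_len + (size_t)n;
}

/* The check the first patch effectively made: room for one ".EXT\0". */
bool naive_check_allows(size_t base_len)
{
    return base_len + RESERVE_EXT_ONLY <= NAME_BUF;
}

/* Hardened check: room for the longest possible suffix. */
bool strict_check_allows(size_t base_len)
{
    return base_len + RESERVE_ANY_INDEX <= NAME_BUF;
}

/* Build the output name into out[outsz]. Returns 0 on success, -1 if the
 * input does not fit or idx is negative. Overlong input is rejected, never
 * silently truncated, so the tool cannot end up writing to a path other
 * than the one derived from the argument it was actually given. */
int build_output_name(const char *gifname, int idx, char *out, size_t outsz)
{
    size_t len = strlen(gifname);
    size_t base_len = has_gif_ext(gifname, len) ? len - 4 : len;
    int n;

    if (idx < 0 || base_len + RESERVE_ANY_INDEX > outsz)
        return -1;
    if (idx == 0)
        n = snprintf(out, outsz, "%.*s.png", (int)base_len, gifname);
    else
        n = snprintf(out, outsz, "%.*s.p%02d", (int)base_len, gifname, idx);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Wrapper returning the built name from static storage, or NULL on rejection. */
const char *name_for(const char *gifname, int idx)
{
    static char out[NAME_BUF];
    return build_output_name(gifname, idx, out, sizeof out) == 0 ? out : NULL;
}

/* Feed a constructed "AAA...A.gif" argument of the given base length,
 * mirroring the perl-generated argument in the description. */
int build_from_base_len(size_t base_len, int idx)
{
    static char gif[4096];
    static char out[NAME_BUF];
    if (base_len + 5 > sizeof gif)
        return -1;
    memset(gif, 'A', base_len);
    memcpy(gif + base_len, ".gif", 5);
    return build_output_name(gif, idx, out, sizeof out);
}

int main(void)
{
    size_t base = NAME_BUF - RESERVE_EXT_ONLY;   /* 1019: longest the naive check accepts */
    printf("naive check accepts base_len %zu: %d\n", base, naive_check_allows(base));
    printf("but the .p100 name needs %zu bytes incl. NUL (buffer is %d)\n",
           final_len(base, 100) + 1, NAME_BUF);
    printf("strict check accepts it: %d\n", strict_check_allows(base));
    printf("%s\n", name_for("image.gif", 0));
    printf("%s\n", name_for("image.gif", 100));
    printf("1053-char argument rejected: %d\n", build_from_base_len(1053, 0));
    return 0;
}
```

The explicit length check is the point: FORTIFY_SOURCE only replaces strcpy/sprintf when the compiler knows the size of the destination object, so a copy through a pointer into the middle of the buffer (the file_ext case from Comment 8) gets no help from it, and the program has to account for the longest suffix it can ever generate itself.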
