gif2png suffers from a command-line buffer overflow due to a strcpy(3) call that fails to bounds-check user-supplied data before copying it to a fixed-size buffer, as reported to Debian [1].

To reproduce:

$ gif2png $(perl -e 'print "A" x 1053')
*** buffer overflow detected ***: gif2png terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3b2d4f6ea7]
/lib64/libc.so.6[0x3b2d4f4ec0]
gif2png[0x402fb9]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3b2d41eb1d]
gif2png[0x401509

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550978

Verified to affect Fedora 12.
Created attachment 378342: patch pulled from Debian's package to correct the issue
gif2png-2.5.1-1200.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/gif2png-2.5.1-1200.fc12
gif2png-2.5.1-1100.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/gif2png-2.5.1-1100.fc11
Thanks; I applied a modified patch. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550978#45 for details.
gif2png-2.5.1-1101.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/gif2png-2.5.1-1101.fc11
gif2png-2.5.1-1201.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/gif2png-2.5.1-1201.fc12
When I saw this update in the security updates queue together with the fortify_source crash reports, I was wondering if we really want to call this security. A long command-line argument overflow is usually not treated as security, even less so when fortify_source mitigates it to a harmless crash. However, after a closer look, fortify_source does not protect in all cases -- strcpy(file_ext, ...) / sprintf(file_ext, ...) effectively avoids the protections. The overflow is limited to an extension string, so the possibilities for an attacker are limited. It also seems that the latest patch does not fully address the sprintf case, though. The patch makes sure there is enough space in name[] / outname[] for an extra ".EXT\0", but extensions longer than 3 characters may be used in certain cases (when the GIF file contains more images, files .png, .p01, .p02, ..., .p99, .p100, ... may get created). '- sizeof ".gif" - 9' should be enough to cover all int values.
I'm still getting a buffer overflow with the latest Koji build (gif2png-2.5.1-1101.fc11.i586.rpm)
F11 does not have the patch applied correctly. It is in the CVS, but not mentioned in the .spec.
gif2png-2.5.1-1102.fc11 has been submitted as an update for Fedora 11. http://admin.fedoraproject.org/updates/gif2png-2.5.1-1102.fc11
gif2png-2.5.1-1202.fc12 has been submitted as an update for Fedora 12. http://admin.fedoraproject.org/updates/gif2png-2.5.1-1202.fc12
I agree that this is probably not a security issue for Fedora, because only a very limited number and set of characters (.gif + 0-9 + -) can be placed on the stack. The rest is caught by the fortify check in strcpy(). full-disclosure mentions CGI scripts which call 'gif2png' with user input data as an attack vector, which is true for non-fortified systems. So, rating the overflow as a security issue is correct, but it has probably no impact on Fedora. I do not know the procedure for such cases but will use the 'security' tag. Btw, thanks for catching the sprintf() case and the missed patch in F-11.
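Added example, not gif2png's code and not the Debian or Fedora patch: a bounded output-name builder that applies the sizing rule from the comments above (reserve room for a ".pN" suffix for any int value, and refuse over-long input before copying anything). NAME_MAX_LEN, SUFFIX_ROOM and build_outname are names assumed for this illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed-size name buffer, standing in for name[]/outname[] in gif2png;
 * the size itself is arbitrary for this example. */
#define NAME_MAX_LEN 64

/* Worst-case suffix the converter may append: ".p" + every digit an int can
 * have (3 per byte over-approximates) + NUL. This is the "room for any int
 * value" idea from the discussion above, written as a compile-time constant. */
#define SUFFIX_ROOM (2 + sizeof(int) * 3 + 1)

/* Build the output name for image number image_index of the input GIF:
 * strip a trailing ".gif", then append ".png" for the first image or ".pNN"
 * for the rest. Returns 0 on success, -1 if the result cannot fit in
 * out[outsz]. A strcpy()/sprintf() through a pointer that lands mid-buffer
 * (the file_ext case) gives FORTIFY_SOURCE no object size to check against,
 * so every write below is bounded explicitly instead. */
int build_outname(const char *in, int image_index, char *out, size_t outsz)
{
    size_t len = strlen(in);
    int n;

    if (len >= 4 && strcmp(in + len - 4, ".gif") == 0)
        len -= 4;                       /* stem without the .gif extension */

    /* Reject before copying anything: stem plus the longest possible suffix
     * must fit, whatever image_index turns out to be. */
    if (outsz < SUFFIX_ROOM || len > outsz - SUFFIX_ROOM)
        return -1;

    memcpy(out, in, len);
    out[len] = '\0';

    if (image_index == 0)
        n = snprintf(out + len, outsz - len, ".png");
    else
        n = snprintf(out + len, outsz - len, ".p%02d", image_index);

    /* Belt and braces: snprintf() reports truncation via its return value. */
    if (n < 0 || (size_t)n >= outsz - len) {
        out[0] = '\0';
        return -1;
    }
    return 0;
}
```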
gif2png-2.5.1-1102.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
This issue was assigned the name CVE-2009-5018: http://article.gmane.org/gmane.comp.security.oss.general/3816/
For posterity, MITRE assigned an additional two CVEs here. They are both already corrected in Fedora.

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4694 to the following vulnerability:

Name: CVE-2010-4694
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4694
Assigned: 20110114
Reference: MLIST:[oss-security] 20101121 CVE Request: gif2png: command-line buffer overflow problem
Reference: URL: http://openwall.com/lists/oss-security/2010/11/21/1
Reference: MLIST:[oss-security] 20101121 Re: CVE Request: gif2png: command-line buffer overflow problem
Reference: URL: http://openwall.com/lists/oss-security/2010/11/22/1
Reference: MLIST:[oss-security] 20101121 Re: CVE Request: gif2png: command-line buffer overflow problem
Reference: URL: http://openwall.com/lists/oss-security/2010/11/22/3
Reference: MLIST:[oss-security] 20101122 Re: CVE Request: gif2png: command-line buffer overflow problem
Reference: URL: http://openwall.com/lists/oss-security/2010/11/22/12
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550978
Reference: CONFIRM: http://bugs.gentoo.org/show_bug.cgi?id=346501
Reference: CONFIRM: http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?revision=HEAD&root=extras&view=markup
Reference: CONFIRM: http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?root=extras&view=log
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=547515
Reference: FEDORA:FEDORA-2010-0358
Reference: URL: http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051229.html
Reference: GENTOO:GLSA-201101-01
Reference: URL: http://security.gentoo.org/glsa/glsa-201101-01.xml
Reference: SECUNIA:42796
Reference: URL: http://secunia.com/advisories/42796
Reference: VUPEN:ADV-2010-3036
Reference: URL: http://www.vupen.com/english/advisories/2010/3036
Reference: VUPEN:ADV-2011-0023
Reference: URL: http://www.vupen.com/english/advisories/2011/0023

Buffer overflow in gif2png.c in gif2png 2.5.3 and earlier might allow context-dependent attackers to cause a denial of service (application crash) or have unspecified other impact via a GIF file that contains many images, leading to long extensions such as .p100 for PNG output files, as demonstrated by a CGI program that launches gif2png, a different vulnerability than CVE-2009-5018.

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4695 to the following vulnerability:

Name: CVE-2010-4695
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4695
Assigned: 20110114
Reference: MISC: https://bugzilla.redhat.com/show_bug.cgi?id=547515
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550978
Reference: CONFIRM: http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?root=extras&r1=1.1&r2=1.2
Reference: CONFIRM: http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?root=extras&view=log
Reference: FEDORA:FEDORA-2010-0358
Reference: URL: http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051229.html

A certain Fedora patch for gif2png.c in gif2png 2.5.1 and 2.5.2, as distributed in gif2png-2.5.1-1200.fc12 on Fedora 12 and gif2png_2.5.2-1 on Debian GNU/Linux, truncates a GIF pathname specified on the command line, which might allow remote attackers to create PNG files in unintended directories via a crafted command-line argument, as demonstrated by a CGI program that launches gif2png, a different vulnerability than CVE-2009-5018.