Bug 547515 (CVE-2009-5018, CVE-2010-4694, CVE-2010-4695) - CVE-2009-5018, CVE-2010-4694, CVE-2010-4695 gif2png: command-line buffer overflow problem
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-5018, CVE-2010-4694, CVE-2010-4695
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Severity: low
Priority: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=low,source=fulldisclosure,repo...
Depends On: 547516
Blocks:
 
Reported: 2009-12-14 20:39 UTC by Vincent Danen
Modified: 2019-06-08 12:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-03 21:47:30 UTC


Attachments
patch pulled from Debian's package to correct the issue (1.23 KB, patch)
2009-12-14 20:40 UTC, Vincent Danen

Description Vincent Danen 2009-12-14 20:39:11 UTC
gif2png suffers from a command-line buffer overflow due to an strcpy(3) call that fails to bounds-check user-supplied data before copying to a fixed size buffer, as reported to Debian [1].

To reproduce:

$ gif2png $(perl -e 'print "A" x 1053')
*** buffer overflow detected ***: gif2png terminated
======= Backtrace: =========
/lib64/libc.so.6(__fortify_fail+0x37)[0x3b2d4f6ea7]
/lib64/libc.so.6[0x3b2d4f4ec0]
gif2png[0x402fb9]
/lib64/libc.so.6(__libc_start_main+0xfd)[0x3b2d41eb1d]
gif2png[0x401509]

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550978

Verified to affect Fedora 12.

Comment 1 Vincent Danen 2009-12-14 20:40:04 UTC
Created attachment 378342
patch pulled from Debian's package to correct the issue

Comment 3 Fedora Update System 2010-01-01 17:21:33 UTC
gif2png-2.5.1-1200.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/gif2png-2.5.1-1200.fc12

Comment 4 Fedora Update System 2010-01-01 17:22:38 UTC
gif2png-2.5.1-1100.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/gif2png-2.5.1-1100.fc11

Comment 5 Enrico Scholz 2010-01-01 17:24:31 UTC
thx; I applied a modified patch. See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550978#45 for details.

Comment 6 Fedora Update System 2010-01-03 11:55:27 UTC
gif2png-2.5.1-1101.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/gif2png-2.5.1-1101.fc11

Comment 7 Fedora Update System 2010-01-03 11:56:10 UTC
gif2png-2.5.1-1201.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/gif2png-2.5.1-1201.fc12

Comment 8 Tomas Hoger 2010-01-04 10:03:02 UTC
When I saw this update in the security updates queue together with the fortify_source crash reports, I was wondering whether we really want to call this security.  A long command-line argument overflow is usually not treated as security, even less so when fortify_source mitigates it to a harmless crash.

However, after a closer look, fortify_source does not protect in all cases -- strcpy(file_ext, ...) / sprintf(file_ext, ...) effectively avoid the protections.  The overflow is limited to an extension string, so the possibilities for an attacker are limited.

It also seems that the latest patch does not fully address the sprintf case, though.  The patch makes sure there is enough space in name[] / outname[] for an extra ".EXT\0", but extensions longer than 3 chars may be used in certain cases (if the GIF file contains more images, files .png, .p01, .p02, ..., .p99, .p100, ... may get created).  '- sizeof ".gif" - 9' should be enough to cover all int values.
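As an added illustration of the point in this comment (not gif2png's source and not any of the patches attached or linked here): the hypothetical functions below model an output-name buffer filled by a first copy and then a second write of a numbered extension through a plain pointer, next to a hardened builder that applies the '- sizeof ".gif" - 9' reservation. The buffer size OUTNAME_LEN, the function names, the case-sensitive ".gif" stripping and the ".p%02d" extension format are assumptions made for the example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size output-name buffer, standing in for name[] / outname[]. */
#define OUTNAME_LEN 64

/* Length of the base name once a trailing ".gif" is stripped (assumed case-sensitive). */
static size_t base_len(const char *in)
{
    size_t n = strlen(in);
    if (n >= 4 && strcmp(in + n - 4, ".gif") == 0)
        return n - 4;
    return n;
}

/* Extension for image number idx: ".png" for the first image, ".p01", ".p02", ...
 * afterwards.  Two digits minimum, but it keeps widening once idx passes 99.
 * Returns the number of characters the extension needs, excluding the NUL. */
static int extension(char *ext, size_t extsz, int idx)
{
    if (idx == 0)
        return snprintf(ext, extsz, ".png");
    return snprintf(ext, extsz, ".p%02d", idx);
}

/* VULNERABLE pattern (never called by the tests).  The destination arrives as a
 * plain pointer, so FORTIFY_SOURCE has no object size to check, and the second
 * strcpy() at an already-computed offset writes however long the extension is.
 * With a base name close to OUTNAME_LEN, ".p100" and wider run off the end. */
void build_outname_unsafe(char *out, const char *in, int idx)
{
    char ext[16];
    extension(ext, sizeof ext, idx);
    strcpy(out, in);                /* first copy */
    strcpy(out + base_len(in), ext);/* extension write that the patch must bound */
}

/* Bytes (including the NUL) the unsafe builder would write for this input. */
size_t bytes_needed(const char *in, int idx)
{
    char ext[16];
    int n = extension(ext, sizeof ext, idx);
    return base_len(in) + (size_t)n + 1;
}

/* Hardened builder using the reservation from the comment: refuse any input
 * longer than outsz - sizeof ".gif" - 9.  sizeof ".gif" is 5 (it counts the
 * NUL), and 5 + 9 = 14 bytes is exactly ".p" + "-2147483648" + NUL, the widest
 * extension any int can produce, so the writes below cannot overflow.
 * Returns 0 on success, -1 if the name is rejected (never truncated). */
int build_outname(char *out, size_t outsz, const char *in, int idx)
{
    if (outsz < sizeof ".gif" + 9)
        return -1;                          /* buffer too small to be useful */
    if (strlen(in) > outsz - sizeof ".gif" - 9)
        return -1;                          /* too long: reject, do not truncate */
    size_t b = base_len(in);
    memcpy(out, in, b);
    extension(out + b, outsz - b, idx);     /* bounded by the check above */
    return 0;
}

int main(void)
{
    char out[OUTNAME_LEN];
    char longname[OUTNAME_LEN];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';   /* 63 'A's: constructed over-long name */

    printf("bytes the unsafe builder writes for 63 A's + .p100: %zu (buffer is %d)\n",
           bytes_needed(longname, 100), OUTNAME_LEN);
    printf("hardened builder on the same name returns %d\n",
           build_outname(out, sizeof out, longname, 100));
    if (build_outname(out, sizeof out, "frame.gif", 100) == 0)
        printf("frame.gif, image 100 -> %s\n", out);
    return 0;
}
```

The check in build_outname() is deliberately conservative: it rejects by input length alone, so it stays correct for every idx without the caller having to know how wide the extension will become.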

Comment 9 Ken Dreyer 2010-01-05 02:32:04 UTC
I'm still getting a buffer overflow with the latest Koji build (gif2png-2.5.1-1101.fc11.i586.rpm)

Comment 10 Tomas Hoger 2010-01-05 08:21:04 UTC
F11 does not have the patch applied correctly.  It is in the CVS, but not mentioned in the .spec.

Comment 11 Fedora Update System 2010-01-07 18:48:54 UTC
gif2png-2.5.1-1102.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/gif2png-2.5.1-1102.fc11

Comment 12 Fedora Update System 2010-01-07 18:49:56 UTC
gif2png-2.5.1-1202.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/gif2png-2.5.1-1202.fc12

Comment 13 Enrico Scholz 2010-01-07 19:02:10 UTC
I agree that this is probably not a security issue for Fedora because only a very limited number and set of characters (.gif + 0-9 + -) can be placed on the stack.  The rest is caught by the fortify check in strcpy().  

full-disclosure mentions CGI scripts which call 'gif2png' with user input data as an attack vector, which is true for non-fortified systems.  So, rating the overflow as a security issue is correct, but it has probably no impact on Fedora.

I do not know the procedure for such cases but will use the 'security' tag.


Btw, thanks for catching the sprintf() case and the missed patch in F-11.

Comment 14 Fedora Update System 2010-01-12 23:35:27 UTC
gif2png-2.5.1-1102.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 15 Vincent Danen 2010-12-03 21:47:30 UTC
This issue was assigned the name CVE-2009-5018:

http://article.gmane.org/gmane.comp.security.oss.general/3816/

Comment 16 Vincent Danen 2011-01-14 17:28:39 UTC
For posterity, MITRE assigned an additional two CVEs here.  They are both already corrected in Fedora.

Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4694 to
the following vulnerability:

Name: CVE-2010-4694
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4694
Assigned: 20110114
Reference: MLIST:[oss-security] 20101121 CVE Request: gif2png: command-line buffer overflow problem
Reference: URL: http://openwall.com/lists/oss-security/2010/11/21/1
Reference: MLIST:[oss-security] 20101121 Re: CVE Request: gif2png: command-line buffer overflow problem
Reference: URL: http://openwall.com/lists/oss-security/2010/11/22/1
Reference: MLIST:[oss-security] 20101121 Re: CVE Request: gif2png: command-line buffer overflow problem
Reference: URL: http://openwall.com/lists/oss-security/2010/11/22/3
Reference: MLIST:[oss-security] 20101122 Re: CVE Request: gif2png: command-line buffer overflow problem
Reference: URL: http://openwall.com/lists/oss-security/2010/11/22/12
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550978
Reference: CONFIRM: http://bugs.gentoo.org/show_bug.cgi?id=346501
Reference: CONFIRM: http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?revision=HEAD&root=extras&view=markup
Reference: CONFIRM: http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?root=extras&view=log
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=547515
Reference: FEDORA:FEDORA-2010-0358
Reference: URL: http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051229.html
Reference: GENTOO:GLSA-201101-01
Reference: URL: http://security.gentoo.org/glsa/glsa-201101-01.xml
Reference: SECUNIA:42796
Reference: URL: http://secunia.com/advisories/42796
Reference: VUPEN:ADV-2010-3036
Reference: URL: http://www.vupen.com/english/advisories/2010/3036
Reference: VUPEN:ADV-2011-0023
Reference: URL: http://www.vupen.com/english/advisories/2011/0023

Buffer overflow in gif2png.c in gif2png 2.5.3 and earlier might allow
context-dependent attackers to cause a denial of service (application
crash) or have unspecified other impact via a GIF file that contains
many images, leading to long extensions such as .p100 for PNG output
files, as demonstrated by a CGI program that launches gif2png, a
different vulnerability than CVE-2009-5018.


Common Vulnerabilities and Exposures assigned an identifier CVE-2010-4695 to
the following vulnerability:

Name: CVE-2010-4695
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4695
Assigned: 20110114
Reference: MISC: https://bugzilla.redhat.com/show_bug.cgi?id=547515
Reference: CONFIRM: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550978
Reference: CONFIRM: http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?root=extras&r1=1.1&r2=1.2
Reference: CONFIRM: http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?root=extras&view=log
Reference: FEDORA:FEDORA-2010-0358
Reference: URL: http://lists.fedoraproject.org/pipermail/package-announce/2010-November/051229.html

A certain Fedora patch for gif2png.c in gif2png 2.5.1 and 2.5.2, as
distributed in gif2png-2.5.1-1200.fc12 on Fedora 12 and
gif2png_2.5.2-1 on Debian GNU/Linux, truncates a GIF pathname
specified on the command line, which might allow remote attackers to
create PNG files in unintended directories via a crafted command-line
argument, as demonstrated by a CGI program that launches gif2png, a
different vulnerability than CVE-2009-5018.
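The CVE-2010-4695 text above describes a fix that truncates the GIF pathname instead of rejecting it. As an added example of that mechanism (not gif2png's code and not the Fedora or Debian patch), the hypothetical outname_truncating() below copies only as many bytes of the path as fit before ".png" is appended, outname_rejecting() applies the same bound but returns an error instead, and dir_len() / same_directory() show which directory the output file would land in. The buffer size OUTNAME_LEN and the sample path under /srv/uploads/ are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

#define OUTNAME_LEN 32   /* deliberately small so a modest path exceeds the bound */

/* Length of the directory part of a path (up to and including the last '/'),
 * 0 if the path has no directory component. */
size_t dir_len(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? (size_t)(slash - path) + 1 : 0;
}

/* Length of the name once a trailing ".gif" is stripped (assumed case-sensitive). */
static size_t base_len(const char *in)
{
    size_t n = strlen(in);
    return (n >= 4 && strcmp(in + n - 4, ".gif") == 0) ? n - 4 : n;
}

/* Truncating variant, modelled on the behaviour the CVE describes: whatever does
 * not fit is silently dropped, then ".png" is appended.  It always "succeeds",
 * which is the problem: the cut can remove a whole directory component. */
void outname_truncating(char *out, size_t outsz, const char *in)
{
    size_t keep = base_len(in);
    if (keep > outsz - sizeof ".png")        /* sizeof ".png" == 5, NUL included */
        keep = outsz - sizeof ".png";
    memcpy(out, in, keep);
    memcpy(out + keep, ".png", sizeof ".png");
}

/* Rejecting variant: same bound, but an over-long name is an error rather than
 * a different name.  Returns 0 on success, -1 when rejected. */
int outname_rejecting(char *out, size_t outsz, const char *in)
{
    size_t keep = base_len(in);
    if (keep > outsz - sizeof ".png")
        return -1;
    memcpy(out, in, keep);
    memcpy(out + keep, ".png", sizeof ".png");
    return 0;
}

/* 1 if the output would be written into the same directory as the input. */
int same_directory(const char *in, const char *out)
{
    size_t a = dir_len(in), b = dir_len(out);
    return a == b && memcmp(in, out, a) == 0;
}

int main(void)
{
    /* Constructed sample: a per-job upload directory whose name pushes the
     * path past what the small buffer can hold. */
    const char *in = "/srv/uploads/job-0123456789/a.gif";
    char out[OUTNAME_LEN];

    outname_truncating(out, sizeof out, in);
    printf("input : %s\ntrunc : %s (same directory: %s)\n",
           in, out, same_directory(in, out) ? "yes" : "no");
    printf("reject: %d\n", outname_rejecting(out, sizeof out, in));
    return 0;
}
```

With the sample path, the truncating builder drops the trailing "/a" of the name, so the PNG would be created directly under /srv/uploads/ instead of inside the job directory; the rejecting builder refuses the name and creates nothing.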

