GIF image file format readers in various open source projects are based on the GIF decoder implementation written by David Koblas. This implementation contains a bug in the LZW decompressor, causing it to incorrectly handle compressed streams that contain code words that were not yet added to the decompression table. LZW decompression has a special case (a KwKwK string) when a code word may match the first free entry in the decompression table. The implementation used in this GIF reading code allows code words not only matching, but also exceeding the first free entry.

This problem is identical to a bug found in BSD compress (CVE-2011-2895, bug #727624), but given the unclear relationship between the BSD compress and GIF decoder code bases, a separate CVE is used here.

Several projects refer to pbmplus as the source from where the GIF reading code was taken:
http://www.acme.com/software/pbmplus/

In the pbmplus version of the code, the flaw can be found in LWZReadByte():

  if (code >= max_code) {
    *sp++ = firstcode;
    code = oldcode;
  }

This allows creating a loop in the decompression table, which leads to an "infinite" loop:

  while (code >= clear_code) {
    *sp++ = table[1][code];
    if (code == table[0][code])
      pm_error("circular table entry BIG ERROR");
    code = table[0][code];
  }

where:

  #define MAX_LWZ_BITS 12
  static int table[2][(1<< MAX_LWZ_BITS)];
  static int stack[(1<<(MAX_LWZ_BITS))*2], *sp;
  sp = stack;

This results in a stack[] buffer overflow. If table[][] is located above stack[], the stack[] overflow may further modify the decoding table and break the infinite loop.
Created attachment 516471: giftoppm.c
Local copy of giftoppm.c, extracted from pbmplus_10dec1991.tar.gz, available from:
http://www.acme.com/software/pbmplus/
Created attachment 516472: Test case
From bug #714118, already public via http://cups.org/str.php?L3867
As noted above, this GIF reader code is used in several open source projects. Many of them have already corrected this bug, either by rejecting code > max_code, or by checking for stack[] overflow.

tk - code > max_code check
http://core.tcl.tk/tk/artifact/c0026f5eee240f40fe716e235d28c0818b981ab7

gd - stack overflow check
http://svn.php.net/viewvc/gd/trunk/libgd/src/gd_gif_in.c?revision=282370&view=markup#l512

gdk-pixbuf - stack overflow check
http://git.gnome.org/browse/gdk-pixbuf/tree/gdk-pixbuf/io-gif.c?id=f8569bb1#n656

CUPS was fixed recently (in 1.4.7) and now does the code > max_code check
http://cups.org/str.php?L3867
svn diff -c 9840 http://svn.easysw.com/public/cups/

GIMP is still affected:
http://git.gnome.org/browse/gimp/tree/plug-ins/common/file-gif-load.c?id=8ff66342#n810

XPCE is still affected:
http://www.swi-prolog.org/git/packages/xpce.git/blob/876ce515:/src/img/gifread.c#l507

There are several other projects that contain very similar code, but their relationship to David Koblas' code is unclear. Mentioning them here for the sake of completeness. They contain a stack overflow check. They include the libpr0n/mozilla/webkit code as well as Qt:
http://hg.mozilla.org/mozilla-central/file/c4b84b05c46c/modules/libpr0n/decoders/nsGIFDecoder2.cpp#l500
http://trac.webkit.org/browser/trunk/Source/WebCore/platform/image-decoders/gif/GIFImageReader.cpp?rev=75748#L309
http://qt.gitorious.org/qt/qt/blobs/4.5/src/plugins/imageformats/gif/qgifhandler.cpp#line484
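The following is an added example written for this page; it is not code from pbmplus or from any of the projects listed above. It reimplements the LWZReadByte() table walk described in the bug report with a bounded stack[], operating on code words that are assumed to be already unpacked from the GIF bit stream (a real reader also has to handle the variable code width), and makes both classes of fix from this comment selectable: refusing code > max_code up front (the tk/CUPS fix) or letting the walk run but stopping at the stack[] bound (the gd/gdk-pixbuf fix). The names lzw_decode, lzw_state and the two sample code sequences are mine and constructed; the crafted sequence only follows the shape the report describes (a code word two past the first free entry, followed by codes that make table entries refer to each other).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LWZ_BITS 12
#define TABLE_SIZE (1 << MAX_LWZ_BITS)
#define STACK_SIZE (TABLE_SIZE * 2)      /* same sizing as the pbmplus stack[] */

enum lzw_status { LZW_OK = 0, LZW_ERR_BAD_CODE, LZW_ERR_STACK, LZW_ERR_OUTPUT };

struct lzw_state {
    int clear_code, end_code, max_code;  /* max_code: first free table entry */
    int first, oldcode;                  /* first byte of previous string; previous code (-1 after clear) */
    int prefix[TABLE_SIZE];              /* table[0][] in pbmplus */
    unsigned char suffix[TABLE_SIZE];    /* table[1][] in pbmplus */
    unsigned char stack[STACK_SIZE];
};

static void lzw_reset(struct lzw_state *st, int min_code_size)
{
    st->clear_code = 1 << min_code_size;
    st->end_code = st->clear_code + 1;
    st->max_code = st->clear_code + 2;   /* 258 for an 8-bit image */
    st->oldcode = -1;
    st->first = 0;
    memset(st->prefix, 0, sizeof st->prefix);
    memset(st->suffix, 0, sizeof st->suffix);
    for (int i = 0; i < st->clear_code; i++) st->suffix[i] = (unsigned char)i;
}

/* Decode already-unpacked LZW code words (assumption: bit unpacking of the GIF
 * sub-blocks happens elsewhere). reject_exceeding != 0 applies the tk/CUPS fix:
 * a code beyond the first free entry is refused. With 0 such a code is treated
 * like KwKwK, as pbmplus does, and only the stack bound (gd/gdk-pixbuf fix)
 * stops a circular table walk. */
enum lzw_status lzw_decode(int min_code_size, const int *codes, size_t ncodes,
                           int reject_exceeding,
                           unsigned char *out, size_t out_cap, size_t *out_len)
{
    struct lzw_state st;
    size_t n = 0;
    lzw_reset(&st, min_code_size);
    for (size_t i = 0; i < ncodes; i++) {
        int code = codes[i], incode;
        size_t sp = 0;
        if (code < 0 || code >= TABLE_SIZE) return LZW_ERR_BAD_CODE;
        if (code == st.clear_code) { lzw_reset(&st, min_code_size); continue; }
        if (code == st.end_code) break;
        if (st.oldcode < 0) {            /* first code after a clear must be a literal */
            if (code >= st.clear_code) return LZW_ERR_BAD_CODE;
            if (n >= out_cap) return LZW_ERR_OUTPUT;
            out[n++] = st.suffix[code];
            st.first = st.oldcode = code;
            continue;
        }
        incode = code;
        if (code >= st.max_code) {
            /* not in the table: only code == max_code is a legitimate KwKwK string */
            if (reject_exceeding && code > st.max_code) return LZW_ERR_BAD_CODE;
            st.stack[sp++] = (unsigned char)st.first;   /* KwKwK: oldstring + first(oldstring) */
            code = st.oldcode;
        }
        while (code >= st.clear_code) {  /* walk the prefix chain back to a single byte */
            if (sp >= STACK_SIZE) return LZW_ERR_STACK;  /* circular chain in the table */
            st.stack[sp++] = st.suffix[code];
            code = st.prefix[code];
        }
        st.first = code;
        if (sp >= STACK_SIZE) return LZW_ERR_STACK;
        st.stack[sp++] = (unsigned char)code;
        if (n + sp > out_cap) return LZW_ERR_OUTPUT;
        while (sp > 0) out[n++] = st.stack[--sp];   /* stack holds the string reversed */
        if (st.max_code < TABLE_SIZE) {  /* new entry: oldstring + first(this string) */
            st.prefix[st.max_code] = st.oldcode;
            st.suffix[st.max_code] = (unsigned char)st.first;
            st.max_code++;
        }
        st.oldcode = incode;
    }
    *out_len = n;
    return LZW_OK;
}

/* Constructed inputs (not the report's test file), 8-bit minimum code size:
 * clear = 256, end = 257, first free entry = 258. */
static const int GOOD_STREAM[] = { 256, 'A', 'B', 259, 257 };     /* 259 is a real KwKwK here */
static const int CRAFTED_STREAM[] = { 256, 1, 260, 259, 260, 260 }; /* 260 exceeds first free 258 */
#define STREAM_LEN(s) (sizeof(s) / sizeof((s)[0]))

int main(void)
{
    unsigned char out[64];
    size_t len = 0;
    int strict = lzw_decode(8, CRAFTED_STREAM, STREAM_LEN(CRAFTED_STREAM), 1, out, sizeof out, &len);
    int lenient = lzw_decode(8, CRAFTED_STREAM, STREAM_LEN(CRAFTED_STREAM), 0, out, sizeof out, &len);
    printf("crafted stream: strict -> %d (bad code), lenient -> %d (stack bound hit)\n", strict, lenient);
    return 0;
}
```

With the strict check the crafted sequence is refused at the first out-of-range code. Without it, the decoder accepts 260 as if it were KwKwK, later creates entries 259 and 260 that point at each other, and the next code 260 walks 260 -> 259 -> 260 -> ... until the stack bound stops it. Note that the pbmplus `code == table[0][code]` test would not catch this sequence, since the cycle has length two rather than being a self-reference, which is why the stack bound (or the up-front range check) is the check that matters.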
(In reply to comment #4)
> CUPS was fixed recently (in 1.4.7) and now does code > max_code check
> http://cups.org/str.php?L3867
> svn diff -c 9840 http://svn.easysw.com/public/cups/

An additional change is required to fully address the problem in CUPS:
http://www.cups.org/str.php?L3914
svn diff -c 9865 http://svn.easysw.com/public/cups/
Making this public.
Created gimp tracking bugs for this issue
Affects: fedora-all [bug 730338]
(In reply to comment #4)
> GIMP is still affected:
> http://git.gnome.org/browse/gimp/tree/plug-ins/common/file-gif-load.c?id=8ff66342#n810

Upstream git commit:
http://git.gnome.org/browse/gimp/commit/plug-ins/common/file-gif-load.c?id=376ad788c1a1c31d40f18494889c383f6909ebfc
(In reply to comment #4)
> XPCE is still affected:
> http://www.swi-prolog.org/git/packages/xpce.git/blob/876ce515:/src/img/gifread.c#l507

I've sent a report to the SWI Prolog bug tracking system (http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=7).
(In reply to comment #12)
> I've sent a report to SWI Prolog bug tracking system
> (http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=7).

Thank you! Upstream made the following commits to address the issue:
http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/bb328029beb148691edc031d9db9cf0a503c8247
http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/30fbc4e030cbef5871e1b96c31458116ce3e2ee8

Additionally, a CVE-2006-4484 / CVE-2007-6697 / CVE-2008-0553 / CVE-2008-0554 / CVE-2008-1373 / CVE-2011-2897 -like crash was corrected:
http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/785efb7b94d28c7dbb5b4f2b6f5a908092cf7652
Created pl tracking bugs for this issue
Affects: fedora-all [bug 731944]
Created cups tracking bugs for this issue
Affects: fedora-all [bug 731951]
(In reply to comment #14)
> (In reply to comment #12)
> > I've sent a report to SWI Prolog bug tracking system
> > (http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=7).
>
> Thank you! Upstream did following commits to address the issue:
>
> http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/bb328029beb148691edc031d9db9cf0a503c8247
> http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/30fbc4e030cbef5871e1b96c31458116ce3e2ee8
>
> Additionally, a CVE-2006-4484 / CVE-2007-6697 / CVE-2008-0553 / CVE-2008-0554 /
> CVE-2008-1373 / CVE-2011-2897 -like crash was corrected:
>
> http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/785efb7b94d28c7dbb5b4f2b6f5a908092cf7652

After applying all three patches on the 5.10.2 version from Fedora 15, and loading the `Minimal test case with valid first code' test case, I get a segfault in PutImagePixels32(), in the Xorg libXpm library, after 4 calls of LZWReadByte():

?- show('xpce-gif-CVE-2011-2896/giflzw-1-260-259-260-260-0-first_code_valid.gif').

Program received signal SIGSEGV, Segmentation fault.
0x000000376ca093c6 in PutImagePixels32 (pixels=0x8c2540, pixelindex=0x8c23a0, height=10, width=10, image=<optimized out>) at create.c:1384
1384        pixel = pixels[*(iptr++)];
(gdb) bt
#0  0x000000376ca093c6 in PutImagePixels32 (pixels=0x8c2540, pixelindex=0x8c23a0, height=10, width=10, image=<optimized out>) at create.c:1384
#1  XpmCreateImageFromXpmImage (display=0x8737d0, image=0x7fffffffd3e0, image_return=0x7fffffffd388, shapeimage_return=0x7fffffffd390, attributes=0x7fffffffd290) at create.c:881
#2  0x00007ffff15b5135 in attachXpmImageImage (image=0x8b3350, xpm=0x7fffffffd3e0) at x11/xconvert.c:468
#3  0x00007ffff15b5394 in readGIFFile (fd=0x8a6660, image=0x8b3350) at x11/xconvert.c:537
[...]
(gdb) info locals
data = 0x8c25c0 "\377\377\377"
y = <optimized out>
iptr = 0x8c23a8
pixel = <optimized out>
bpl = 40
data_ptr = 0x8c25c8 "\370T\031_7"
max_data = 0x8c25e8 ""

I guess this is because pl/xpce decodes the GIF image erroneously and the decoded image size does not match the image bitmap. However, this test case is private, so I cannot provide it to upstream.
Statement: Vulnerable. This issue affects the versions of cups as shipped with Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this issue as having moderate security impact for the cups package. A future update may address this issue in the cups package for Red Hat Enterprise Linux 4, 5, and 6. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2011:1635 https://rhn.redhat.com/errata/RHSA-2011-1635.html
(In reply to comment #8)
> Additional change is required to fully address the problem in CUPS:
> http://www.cups.org/str.php?L3914
> svn diff -c 9865 http://svn.easysw.com/public/cups/

Note this also got a separate CVE, CVE-2011-3170 (bug #732106).
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2012:0302 https://rhn.redhat.com/errata/RHSA-2012-0302.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2012:1180 https://rhn.redhat.com/errata/RHSA-2012-1180.html
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Via RHSA-2012:1181 https://rhn.redhat.com/errata/RHSA-2012-1181.html
*** Bug 260998 has been marked as a duplicate of this bug. ***
The affected code is also part of pl as shipped with Red Hat Enterprise Linux 6. That package is only provided via the Optional repository with limited support; there is currently no plan to address this issue in future pl package updates in Red Hat Enterprise Linux 6.