Bug 574406 - media-gfx/graphicsmagick: out-of-bound read
Summary: media-gfx/graphicsmagick: out-of-bound read
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: ~2 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-11 10:37 UTC by Agostino Sarubbo
Modified: 2017-09-20 00:41 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Agostino Sarubbo gentoo-dev 2016-02-11 10:37:18 UTC
From ${URL} :

We found a read out-of-bound in the parsing of gif files using
GraphicsMagick. This issue was tested in Ubuntu 14.04 (x86_64) using
GraphicsMagick 1.3.18. Find attached a specially crafted file to reproduce
this issue. The AddressSanitizer report showing the faulty code is here:

$ ./gm identify overflow.gif
=================================================================
==3173==ERROR: AddressSanitizer: heap-buffer-overflow on address
0x6210000037be at pc 0x0000007e5f56 bp 0x7fffffffa940 sp 0x7fffffffa938
READ of size 1 at 0x6210000037be thread T0
    #0 0x7e5f55 in DecodeImage coders/gif.c:276
    #1 0x7ebdac in ReadGIFImage coders/gif.c:1075
    #2 0x490fc6 in ReadImage magick/constitute.c:1600
    #3 0x48fcd0 in PingImage magick/constitute.c:1363
    #4 0x43fc25 in IdentifyImageCommand magick/command.c:8350
    #5 0x4427b9 in MagickCommand magick/command.c:8840
    #6 0x47c4d6 in GMCommandSingle magick/command.c:17253
    #7 0x47c79c in GMCommand magick/command.c:17306
    #8 0x40c8c5 in main utilities/gm.c:61
    #9 0x7ffff3739ec4 in __libc_start_main
(/lib/x86_64-linux-gnu/libc.so.6+0x21ec4)
    #10 0x40c7d8
(/home/vagrant/repos/graphicsmagick-1.3.18/utilities/gm+0x40c7d8)
AddressSanitizer can not describe address in more detail (wild memory
access suspected).
SUMMARY: AddressSanitizer: heap-buffer-overflow coders/gif.c:276 DecodeImage
Shadow bytes around the buggy address:
  0x0c427fff86a0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff86b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff86c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff86d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff86e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c427fff86f0: fa fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa
  0x0c427fff8700: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8710: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8720: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8730: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c427fff8740: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==3173==ABORTING

This issue is caused by the use of uninitialized memory in DecodeImage and
fortunately it was fixed here:

http://marc.info/?l=graphicsmagick-commit&m=142283721604323&w=2


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
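The report above is an out-of-bounds read inside GIF image decoding, caught by AddressSanitizer. The following is an added example, not GraphicsMagick's code and not the fix linked in the report (whose cause the reporter attributes to uninitialized memory in DecodeImage): it shows the generic check a GIF decoder needs when it walks the "data sub-block" framing that carries LZW image data, where a length byte announces how many payload bytes follow. A crafted or truncated file can announce more bytes than remain in the buffer, and a decoder that trusts the length byte reads past the allocation, which is the bug class ASan flags as heap-buffer-overflow. The type and function names (gif_reader, read_sub_block, consume_sub_blocks) and the two byte strings are constructed for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration (not GraphicsMagick code): a bounds-checked reader for
 * GIF data sub-blocks. Each sub-block is a length byte N (0..255) followed
 * by N payload bytes; a zero-length block terminates the sequence. Every
 * read is validated against the bytes actually remaining in the buffer. */

typedef struct {
    const uint8_t *data;   /* whole in-memory file */
    size_t len;            /* total bytes available */
    size_t pos;            /* read cursor */
} gif_reader;

/* Copies the next sub-block payload into out (capacity 255) and returns its
 * length, 0 for the block terminator, or -1 if the input is truncated. */
int read_sub_block(gif_reader *r, uint8_t out[255]) {
    if (r->pos >= r->len)              /* no length byte left to read */
        return -1;
    size_t n = r->data[r->pos++];
    if (n == 0)
        return 0;                      /* block terminator */
    if (n > r->len - r->pos)           /* payload would run past the buffer */
        return -1;
    memcpy(out, r->data + r->pos, n);
    r->pos += n;
    return (int)n;
}

/* Walks all sub-blocks from r->pos and returns the total payload byte
 * count, or -1 if the stream ends before the terminator is reached. */
long consume_sub_blocks(gif_reader *r) {
    uint8_t buf[255];
    long total = 0;
    for (;;) {
        int n = read_sub_block(r, buf);
        if (n < 0)
            return -1;
        if (n == 0)
            return total;
        total += n;
    }
}

/* Constructed sample inputs (not the attachment from the report). */
static const uint8_t well_formed[] = { 0x03, 'a', 'b', 'c', 0x02, 'd', 'e', 0x00 };
/* The length byte claims 16 payload bytes but only two follow: a decoder
 * that trusts it would read 14 bytes beyond the end of this buffer. */
static const uint8_t truncated[]   = { 0x10, 'x', 'y' };

long scan_well_formed(void) {
    gif_reader r = { well_formed, sizeof well_formed, 0 };
    return consume_sub_blocks(&r);   /* 5 payload bytes */
}

long scan_truncated(void) {
    gif_reader r = { truncated, sizeof truncated, 0 };
    return consume_sub_blocks(&r);   /* -1: rejected, nothing read out of bounds */
}

int main(void) {
    printf("well-formed: %ld payload bytes\n", scan_well_formed());
    printf("truncated:   %ld (rejected)\n", scan_truncated());
    return 0;
}
```

The important line is the comparison of the announced length against `r->len - r->pos` before the `memcpy`; without it the truncated input is read exactly as the length byte dictates. Building a decoder like this with `-fsanitize=address` and feeding it malformed files is the same workflow that produced the report above, and the check makes the sanitizer stay silent on the truncated case.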
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-09-20 00:41:07 UTC
Already fixed. Marking as FIXED.

Gentoo Security Padawan
ChrisADR