Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 276235 (CVE-2009-2295) - <dev-ml/camlimages-3.0.1 integer overflows (CVE-2009-{2295,2660})
Summary: <dev-ml/camlimages-3.0.1 integer overflows (CVE-2009-{2295,2660})
Status: RESOLVED FIXED
Alias: CVE-2009-2295
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.ocert.org/advisories/ocert...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-07-02 13:48 UTC by Robert Buchholz (RETIRED)
Modified: 2010-06-01 15:44 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
camlimages-3.0.1-CVE-2009-2295.patch (camlimages-3.0.1-CVE-2009-2295.patch,4.25 KB, patch)
2009-07-25 11:38 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff
testsuite for PoC (CVE-2009-2295.tar.gz,433.33 KB, text/plain)
2009-08-19 12:03 UTC, Steffen Joeris
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-02 13:48:04 UTC
oCERT #2009-009 CamlImages integer overflows

CamlImages, an open source image processing library, suffers from several integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution.

The vulnerability is triggered by PNG image parsing, the read_png_file and read_png_file_as_rgb24 functions do not properly validate the width and height of the image. Specific PNG images with large width and height can be crafted to trigger the vulnerability.

Affected version:

CamlImages <= 2.2

Fixed version:

Unfortunately oCERT has been unable to get feedback from CamlImages maintainers and the package seems unmaintained, it's therefore suggested to avoid CamlImages usage on production or any environment where strong security is needed.

Credit: vulnerability report and PoC code received from Tielei Wang <wangtielei [at] icst [dot] pku [dot] edu [dot] cn>, ICST-ERCIS.

CVE: CVE-2009-2295
Timeline:

2009-05-21: vulnerability reported received
2009-05-21: contacted camlimages maintainers
2009-06-30: due to lack of feedback oCERT asks reporter to disclose the issue
2009-07-01: reporter agrees to disclosure
2009-07-02: assigned CVE
2009-07-02: advisory release
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-07-02 13:55:00 UTC
ml: app-text/active-dvi seems to be using this library, so in case of removal, both would have to go. Do you have contact to upstream?
Comment 2 Alexis Ballier gentoo-dev 2009-07-02 14:16:50 UTC
There is a new version (3.0.1) at http://gallium.inria.fr/camlimages/ (it seems it has been released a long time ago: 2007-10-11 according to the tarball mtime)
Is it also exploitable?
Considering the timeline I'd suspect it is, but the advisory is about <=2.2.
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-07-03 07:19:45 UTC
The advisory has been updates to reflect that 3.0.1 is also affected. Alexis, I forwarded the reproducer to you. The email to upstream bounced for one of the two authors (Jun.Furuse).
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-05 23:27:07 UTC
CVE-2009-2295 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2295):
  Multiple integer overflows in CamlImages 2.2 and earlier might allow
  context-dependent attackers to execute arbitrary code via a crafted
  PNG image with large width and height values that trigger a
  heap-based buffer overflow in the (1) read_png_file or (2)
  read_png_file_as_rgb24 function.

Comment 5 Alexis Ballier gentoo-dev 2009-07-24 20:52:12 UTC
3.0.1 in tree with upstream patches; it checks for oversized images in gif, jpeg and png so maybe there were other vulns. in jpeg & gif readers.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2009-07-25 11:38:38 UTC
Created attachment 199108 [details, diff]
camlimages-3.0.1-CVE-2009-2295.patch

Fixes for CVE-2009-2295 and gif/jpeg overflows.
Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-07-25 12:25:34 UTC
Arches, please test and mark stable:
=dev-ml/camlimages-3.0.1
Target keywords : "ppc x86"
Comment 8 Markus Meier gentoo-dev 2009-07-27 22:01:34 UTC
this will break it's only reverse-dep app-text/active-dvi-1.7.3:

/usr/bin/ocamlc.opt  -I /usr/lib/ocaml/lablgtk2 -I /usr/lib/ocaml -I /usr/lib/ocaml/site-packages/camlimages -o dvi.cmo -c dvi.ml
/usr/bin/ocamlc.opt  -I /usr/lib/ocaml/lablgtk2 -I /usr/lib/ocaml -I /usr/lib/ocaml/site-packages/camlimages -o drawimage.cmo -c drawimage.ml
File "drawimage.ml", line 304, characters 8-18:
Unbound value Ps.load_ps
make[2]: *** [drawimage.cmo] Error 2
make[2]: *** Waiting for unfinished jobs....
make[2]: Leaving directory `/var/tmp/portage/app-text/active-dvi-1.7.3/work/advi-1.7.3/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/var/tmp/portage/app-text/active-dvi-1.7.3/work/advi-1.7.3/src'
make: *** [all-recursive] Error 1
 * 
 * ERROR: app-text/active-dvi-1.7.3 failed.
 * Call stack:
 *               ebuild.sh, line   49:  Called src_compile
 *             environment, line 2672:  Called die
 * The specific snippet of code:
 *       emake || die "emake failed";
 *  The die message:
 *   emake failed

[ebuild   R   ] dev-ml/camlimages-3.0.1  USE="gif gtk jpeg tiff truetype -doc -gs -xpm" 0 kB
[ebuild   R   ] app-text/active-dvi-1.7.3  USE="ocamlopt -tk" 0 kB

Portage 2.1.6.13 (default/linux/x86/2008.0/desktop, gcc-4.3.2, glibc-2.9_p20081201-r2, 2.6.30.1 i686)
=================================================================
System uname: Linux-2.6.30.1-i686-Intel-R-_Core-TM-2_Duo_CPU_T8300_@_2.40GHz-with-glibc2.0
Timestamp of tree: Mon, 27 Jul 2009 21:00:01 +0000
app-shells/bash:     3.2_p39
dev-java/java-config: 2.1.7
dev-lang/python:     2.5.4-r3
dev-python/pycrypto: 2.0.1-r8
dev-util/cmake:      2.6.4
sys-apps/baselayout: 1.12.11.1
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.13, 2.63-r1
sys-devel/automake:  1.4_p6, 1.5, 1.7.9-r1, 1.9.6-r2, 1.10.2
sys-devel/binutils:  2.18-r3
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   1.5.26
virtual/os-headers:  2.6.27-r2
ACCEPT_KEYWORDS="x86"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=i686 -pipe"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/config"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c /etc/udev/rules.d"
CXXFLAGS="-O2 -march=i686 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="collision-protect distlocks fixpackages parallel-fetch protect-owned sandbox sfperms strict test unmerge-orphans userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LDFLAGS="-Wl,-O1"
LINGUAS="en en_GB de"
MAKEOPTS="-j2"
PKGDIR="/mnt/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X acl acpi alsa apache2 avahi berkdb bluetooth branding bzip2 cairo cdr cli cracklib crypt cups dbus dri dvd dvdr dvdread eds emboss encode esd evo examples fam firefox fortran gdbm gif gnome gpm gstreamer gtk hal iconv ipv6 isdnlog jpeg kde ldap libnotify mad midi mikmod mp3 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp pam pcre pdf perl png ppds pppd python qt3 qt3support qt4 quicktime readline reflection sdl session source spell spl ssl startup-notification svg sysfs tcpd test tiff truetype unicode usb vorbis win32codecs x86 xml xorg xulrunner xv zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en en_GB de" USERLAND="GNU" VIDEO_CARDS="fbdev glint i810 intel mach64 mga neomagic nv r128 radeon savage sis tdfx trident vesa vga via vmware voodoo"
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 9 Alexis Ballier gentoo-dev 2009-07-27 22:28:23 UTC
Its just missing usedeps from advi part; added active-dvi-1.7.3-r1 that fixes that. Please mark it stable together with camlimages 3.0.1 and remove the old active-dvi revision while at it.
Comment 10 Markus Meier gentoo-dev 2009-07-29 21:18:00 UTC
x86 stable
Comment 11 Robert Buchholz (RETIRED) gentoo-dev 2009-08-07 17:21:46 UTC
CVE-2009-2660 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2660):
  Multiple integer overflows in CamlImages 2.2 might allow
  context-dependent attackers to execute arbitrary code via images
  containing large width and height values that trigger a heap-based
  buffer overflow, related to (1) crafted GIF files (gifread.c) and (2)
  crafted JPEG files (jpegread.c), a different vulnerability than
  CVE-2009-2295.

Comment 12 nixnut (RETIRED) gentoo-dev 2009-08-09 13:12:28 UTC
ppc stable
Comment 13 Greg Roelofs 2009-08-14 20:53:33 UTC
The PNG patch appears to be incomplete (rowbytes itself is never checked, unless in libpng; I personally would always include my own, explicit check), and oversized() seems unnecessarily complex (why not check for x and y <= 0 and avoid the explicit "y != 0" in the third clause?  images with zero-dimensions aren't valid, either).  The GIF and JPEG checks appear to depend on third-party data structures and may break in the future if those ever switch to unsigned values (though I imagine that's unlikely).
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2009-08-15 23:49:56 UTC
(In reply to comment #13)
> The PNG patch appears to be incomplete (rowbytes itself is never checked,
> unless in libpng; I personally would always include my own, explicit check),

I'm not sure I'm following. rowbytes is declared as size_t and libpng's png_get_rowbytes() returns a uint_32, which is an identical type. What else do you want to check?
rowbytes is only used in memory allocations or access in multiplications with height, and that case is checked.


> and oversized() seems unnecessarily complex (why not check for x and y <= 0 and
> avoid the explicit "y != 0" in the third clause?  images with zero-dimensions
> aren't valid, either). 

0 height or width are certainly not errors to cause an overflow message, so the additional case of oversized() returning false for x=0 or y=0 seems sane to me.


> The GIF and JPEG checks appear to depend on third-party
> data structures and may break in the future if those ever switch to unsigned
> values (though I imagine that's unlikely).

The members of the GifFileType struct and the jpeg_decompress_struct that are accessed are explicitly not marked private. How else should camlimages get access to these values?
Comment 15 Greg Roelofs 2009-08-18 20:36:40 UTC
(In reply to comment #14)
>> The PNG patch appears to be incomplete (rowbytes itself is never checked,
>> unless in libpng; I personally would always include my own, explicit check),

> I'm not sure I'm following. rowbytes is declared as size_t and libpng's
> png_get_rowbytes() returns a uint_32, which is an identical type. What
> else do you want to check?  rowbytes is only used in memory allocations
> or access in multiplications with height, and that case is checked.

rowbytes itself is a product, and you never check that.  Consider an RGB
image with w = 1431655766:  rowbytes = 2.  Does libpng catch the overflow?
Maybe so, maybe not, or maybe now but not in the future due to an oversight;
the point is that you're depending on it to do so, and I'm saying that's not
a very good approach to security.  (As you noted, you're using rowbytes in
memory allocations, but none of your rowbytes*h checks will catch the problem.
Oopsie.)

>> and oversized() seems unnecessarily complex (why not check for x and y <= 0 and
>> avoid the explicit "y != 0" in the third clause?  images with zero-dimensions
>> aren't valid, either).

> 0 height or width are certainly not errors to cause an overflow message,
> so the additional case of oversized() returning false for x=0 or y=0
> seems sane to me.

The point is simply that zero-dimensioned images serve no valid purpose, and
you can save a few clock cycles by disallowing them:

#define oversized(x, y)    ((x) <= 0 || (y) <= 0 || (x) > INT_MAX / (y))

Cheap optimization, though undoubtedly not measurable...

>> The GIF and JPEG checks appear to depend on third-party
>> data structures and may break in the future if those ever switch to unsigned
>> values (though I imagine that's unlikely).

> The members of the GifFileType struct and the jpeg_decompress_struct
> that are accessed are explicitly not marked private. How else should
> camlimages get access to these values?

Simply by copying to your own integer variables.  I'm not claiming you
necessarily gain anything by doing so--nothing in the patch screams at me
"I will break if x is unsigned"--but I have seen other, similar (security)
code depend on the signedness of integers that turned out not to be signed.
You may want to do a quick mini-audit and make sure there are no signed/
unsigned dependencies in nearby code.
Comment 16 Steffen Joeris 2009-08-19 12:01:31 UTC
Hi
(My first post to gentoo's bugzilla :) )

Just a general remark on this bug, has anyone checked tiffread.c? I can't find any validation checking in there and was wondering, whether it is required.
Also, I am still getting a segmentation fault for the crafted jpeg image that was sent as a PoC via vendor-sec (I can hand that out via private email).
Just wondering, whether someone checked it. I am attaching some code to test it, provided by our camlimages maintainer, maybe it's useful.

Cheers
Steffen
Comment 17 Steffen Joeris 2009-08-19 12:03:11 UTC
Created attachment 201702 [details]
testsuite for PoC
Comment 18 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-23 10:01:07 UTC
(In reply to comment #16)
> Just a general remark on this bug, has anyone checked tiffread.c?

I think those issues are confirmed now, bug 290222. ;)

Comment 19 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-01 15:44:34 UTC
GLSA 201006-02