CVE-2011-2896: 727800 – (CVE-2011-2896) CVE-2011-2896 David Koblas' GIF decoder LZW decoder buffer overflow
The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895.
Description Tomas Hoger 2011-08-03 09:22:38 UTC
GIF image file format readers in various open source projects are based on the GIF decoder implementation written by David Koblas. This implementation contains a bug in the LZW decompressor, causing it to incorrectly handle compressed streams that contain code words that were not yet added to the decompression table. LZW decompression has a special case (a KwKwK string) when a code word may match the first free entry in the decompression table. The implementation used in this GIF reading code allows code words not only matching, but also exceeding the first free entry.
This problem is identical to a bug found in BSD compress (CVE-2011-2895, bug #727624), but given the unclear relationship between the BSD compress and GIF decoder code bases, a separate CVE is used here.
Several projects refer to pbmplus as the source from which the GIF reading code was taken:
http://www.acme.com/software/pbmplus/
In the pbmplus version of the code, the flaw can be found in LWZReadByte():
    if (code >= max_code) {
        *sp++ = firstcode;
        code = oldcode;
    }
This allows creating a loop in the decompression table, which leads to an “infinite” loop:
    while (code >= clear_code) {
        *sp++ = table[1][code];
        if (code == table[0][code])
            pm_error("circular table entry BIG ERROR");
        code = table[0][code];
    }
where:
    #define MAX_LWZ_BITS 12
    static int table[2][(1<< MAX_LWZ_BITS)];
    static int stack[(1<<(MAX_LWZ_BITS))*2], *sp;
    sp = stack;
This results in a stack[] buffer overflow. If table[][] is located above stack[], the stack[] overflow may further modify the decoding table and break the infinite loop.
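The following added example (not code from the bug report or from any of the affected projects) is a small Koblas-style LZW decoder over a constructed array of already-unpacked code words, with the `code > max_code` reject in place of the original `code >= max_code` test so that only a genuine KwKwK code (equal to the first free entry) is accepted. The code_size, the code values and the stream layout are constructed for the demonstration; GIF bit packing is deliberately omitted.

```c
#define MAX_LWZ_BITS 12
#define TABLE_SIZE (1 << MAX_LWZ_BITS)

/* Decode already-unpacked LZW code words (no GIF bit packing) into out[].
 * Table layout (prefix/suffix arrays plus a stack) follows the Koblas-style decoder.
 * Returns the number of bytes written, or -1 on a malformed stream. */
int lzw_decode(const int *codes, int ncodes, int code_size,
               unsigned char *out, int out_len)
{
    int prefix[TABLE_SIZE], suffix[TABLE_SIZE];
    unsigned char stack[TABLE_SIZE * 2], *sp = stack;
    int clear_code = 1 << code_size, end_code = clear_code + 1;
    int max_code = clear_code + 2;   /* index of the first free table entry */
    int oldcode = -1, firstcode = 0, outpos = 0, i;

    for (i = 0; i < clear_code; i++) { prefix[i] = 0; suffix[i] = i; }

    for (i = 0; i < ncodes; i++) {
        int code = codes[i], incode = code;
        if (code == end_code) break;
        if (code == clear_code) { max_code = clear_code + 2; oldcode = -1; continue; }
        if (oldcode == -1) {         /* first code after a clear must be a literal */
            if (code >= clear_code || outpos >= out_len) return -1;
            out[outpos++] = (unsigned char)(firstcode = oldcode = code);
            continue;
        }
        /* Koblas tested 'code >= max_code' here, so a code beyond the first free
         * entry took the KwKwK path and later became a self-referencing prefix. */
        if (code > max_code) return -1;            /* hardened: reject, do not guess */
        if (code == max_code) {                    /* genuine KwKwK: old string + its first byte */
            *sp++ = (unsigned char)firstcode;
            code = oldcode;
        }
        while (code >= clear_code) {               /* prefixes strictly decrease: no cycle */
            *sp++ = (unsigned char)suffix[code];
            code = prefix[code];
        }
        *sp++ = (unsigned char)(firstcode = suffix[code]);
        if (max_code < TABLE_SIZE) {               /* grow the table, never past its end */
            prefix[max_code] = oldcode;
            suffix[max_code] = firstcode;
            max_code++;
        }
        oldcode = incode;
        /* emit the decoded string, bounded by out_len */
        while (sp > stack) { if (outpos >= out_len) return -1; out[outpos++] = *--sp; }
    }
    return outpos;
}
```

With code_size 2 the clear code is 4, the end code is 5 and the first free entry is 6, so the stream 4,1,7,5 (code 7 exceeding the first free entry) is rejected while 4,1,6,6,5 (a legitimate KwKwK use of 6) decodes.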
Comment 9 Tomas Hoger 2011-08-10 18:14:09 UTC
Making this public.
Comment 10 Josh Bressers 2011-08-12 14:25:18 UTC
Created gimp tracking bugs for this issue
Affects: fedora-all [bug 730338]
Comment 15 Tomas Hoger 2011-08-19 08:08:21 UTC
Created pl tracking bugs for this issue
Affects: fedora-all [bug 731944]
Comment 16 Tomas Hoger 2011-08-19 08:54:47 UTC
Created cups tracking bugs for this issue
Affects: fedora-all [bug 731951]
Comment 17 Petr Pisar 2011-08-19 13:59:41 UTC
(In reply to comment #14)
> (In reply to comment #12)
I've sent a report to SWI Prolog bug tracking system (http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=7).
Thank you! Upstream made the following commits to address the issue:
http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/bb328029beb148691edc031d9db9cf0a503c8247
http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/30fbc4e030cbef5871e1b96c31458116ce3e2ee8
Additionally, a CVE-2006-4484 / CVE-2007-6697 / CVE-2008-0553 / CVE-2008-0554 / CVE-2008-1373 / CVE-2011-2897 -like crash was corrected:
http://www.swi-prolog.org/git/packages/xpce.git/commitdiff/785efb7b94d28c7dbb5b4f2b6f5a908092cf7652
After applying all three patches on the 5.10.2 version from Fedora 15, and loading the 'Minimal test case with valid first code' test case, I get a segfault in PutImagePixels32(), in the Xorg libXpm library, after 4 calls to LZWReadByte():
    ?- show('xpce-gif-CVE-2011-2896/giflzw-1-260-259-260-260-0-first_code_valid.gif').

    Program received signal SIGSEGV, Segmentation fault.
    0x000000376ca093c6 in PutImagePixels32 (pixels=0x8c2540, pixelindex=0x8c23a0, height=10, width=10, image=<optimized out>) at create.c:1384
    1384        pixel = pixels[*(iptr++)];
    (gdb) bt
    #0  0x000000376ca093c6 in PutImagePixels32 (pixels=0x8c2540, pixelindex=0x8c23a0, height=10, width=10, image=<optimized out>) at create.c:1384
    #1  XpmCreateImageFromXpmImage (display=0x8737d0, image=0x7fffffffd3e0, image_return=0x7fffffffd388, shapeimage_return=0x7fffffffd390, attributes=0x7fffffffd290) at create.c:881
    #2  0x00007ffff15b5135 in attachXpmImageImage (image=0x8b3350, xpm=0x7fffffffd3e0) at x11/xconvert.c:468
    #3  0x00007ffff15b5394 in readGIFFile (fd=0x8a6660, image=0x8b3350) at x11/xconvert.c:537
    […]
    (gdb) info locals
    data = 0x8c25c0 "\377\377\377"
    y = <optimized out>
    iptr = 0x8c23a8
    pixel = <optimized out>
    bpl = 40
    data_ptr = 0x8c25c8 "\370T\031_7"
    max_data = 0x8c25e8 ""
I guess this is because pl/xpce decodes the GIF image erroneously and the decoded image size does not match the image bitmap. However, this test case is private, so I cannot provide it to upstream.
Comment 18 Jan Lieskovsky 2011-11-08 15:40:16 UTC
Statement:
Vulnerable. This issue affects the versions of cups as shipped with Red Hat Enterprise Linux 4, 5, and 6. The Red Hat Security Response Team has rated this issue as having moderate security impact for the cups package. A future update may address this issue in the cups package for Red Hat Enterprise Linux 4, 5, and 6. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.
Comment 29 Tomas Hoger 2014-06-23 08:35:57 UTC
Affected code is also part of pl as shipped with Red Hat Enterprise Linux 6. That package is only provided via the Optional repository with limited support; there is currently no plan to address this issue in future pl package updates in Red Hat Enterprise Linux 6.