CVE-2017-6960: #854367 - apng2gif: CVE-2017-6960: Integer overflow resulting in heap buffer overflow
An issue was discovered in apng2gif 1.7. There is an integer overflow resulting in a heap-based buffer over-read, related to the load_apng function and the imagesize variable.
Reported by: Dileep Kumar Jallepalli [email protected]
Date: Mon, 6 Feb 2017 12:21:03 UTC
Severity: serious
Tags: security, upstream
Found in versions apng2gif/1.5-1, apng2gif/1.7-1
Fixed in version apng2gif/1.8-0.1
Done: Reiner Herrmann [email protected]
Bug is archived. No further changes may be made.
Report forwarded to [email protected], [email protected], Jari Aalto [email protected]:
Bug#854367; Package apng2gif. (Mon, 06 Feb 2017 12:21:05 GMT)
Acknowledgement sent to Dileep Kumar Jallepalli [email protected]:
New Bug report received and forwarded. Copy sent to [email protected], Jari Aalto [email protected]. (Mon, 06 Feb 2017 12:21:05 GMT)
Message #5 received at [email protected]:
Package: apng2gif
Version: 1.7-1
Severity: important
Dear Maintainer,
Q.) What led up to the situation? A.) In the load_apng function, the imagesize variable is prone to an integer overflow vulnerability (it is basically calculated from the w and h variables, which are in the hands of the user input). And then frameRaw.p and frameCur.p are assigned a lower amount of memory because of this vulnerability, which will result in unallocated memory pointers in frameRaw.rows and frameCur.rows whose dereference can cause a heap buffer overflow read/write.
Q.) What exactly did you do (or not do) that was effective (or ineffective)? A.) Just have to modify the relevant offsets in the png file so that the h and w variables can result in an overflow of the imagesize variable.
Steps to reproduce: Use the makefile in the attachment and compile the program to get the program in asan mode. Use the input.png file in the attachment as input to the program and run it:
apng2gif input.png
Q.) What was the outcome of this action? A.) Heap buffer overflow read at memcpy in the if condition bop==0 in the compose_frame function, for example. But theoretically, this can result in a heap overflow write in some memcpy too under specific conditions.
Sample ASAN Output:
apng2gif 1.7
Reading './crashes_submitted/integeroverflow/input.png'...
==16318== ERROR: AddressSanitizer: heap-buffer-overflow on address 0xb57ff8ff at pc 0x804a7e2 bp 0xbfe89908 sp 0xbfe898fc
READ of size 1 at 0xb57ff8ff thread T0
    #0 0x804a7e1 (apng2gif/1.7/gccasanbuild/apng2gif+0x804a7e1)
    #1 0x80582bb (apng2gif/1.7/gccasanbuild/apng2gif+0x80582bb)
    #2 0x804938b (apng2gif/1.7/gccasanbuild/apng2gif+0x804938b)
    #3 0xb5e2baf2 (/lib/i386-linux-gnu/libc-2.19.so+0x19af2)
    #4 0x804a0c1 (apng2gif/1.7/gccasanbuild/apng2gif+0x804a0c1)
0xb57ff8ff is located 255 bytes to the right of 67375104-byte region [0xb17be800,0xb57ff800)
allocated by thread T0 here:
    #0 0xb61006a4 (/usr/lib/i386-linux-gnu/libasan.so.0.0.0+0x116a4)
    #1 0x805626a (apng2gif/1.7/gccasanbuild/apng2gif+0x805626a)
    #2 0x804938b (apng2gif/1.7/gccasanbuild/apng2gif+0x804938b)
    #3 0xb5e2baf2 (/lib/i386-linux-gnu/libc-2.19.so+0x19af2)
==16318== ABORTING
Q.) What outcome did you expect instead? A.) Maybe some check to see if each pointer in frameRaw.rows/frameCur.rows is less than or equal to frameCur.p + imagesize before trying to dereference them. Or maybe something to get rid of the integer overflow in the first place.
-- System Information:
Debian Release: jessie/sid
APT prefers trusty-updates
APT policy: (500, 'trusty-updates'), (500, 'trusty-security'), (500, 'trusty'), (100, 'trusty-backports')
Architecture: i386 (i686)
Kernel: Linux 3.13.0-32-generic (SMP w/2 CPU cores)
[input.png (image/png, attachment)]
[Makefile (text/x-makefile, attachment)]
Information forwarded to [email protected], Jari Aalto [email protected]:
Bug#854367; Package apng2gif. (Wed, 15 Feb 2017 07:18:03 GMT)
Acknowledgement sent to Dileep Kumar [email protected]:
Extra info received and forwarded to list. Copy sent to Jari Aalto [email protected]. (Wed, 15 Feb 2017 07:18:03 GMT)
Message #10 received at [email protected]:
Hi,
Is there any update on this bug? I'm new to submitting bugs in Debian packages, hence not sure if I had done it correctly and if it had been assigned to the maintainer or not.
-Dileep
Added tag(s) security. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Thu, 16 Mar 2017 19:09:03 GMT)
Changed Bug title to 'apng2gif: CVE-2017-6960: Integer overflow resulting in heap buffer overflow' from 'apng2gif: Integer overflow resulting in heap buffer overflow'. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Fri, 17 Mar 2017 11:27:08 GMT)
Added tag(s) upstream. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Fri, 17 Mar 2017 11:30:04 GMT)
Information forwarded to [email protected], Jari Aalto [email protected]:
Bug#854367; Package apng2gif. (Mon, 20 Mar 2017 22:12:03 GMT)
Acknowledgement sent to Ola Lundqvist [email protected]:
Extra info received and forwarded to list. Copy sent to Jari Aalto [email protected]. (Mon, 20 Mar 2017 22:12:03 GMT)
Message #21 received at [email protected]:
Hi
I just want to inform that the problem was easy to reproduce on wheezy, jessie and sid.
Sid:
(sid_chroot)root@tigereye:/# apng2gif input-854367.png
apng2gif 1.7
Reading 'input-854367.png'...
Segmentation fault

Wheezy and jessie look similar:
(wheezy_chroot)root@tigereye:/# apng2gif input-854367.png
apng2gif 1.5
Reading 'input-854367.png'...
Segmentation fault
Best regards
// Ola
Information forwarded to [email protected], Jari Aalto [email protected]:
Bug#854367; Package apng2gif. (Tue, 21 Mar 2017 19:48:06 GMT)
Acknowledgement sent to Salvatore Bonaccorso [email protected]:
Extra info received and forwarded to list. Copy sent to Jari Aalto [email protected]. (Tue, 21 Mar 2017 19:48:06 GMT)
Message #26 received at [email protected]:
Control: found -1 1.5-1
Hi
Although the code has changed a lot after 1.5, this seems to be present in similar form in LoadAPNG as well (triggerable e.g. on line 623), as
==6087==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fac2f9ff800 at pc 0x7fac3356673c bp 0x7ffd048d8520 sp 0x7ffd048d7cd0
WRITE of size 1090585600 at 0x7fac2f9ff800 thread T0
[…]
so even as heap-buffer-overflow WRITE.
Updating found version accordingly.
Regards, Salvatore
Marked as found in versions apng2gif/1.5-1. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Tue, 21 Mar 2017 19:48:06 GMT)
Message sent on to Dileep Kumar Jallepalli [email protected]:
Bug#854367. (Tue, 21 Mar 2017 19:48:08 GMT)
Information forwarded to [email protected], Jari Aalto [email protected]:
Bug#854367; Package apng2gif. (Fri, 24 Mar 2017 22:03:02 GMT)
Acknowledgement sent to Chris Lamb [email protected]:
Extra info received and forwarded to list. Copy sent to Jari Aalto [email protected]. (Fri, 24 Mar 2017 22:03:03 GMT)
Message #36 received at [email protected]:
Hi,
apng2gif: CVE-2017-6960: Integer overflow resulting in heap buffer overflow
Do we have an upstream-blessed patch for this yet, out of interest?
Regards,
Message sent on to Dileep Kumar Jallepalli [email protected]:
Bug#854367. (Thu, 25 May 2017 15:03:03 GMT)
Message #39 received at [email protected]:
Hi,
I have prepared a patch for apng2gif 1.5.
Testing did not reveal any problem, but I’m sure it can still be improved.
Could anybody take a look at it?
Debdiff for wheezy is in attachment (a test package for wheezy is also available here[0]).
This patch should also fix the issue in Jessie, but I did not test it. I can build a test package if needed.
Cheers, Hugo
[0] https://people.debian.org/~hle/lts/apng2gif_1.5-1+deb7u1_amd64.changes
[debdiff (text/plain, attachment)]
Information forwarded to [email protected], Jari Aalto [email protected]:
Bug#854367; Package apng2gif. (Thu, 25 May 2017 15:27:05 GMT)
Acknowledgement sent to Salvatore Bonaccorso [email protected]:
Extra info received and forwarded to list. Copy sent to Jari Aalto [email protected]. (Thu, 25 May 2017 15:27:05 GMT)
Message #44 received at [email protected]:
All of those should be fixed in the new upstream version 1.8 according to the upstream author.
Message sent on to Dileep Kumar Jallepalli [email protected]:
Bug#854367. (Wed, 31 May 2017 20:51:04 GMT)
Message #47 received at [email protected]:
Hi Hugo
I have reviewed your code and it looks good to me. I do not know this library very well, however, so I may have overlooked something. But the checks look ok.
What I'm not sure of is the break statement, but I guess you have control over that part.
Have you tested that the solution works against some test image that broke it in an earlier version? Have you done any form of regression test?
Best regards
// Ola
Message sent on to Dileep Kumar Jallepalli [email protected]:
Bug#854367. (Fri, 02 Jun 2017 07:33:13 GMT)
Message #50 received at [email protected]:
Hi Ola,
I have reviewed your code and it looks good to me. I do not know this library very well, however, so I may have overlooked something. But the checks look ok.
What I'm not sure of is the break statement, but I guess you have control over that part.
Thanks for your review!
This code is executed in a big do-while structure, that’s why we break in case of errors (upstream did it at line 620 for example). The return value res is initialized with value 1 (=error) at line 524 so we return error. Error handling is then realised at line 1891.
Have you tested that the solution works against some test image that broke it in an earlier version? Have you done any form of regression test?
I have tested with the original reproducer and crafted myself other malicious apng files to trigger the case where (h > UINT_MAX/(4*(frames+1))) or (w > UINT_MAX/(4*(frames+1))), which I forgot to handle at the beginning.
Regression tests with two "normal" apng files: everything was working fine.
If nobody is against it, I’d upload this patch now.
Cheers, Hugo
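The two places where this thread pins the bug down are the reporter's description of imagesize being computed from the attacker-controlled w and h, and Hugo's UINT_MAX/(4*(frames+1)) checks in the wheezy patch. The following C is an added illustration of both, not apng2gif's own code; the function names, the frames parameter and the 32768 x 32769 sample dimensions are assumptions constructed for the example.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
/* Added illustration of the size arithmetic this bug is about, not apng2gif's
 * own code. w and h stand for the IHDR width/height read from an untrusted
 * file; frames is a hypothetical frame count mirroring the (frames+1) factor
 * in the wheezy patch discussed in the thread. */

/* Unchecked shape: w*h*4 in 32-bit unsigned arithmetic silently wraps, so
 * absurd dimensions yield a small imagesize and a small heap buffer while
 * the row pointers built from w still stride w*4 bytes apart. */
unsigned int imagesize_unchecked(unsigned int w, unsigned int h)
{
    return w * h * 4U;
}

/* The per-row bound the reporter asks for: every row the loader addresses
 * (p + i*w*4, i < h) must end inside a buffer of `size` bytes; 64-bit so
 * the comparison itself cannot wrap. */
int rows_fit(unsigned int w, unsigned int h, unsigned int size)
{
    uint64_t last_row_end = (uint64_t)h * (uint64_t)w * 4U;
    return last_row_end <= (uint64_t)size;
}

/* Reject oversized dimensions before multiplying. The first test is the
 * patch's pair of h/w > UINT_MAX/(4*(frames+1)) checks; the rest carry the
 * bound through each factor so w*h*4*(frames+1) is proven to fit in an
 * unsigned int. Returns 1 and stores the per-frame size, else 0. */
int imagesize_checked(unsigned int w, unsigned int h, unsigned int frames,
                      unsigned int *out)
{
    unsigned int mult, rowbytes, image;
    if (w == 0 || h == 0 || frames == UINT_MAX) return 0;
    if (frames + 1U > UINT_MAX / 4U) return 0;
    mult = 4U * (frames + 1U);
    if (h > UINT_MAX / mult || w > UINT_MAX / mult) return 0;
    rowbytes = 4U * w;                            /* safe: w <= UINT_MAX/4 */
    if (h > UINT_MAX / rowbytes) return 0;        /* w*h*4 must fit */
    image = rowbytes * h;
    if (frames + 1U > UINT_MAX / image) return 0; /* all frames must fit */
    *out = image;
    return 1;
}

/* Convenience wrapper: the checked per-frame size, or 0 when rejected. */
unsigned int checked_or_zero(unsigned int w, unsigned int h, unsigned int frames)
{
    unsigned int size;
    return imagesize_checked(w, h, frames, &size) ? size : 0U;
}

int main(void)
{
    /* Constructed dimensions: 32768 x 32769 wraps w*h*4 to 131072 bytes. */
    unsigned int bad = imagesize_unchecked(32768U, 32769U);
    printf("unchecked: %u bytes, rows fit: %d\n", bad, rows_fit(32768U, 32769U, bad));
    printf("checked: %u (0 = rejected), 640x480: %u\n",
           checked_or_zero(32768U, 32769U, 0U), checked_or_zero(640U, 480U, 0U));
    return 0;
}
```

The same wrapped product is what ASan reports above as a READ far to the right of the allocated region: the buffer was sized from the wrapped value while the row pointers were not.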
Information forwarded to [email protected], Jari Aalto [email protected]:
Bug#854367; Package apng2gif. (Sun, 01 Oct 2017 09:48:03 GMT)
Acknowledgement sent to Moritz Mühlenhoff [email protected]:
Extra info received and forwarded to list. Copy sent to Jari Aalto [email protected]. (Sun, 01 Oct 2017 09:48:03 GMT)
Message #55 received at [email protected]:
On Thu, May 25, 2017 at 05:25:09PM +0200, Salvatore Bonaccorso wrote:
All of those should be fixed in the new upstream version 1.8 according to the upstream author.
What’s the status? This is unfixed for quite a while now?
Cheers, Moritz
Severity set to 'serious' from 'important'. Request was from Salvatore Bonaccorso [email protected] to [email protected]. (Sun, 01 Oct 2017 09:48:11 GMT)
Added tag(s) pending. Request was from Stephen Kitt [email protected] to [email protected]. (Thu, 07 Dec 2017 19:51:08 GMT)
Removed tag(s) pending. Request was from Stephen Kitt [email protected] to [email protected]. (Thu, 07 Dec 2017 22:09:03 GMT)
Information forwarded to [email protected], Jari Aalto [email protected]:
Bug#854367; Package apng2gif. (Sat, 27 Oct 2018 12:57:02 GMT)
Acknowledgement sent to [email protected]:
Extra info received and forwarded to list. Copy sent to Jari Aalto [email protected]. (Sat, 27 Oct 2018 12:57:02 GMT)
Message #66 received at [email protected]:
Control: tags 854367 + pending
Control: tags 854441 + pending
Control: tags 854447 + pending
Dear maintainer,
I’ve prepared an NMU for apng2gif (versioned as 1.8-0.1) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.
Regards, Reiner
Added tag(s) pending. Request was from [email protected] to [email protected]. (Sat, 27 Oct 2018 12:57:02 GMT)
Reply sent to Reiner Herrmann [email protected]:
You have taken responsibility. (Mon, 29 Oct 2018 13:06:07 GMT)
Notification sent to Dileep Kumar Jallepalli [email protected]:
Bug acknowledged by developer. (Mon, 29 Oct 2018 13:06:07 GMT)
Message #73 received at [email protected]:
Source: apng2gif
Source-Version: 1.8-0.1
We believe that the bug you reported is fixed in the latest version of apng2gif, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software pp. Reiner Herrmann [email protected] (supplier of updated apng2gif package)
(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])
Format: 1.8
Date: Sat, 27 Oct 2018 14:15:49 +0200
Source: apng2gif
Binary: apng2gif
Architecture: source
Version: 1.8-0.1
Distribution: unstable
Urgency: medium
Maintainer: Jari Aalto [email protected]
Changed-By: Reiner Herrmann [email protected]
Description:
 apng2gif - tool for converting APNG images to animated GIF format
Closes: 854367 854441 854447
Changes:
 apng2gif (1.8-0.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * New upstream release.
     - Fixes CVE-2017-6960 (Closes: #854367).
     - Fixes CVE-2017-6961 (Closes: #854441).
     - Fixes CVE-2017-6962 (Closes: #854447).
Bug archived. Request was from Debbugs Internal Request [email protected] to [email protected]. (Sun, 07 Jul 2019 07:51:43 GMT)
Debian bug tracking system administrator <[email protected]>. Last modified: Fri Jan 20 15:03:28 2023; Machine Name: buxtehude