CVE-2021-3624: #984761 - dcraw: CVE-2021-3624: buffer-overflow caused by integer-overflow in foveon_load_camf()
There is an integer overflow vulnerability in dcraw. When the victim runs dcraw with a maliciously crafted X3F input image, arbitrary code may be executed in the victim’s system.
Reported by: Wooseok Kang [email protected]
Date: Mon, 8 Mar 2021 04:42:02 UTC
Severity: normal
Tags: security, upstream
Found in version dcraw/9.28-2
Fixed in version dcraw/9.28-3
Done: Filip Hroch [email protected]
Report forwarded to [email protected], [email protected], Debian Astronomy Team <[email protected]>: Bug#984761; Package dcraw. (Mon, 08 Mar 2021 04:42:04 GMT)
Acknowledgement sent to Wooseok Kang <[email protected]>: New Bug report received and forwarded. Copy sent to [email protected], Debian Astronomy Team <[email protected]>. (Mon, 08 Mar 2021 04:42:05 GMT)
Message #5 received at [email protected]:
Package: dcraw
Version: 9.28-2
Severity: normal
X-Debbugs-Cc: [email protected]
Dear Maintainer,
There is an integer overflow vulnerability in dcraw. When the victim runs dcraw with a maliciously crafted X3F input image, arbitrary code may be executed in the victim’s system.
The vulnerability resides in the foveon_load_camf() function in the dcraw.c file. The program reads data from the input image using get4().
    type = get4();  get4();  get4();
    wide = get4();
    high = get4();
Since there is no sanitization for these variables, we can set their values freely. Let type=4, and let wide and high be values large enough to cause an overflow. Then it will lead to a small memory allocation in the code below.
    } else if (type == 4) {
      free (meta_data);
      meta_length = wide*high*3/2;
      meta_data = (char *) malloc (meta_length);
Therefore, when data is read into this allocated buffer, it causes a buffer overrun which may lead to arbitrary code execution or a program crash.
I attach the maliciously crafted X3F file, which crashes dcraw as shown below.
    dcraw dcraw-poc.X3F
    dcraw-poc.X3F: Corrupt data near 0x651
    [1]    1251 segmentation fault  dcraw dcraw-poc.X3F
Thank you.
-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.72-microsoft-standard-WSL2 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages dcraw depends on:
ii  libc6            2.31-9
ii  libjpeg62-turbo  1:2.0.6-2
ii  liblcms2-2       2.12~rc1-2

dcraw recommends no packages.

Versions of packages dcraw suggests:
pn  gphoto2  <none>
pn  netpbm   <none>

-- no debconf information
[dcraw-poc.X3F (image/x-x3f, attachment)]
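The arithmetic behind the report, as an added example (this is not dcraw's code and not the reporter's attachment): the quoted length expression evaluated in 32-bit unsigned arithmetic, beside a checked replacement that refuses to allocate when the product would wrap or exceed what the file could contain. The little-endian field reads and the 20-byte header layout are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for get4(): little-endian 32-bit read (an assumption here). The
   report shows the header read as  type = get4(); get4(); get4();
   wide = get4(); high = get4();  with no validation of wide or high. */
static uint32_t rd4(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* The length expression quoted from foveon_load_camf(), in 32-bit unsigned
   arithmetic: wide*high*3/2 wraps modulo 2^32, so huge dimensions can yield
   a tiny (even zero-byte) allocation that the later read overruns. */
uint32_t unchecked_meta_length(uint32_t wide, uint32_t high)
{
    return wide * high * 3u / 2u;
}

/* Hardened replacement: do the arithmetic in 64 bits and reject any result
   that would not fit the 32-bit length or that exceeds `limit` (for example
   the bytes remaining in the input file). Returns true on success. */
bool checked_meta_length(uint32_t wide, uint32_t high, uint64_t limit,
                         uint32_t *out)
{
    uint64_t pixels = (uint64_t)wide * high;   /* exact: always < 2^64 */
    if (pixels > UINT32_MAX)
        return false;                          /* 32-bit product would wrap */
    uint64_t bytes = pixels * 3 / 2;           /* < 3 * 2^32, still exact */
    if (bytes > UINT32_MAX || bytes > limit)
        return false;
    *out = (uint32_t)bytes;
    return true;
}

/* Parses a 20-byte CAMF-style header (type, two skipped words, wide, high).
   Sets *len and returns true only for a type-4 block whose length is sane;
   anything else is rejected before any malloc() would happen. */
bool parse_camf_type4(const unsigned char hdr[20], uint64_t file_limit,
                      uint32_t *len)
{
    uint32_t type = rd4(hdr), wide = rd4(hdr + 12), high = rd4(hdr + 16);
    if (type != 4)
        return false;
    return checked_meta_length(wide, high, file_limit, len);
}

/* Constructed header: type 4, wide = 0x10001, high = 0x10000. The true byte
   count is (2^32 + 2^16) * 3 / 2, but the 32-bit expression yields 98304. */
static const unsigned char crafted_hdr[20] = {
    0x04, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x01, 0x00,  0x00, 0x00, 0x01, 0x00
};

int main(void)
{
    uint32_t wide = rd4(crafted_hdr + 12), high = rd4(crafted_hdr + 16), len;
    printf("unchecked meta_length = %u bytes\n", unchecked_meta_length(wide, high));
    if (!parse_camf_type4(crafted_hdr, 1u << 20, &len))
        printf("checked parser: rejected oversized CAMF block\n");
    return 0;
}
```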
Information forwarded to [email protected], Debian Astronomy Team <[email protected]>: Bug#984761; Package dcraw. (Tue, 09 Mar 2021 16:54:02 GMT)
Acknowledgement sent to Filip Hroch <[email protected]>: Extra info received and forwarded to list. Copy sent to Debian Astronomy Team <[email protected]>. (Tue, 09 Mar 2021 16:54:02 GMT)
Message #10 received at [email protected]:
Dear Wooseok,
I'll look into this.
Note that I'm maintaining only the Debian packaging. I am not the upstream author; I can fix only bugs which do not induce extensive changes in the whole structure of the source code.
FH
F. Hroch [email protected], Masaryk University, Brno, Czechia. Dept. of theor. physics and astrophysics, Kotlarska 2, CZ-611 37.
Added tag(s) security. Request was from Adrian Bunk <[email protected]> to [email protected]. (Mon, 31 May 2021 20:51:02 GMT)
Information forwarded to [email protected], Debian Astronomy Team <[email protected]>: Bug#984761; Package dcraw. (Wed, 02 Jun 2021 20:42:02 GMT)
Acknowledgement sent to Salvatore Bonaccorso <[email protected]>: Extra info received and forwarded to list. Copy sent to Debian Astronomy Team <[email protected]>. (Wed, 02 Jun 2021 20:42:02 GMT)
Message #17 received at [email protected]:
Hi Filip, Wooseok,
On Tue, Mar 09, 2021 at 05:41:51PM +0100, Filip Hroch wrote:
> Dear Wooseok,
> I'll look into this.
> Note that I'm maintaining only the Debian packaging. I am not the upstream author; I can fix only bugs which do not induce extensive changes in the whole structure of the source code.
Can you please report the issue upstream? Or was this reported upstream?
Regards, Salvatore
Message sent on to Wooseok Kang <[email protected]>: Bug#984761. (Wed, 02 Jun 2021 20:42:07 GMT)
Information forwarded to [email protected], Debian Astronomy Team <[email protected]>: Bug#984761; Package dcraw. (Thu, 03 Jun 2021 10:45:03 GMT)
Acknowledgement sent to Filip Hroch <[email protected]>: Extra info received and forwarded to list. Copy sent to Debian Astronomy Team <[email protected]>. (Thu, 03 Jun 2021 10:45:03 GMT)
Message #25 received at [email protected]:
Dear Salvatore,
Unfortunately, I have not fixed it yet.
I suppose I should report it to the upstream author, Mr. Coffin. In the past, I sent patches without any response.
The last upstream version of dcraw was issued three years ago, so I have some worries about him.
Regards, FH
Salvatore Bonaccorso [email protected] writes:
> Hi Filip, Wooseok,
> On Tue, Mar 09, 2021 at 05:41:51PM +0100, Filip Hroch wrote:
>> Dear Wooseok,
>> I'll look into this.
>> Note that I'm maintaining only the Debian packaging. I am not the upstream author; I can fix only bugs which do not induce extensive changes in the whole structure of the source code.
> Can you please report the issue upstream? Or was this reported upstream?
> Regards, Salvatore
-- F. Hroch [email protected], Masaryk University, Dept. of theor. physics and astrophysics, Brno, Moravia, CZ
Message sent on to Wooseok Kang <[email protected]>: Bug#984761. (Thu, 03 Jun 2021 10:45:06 GMT)
Changed Bug title to 'dcraw: CVE-2021-3624: buffer-overflow caused by integer-overflow in foveon_load_camf()' from 'dcraw: buffer-overflow caused by integer-overflow in foveon_load_camf()'. Request was from Salvatore Bonaccorso <[email protected]> to [email protected]. (Tue, 29 Jun 2021 05:45:05 GMT)
Reply sent to Filip Hroch <[email protected]>: You have taken responsibility. (Thu, 25 Nov 2021 13:06:14 GMT)
Notification sent to Wooseok Kang <[email protected]>: Bug acknowledged by developer. (Thu, 25 Nov 2021 13:06:15 GMT)
Message #35 received at [email protected]:
Source: dcraw
Source-Version: 9.28-3
Done: Filip Hroch [email protected]
We believe that the bug you reported is fixed in the latest version of dcraw, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software pp. Filip Hroch [email protected] (supplier of updated dcraw package)
(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])
Format: 1.8
Date: Sun, 21 Nov 2021 23:15:39 +0100
Source: dcraw
Architecture: source
Version: 9.28-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Astronomy Team [email protected]
Changed-By: Filip Hroch [email protected]
Closes: 478701 914447 914453 914454 914459 984761
Changes:
 dcraw (9.28-3) unstable; urgency=medium
 .
   * Written wrappers of fread(),fwrite(),fseek() library functions which
     checks their return values. If an input/output failure is detected,
     dcraw immediately exits with non-zero status and prints a descriptive
     message. Closes: #478701, #914447, #914453, #914454, #914459, #984761
   * Updated links; upstream has been moved to a new site.
   * Updated packaging: evolving standards, added metadata, lintian.
Checksums-Sha1:
 25dc6466c9400cbb583545d7ee4311352286ad05 1978 dcraw_9.28-3.dsc
 cb2b167a49544b5bf879d4a2ef8970b9390b0631 6865640 dcraw_9.28-3.debian.tar.xz
Checksums-Sha256:
 9927b846c8f93188ae84bcd7831d6d61bc83561dba7ba2440b6dafd18ca4b74d 1978 dcraw_9.28-3.dsc
 357ef76c9ad7c0f16f12a29d81a1dc3ee8dff1099c30636fc38fb4109f6a3db6 6865640 dcraw_9.28-3.debian.tar.xz
Files:
 da4d8776a65a9ac1e37c5ee6a272fd5b 1978 graphics optional dcraw_9.28-3.dsc
 d05b8ef6e95acc707c5d43b82bb9ee02 6865640 graphics optional dcraw_9.28-3.debian.tar.xz
Bug archived. Request was from Debbugs Internal Request <[email protected]> to [email protected]. (Sat, 25 Dec 2021 07:29:15 GMT)
Bug unarchived. Request was from Salvatore Bonaccorso <[email protected]> to [email protected]. (Wed, 13 Apr 2022 05:00:02 GMT)
Added tag(s) upstream. Request was from Salvatore Bonaccorso <[email protected]> to [email protected]. (Wed, 13 Apr 2022 05:00:03 GMT)
Debian bug tracking system administrator <[email protected]>. Last modified: Mon Apr 25 16:12:34 2022; Machine Name: bembo