Debian Bug report logs - #550978
gif2png: Command line buffer overflow


Package: gif2png; Maintainer for gif2png is Erik Schanze <eriks@debian.org>; Source for gif2png is src:gif2png.

Reported by: Patroklos Argyroudis <argp@census-labs.com>

Date: Wed, 14 Oct 2009 15:36:02 UTC

Severity: normal

Found in version gif2png/2.5.1-3

Fixed in version gif2png/2.5.2-2

Done: Erik Schanze <eriks@debian.org>

Bug is archived. No further changes may be made.

Forwarded to esr@thyrsus.com



Report forwarded to debian-bugs-dist@lists.debian.org, Erik Schanze <eriks@debian.org>:
Bug#550978; Package gif2png. (Wed, 14 Oct 2009 15:36:05 GMT)

Acknowledgement sent to Patroklos Argyroudis <argp@census-labs.com>:
New Bug report received and forwarded. Copy sent to Erik Schanze <eriks@debian.org>. (Wed, 14 Oct 2009 15:36:05 GMT)

Message #5 received at submit@bugs.debian.org:

From: Patroklos Argyroudis <argp@census-labs.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gif2png: Command line buffer overflow
Date: Wed, 14 Oct 2009 18:30:31 +0300
Package: gif2png
Version: 2.5.1-3
Severity: normal


gif2png is prone to a command line buffer overflow since there is a
strcpy(3) call that fails to bounds-check user-supplied data before copying
it to a fixed-size buffer.  Here is a transcript:

[argp@hegel /tmp]$ gif2png `python -c 'print "A"*2048'`
Segmentation fault (core dumped)
[argp@hegel /tmp]$ gdb -q gif2png -c core
(no debugging symbols found)

warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libpng12.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpng12.so.0
Reading symbols from /lib/i686/cmov/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i686/cmov/libm.so.6
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/i686/cmov/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i686/cmov/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
(no debugging symbols found)
Core was generated by `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0  0xb7e6c6ed in ?? () from /lib/i686/cmov/libc.so.6
gdb $ i r
eax            0x41414141   0x41414141
ecx            0xb7f5960c   0xb7f5960c
edx            0xbfffe960   0xbfffe960
ebx            0xb7f57ff4   0xb7f57ff4
esp            0xbfffe384   0xbfffe384
ebp            0xbfffe3d8   0xbfffe3d8
esi            0xb7f3b1da   0xb7f3b1da
edi            0xb7f3b1e4   0xb7f3b1e4
eip            0xb7e6c6ed   0xb7e6c6ed
eflags         0x10206  [ PF IF RF ]
cs             0x73 0x73
ss             0x7b 0x7b
ds             0x7b 0x7b
es             0x7b 0x7b
fs             0x0  0x0
gs             0x33 0x33

The bug is located at file gif2png.c, line number 901
(strcpy(name, argv[i])) where name is a fixed-size char array.  This may
have security repercussions if gif2png is configured as a handler for
other applications that can pass user-supplied filenames as command line
input to gif2png (e.g. from a CGI or other).

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-1-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages gif2png depends on:
ii  libc6                  2.9-25            GNU C Library: Shared libraries
ii  libpng12-0             1.2.39-1          PNG library - runtime
ii  zlib1g                 1:1.2.3.3.dfsg-15 compression library - runtime

Versions of packages gif2png recommends:
ii  python                        2.5.4-2    An interactive high-level object-o

gif2png suggests no packages.

-- no debconf information




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#550978; Package gif2png. (Tue, 10 Nov 2009 21:21:04 GMT)

Acknowledgement sent to Erik Schanze <eriks@debian.org>:
Extra info received and forwarded to list. (Tue, 10 Nov 2009 21:21:04 GMT)

Message #10 received at 550978@bugs.debian.org:

From: Erik Schanze <schanzi_@gmx.de>
To: esr@thyrsus.com
Cc: Patroklos Argyroudis <argp@census-labs.com>, 550978@bugs.debian.org, 550978-forwarded@bugs.debian.org
Subject: Re: Bug#550978: gif2png: Command line buffer overflow
Date: Tue, 10 Nov 2009 22:17:32 +0100
Hi Eric,

[please let 550978-forwarded@bugs.debian.org on CC:]

I'm the maintainer of Gif2png's Debian package.

A Debian GNU/Linux user has reported the bug described below.
Could you please have a look at it and fix it upstream?

Thank you in advance.

Patroklos Argyroudis <argp@census-labs.com>:
> Package: gif2png
> Version: 2.5.1-3
> Severity: normal
> 
> 
> gif2png is prone to a command line buffer overflow since there is a
> strcpy(3) call that fails to bounds-check user-supplied data before copying
> it to a fixed-size buffer.  Here is a transcript:
> 
> [argp@hegel /tmp]$ gif2png `python -c 'print "A"*2048'`
> Segmentation fault (core dumped)
> [argp@hegel /tmp]$ gdb -q gif2png -c core
> (no debugging symbols found)
> 
> warning: Can't read pathname for load map: Input/output error.
> Reading symbols from /usr/lib/libpng12.so.0...(no debugging symbols found)...done.
> Loaded symbols for /usr/lib/libpng12.so.0
> Reading symbols from /lib/i686/cmov/libm.so.6...(no debugging symbols found)...done.
> Loaded symbols for /lib/i686/cmov/libm.so.6
> Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
> Loaded symbols for /usr/lib/libz.so.1
> Reading symbols from /lib/i686/cmov/libc.so.6...(no debugging symbols found)...done.
> Loaded symbols for /lib/i686/cmov/libc.so.6
> Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
> Loaded symbols for /lib/ld-linux.so.2
> (no debugging symbols found)
> Core was generated by `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
> Program terminated with signal 11, Segmentation fault.
> #0  0xb7e6c6ed in ?? () from /lib/i686/cmov/libc.so.6
> gdb $ i r
> eax            0x41414141   0x41414141
> ecx            0xb7f5960c   0xb7f5960c
> edx            0xbfffe960   0xbfffe960
> ebx            0xb7f57ff4   0xb7f57ff4
> esp            0xbfffe384   0xbfffe384
> ebp            0xbfffe3d8   0xbfffe3d8
> esi            0xb7f3b1da   0xb7f3b1da
> edi            0xb7f3b1e4   0xb7f3b1e4
> eip            0xb7e6c6ed   0xb7e6c6ed
> eflags         0x10206  [ PF IF RF ]
> cs             0x73 0x73
> ss             0x7b 0x7b
> ds             0x7b 0x7b
> es             0x7b 0x7b
> fs             0x0  0x0
> gs             0x33 0x33
> 
> The bug is located at file gif2png.c, line number 901
> (strcpy(name, argv[i])) where name is a fixed-size char array.  This may
> have security repercussions if gif2png is configured as a handler for
> other applications that can pass user-supplied filenames as command line
> input to gif2png (e.g. from a CGI or other).
> 
> -- System Information:
> Debian Release: squeeze/sid
>   APT prefers testing
>   APT policy: (500, 'testing')
> Architecture: i386 (i686)
> 
> Kernel: Linux 2.6.26-1-686-bigmem (SMP w/4 CPU cores)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
> 
> Versions of packages gif2png depends on:
> ii  libc6                  2.9-25            GNU C Library: Shared libraries
> ii  libpng12-0             1.2.39-1          PNG library - runtime
> ii  zlib1g                 1:1.2.3.3.dfsg-15 compression library - runtime
> 
> Versions of packages gif2png recommends:
> ii  python                        2.5.4-2    An interactive high-level object-o
> 
> gif2png suggests no packages.
> 
> -- no debconf information
> 
> 

Bye,

Erik


-- 
 www.ErikSchanze.de *********************************************
 No HTML mails, please! Limit: 100 kB                           *
         - Linux-Info-Tag in Dresden again in 2010 -            *
             Info: http://www.linux-info-tag.de/                *




Reply sent to Erik Schanze <eriks@debian.org>:
You have marked Bug as forwarded. (Tue, 10 Nov 2009 21:21:09 GMT)

Reply sent to Erik Schanze <eriks@debian.org>:
You have taken responsibility. (Sun, 06 Dec 2009 12:51:24 GMT)

Notification sent to Patroklos Argyroudis <argp@census-labs.com>:
Bug acknowledged by developer. (Sun, 06 Dec 2009 12:51:24 GMT)

Message #18 received at 550978-close@bugs.debian.org:

From: Erik Schanze <eriks@debian.org>
To: 550978-close@bugs.debian.org
Subject: Bug#550978: fixed in gif2png 2.5.2-1
Date: Sun, 06 Dec 2009 12:50:11 +0000
Source: gif2png
Source-Version: 2.5.2-1

We believe that the bug you reported is fixed in the latest version of
gif2png, which is due to be installed in the Debian FTP archive:

gif2png_2.5.2-1.diff.gz
  to main/g/gif2png/gif2png_2.5.2-1.diff.gz
gif2png_2.5.2-1.dsc
  to main/g/gif2png/gif2png_2.5.2-1.dsc
gif2png_2.5.2-1_i386.deb
  to main/g/gif2png/gif2png_2.5.2-1_i386.deb
gif2png_2.5.2.orig.tar.gz
  to main/g/gif2png/gif2png_2.5.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 550978@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Erik Schanze <eriks@debian.org> (supplier of updated gif2png package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 04 Dec 2009 23:29:18 +0100
Source: gif2png
Binary: gif2png
Architecture: source i386
Version: 2.5.2-1
Distribution: unstable
Urgency: low
Maintainer: Erik Schanze <eriks@debian.org>
Changed-By: Erik Schanze <eriks@debian.org>
Description: 
 gif2png    - GIF -> PNG conversions
Closes: 550978
Changes: 
 gif2png (2.5.2-1) unstable; urgency=low
 .
   * New upstream release
     + Removed 10_write_text_comment.dpatch and
       20_manpage_fixes.dpatch, included upstream
   * Added 10_fix_gif2png_c.dpatch, closes: #550978
   * Added dpatch 20_remove_unneeded_libs to remove unneeded lib depends
     (was shown by checklib)
   * debian/control:
     + Updated to Standard version 3.8.3
     + Move Homepage into header
     + Increased debhelper version to 5
     + Added Build-Dep for xmlto, removed autotools
   * Added debian/compat and debian/README.source files
   * debian/rules:
     + Fix clean target, adapt and extend DEB_BUILD_OPTIONS
     + Reintroduced German manpage creation with xmlto, removed autotools stuff
Checksums-Sha1: 
 e866a684e5e4e5fe5ccf6c103640a3ff923c7ad1 1010 gif2png_2.5.2-1.dsc
 0e9e66d6728fe7e2dcde61ad0e398a60894946b3 171740 gif2png_2.5.2.orig.tar.gz
 01f1b327dfad3edb17995d7f06c7acefa0ab9023 13620 gif2png_2.5.2-1.diff.gz
 1dc99ca4662d83f0c880f64948708d249e31eda2 38338 gif2png_2.5.2-1_i386.deb
Checksums-Sha256: 
 71f82ae08a80a7506d00dae51f6ca3186c6ec6b023d51e3e356d151d6aa3ed88 1010 gif2png_2.5.2-1.dsc
 c1b4066ad37cdcb8681cecedd63daed8cb5c827344da465270f324bc12ff3ed7 171740 gif2png_2.5.2.orig.tar.gz
 8d414e375274da33b810b3d43b532519d90c97ff6fca1901debec093b604d10b 13620 gif2png_2.5.2-1.diff.gz
 e0ad06af9b40c9098251f84324fc7c2c07606db85615057d6603a686c62515c4 38338 gif2png_2.5.2-1_i386.deb
Files: 
 6bb50760e8fc28e298fff220713a05b2 1010 graphics optional gif2png_2.5.2-1.dsc
 2200841f027c8481c4b8519dabf745b0 171740 graphics optional gif2png_2.5.2.orig.tar.gz
 e295787637932a1e95f3a0f10b02a7de 13620 graphics optional gif2png_2.5.2-1.diff.gz
 5cf8a23779f5a6bd74e105c768d9fdb1 38338 graphics optional gif2png_2.5.2-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAksbioYACgkQwAfeuzCCU0Uq2ACgpy5jwx3lzuuwcWfcUtxi0J94
OdkAoKiXiomQ2gODmgIfEbw/1vqX+2U4
=RzQk
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Erik Schanze <eriks@debian.org>:
Bug#550978; Package gif2png. (Sun, 13 Dec 2009 15:57:05 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Erik Schanze <eriks@debian.org>. (Sun, 13 Dec 2009 15:57:05 GMT)

Message #23 received at 550978@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 550978@bugs.debian.org, control@bugs.debian.org
Subject: Incomplete fix?
Date: Sun, 13 Dec 2009 10:54:09 -0500
reopen 550978
thanks

Hi,

It is claimed that 2.5.2-1 is still affected by this issue [0].  
Please check.  Thank you.

Mike

[0] http://lists.grok.org.uk/pipermail/full-disclosure/2009-December/072009.html




Bug No longer marked as fixed in versions gif2png/2.5.2-1 and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Dec 2009 15:57:06 GMT)

Reply sent to Raphael Geissert <geissert@debian.org>:
You have taken responsibility. (Sun, 13 Dec 2009 18:27:05 GMT)

Notification sent to Patroklos Argyroudis <argp@census-labs.com>:
Bug acknowledged by developer. (Sun, 13 Dec 2009 18:27:05 GMT)

Message #30 received at 550978-done@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: 550978-done@bugs.debian.org, Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: Bug#550978: fixed in gif2png 2.5.2-1
Date: Sun, 13 Dec 2009 12:25:09 -0600
Source-Version: 2.5.2-1

> It is claimed that 2.5.2-1 is still affected by this issue [0].
> Please check.  Thank you.

Debian version 2.5.2-1 is not, upstream 2.5.2 is.

Regards,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#550978; Package gif2png. (Sun, 13 Dec 2009 19:36:03 GMT)

Acknowledgement sent to Erik Schanze <eriks@debian.org>:
Extra info received and forwarded to list. (Sun, 13 Dec 2009 19:36:03 GMT)

Message #35 received at 550978@bugs.debian.org:

From: Erik Schanze <schanzi_@gmx.de>
To: Michael Gilbert <michael.s.gilbert@gmail.com>, 550978@bugs.debian.org
Subject: Re: Bug#550978: Incomplete fix?
Date: Sun, 13 Dec 2009 20:32:25 +0100
Hi Michael,

Michael Gilbert <michael.s.gilbert@gmail.com>:
> It is claimed that 2.5.2-1 is still affected by this issue [0].  
> Please check.  Thank you.
> 

Please have a look at the package changelog:
* Added 10_fix_gif2png_c.dpatch, closes: #550978

Because upstream didn't answer my forwarded bug report, I added a fix for this
issue as a dpatch to the package myself.

Afterwards I checked with the suggested exploit:
--------------------8<---------------------------------------8<------------------------
es@neo:~$ gif2png `python -c 'print "A"*2048'`      
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: File name too long
--------------------8<---------------------------------------8<------------------------


Kind regards,

Erik


-- 
 www.ErikSchanze.de *********************************************
 No HTML mails, please! Limit: 100 kB                           *
         - Linux-Info-Tag in Dresden again in 2010 -            *
             Info: http://www.linux-info-tag.de/                *




Information forwarded to debian-bugs-dist@lists.debian.org, Erik Schanze <eriks@debian.org>:
Bug#550978; Package gif2png. (Sun, 13 Dec 2009 20:36:03 GMT)

Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Erik Schanze <eriks@debian.org>. (Sun, 13 Dec 2009 20:36:03 GMT)

Message #40 received at 550978@bugs.debian.org:

From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 550978@bugs.debian.org
Subject: Re: Bug#550978: Incomplete fix?
Date: Sun, 13 Dec 2009 15:32:49 -0500
On Sun, 13 Dec 2009 20:32:25 +0100 Erik Schanze wrote:

> Hi Michael,
> 
> Michael Gilbert <michael.s.gilbert@gmail.com>:
> > It is claimed that 2.5.2-1 is still affected by this issue [0].  
> > Please check.  Thank you.
> > 
> 
> Please have a look at the package changelog:
> * Added 10_fix_gif2png_c.dpatch, closes: #550978
> 
> Because upstream didn't answer my forwarded bug report, I added a fix for this
> issue as a dpatch to the package myself.
> 
> Afterwards I checked with the suggested exploit:
> --------------------8<---------------------------------------8<------------------------
> es@neo:~$ gif2png `python -c 'print "A"*2048'`      
[...]
>  File name too long
> --------------------8<---------------------------------------8<------------------------

OK, I just wanted to see if there was any validity to the full
disclosure claims.  They said they tested against 2.5.2-1, but they
very well could have been mistaken.  Looks like this can be safely
closed.

mike




Information forwarded to debian-bugs-dist@lists.debian.org, Erik Schanze <eriks@debian.org>:
Bug#550978; Package gif2png. (Fri, 01 Jan 2010 16:24:03 GMT)

Acknowledgement sent to Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>:
Extra info received and forwarded to list. Copy sent to Erik Schanze <eriks@debian.org>. (Fri, 01 Jan 2010 16:24:03 GMT)

Message #45 received at 550978@bugs.debian.org:

From: Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>
To: 550978@bugs.debian.org
Subject: Re: Bug#550978: patch incomplete
Date: Fri, 01 Jan 2010 17:21:43 +0100
Hi,

I am the Fedora maintainer of gif2png and think that the supplied patch
is incomplete.  In main(), the following is done:

| -	    strcpy(name, argv[i]);
| +	    strncpy( name, argv[i], sizeof( name ) );
|             ...
|  		strcat(name, ".gif");
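Review bot: the `+` line bounds the copy but not the terminator: `strncpy( name, argv[i], sizeof( name ) )` leaves `name` with no NUL byte whenever `argv[i]` is `sizeof(name)` characters or longer, so the unchanged `strcat(name, ".gif")` below starts scanning past the end of the array; and even for a terminated `name` it appends five bytes (".gif" plus NUL) with no room check, so any argument within four characters of the buffer size still overflows. Check the final length once, up front, and refuse rather than truncate, e.g. `if (strlen(argv[i]) + sizeof(".gif") > sizeof(name)) { fprintf(stderr, "%s: name too long\n", argv[i]); continue; }`; a silently truncated name can make the program open a different file than the one the caller passed.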

which could still overflow 'name'.  I think that

  http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?revision=HEAD&root=extras&view=markup

solves the issue better. It omits the changes in processfile() because
main() guarantees that 'fname' is short enough.


FWIW, 2.5.2 *is* affected; the -ENAMETOOLONG comes from the open(2)
call.  Applying a modified exploit like

  gif2png `perl -e "print '/' x 1024"`/a

still triggers the issue.



Enrico




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#550978; Package gif2png. (Fri, 01 Jan 2010 21:18:06 GMT)

Acknowledgement sent to Erik Schanze <eriks@debian.org>:
Extra info received and forwarded to list. (Fri, 01 Jan 2010 21:18:06 GMT)

Message #50 received at 550978@bugs.debian.org:

From: Erik Schanze <schanzi_@gmx.de>
To: 550978@bugs.debian.org
Cc: Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>, control@bugs.debian.org
Subject: Re: Bug#550978: patch incomplete
Date: Fri, 1 Jan 2010 22:09:33 +0100
reopen 550978
thanks

Hi Enrico,

Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>:
> I am the Fedora maintainer of gif2png and think that the supplied patch
> is incomplete.  In main(), the following is done:
> 
> | -	    strcpy(name, argv[i]);
> | +	    strncpy( name, argv[i], sizeof( name ) );
> |             ...
> |  		strcat(name, ".gif");
> 
> which could still overflow 'name'.  I think that
> 
>   http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?revision=HEAD&root=extras&view=markup
> 
> solves the issue better. 

You're right. Thank you for your attention.

> It omits the changes in processfile() because
> main() guarantees that 'fname' is short enough.
> 
But processfile() will remain insecure.
I will adapt my patch with your suggestions.

> FWIW, 2.5.2 *is* affected; the -ENAMETOOLONG comes from the open(2)
> call.  
> Applying a modified exploit like
> 
>   gif2png `perl -e "print '/' x 1024"`/a
> 
> still triggers the issue.
>
Not for me:
$ gif2png `perl -e "print '/' x 1024"`/a
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////a: No such file or directory


Kind regards,

Erik




Bug No longer marked as fixed in versions 2.5.2-1 and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 01 Jan 2010 21:18:11 GMT)

Reply sent to Erik Schanze <eriks@debian.org>:
You have taken responsibility. (Fri, 01 Jan 2010 23:51:12 GMT)

Notification sent to Patroklos Argyroudis <argp@census-labs.com>:
Bug acknowledged by developer. (Fri, 01 Jan 2010 23:51:12 GMT)

Message #57 received at 550978-close@bugs.debian.org:

From: Erik Schanze <eriks@debian.org>
To: 550978-close@bugs.debian.org
Subject: Bug#550978: fixed in gif2png 2.5.2-2
Date: Fri, 01 Jan 2010 23:48:17 +0000
Source: gif2png
Source-Version: 2.5.2-2

We believe that the bug you reported is fixed in the latest version of
gif2png, which is due to be installed in the Debian FTP archive:

gif2png_2.5.2-2.diff.gz
  to main/g/gif2png/gif2png_2.5.2-2.diff.gz
gif2png_2.5.2-2.dsc
  to main/g/gif2png/gif2png_2.5.2-2.dsc
gif2png_2.5.2-2_i386.deb
  to main/g/gif2png/gif2png_2.5.2-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 550978@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Erik Schanze <eriks@debian.org> (supplier of updated gif2png package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Fri, 01 Jan 2010 21:29:18 +0100
Source: gif2png
Binary: gif2png
Architecture: source i386
Version: 2.5.2-2
Distribution: unstable
Urgency: low
Maintainer: Erik Schanze <eriks@debian.org>
Changed-By: Erik Schanze <eriks@debian.org>
Description: 
 gif2png    - GIF -> PNG conversions
Closes: 550978
Changes: 
 gif2png (2.5.2-2) unstable; urgency=low
 .
   * Adapted 10_fix_gif2png_c.dpatch, closes: #550978
Checksums-Sha1: 
 8d0e9eca7b0f8b0a592a0870adfc277daf59ad16 1010 gif2png_2.5.2-2.dsc
 4edc5056a19435430779f62ab50b15372a5dbe28 13655 gif2png_2.5.2-2.diff.gz
 fae9001604d783ca0a7e05525bb93583deb36a0f 38640 gif2png_2.5.2-2_i386.deb
Checksums-Sha256: 
 af2702290aff36475e33bcb0501722b265d294054ccde11131ed2893b7568453 1010 gif2png_2.5.2-2.dsc
 5f3418b8f9a61fbc20326eadb6f0ac467b8c802a72d9a8a576e9fdecb0516342 13655 gif2png_2.5.2-2.diff.gz
 93874ba04f9e9f6c2ecd5674196f3aedfcea3950a7531efa2548bc6868c96abf 38640 gif2png_2.5.2-2_i386.deb
Files: 
 2644d3ec599722e0af93bee188da27f0 1010 graphics optional gif2png_2.5.2-2.dsc
 51d2cc3eb4eab1e0d26bd4027d5cd6e0 13655 graphics optional gif2png_2.5.2-2.diff.gz
 68e2f726a364aeb3ace679cf4dae745a 38640 graphics optional gif2png_2.5.2-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAks+hY8ACgkQwAfeuzCCU0Ww1gCeMgCMVioPAFowQmq7NUdFCwYZ
ZZoAnAv7ZrNylTUbSmwdgg+d+vkfbYw9
=8nkf
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Erik Schanze <eriks@debian.org>:
Bug#550978; Package gif2png. (Sat, 02 Jan 2010 11:33:03 GMT)

Acknowledgement sent to Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>:
Extra info received and forwarded to list. Copy sent to Erik Schanze <eriks@debian.org>. (Sat, 02 Jan 2010 11:33:03 GMT)

Message #62 received at 550978@bugs.debian.org:

From: Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>
To: Erik Schanze <eriks@debian.org>
Cc: 550978@bugs.debian.org
Subject: Re: Bug#550978: patch incomplete
Date: Sat, 02 Jan 2010 12:30:51 +0100
Erik Schanze <schanzi_@gmx.de> writes:

>>   http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?revision=HEAD&root=extras&view=markup
>> 
>> solves the issue better. 
>
> You're right. Thank you for your attention.

FWIW, I changed my patch to abort/fail when the filename length exceeds a
certain size.  That's better than the current strncpy() stuff, which
might cause it to process a different file than the one that was given
(and perhaps validated) by the caller.


>> It omits the changes in processfile() because main() guarantees that
>> 'fname' is short enough.
>> 
> But processfile() will remain insecure.

Does not matter... it is called from main() only, which does all the
range checking.


> I will adapt my patch with your suggestions.
>
>> FWIW, 2.5.2 *is* affected; the -ENAMETOOLONG comes from the open(2)
>> call.  
>> Applying a modified exploit like
>> 
>>   gif2png `perl -e "print '/' x 1024"`/a
>> 
>> still triggers the issue.
>>
> Not for me:

Adjust the '1024'; on Fedora/RHEL it was not the buffer overflow that caused the
crash but the FORTIFY_SOURCE checks.

$ gif2png `perl -e "print '/' x 1024"`/a
*** buffer overflow detected ***: gif2png terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xb76b31c1]
/lib/libc.so.6(__strcpy_chk+0x43)[0xb76b25e3]
gif2png[0x804aae6]
/lib/libc.so.6(__libc_start_main+0xdc)[0xb75e2e9c]
gif2png[0x8048f21]
======= Memory map: ========



Enrico
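Added example, not code from gif2png, from the Debian dpatch, or from the Fedora patch linked above. It illustrates the two points made in messages #45 and #62: why `strncpy(name, argv[i], sizeof(name))` followed by `strcat(name, ".gif")` still overflows, and why refusing an over-long name with ENAMETOOLONG is preferable to truncating it. NAME_SIZE (32, chosen small so the edge cases are easy to reach), the `append_gif` flag standing in for the elided code between the strncpy() and the strcat(), and all function names are assumptions; the real size of `name` in gif2png.c is not given in this bug log.

```c
/* Added example; assumptions: NAME_SIZE, the append_gif flag and the function
 * names are invented for illustration and are not gif2png's own code. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define NAME_SIZE  32        /* assumed buffer size; small on purpose */
#define GIF_SUFFIX ".gif"

/* The flawed fix: strncpy() bounded by sizeof(name). Returns 1 when the
 * result has no terminating NUL, which happens for any argument of NAME_SIZE
 * bytes or more; a following strcat(name, ".gif") or strlen(name) would then
 * run off the end of the array. memchr() is used so that this function itself
 * never reads past the buffer. */
int strncpy_leaves_unterminated(const char *arg)
{
    char name[NAME_SIZE];
    strncpy(name, arg, sizeof(name));
    return memchr(name, '\0', sizeof(name)) == NULL;
}

/* Bytes that strncpy(name, arg, sizeof name) followed by strcat(name, ".gif")
 * would write past the end of `name`, computed rather than performed.
 * Returns -1 when `name` would be unterminated (strcat's write position is
 * then unbounded) and 0 when the pair happens to be safe for this input. */
long strcat_overflow_bytes(const char *arg)
{
    size_t len = strlen(arg);
    if (len >= NAME_SIZE)
        return -1;
    size_t need = len + strlen(GIF_SUFFIX) + 1;   /* +1 for the NUL */
    return need > NAME_SIZE ? (long)(need - NAME_SIZE) : 0;
}

/* Hardened form: size the check to the final string (argument, optional
 * ".gif", NUL) and fail with ENAMETOOLONG instead of truncating. Truncation
 * would silently make the program open a different path than the one the
 * caller passed (and may already have validated).
 * Returns 0 on success, -1 with errno = ENAMETOOLONG on error. */
int build_input_name(char *out, size_t outsz, const char *arg, int append_gif)
{
    size_t len = strlen(arg);
    size_t need = len + (append_gif ? strlen(GIF_SUFFIX) : 0) + 1;
    if (need > outsz) {
        errno = ENAMETOOLONG;
        return -1;
    }
    memcpy(out, arg, len + 1);
    if (append_gif)
        memcpy(out + len, GIF_SUFFIX, strlen(GIF_SUFFIX) + 1);
    return 0;
}

/* Would `arg` (plus ".gif" if append_gif) fit in a NAME_SIZE buffer under the
 * hardened rule? 1 = yes, 0 = rejected (errno set). */
int name_fits(const char *arg, int append_gif)
{
    char name[NAME_SIZE];
    return build_input_name(name, sizeof(name), arg, append_gif) == 0;
}

int main(int argc, char **argv)
{
    char name[NAME_SIZE];
    for (int i = 1; i < argc; i++) {
        printf("arg %d: strncpy leaves unterminated=%d, strcat overflow=%ld, hardened: ",
               i, strncpy_leaves_unterminated(argv[i]), strcat_overflow_bytes(argv[i]));
        if (build_input_name(name, sizeof(name), argv[i], 1) == 0)
            printf("%s\n", name);
        else
            printf("rejected (%s)\n", strerror(errno));
    }
    return 0;
}
```

The overflow is computed rather than performed, so the program is safe to run with any argument, with or without FORTIFY_SOURCE; the reject-on-length rule in build_input_name is what turns the long-argument case from a crash (or an ENAMETOOLONG from open(2) that merely looks like a fix) into a deliberate error before any copy happens.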




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 09 Feb 2010 07:35:14 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 10:31:55 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.