Debian Bug report logs - #778646
potrace: CVE-2013-7437: possible heap overflow

Package: potrace; Maintainer for potrace is Bartosz Fenski <fenio@debian.org>; Source for potrace is src:potrace (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Tue, 17 Feb 2015 21:06:01 UTC

Severity: grave

Tags: patch, security

Found in versions potrace/1.11-2, potrace/1.10-1

Fixed in versions 1.10-1+deb7u1, potrace/1.12-1

Done: Bartosz Fenski <fenio@debian.org>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#778646; Package potrace. (Tue, 17 Feb 2015 21:06:06 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Bartosz Fenski <fenio@debian.org>. (Tue, 17 Feb 2015 21:06:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Multiple issues
Date: Tue, 17 Feb 2015 22:02:37 +0100
Package: potrace
Version: 1.11-2
Severity: grave
Tags: security

Hi,
please see https://bugzilla.redhat.com/show_bug.cgi?id=955808
Could you report this upstream?

A CVE ID has been requested, but not yet assigned:
http://www.openwall.com/lists/oss-security/2015/02/06/12

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#778646; Package potrace. (Sun, 01 Mar 2015 20:12:04 GMT) (full text, mbox, link).


Acknowledgement sent to Tomasz Buchert <tomasz.buchert@inria.fr>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Sun, 01 Mar 2015 20:12:04 GMT) (full text, mbox, link).


Message #10 received at 778646@bugs.debian.org (full text, mbox, reply):

From: Tomasz Buchert <tomasz.buchert@inria.fr>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: 778646@bugs.debian.org
Subject: Re: Multiple issues
Date: Sun, 1 Mar 2015 21:08:41 +0100
[Message part 1 (text/plain, inline)]
On 17/02/15 22:02, Moritz Muehlenhoff wrote:
> Package: potrace
> Version: 1.11-2
> Severity: grave
> Tags: security
> 
> Hi,
> please see https://bugzilla.redhat.com/show_bug.cgi?id=955808
> Could you report this upstream?
> 
> A CVE ID has been requested, but not yet assigned:
> http://www.openwall.com/lists/oss-security/2015/02/06/12
> 
> Cheers,
>         Moritz
> 
> 

Hi Moritz,
here is my analysis of the problem in the form of a patch.

tl;dr; -> (a) casting from unsigned int to int is tricky
          (b) product of two ints may overflow

It fixes all the cases attached in the Red Hat bugzilla, but
a review of the code by another person is advised.

Cheers,
Tomasz
[0002-Fix-multiple-integer-overflows.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#778646; Package potrace. (Sun, 01 Mar 2015 22:51:10 GMT) (full text, mbox, link).


Acknowledgement sent to Tomasz Buchert <tomasz.buchert@inria.fr>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Sun, 01 Mar 2015 22:51:10 GMT) (full text, mbox, link).


Message #15 received at 778646@bugs.debian.org (full text, mbox, reply):

From: Tomasz Buchert <tomasz.buchert@inria.fr>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: 778646@bugs.debian.org
Subject: Re: Multiple issues
Date: Sun, 1 Mar 2015 23:47:30 +0100
[Message part 1 (text/plain, inline)]
Hi again,
here is a slightly better patch.

Cheers,
Tomasz
[0002-Fix-multiple-integer-overflows.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#778646; Package potrace. (Mon, 02 Mar 2015 00:45:04 GMT) (full text, mbox, link).


Acknowledgement sent to Tomasz Buchert <tomasz.buchert@inria.fr>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Mon, 02 Mar 2015 00:45:04 GMT) (full text, mbox, link).


Message #20 received at 778646@bugs.debian.org (full text, mbox, reply):

From: Tomasz Buchert <tomasz.buchert@inria.fr>
To: Moritz Muehlenhoff <jmm@debian.org>
Cc: 778646@bugs.debian.org
Subject: Re: Multiple issues
Date: Mon, 2 Mar 2015 01:40:57 +0100
[Message part 1 (text/plain, inline)]
Hi again (!),

I figured out that this will not work on architectures where
sizeof(long int) != 8 and/or sizeof(size_t) != 8, i386 for example.

The *next* patch makes sure that numbers passed to malloc() are not
overflowing size_t, and also uses *unsigned long long int* everywhere
which is guaranteed to be at least 64bit. Tested on both amd64 and
i386.

Tomasz
[0002-Fix-multiple-integer-overflows.patch (text/x-diff, attachment)]

Added tag(s) patch. Request was from Arnaud Fontaine <arnau@debian.org> to control@bugs.debian.org. (Tue, 10 Mar 2015 09:12:04 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#778646; Package potrace. (Sun, 15 Mar 2015 20:30:05 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Sun, 15 Mar 2015 20:30:05 GMT) (full text, mbox, link).


Message #27 received at 778646@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 778646@bugs.debian.org, fenio@debian.org
Subject: Re: Multiple issues
Date: Sun, 15 Mar 2015 21:26:41 +0100
On Tue, Feb 17, 2015 at 10:02:37PM +0100, Moritz Muehlenhoff wrote:
> Package: potrace
> Version: 1.11-2
> Severity: grave
> Tags: security
> 
> Hi,
> please see https://bugzilla.redhat.com/show_bug.cgi?id=955808
> Could you report this upstream?
> 
> A CVE ID has been requested, but not yet assigned:
> http://www.openwall.com/lists/oss-security/2015/02/06/12

Bartosz,
it's been almost a month. Can you please upload a fixed package?

Cheers,
        Moritz




Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#778646; Package potrace. (Tue, 17 Mar 2015 07:45:05 GMT) (full text, mbox, link).


Acknowledgement sent to Tomasz Buchert <tomasz@debian.org>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Tue, 17 Mar 2015 07:45:05 GMT) (full text, mbox, link).


Message #32 received at 778646@bugs.debian.org (full text, mbox, reply):

From: Tomasz Buchert <tomasz@debian.org>
To: Moritz Mühlenhoff <jmm@inutil.org>
Cc: 778646@bugs.debian.org, fenio@debian.org
Subject: Re: Multiple issues
Date: Tue, 17 Mar 2015 08:24:17 +0100
[Message part 1 (text/plain, inline)]
Hi all,
Moritz - did you take a look at my patch? I'd really like to have a
second opinion on that since it is fairly large for an NMU.

I attach the NMU patch. Shall I upload it to DELAYED/5 or something like
that?

Cheers,
Tomasz
[nmu.diff (text/x-diff, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#778646; Package potrace. (Tue, 17 Mar 2015 09:18:04 GMT) (full text, mbox, link).


Acknowledgement sent to Bartosz Fenski <bartosz@fenski.pl>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Tue, 17 Mar 2015 09:18:04 GMT) (full text, mbox, link).


Message #37 received at 778646@bugs.debian.org (full text, mbox, reply):

From: Bartosz Fenski <bartosz@fenski.pl>
To: Tomasz Buchert <tomasz@debian.org>, Moritz Mühlenhoff <jmm@inutil.org>
Cc: 778646@bugs.debian.org, fenio@debian.org
Subject: Re: Multiple issues
Date: Tue, 17 Mar 2015 10:06:06 +0100
I contacted upstream and he's willing to fix it in a different way.
He said that he should be able to work on it later this week.

regards
Bartek

On 3/17/2015 at 8:24 AM, Tomasz Buchert wrote:
> Hi all, Moritz - did you take a look at my patch? I'd really like
> to have a second opinion on that since it is fairly large for an
> NMU.
> 
> I attach the NMU patch. Shall I upload it to DELAYED/5 or something
> like that?
> 
> Cheers, Tomasz
> 



Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#778646; Package potrace. (Sat, 21 Mar 2015 00:03:04 GMT) (full text, mbox, link).


Acknowledgement sent to selinger@mathstat.dal.ca (Peter Selinger):
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Sat, 21 Mar 2015 00:03:04 GMT) (full text, mbox, link).


Message #42 received at 778646@bugs.debian.org (full text, mbox, reply):

From: selinger@mathstat.dal.ca (Peter Selinger)
To: 778646@bugs.debian.org
Cc: bartosz@fenski.pl (Bartosz Fenski), selinger@mathstat.dal.ca (Peter Selinger)
Subject: Re: Multiple issues
Date: Fri, 20 Mar 2015 20:28:03 -0300 (ADT)
[Message part 1 (text/plain, inline)]
Here's the patch that I am planning to apply upstream. Please comment
if you see anything wrong with it. 

While the general idea is similar to Tomasz's patch, I've solved the
details a bit differently.

* I prefer to use ssize_t instead of unsigned long long int for memory
  manipulations. Since size_t is the type used by malloc, memcpy, etc,
  it is big enough to hold the relevant values. The reason I use a
  signed rather than unsigned type is that the "dy" field in the
  potrace_bitmap_s structure may be positive or negative, depending on
  whether the bitmap is stored top-to-bottom or bottom-to-top. Potrace
  itself always uses a positive dy, but other applications that link
  against the Potrace library may use their own convention. Tomasz's
  patch used an unsigned type which would break applications that use
  a negative dy.

  The code now checks that the bitmap dimensions are indeed such that
  all relevant values fit within ssize_t. A remaining assumption is
  that ssize_t is at least as big as int, which I think is guaranteed.

* I prefer to use calloc instead of safe_malloc. Calloc is appropriate
  whenever the memory to be allocated is a number of copies of items
  of a given size. Unlike malloc(x*y), calloc(x, y) actually checks
  that x*y does not overflow. (I checked the glibc source code for
  calloc to be sure that such a check is actually performed). In the
  few cases where the argument of malloc is calculated differently
  (say as a product of three numbers), I have added an explicit
  overflow check. This is safer, in my opinion, than safe_malloc(x*y);
  in particular, there is no difference between safe_malloc and
  ordinary malloc when size_t = unsigned long long int.

* I also fixed analogous issues in Mkbitmap and throughout the rest of
  the code.

I'll post an updated upstream package in a day or two unless there's
feedback requiring additional changes.

Thanks, -- Peter

[potrace-overflow.patch (text/plain, attachment)]
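The allocation-size problem discussed in Tomasz's and Peter's messages above (a product of bitmap dimensions computed in int or size_t wrapping before malloc() sees it, a signed ssize_t stride so a negative dy stays legal, calloc() for count*size allocations, and an explicit check for the remaining product), as an added C example; this is neither potrace's code nor either patch, and bitmap_t, bitmap_new, checked_mul_ssize and naive_size_32bit are assumed names.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>

#ifndef SSIZE_MAX
#define SSIZE_MAX ((ssize_t)(SIZE_MAX / 2))
#endif

/* bits per word of the bitmap, used to derive dy (words per row) from the width */
#define BM_WORDBITS (8 * sizeof(unsigned long))

/* Assumed struct, modelled on the potrace_bitmap_s fields the thread mentions */
typedef struct {
    int w, h;            /* width and height in pixels */
    ssize_t dy;          /* words per scanline; signed because a caller may
                            store rows bottom-to-top with a negative stride */
    unsigned long *map;  /* h * |dy| words */
} bitmap_t;

/* Model of the unsafe pattern: the byte count is computed in 32-bit
   arithmetic and wraps, so the allocator is asked for far fewer bytes
   than the later per-row writes assume. (unsigned is used so the wrap is
   well-defined; with signed int the overflow is undefined behaviour too.) */
uint32_t naive_size_32bit(uint32_t dy, uint32_t h) {
    return dy * h * 8u;
}

/* Multiply two non-negative ssize_t values, refusing to wrap. */
int checked_mul_ssize(ssize_t a, ssize_t b, ssize_t *out) {
    if (a < 0 || b < 0) return -1;
    if (a != 0 && b > SSIZE_MAX / a) return -1;
    *out = a * b;
    return 0;
}

/* Validate dimensions, then allocate: the word count dy*h is checked
   explicitly, and calloc() is used for the count*size step because
   glibc's calloc rejects products that overflow size_t. */
bitmap_t *bitmap_new(int w, int h) {
    if (w < 0 || h < 0) return NULL;
    ssize_t dy = (w == 0) ? 0 : (ssize_t)(((size_t)w - 1) / BM_WORDBITS + 1);
    ssize_t words, bytes;
    if (checked_mul_ssize(dy, (ssize_t)h, &words) != 0) return NULL;
    /* the final byte count must itself fit in ssize_t (three-factor product) */
    if (checked_mul_ssize(words, (ssize_t)sizeof(unsigned long), &bytes) != 0) return NULL;
    bitmap_t *bm = calloc(1, sizeof *bm);
    if (!bm) return NULL;
    bm->w = w; bm->h = h; bm->dy = dy;
    bm->map = calloc((size_t)words, sizeof *bm->map);
    if (words != 0 && bm->map == NULL) { free(bm); return NULL; }
    return bm;
}

void bitmap_free(bitmap_t *bm) {
    if (bm) { free(bm->map); free(bm); }
}

int main(void) {
    /* 65536 x 65537 words: the 32-bit product wraps to 65536, so only 524288 bytes are requested */
    printf("naive 32-bit size for 65536x65537 words: %u bytes\n",
           naive_size_32bit(65536u, 65537u));
    bitmap_t *bm = bitmap_new(100, 50);
    printf("100x50 bitmap: dy=%zd words per row\n", bm ? bm->dy : (ssize_t)-1);
    bitmap_free(bm);
    return 0;
}
```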

Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#778646; Package potrace. (Mon, 23 Mar 2015 18:42:05 GMT) (full text, mbox, link).


Acknowledgement sent to Bartosz Fenski <bartosz@fenski.pl>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Mon, 23 Mar 2015 18:42:05 GMT) (full text, mbox, link).


Message #47 received at 778646@bugs.debian.org (full text, mbox, reply):

From: Bartosz Fenski <bartosz@fenski.pl>
To: Peter Selinger <selinger@mathstat.dal.ca>, 778646@bugs.debian.org
Subject: Re: Multiple issues
Date: Mon, 23 Mar 2015 19:39:32 +0100
Hey Peter,

I'm fine with your version of the patch and no one else had objections, so I
believe we can patch it your way.

Did you fix it upstream? I'm still seeing 1.11 as the latest release.
I can patch it only for Debian, but I believe we should have it fixed for
every other distro / way of distribution.

regards
Bartek

On 3/21/2015 at 12:28 AM, Peter Selinger wrote:
> Here's the patch that I am planning to apply upstream. Please comment
> if you see anything wrong with it. 
> 
> While the general idea is similar to Tomasz's patch, I've solved the
> details a bit differently.
> 
> * I prefer to use ssize_t instead of unsigned long long int for memory
>   manipulations. Since size_t is the type used by malloc, memcpy, etc,
>   it is big enough to hold the relevant values. The reason I use a
>   signed rather than unsigned type is that the "dy" field in the
>   potrace_bitmap_s structure may be positive or negative, depending on
>   whether the bitmap is stored top-to-bottom or bottom-to-top. Potrace
>   itself always uses a positive dy, but other applications that link
>   against the Potrace library may use their own convention. Tomasz's
>   patch used an unsigned type which would break applications that use
>   a negative dy.
> 
>   The code now checks that the bitmap dimensions are indeed such that
>   all relevant values fit within ssize_t. A remaining assumption is
>   that ssize_t is at least as big as int, which I think is guaranteed.
> 
> * I prefer to use calloc instead of safe_malloc. Calloc is appropriate
>   whenever the memory to be allocated is a number of copies of items
>   of a given size. Unlike malloc(x*y), calloc(x, y) actually checks
>   that x*y does not overflow. (I checked the glibc source code for
>   calloc to be sure that such a check is actually performed). In the
>   few cases where the argument of malloc is calculated differently
>   (say as a product of three numbers), I have added an explicit
>   overflow check. This is safer, in my opinion, than safe_malloc(x*y);
>   in particular, there is no difference between safe_malloc and
>   ordinary malloc when size_t = unsigned long long int.
> 
> * I also fixed analogous issues in Mkbitmap and throughout the rest of
>   the code.
> 
> I'll post an updated upstream package in a day or two unless there's
> feedback requiring additional changes.
> 
> Thanks, -- Peter
> 



Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#778646; Package potrace. (Thu, 26 Mar 2015 08:27:04 GMT) (full text, mbox, link).


Acknowledgement sent to Tomasz Buchert <tomasz@debian.org>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Thu, 26 Mar 2015 08:27:05 GMT) (full text, mbox, link).


Message #52 received at 778646@bugs.debian.org (full text, mbox, reply):

From: Tomasz Buchert <tomasz@debian.org>
To: Bartosz Fenski <bartosz@fenski.pl>
Cc: Peter Selinger <selinger@mathstat.dal.ca>, 778646@bugs.debian.org
Subject: Re: Multiple issues
Date: Thu, 26 Mar 2015 09:24:39 +0100
[Message part 1 (text/plain, inline)]
Hi,
there is 1.12 available (but the patch above solves
the problem as well).

Tomasz
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#778646; Package potrace. (Sun, 29 Mar 2015 20:06:07 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Sun, 29 Mar 2015 20:06:07 GMT) (full text, mbox, link).


Message #57 received at 778646@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Tomasz Buchert <tomasz@debian.org>
Cc: Bartosz Fenski <bartosz@fenski.pl>, Peter Selinger <selinger@mathstat.dal.ca>, 778646@bugs.debian.org
Subject: Re: Multiple issues
Date: Sun, 29 Mar 2015 21:56:41 +0200
On Thu, Mar 26, 2015 at 09:24:39AM +0100, Tomasz Buchert wrote:
> Hi,
> there is 1.12 available (but the patch above solves
> the problem as well).

This has been assigned CVE-2013-7437.

Bartosz, can you please upload a fixed package to unstable?

Cheers,
        Moritz



Changed Bug title to 'potrace: CVE-2013-7437: possible heap overflow' from 'Multiple issues' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 30 Mar 2015 03:09:13 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#778646; Package potrace. (Sat, 11 Apr 2015 14:54:05 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Sat, 11 Apr 2015 14:54:05 GMT) (full text, mbox, link).


Message #64 received at 778646@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Bartosz Fenski <bartosz@fenski.pl>
Cc: Moritz Muehlenhoff <jmm@inutil.org>, 778646@bugs.debian.org, Tomasz Buchert <tomasz@debian.org>, Peter Selinger <selinger@mathstat.dal.ca>
Subject: Re: Bug#778646: Multiple issues
Date: Sat, 11 Apr 2015 16:50:50 +0200
Hi Bartosz,

On Sun, Mar 29, 2015 at 09:56:41PM +0200, Moritz Muehlenhoff wrote:
> On Thu, Mar 26, 2015 at 09:24:39AM +0100, Tomasz Buchert wrote:
> > Hi,
> > there is 1.12 available (but the patch above solves
> > the problem as well).
> 
> This has been assigned CVE-2013-7437.
> 
> Bartosz, can you please upload a fixed package to unstable?

Ping?

Regards,
Salvatore



Reply sent to Bartosz Fenski <fenio@debian.org>:
You have taken responsibility. (Sun, 12 Apr 2015 12:51:16 GMT) (full text, mbox, link).


Notification sent to Moritz Muehlenhoff <jmm@debian.org>:
Bug acknowledged by developer. (Sun, 12 Apr 2015 12:51:17 GMT) (full text, mbox, link).


Message #69 received at 778646-close@bugs.debian.org (full text, mbox, reply):

From: Bartosz Fenski <fenio@debian.org>
To: 778646-close@bugs.debian.org
Subject: Bug#778646: fixed in potrace 1.12-1
Date: Sun, 12 Apr 2015 12:49:42 +0000
Source: potrace
Source-Version: 1.12-1

We believe that the bug you reported is fixed in the latest version of
potrace, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 778646@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bartosz Fenski <fenio@debian.org> (supplier of updated potrace package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 12 Apr 2015 10:46:32 +0200
Source: potrace
Binary: potrace libpotrace0 libpotrace-dev
Architecture: source amd64
Version: 1.12-1
Distribution: unstable
Urgency: high
Maintainer: Bartosz Fenski <fenio@debian.org>
Changed-By: Bartosz Fenski <fenio@debian.org>
Description:
 libpotrace-dev - development files for potrace library
 libpotrace0 - library for tracing bitmaps
 potrace    - utility to transform bitmaps into vector graphics
Closes: 778646
Changes:
 potrace (1.12-1) unstable; urgency=high
 .
   * New upstream version.
     - fixes memory overflow bug CVE-2013-7437 (Closes: #778646)





Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#778646; Package potrace. (Sun, 12 Apr 2015 20:21:27 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Sun, 12 Apr 2015 20:21:27 GMT) (full text, mbox, link).


Message #74 received at 778646@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: 778646@bugs.debian.org, Bartosz Fenski <fenio@debian.org>
Cc: Moritz Muehlenhoff <jmm@debian.org>
Subject: Re: Bug#778646 closed by Bartosz Fenski <fenio@debian.org> (Bug#778646: fixed in potrace 1.12-1)
Date: Sun, 12 Apr 2015 22:20:34 +0200
Hi Bartosz,

On Sun, Apr 12, 2015 at 12:51:17PM +0000, Debian Bug Tracking System wrote:
>  potrace (1.12-1) unstable; urgency=high
>  .
>    * New upstream version.
>      - fixes memory overflow bug CVE-2013-7437 (Closes: #778646)

Thanks first of all for fixing CVE-2013-7437 in unstable. I just have
the concern that this fix will not be accepted anymore into jessie; we
are ~1 week away from the release, and I guess the release team will
not be too happy to unblock this. Can we extract from it only the
actual changes needed to fix CVE-2013-7437?

Regards,
Salvatore



Information forwarded to debian-bugs-dist@lists.debian.org, Bartosz Fenski <fenio@debian.org>:
Bug#778646; Package potrace. (Mon, 13 Apr 2015 11:33:04 GMT) (full text, mbox, link).


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Bartosz Fenski <fenio@debian.org>. (Mon, 13 Apr 2015 11:33:05 GMT) (full text, mbox, link).


Message #79 received at 778646@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Bartosz Fenski <fenio@debian.org>, Moritz Muehlenhoff <jmm@debian.org>
Cc: 778646@bugs.debian.org
Subject: Re: Bug#778646: closed by Bartosz Fenski <fenio@debian.org> (Bug#778646: fixed in potrace 1.12-1)
Date: Mon, 13 Apr 2015 13:28:50 +0200
Hi Bartosz,

On Sun, Apr 12, 2015 at 10:20:34PM +0200, Salvatore Bonaccorso wrote:
> Hi Bartosz,
> 
> On Sun, Apr 12, 2015 at 12:51:17PM +0000, Debian Bug Tracking System wrote:
> >  potrace (1.12-1) unstable; urgency=high
> >  .
> >    * New upstream version.
> >      - fixes memory overflow bug CVE-2013-7437 (Closes: #778646)
> 
> Thanks first of all for fixing CVE-2013-7437 in unstable. I just have
> the concern that this fix will not be accepted anymore into jessie; we
> are ~1 week away from the release, and I guess the release team will
> not be too happy to unblock this. Can we extract from it only the
> actual changes needed to fix CVE-2013-7437?

Good news, was unblocked:

potrace (1.11-2 to 1.12-1)
    Maintainer: Bartosz Fenski
    Too young, only 0 of 2 days old
    Ignoring block request by freeze, due to unblock request by nthykier
    Updating potrace fixes old bugs: #778646
    Not considered

Regards,
Salvatore



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 24 May 2015 07:50:59 GMT) (full text, mbox, link).


Bug unarchived. Request was from Andrew Shadura <andrew.shadura@collabora.co.uk> to control@bugs.debian.org. (Tue, 25 Oct 2016 11:03:08 GMT) (full text, mbox, link).


Marked as found in versions potrace/1.10-1. Request was from Andrew Shadura <andrew.shadura@collabora.co.uk> to control@bugs.debian.org. (Tue, 25 Oct 2016 11:03:10 GMT) (full text, mbox, link).


Marked as fixed in versions 1.10-1+deb7u1. Request was from Andrew Shadura <andrew.shadura@collabora.co.uk> to control@bugs.debian.org. (Tue, 25 Oct 2016 11:03:12 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Dec 2016 09:25:01 GMT) (full text, mbox, link).


Bug unarchived. Request was from Don Armstrong <don@debian.org> to control@bugs.debian.org. (Wed, 07 Dec 2016 01:39:47 GMT) (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 27 Jan 2017 09:35:00 GMT) (full text, mbox, link).

