Package: gifsicle
Version: 1.90-1
Severity: normal

Dear Maintainer,
Running 'gifdiff poc poc' with the attached file raises a double-free bug, which may allow a remote attacker to cause a denial-of-service attack or other unspecified impact with a crafted file. I expected the program to terminate without a segfault, but the program crashes as follows:

----------------------------
june@june:~/project/analyze/poc/gifdiff/crash2$ ~/project/analyze/bins/gifsicle-1.90/src/gifdiff poc poc
=================================================================
==22514==ERROR: AddressSanitizer: attempting double-free on 0x611000009c80 in thread T0:
    #0 0x7f3b19570090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x56146456d6f3 in Gif_Realloc (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x146f3)
    #2 0x561464577ed3 in suck_data (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x1eed3)
    #3 0x561464579219 in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20219)
    #4 0x561464579825 in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
    #5 0x56146457e4eb in read_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
    #6 0x56146457e96f in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2596f)
    #7 0x7f3b18e2b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #8 0x56146455dde9 in _start (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x4de9)

0x611000009c80 is located 0 bytes inside of 253-byte region [0x611000009c80,0x611000009d7d)
freed by thread T0 here:
    #0 0x7f3b1956fa10 in free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc1a10)
    #1 0x56146457952d in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2052d)
    #2 0x561464579825 in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
    #3 0x56146457e4eb in read_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
    #4 0x56146457e95f in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2595f)
    #5 0x7f3b18e2b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

previously allocated by thread T0 here:
    #0 0x7f3b19570090 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090)
    #1 0x56146456d6f3 in Gif_Realloc (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x146f3)
    #2 0x561464577ed3 in suck_data (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x1eed3)
    #3 0x561464579219 in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20219)
    #4 0x561464579825 in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x20825)
    #5 0x56146457e4eb in read_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x254eb)
    #6 0x56146457e95f in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifdiff+0x2595f)
    #7 0x7f3b18e2b2b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)

SUMMARY: AddressSanitizer: double-free (/usr/lib/x86_64-linux-gnu/libasan.so.3+0xc2090) in realloc
==22514==ABORTING
-----------------------------

The bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages gifsicle depends on:
ii  libc6     2.24-11+deb9u1
ii  libx11-6  2:1.6.4-3

gifsicle recommends no packages.

gifsicle suggests no packages.

-- no debconf information
poc
Description: Binary data
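Added example, not part of the report above and not gifsicle's code. The ASan trace shows a buffer that realloc() grew in suck_data, that read_gif later free()d, and that suck_data then passed to realloc() again: a pointer freed in one function but left dangling in the parser state. The self-contained C below reproduces that ownership bug class with made-up names (stream_t, grow_data, release_data) and a constructed input, and shows the usual fix: the release routine resets the owning fields so a later growth starts from NULL and a repeated release is a harmless free(NULL). The buggy variant is kept only for contrast and is never called.

```c
/* Added example (not gifsicle's code). Names and sample input are invented
 * to illustrate the free-then-realloc ownership bug class reported by ASan. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A growable byte buffer owned by a parser-state struct. */
typedef struct {
    unsigned char *data;   /* heap buffer, or NULL when nothing is held */
    size_t len;            /* bytes in use */
    size_t cap;            /* bytes allocated */
} stream_t;

/* Append one chunk, growing the buffer with realloc().  If s->data had been
 * freed elsewhere but left non-NULL, this realloc() would operate on freed
 * memory: exactly what ASan flags as "attempting double-free ... in realloc". */
static int grow_data(stream_t *s, const unsigned char *chunk, size_t n)
{
    if (n > SIZE_MAX - s->len) return -1;              /* length overflow guard */
    if (s->len + n > s->cap) {
        size_t ncap = s->cap ? s->cap : 64;
        while (ncap < s->len + n) {
            if (ncap > SIZE_MAX / 2) return -1;
            ncap *= 2;
        }
        unsigned char *p = realloc(s->data, ncap);
        if (!p) return -1;                             /* old buffer stays valid */
        s->data = p;
        s->cap = ncap;
    }
    memcpy(s->data + s->len, chunk, n);
    s->len += n;
    return 0;
}

/* BUGGY (for contrast, never called): frees the buffer but leaves the stale
 * pointer in the struct, so the next grow_data() reallocs freed memory and a
 * second release frees it twice. */
void release_data_buggy(stream_t *s)
{
    free(s->data);
}

/* FIXED: clear the owning fields.  Later growth starts from NULL and a
 * repeated release is free(NULL), which is a no-op. */
static void release_data(stream_t *s)
{
    free(s->data);
    s->data = NULL;
    s->len = 0;
    s->cap = 0;
}

/* Simulates a reader that fills, discards, and refills the buffer across two
 * blocks of input; returns the final buffered length, or -1 on failure. */
static long parse_twice(const unsigned char *blk1, size_t n1,
                        const unsigned char *blk2, size_t n2)
{
    stream_t s = {0};
    if (grow_data(&s, blk1, n1) != 0) { release_data(&s); return -1; }
    release_data(&s);          /* safe: pointer nulled */
    release_data(&s);          /* repeated release: free(NULL), no double-free */
    if (grow_data(&s, blk2, n2) != 0) { release_data(&s); return -1; }
    long out = (long)s.len;
    release_data(&s);
    return out;
}

int main(void)
{
    /* Constructed input: a 253-byte block (the region size in the report) then a 300-byte block. */
    unsigned char a[253], b[300];
    memset(a, 'A', sizeof a);
    memset(b, 'B', sizeof b);
    printf("final buffered length: %ld\n", parse_twice(a, sizeof a, b, sizeof b));
    return 0;
}
```

Building this with `-fsanitize=address` and switching the calls in parse_twice to release_data_buggy reproduces the same kind of report as the trace above (double-free on the second release, or freed-memory realloc on the refill), which is the quickest way to confirm a fix of this class in the real code.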