Package: ufraw-batch Version: 0.22-2 Severity: important Tags: security stack buffer overflow running ufraw-batch with "--overwrite poc" option
Running 'ufraw-batch --overwrite poc' with the attached file raises stack
buffer overflow
which may allow a remote attacker to cause unspecified impact including
denial-of-service attack
I expected the program to terminate without segfault, but the program crashes
as follow
june@june:~/temp/report/ufraw-batch/unknown$ ufraw-batch poc
*** stack smashing detected ***: ufraw-batch terminated
Segmentation fault
Below is debugging information about this bug
0. poc file
00000000: 0001 0001 0040 2020 0000 0020 2020 4b41 .....@ ... KA
00000010: 492d 3033 3430 200f 4343 4343 4343 4343 I-0340 .CCCCCCCC
00000020: 4343 4343 4343 4343 4343 [4141] 6565 CCCCCCCCCCAAee
1. Above two bytes [4141] was stored in the variable 'raw_width'
in DCRaw::identify function at dcraw.cc
8871 } else if (!memcmp (head,"\0\001\0\001\0@",6)) {
8872 fseek (ifp, 6, SEEK_SET);
8873 fread (make, 1, 8, ifp);
8874 fread (model, 1, 8, ifp);
8875 fread (model2, 1, 16, ifp);
8876 data_offset = get2();
8877 get2();
8878 raw_width = get2(); // HERE
8879 raw_height = get2();
8880 load_raw = &CLASS nokia_load_raw;
8881 filters = 0x61616161;
--gdb--
8878 raw_width = get2();
(gdb) n
8879 raw_height = get2();
(gdb) p/x raw_width
$21 = 0x4141
-------
2. And then it stored in the varaible 'width' in the same function
9008 desc[511] = artist[63] = make[63] = model[63] = model2[63] = 0;
9009 if (!is_raw) goto notraw;
9010
9011 if (!height) height = raw_height;
9012 if (!width) width = raw_width; // HERE
9013 if (height == 2624 && width == 3936) /* Pentax K10D and Samsung GX10 */
9014 { height = 2616; width = 3896; }
9015 if (height == 3136 && width == 4864) /* Pentax K20D and Samsung GX20 */
--gdb--
Breakpoint 9, DCRaw::identify (this=this@entry=0x7ffff48b2010) at dcraw.cc:9012
9012 if (!width) width = raw_width;
$24 = 0
(gdb) n
9013 if (height == 2624 && width == 3936) /* Pentax K10D and Samsung GX10 */
(gdb) p/x width
$25 = 0x4141
3. This 'width' was used in the below loop
in the function DCRaw::find_green at the same file.
8504 float CLASS find_green (int bps, int bite, int off0, int off1)
8505 {
8506 UINT64 bitbuf=0;
8507 int vbits, col, i, c;
8508 ushort img[2][2064];
8509 double sum[]={0,0};
8510
8511 FORC(2) {
8512 fseek (ifp, c ? off1:off0, SEEK_SET);
8513 for (vbits=col=0; col < width; col++) { // HERE(1), width was used
8514 for (vbits -= bps; vbits < 0; vbits += bite) {
8515 bitbuf <<= bite;
8516 for (i=0; i < bite; i+=8)
8517 bitbuf |= (unsigned) (fgetc(ifp) << i);
8518 }
8519 img[c][col] = bitbuf << (64-bps-vbits) >> (64-bps); // HERE(2), col
is index of img buffer
8520 }
8521 }
8522 FORC(width-1) {
8523 sum[ c & 1] += ABS(img[0][c]-img[1][c+1]);
8524 sum[~c & 1] += ABS(img[1][c]-img[0][c+1]);
8525 }
8526 return 100 * log(sum[0]/sum[1]);
8527 }
At HERE(2) because local variable 'col' increased until being same as variable
'width'
which can be easily modified by input file and can have big enough value to
overwrite local buffer img.
=========================================================================
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST
-- System Information:
Debian Release: 9.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'),
(500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages ufraw-batch depends on:
ii libbz2-1.0 1.0.6-8.1
ii libc6 2.24-11+deb9u1
ii libexiv2-14 0.25-3.1
ii libgcc1 1:6.3.0-18
ii libglib2.0-0 2.50.3-2
ii libgomp1 6.3.0-18
ii libjpeg62-turbo 1:1.5.1-2
ii liblcms2-2 2.8-4
ii liblensfun1 0.3.2-3
ii libpng16-16 1.6.28-1
ii libstdc++6 6.3.0-18
ii libtiff5 4.0.8-2+deb9u2
ii zlib1g 1:1.2.8.dfsg-5
ufraw-batch recommends no packages.
Versions of packages ufraw-batch suggests:
pn ufraw <none>
-- no debconf information
poc
Description: Binary data
