Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-Id: <20160717143256.2AF9F332028@smtpvbsrv1.mitre.org>
Date: Sun, 17 Jul 2016 10:32:56 -0400 (EDT)
From: cve-assign@...re.org
To: marco.gra@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: multiple memory corruption issues in lepton

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> I just reported on dropbox/lepton github project some memory corruption
> issues, with reproducers.
> 
> https://github.com/dropbox/lepton/issues/26

>> download some samples that will cause memory corruption problems in lepton:
>> 
>> https://github.com/marcograss/marcograss.github.io/blob/master/assets/lepton_testcases1.zip?raw=true
>> 
>> you can reproduce with ./lepton/lepton -singlethread -unjailed -preload testcase.jpeg /tmp/out.lep

>> AddressSanitizer: unknown-crash
>> READ of size 208
>> #0 0x52eb78 in std::__atomic_base::load(std::memory_order) const /usr/include/c++/6/bits/atomic_base.h:396
>> #1 0x52eb78 in std::__atomic_base::operator unsigned int() const /usr/include/c++/6/bits/atomic_base.h:259
>> #2 0x52eb78 in print_bill(int) src/vp8/util/billing.cc:145
>> #3 0x46b7f3 in process_file(IOUtil::FileReader, IOUtil::FileWriter, int, bool) src/lepton/jpgcoder.cc:1616

Use CVE-2016-6234. We think this is an issue in Lepton code. We were
unable to find any relationship between src/vp8/util/billing.cc and
the https://github.com/webmproject/libvpx/tree/master/vp8 code.


>> AddressSanitizer: SEGV on unknown address
>> #0 0x455163 in setup_imginfo_jpg(bool) src/lepton/jpgcoder.cc:4023

Use CVE-2016-6235.


>> AddressSanitizer: global-buffer-overflow
>> READ of size 2
>> #0 0x4571f0 in setup_imginfo_jpg(bool) src/lepton/jpgcoder.cc:4023

Use CVE-2016-6236 for this buffer over-read issue.


>> AddressSanitizer: global-buffer-overflow
>> WRITE of size 2
>> #0 0x45392c in build_huffcodes(unsigned char, unsigned char, huffCodes, huffTree) src/lepton/jpgcoder.cc:5099

Use CVE-2016-6237.


>> AddressSanitizer: global-buffer-overflow
>> READ of size 2
>> #0 0x4fe248 in ProbabilityTablesBase::set_quantization_table(BlockType, unsigned short const) src/vp8/model/model.hh:233
>> #1 0x4fe248 in VP8ComponentEncoder::vp8_full_encoder(UncompressedComponents const, IOUtil::FileWriter, ThreadHandoff const, unsigned int) src/lepton/vp8_encoder.cc:465
>> #2 0x47b3a8 in write_ujpg(std::vector >, std::vector >) src/lepton/jpgcoder.cc:3660

Use CVE-2016-6238 for this buffer over-read issue. We think this is an
issue in Lepton code. We were unable to find any relationship between
src/vp8/model/model.hh and the
https://github.com/webmproject/libvpx/tree/master/vp8 code.

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJXi5bEAAoJEHb/MwWLVhi2NgEP/3kibyFdWoOvdS0pi/zyPGq4
WnVyS1lgnjNKUH/eJSj2L0mpxh9ecW7SRojAxE5DG8W0KjZRH2KyNJDnSVq04BtW
tgZv5SzUbAZpZ3g0mQo4hjXcfv9Iss3ajjHol7KliMIpU8gnquHRUJytKGHVjKyj
uTFCIsQIv29yXGyU9A7999uuSlwWpKo6amJUh4q4ip14B75Ho9SDCOwjX6Zp7E7Z
z0aoPUWRHaOIg3/1u3KPQ2JM0dapD+Z0R7Bo9I5uHWYA79shp5OQ4LeLCF8jMCHI
Y2WOp2sQWxXBGoYPtbeCzvTFj+EAeXfLa6vI+oEFiYiQRaUzrbwN4PGgNJ00IISu
2snPbfeUxnwbTXjcs1eBS0kwlBBuCNjA619sdIuq8CV4qEXSHr4SR195j1dVa3kD
aQOhp7IhTzvTwbhDrzccCcqnoduE3Gs9GfzS0QQfvYgPxkclRT3zIBFoKqJ9kgy6
mzBouOlWmCPzVD4PB2ugG5Aq7ChqDoTTwCmP+VoA9Ne736Y0s2FiEGPC5rKhLACW
vjkHAjKLfV4hXbXfPRRL3FDZ2t3EV2CqFVer5+iJZgAY6DE7vYP/BSuqA/Qjrnl/
h+H1xnvBiW6V5MF+D7vmrdn8LzZ3Bj+G5KCdIAT7c0VtlFO6VM68LE1OyRGjcHID
Fw2yhG0f2WXRJCB1eda6
=OEE8
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.