Message-ID: <20160913192423.GA13420@hunt>
Date: Tue, 13 Sep 2016 12:24:23 -0700
From: Seth Arnold <seth.arnold@...onical.com>
To: Hanno Böck <hanno@...eck.de>
Cc: "vul@...safe" <vul@...safe.com>, oss-security@...ts.openwall.com
Subject: Re: Heapoverflow in giflib5.1.4
On Tue, Sep 13, 2016 at 06:55:08PM +0200, Hanno Böck wrote:
> Two notes:
> * This is a bug *only* in the gif2rgb command line tool, not in giflib
> itself.
> * I reported this before. The giflib maintainer claimed multiple times
> that he has fixed it, yet he hasn't. See:
> https://sourceforge.net/p/giflib/bugs/79/
Hanno, can you still reproduce this issue? I followed your excellent
reproducer script and I don't get any ASAN warnings. If you still get ASAN
warnings this may indicate the source of the confusion.
Thanks
ubuntu@x1:~$ git clone --depth=1 git://git.code.sf.net/p/giflib/code giflib-code
Cloning into 'giflib-code'...
remote: Counting objects: 149, done.
remote: Compressing objects: 100% (147/147), done.
remote: Total 149 (delta 22), reused 10 (delta 0)
Receiving objects: 100% (149/149), 389.03 KiB | 0 bytes/s, done.
Resolving deltas: 100% (22/22), done.
Checking connectivity... done.
ubuntu@x1:~$ cd giflib-code/
ubuntu@x1:~/giflib-code$ CFLAGS="-fsanitize=address -g" LDFLAGS="-fsanitize=address" ./autogen.sh
Warning: This script will run configure for you -- if you need to pass
arguments to configure, please give them as arguments to this script.
aclocal: warning: couldn't open directory 'm4': No such file or directory
configure.ac:14: installing './ar-lib'
configure.ac:14: installing './compile'
configure.ac:15: installing './config.guess'
configure.ac:15: installing './config.sub'
configure.ac:5: installing './install-sh'
configure.ac:5: installing './missing'
Makefile.am: installing './INSTALL'
parallel-tests: installing './test-driver'
lib/Makefile.am: installing './depcomp'
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... /bin/mkdir -p
checking for gawk... gawk
[...]
configure: creating ./config.status
config.status: creating util/Makefile
config.status: creating lib/Makefile
config.status: creating Makefile
config.status: creating doc/Makefile
config.status: creating pic/Makefile
config.status: creating config.h
config.status: executing depfiles commands
config.status: executing libtool commands
ubuntu@x1:~/giflib-code$ make -j
make all-recursive
make[1]: Entering directory '/home/ubuntu/giflib-code'
Making all in lib
make[2]: Entering directory '/home/ubuntu/giflib-code/lib'
CC dgif_lib.lo
CC gif_font.lo
CC egif_lib.lo
CC gif_hash.lo
CC gifalloc.lo
CC openbsd-reallocarray.lo
CC gif_err.lo
CC quantize.lo
CCLD libgif.la
ar: `u' modifier ignored since `D' is the default (see `U')
make[2]: Leaving directory '/home/ubuntu/giflib-code/lib'
Making all in util
make[2]: Entering directory '/home/ubuntu/giflib-code/util'
CC getarg.o
CC gif2rgb.o
CC qprintf.o
CC gifbuild.o
CC gifecho.o
CC gifinto.o
CC giftext.o
CC giftool.o
CC gifclrmp.o
CC giffix.o
CC gifbg.o
CC gifcolor.o
CC giffilter.o
CC gifsponge.o
CC gifhisto.o
CC gifwedge.o
AR libgetarg.a
ar: `u' modifier ignored since `D' is the default (see `U')
CCLD gif2rgb
CCLD gifecho
CCLD giffix
CCLD giftext
CCLD gifinto
CCLD giftool
CCLD gifbg
CCLD gifclrmp
CCLD gifcolor
CCLD giffilter
CCLD gifsponge
CCLD gifwedge
CCLD gifhisto
CCLD gifbuild
make[2]: Leaving directory '/home/ubuntu/giflib-code/util'
Making all in pic
make[2]: Entering directory '/home/ubuntu/giflib-code/pic'
make[2]: Nothing to be done for 'all'.
make[2]: Leaving directory '/home/ubuntu/giflib-code/pic'
make[2]: Entering directory '/home/ubuntu/giflib-code'
make[2]: Leaving directory '/home/ubuntu/giflib-code'
make[1]: Leaving directory '/home/ubuntu/giflib-code'
ubuntu@x1:~/giflib-code$ wget https://sourceforge.net/p/giflib/bugs/79/attachment/gif2rgb-oob-heap-read.gif
--2016-09-13 19:19:27-- https://sourceforge.net/p/giflib/bugs/79/attachment/gif2rgb-oob-heap-read.gif
Resolving sourceforge.net (sourceforge.net)... 216.34.181.60
Connecting to sourceforge.net (sourceforge.net)|216.34.181.60|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 20 [image/gif]
Saving to: ‘gif2rgb-oob-heap-read.gif’
gif2rgb-oob-heap-read.gif 100%[=============================================>] 20 --.-KB/s in 0s
2016-09-13 19:19:27 (2.73 MB/s) - ‘gif2rgb-oob-heap-read.gif’ saved [20/20]
ubuntu@x1:~/giflib-code$ util/gif2rgb gif2rgb-oob-heap-read.gif
Background color out of range for colormap
ubuntu@x1:~/giflib-code$
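The run above ends with gif2rgb printing `Background color out of range for colormap` rather than an ASAN report, which suggests the tool now validates the background color index against the colormap size before using it. As an added illustration of that kind of check, not code from giflib, from gif2rgb or from anyone in this thread, the following standalone C parses the 6-byte signature and 7-byte Logical Screen Descriptor of a GIF and refuses a file whose background index does not address an existing entry of the global color table. The struct and function names are hypothetical, and the three headers at the bottom are constructed samples, not the SourceForge attachment.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Fields of the GIF Logical Screen Descriptor that matter for the check.
 * Names are hypothetical; this is not giflib's GifFileType. */
struct gif_screen {
    uint16_t width;
    uint16_t height;
    int has_gct;          /* global color table present? */
    int gct_entries;      /* 2^(N+1) entries, 0 when absent */
    uint8_t background;   /* background color index (byte 11) */
};

enum gif_status {
    GIF_OK = 0,
    GIF_TOO_SHORT = -1,
    GIF_BAD_SIGNATURE = -2,
    GIF_NO_COLORMAP = -3,
    GIF_BG_OUT_OF_RANGE = -4
};

/* Parse the 6-byte signature and the 7-byte Logical Screen Descriptor. */
int gif_parse_screen(const uint8_t *buf, size_t len, struct gif_screen *out)
{
    if (len < 13)
        return GIF_TOO_SHORT;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return GIF_BAD_SIGNATURE;

    out->width  = (uint16_t)(buf[6] | (buf[7] << 8));   /* little-endian */
    out->height = (uint16_t)(buf[8] | (buf[9] << 8));

    uint8_t packed = buf[10];
    out->has_gct = (packed & 0x80) != 0;
    /* Bits 0-2 hold N; the table has 2^(N+1) entries (2..256). */
    out->gct_entries = out->has_gct ? (2 << (packed & 0x07)) : 0;
    out->background = buf[11];
    /* buf[12] is the pixel aspect ratio, not needed for this check. */
    return GIF_OK;
}

/* The bounds check: the background index must address an existing entry of
 * the global color table, otherwise a lookup through it reads past the
 * table's allocation. */
int gif_check_background(const struct gif_screen *s)
{
    if (!s->has_gct)
        return GIF_NO_COLORMAP;
    if ((int)s->background >= s->gct_entries)
        return GIF_BG_OUT_OF_RANGE;
    return GIF_OK;
}

/* Parse and check in one call; returns a gif_status value. */
int gif_validate(const uint8_t *buf, size_t len)
{
    struct gif_screen s;
    int rc = gif_parse_screen(buf, len, &s);
    if (rc != GIF_OK)
        return rc;
    return gif_check_background(&s);
}

/* Constructed 13-byte headers (not the reproducer from the bug tracker). */
/* GCT present, N=0 -> 2 entries, background index 0: valid. */
static const uint8_t sample_ok[13] =
    { 'G','I','F','8','9','a', 1,0, 1,0, 0x80, 0x00, 0x00 };
/* GCT present, 2 entries, background index 200: out of range. */
static const uint8_t sample_bad[13] =
    { 'G','I','F','8','9','a', 1,0, 1,0, 0x80, 0xC8, 0x00 };
/* No GCT at all, so the background index has nothing to index. */
static const uint8_t sample_nogct[13] =
    { 'G','I','F','8','9','a', 1,0, 1,0, 0x00, 0x05, 0x00 };

int main(void)
{
    printf("ok:    %d\n", gif_validate(sample_ok, sizeof sample_ok));
    printf("bad:   %d\n", gif_validate(sample_bad, sizeof sample_bad));
    printf("nogct: %d\n", gif_validate(sample_nogct, sizeof sample_nogct));
    return 0;
}
```

Feeding a whole file to `gif_validate` works the same way, since only the first 13 bytes are inspected; a tool that then indexes the colormap with `background` can rely on the index being in range, which is exactly the property a sanitizer build would otherwise have to catch at run time.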