[Secure-testing-team] Bug#881119: gifsicle: double free while running gifsicle
Joonun Jang
joonun.jang at gmail.com
Wed Nov 8 01:37:48 UTC 2017
Package: gifsicle
Version: 1.90-1
Severity: important
Tags: security
Double free while running gifsicle with the '--delay 50 poc poc -o output' option
Running 'gifsicle --delay 50 poc poc -o output' with the attached file raises a double free,
which may allow a remote attacker to cause a denial-of-service attack or other unspecified
impact via a crafted file.
I expected the program to terminate without a segfault, but the program crashes as follows:
-------------------------------------------
june at yuweol:~/poc/gifsicle/crash1$ gifsicle poc poc -o output
gifsicle:poc:#0: read error: unknown block type 83 at file offset 37
gifsicle:poc: file not in GIF format
Segmentation fault
-------------------------------------------
june at yuweol:~/poc/gifsicle/crash1$ ~/project/analyze/bins/gifsicle-1.90/src/gifsicle --delay 50 poc poc -o output
gifsicle:poc:#0: read error: unknown block type 83 at file offset 37
gifsicle:poc: file not in GIF format
=================================================================
==4607==ERROR: AddressSanitizer: attempting double-free on 0x611000000400 in thread T0:
#0 0x7f519caaafd0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
#1 0x562d9a5a6de8 in Gif_Realloc (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x1fde8)
#2 0x562d9a5b19db in suck_data (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2a9db)
#3 0x562d9a5b2fe2 in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2bfe2)
#4 0x562d9a5b38cd in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c8cd)
#5 0x562d9a60301d in input_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7c01d)
#6 0x562d9a60a2e2 in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x832e2)
#7 0x7f519c3502e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
#8 0x562d9a596da9 in _start (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0xfda9)
0x611000000400 is located 0 bytes inside of 207-byte region [0x611000000400,0x6110000004cf)
freed by thread T0 here:
#0 0x7f519caaa8c8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd98c8)
#1 0x562d9a5b33ae in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c3ae)
#2 0x562d9a5b38cd in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c8cd)
#3 0x562d9a60301d in input_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7c01d)
#4 0x562d9a60a2e2 in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x832e2)
#5 0x7f519c3502e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
previously allocated by thread T0 here:
#0 0x7f519caaafd0 in __interceptor_realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0)
#1 0x562d9a5a6de8 in Gif_Realloc (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x1fde8)
#2 0x562d9a5b19db in suck_data (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2a9db)
#3 0x562d9a5b2fe2 in read_gif (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2bfe2)
#4 0x562d9a5b38cd in Gif_FullReadFile (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x2c8cd)
#5 0x562d9a60301d in input_stream (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x7c01d)
#6 0x562d9a60a2e2 in main (/home/june/project/analyze/bins/gifsicle-1.90/src/gifsicle+0x832e2)
#7 0x7f519c3502e0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202e0)
SUMMARY: AddressSanitizer: double-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9fd0) in __interceptor_realloc
==4607==ABORTING
-------------------------------------------
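The trace above shows one allocation that suck_data() grows with realloc(), that read_gif() frees on its error path ("file not in GIF format"), and that a later suck_data() call hands to realloc() a second time: the classic shape of a pointer that is freed but left in place. The C model below is an added illustration of that pattern and its fix; it is not gifsicle's code and not part of the report. It assumes a reader state (the hypothetical growbuf struct) that is reused across the two inputs on the command line, which is one way the second read could reach the freed block; whether gifsicle's reader actually keeps its state that way is not established by this report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed growable byte buffer standing in for the region that the
 * trace shows suck_data() growing with realloc() and read_gif() freeing.
 * This is a model of the bug pattern, not gifsicle's data structure. */
typedef struct {
    unsigned char *data;
    size_t len;
    size_t cap;
} growbuf;

/* Append n bytes, growing the buffer with realloc(). realloc(NULL, n) is a
 * plain allocation, so a NULL data pointer is always safe to pass here. */
static int gb_append(growbuf *b, const unsigned char *src, size_t n) {
    if (b->len + n > b->cap) {
        size_t ncap = b->cap ? b->cap * 2 : 64;
        while (ncap < b->len + n) ncap *= 2;
        unsigned char *p = realloc(b->data, ncap);
        if (!p) return 0;
        b->data = p;
        b->cap = ncap;
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 1;
}

/* Buggy error path (the shape of the double free in the trace): the buffer
 * is freed but the stale pointer stays in the shared struct, so the next
 * input's gb_append() passes it to realloc() again. Calling this twice on
 * bad input aborts under ASan exactly like the report. */
int parse_buggy(growbuf *b, const unsigned char *file, size_t n) {
    if (!gb_append(b, file, n)) return 0;
    if (b->len < 6 || memcmp(b->data, "GIF8", 4) != 0) {
        free(b->data);          /* b->data now dangles */
        return 0;
    }
    b->len = 0;
    return 1;
}

/* Hardened error path: release and reset together, so the struct never
 * carries a freed pointer into the next read. */
static int parse_safe(growbuf *b, const unsigned char *file, size_t n) {
    if (!gb_append(b, file, n)) return 0;
    int ok = b->len >= 6 && memcmp(b->data, "GIF8", 4) == 0;
    if (!ok) {
        free(b->data);
        b->data = NULL;         /* next realloc(NULL, ...) is a fresh malloc */
        b->len = b->cap = 0;
    } else {
        b->len = 0;             /* keep the allocation for the next input */
    }
    return ok;
}

/* Read the same bytes twice through one shared reader state, as the command
 * line "gifsicle poc poc" supplies the file twice. Returns the number of
 * successful reads; the second read never touches freed memory. */
int read_twice_safe(const unsigned char *file, size_t n) {
    growbuf b = {0};
    int ok = 0;
    ok += parse_safe(&b, file, n);
    ok += parse_safe(&b, file, n);
    free(b.data);               /* free(NULL) is a no-op */
    return ok;
}

/* Returns 1 if the hardened reader holds no pointer after a failed parse. */
int error_path_resets(void) {
    static const unsigned char bad[] = "NOTAGIF";   /* constructed bad header */
    growbuf b = {0};
    parse_safe(&b, bad, sizeof bad - 1);
    return b.data == NULL && b.cap == 0;
}

int main(void) {
    static const unsigned char bad[]  = "NOTAGIF";              /* constructed */
    static const unsigned char good[] = "GIF89a\x01\x00\x01\x00"; /* constructed */
    printf("bad input:  %d of 2 reads ok\n", read_twice_safe(bad, sizeof bad - 1));
    printf("good input: %d of 2 reads ok\n", read_twice_safe(good, sizeof good - 1));
    return 0;
}
```

The detection side of this is what the report already shows: build with -fsanitize=address and run each rejected input through the tool twice, since the first pass only triggers the free and the second the reuse. The fix side is the pairing of free() with a pointer reset (and a length/capacity reset) in every error path that releases a buffer the caller can see.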
This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages gifsicle depends on:
ii libc6 2.24-17
ii libx11-6 2:1.6.4-3
gifsicle recommends no packages.
gifsicle suggests no packages.
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc
Type: application/octet-stream
Size: 82 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20171108/075b0316/attachment-0001.obj>