[Secure-testing-team] Bug#881144: fig2dev: out of bound read while running fig2dev with -L pic option
Joonun Jang
joonun.jang at gmail.com
Wed Nov 8 06:44:23 UTC 2017
Package: fig2dev
Version: 1:3.2.6a-4
Severity: important
Tags: security
out of bound read while running fig2dev with -L pic option
Running 'fig2dev -L pic poc' with the attached file raises an out-of-bounds read bug,
which may allow a remote attacker to cause a denial-of-service attack or information
disclosure with a crafted file.
I expected the program to terminate without a segfault, but the program crashes as follows:
=======================================================
june@yuweol:~/poc/fig2dev/crash2$ fig2dev -L pic ./poc
.PS
.ps 11
Segmentation fault
=======================================================
Program received signal SIGSEGV, Segmentation fault.
0x0000555555567960 in unpsfont (t=t@entry=0x555555810160) at psfonts.c:194
194 if (PSmapwarn[t->font+1])
(gdb) p t->font
$1 = 71111111
(gdb) bt
#0 0x0000555555567960 in unpsfont (t=t@entry=0x555555810160) at psfonts.c:194
#1 0x000055555558e282 in genpic_text (t=0x555555810160) at genpic.c:443
#2 0x00005555555615d2 in gendev_objects (dev=0x5555557ef200 <dev_pic>, objects=0x7fffffffe0f0)
at fig2dev.c:833
#3 main (argc=<optimized out>, argv=<optimized out>) at fig2dev.c:467
(gdb) x/i $rip
=> 0x555555567960 <unpsfont+32>: mov (%rcx,%rdx,4),%ecx
(gdb) i r rcx rdx
rcx 0x5555555c3f60 93824992690016
rdx 0x43d11c8 71111112
=======================================================
This bug was found with a fuzzer developed by 'SoftSec' group at KAIST.
-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'testing-debug'), (500, 'stable-updates'), (500, 'testing'), (500, 'stable'), (1, 'experimental-debug')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages fig2dev depends on:
ii gawk 1:4.1.4+dfsg-1
ii libc6 2.24-17
ii libpng16-16 1.6.34-1
ii libxpm4 1:3.5.12-1
ii x11-common 1:7.7+19
Versions of packages fig2dev recommends:
ii ghostscript 9.22~dfsg-1
ii netpbm 2:10.0-15.3+b2
Versions of packages fig2dev suggests:
pn xfig <none>
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc
Type: application/octet-stream
Size: 42 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20171108/44e1a9af/attachment.obj>
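Added example, not part of the report above and not fig2dev's code: a small C program showing the defensive pattern the backtrace points at. The gdb session shows a font number of 71111111 taken from the input file and used, plus one, as an index into a per-font table (PSmapwarn[t->font+1]). The fix pattern is to range-check the parsed font number against the table size before any lookup, and to fall back to the default slot when it is out of range. The table size (NUM_PS_FONTS), the font names, the ps_map_warn array and the function names here are assumptions for this example, not the real fig2dev tables.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the per-font tables that the crash indexes with
 * t->font + 1. The real fig2dev tables and their sizes are not on the page;
 * NUM_PS_FONTS and the names below are assumptions for this example. */
#define NUM_PS_FONTS 4
static const char *ps_font_names[NUM_PS_FONTS] = {
    "Default", "Times-Roman", "Helvetica", "Courier"
};
static int ps_map_warn[NUM_PS_FONTS]; /* "already warned" flag per slot */

/* A font number is valid when font + 1 lands inside the table: -1 (the
 * default slot) up to NUM_PS_FONTS - 2. Anything else, such as the 71111111
 * seen in the report, would read past the end of the array. */
int font_index_ok(long font)
{
    return font >= -1 && font <= (long)NUM_PS_FONTS - 2;
}

/* Checked lookup: returns the font name, or the default slot's name when the
 * number is out of range, so the table is never indexed out of bounds. */
const char *ps_font_name_checked(long font)
{
    if (!font_index_ok(font))
        font = -1; /* fall back to the default font instead of indexing */
    return ps_font_names[font + 1];
}

/* Record a "font remapped" warning once per slot, with the same bounds rule.
 * Returns 1 the first time, 0 if already warned, -1 if refused. */
int ps_font_warn_once(long font)
{
    if (!font_index_ok(font))
        return -1; /* refuse rather than touch ps_map_warn out of bounds */
    if (ps_map_warn[font + 1])
        return 0;
    ps_map_warn[font + 1] = 1;
    return 1;
}

/* Parse the font field as it arrives from an untrusted input file: reject
 * non-numeric text, values that overflow long, and values outside the
 * table. Returns the font number, or LONG_MIN when the field is rejected. */
long parse_font_field(const char *field)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(field, &end, 10);
    if (end == field || *end != '\0' || errno == ERANGE)
        return LONG_MIN;
    if (!font_index_ok(v))
        return LONG_MIN;
    return v;
}

int main(void)
{
    /* Constructed sample fields: legal font numbers, the value from the
     * report's gdb session, and a non-numeric field. */
    const char *samples[] = { "1", "-1", "71111111", "abc" };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long font = parse_font_field(samples[i]);
        if (font != LONG_MIN)
            printf("%-10s -> font %ld (%s)\n", samples[i], font,
                   ps_font_name_checked(font));
        else
            printf("%-10s -> rejected, using %s\n", samples[i],
                   ps_font_name_checked(-1));
    }
    return 0;
}
```

The check lives in one place (font_index_ok) and every table access goes through it, so a later change to the table size cannot silently leave one lookup unguarded; rejecting at parse time additionally keeps the bad value out of the object tree altogether.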