[Secure-testing-team] Bug#890015: fig2dev: global buffer overflow while running fig2dev
Joonun Jang
joonun.jang at gmail.com
Sat Feb 10 05:36:06 UTC 2018
Package: fig2dev
Version: 1:3.2.6a-6
Severity: important
Tags: security
global buffer overflow running fig2dev with "-L pdf poc" option
Running 'fig2dev -L pdf poc' with the attached file raises a global buffer overflow,
which may allow a remote attacker to cause unspecified impact including a denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes as follows:
june at june:~/temp/report/fig2dev/global$ ../../binary/fig2dev-3.2.6a/fig2dev/fig2dev -L pdf poc
=================================================================
==16175==ERROR: AddressSanitizer: global-buffer-overflow on address 0x555555826e40 at pc 0x55555557da29 bp 0x7fffffffdcd0 sp 0x7fffffffdcc8
READ of size 8 at 0x555555826e40 thread T0
#0 0x55555557da28 in save_comment /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:1425
#1 0x55555557da28 in get_line /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:1404
#2 0x555555581d52 in read_objects /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:325
#3 0x555555581d52 in readfp_fig /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:185
#4 0x55555556eb70 in main /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev.c:412
#5 0x7ffff63762b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
#6 0x55555556f259 in _start (/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev+0x1b259)
0x555555826e40 is located 32 bytes to the left of global variable 'line_no' defined in 'read.c:88:13' (0x555555826e60) of size 4
0x555555826e40 is located 0 bytes to the right of global variable 'comments' defined in 'read.c:95:14' (0x555555826b20) of size 800
SUMMARY: AddressSanitizer: global-buffer-overflow /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:1425 in save_comment
Shadow bytes around the buggy address:
0x0aab2aafcd70: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2aafcd80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2aafcd90: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2aafcda0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2aafcdb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0aab2aafcdc0: 00 00 00 00 00 00 00 00[f9]f9 f9 f9 04 f9 f9 f9
0x0aab2aafcdd0: f9 f9 f9 f9 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2aafcde0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2aafcdf0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2aafce00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0aab2aafce10: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==16175==ABORTING
-- System Information:
Debian Release: 9.3
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages fig2dev depends on:
ii gawk 1:4.1.4+dfsg-1
ii libc6 2.24-11+deb9u1
ii libpng16-16 1.6.28-1
ii libxpm4 1:3.5.12-1
ii x11-common 1:7.7+19
Versions of packages fig2dev recommends:
ii ghostscript 9.20~dfsg-3.2+deb9u1
ii netpbm 2:10.0-15.3+b2
Versions of packages fig2dev suggests:
pn xfig <none>
-- no debconf information
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc
Type: application/octet-stream
Size: 61204 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20180210/9d453c3f/attachment-0001.obj>
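Added example, not code from the report above and not fig2dev's own source. The ASan output says the 8-byte read in save_comment lands 0 bytes past an 800-byte global named 'comments', which on amd64 is the size of 100 char pointers, so the report is consistent with a fixed-size table of comment-line pointers that is indexed past its end once a FIG file carries more than 100 consecutive '#' lines before an object record. The block below models that pattern and shows the bounds check the saver needs. Everything in it is an assumption derived from the report rather than from read.c: the names MAXCOMMENTS, comments, numcom, save_comment_unchecked and save_comment_checked, the body of the unchecked variant, and the constructed input built by make_input (the real poc attachment is not reproduced). The unchecked variant is shown for contrast only and is never called.

```c
/*
 * Added example modelling the save_comment overflow reported above.
 * NOT fig2dev source: table size, names and bodies are assumptions
 * derived from the ASan report (800-byte global 'comments', 8-byte
 * read at offset 800).
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXCOMMENTS 100              /* assumed: 100 pointers = 800 bytes on amd64 */

char *comments[MAXCOMMENTS];         /* assumed layout of the overflowed global */
int   numcom;                        /* number of comment lines currently stored */

/* Release every stored comment line and reset the table. */
void free_comments(void)
{
    for (int i = 0; i < numcom && i < MAXCOMMENTS; i++) {
        free(comments[i]);
        comments[i] = NULL;
    }
    numcom = 0;
}

/*
 * Assumed model of the bug (never called here). On the 101st comment line
 * numcom == 100, so comments[numcom] is an 8-byte pointer read 0 bytes past
 * the 800-byte table, matching the ASan "READ of size 8" in save_comment.
 * 'line' is heap-allocated by the caller and owned by the table afterwards.
 */
int save_comment_unchecked(char *line)
{
    if (comments[numcom] != NULL)    /* out-of-bounds read once numcom == MAXCOMMENTS */
        free(comments[numcom]);
    comments[numcom++] = line;       /* followed by an out-of-bounds write */
    return 0;
}

/* Hardened variant: refuse the 101st line instead of indexing past the table. */
int save_comment_checked(char *line)
{
    if (numcom >= MAXCOMMENTS) {
        free(line);
        return -1;                   /* caller treats this as a parse error */
    }
    comments[numcom++] = line;
    return 0;
}

/*
 * Hand every leading '#' line of 'input' to 'save' (which takes ownership).
 * Returns the number of comment lines accepted, or -1 if 'save' rejected one.
 * Stops at the first non-comment line, i.e. the object record.
 */
int read_comment_block(const char *input, int (*save)(char *))
{
    const char *p = input;
    int n = 0;
    while (*p == '#') {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char *line = malloc(len + 1);
        if (line == NULL)
            return -1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (save(line) != 0)
            return -1;
        n++;
        if (nl == NULL)
            break;
        p = nl + 1;
    }
    return n;
}

/*
 * Constructed input: 'ncomments' lines of "# c\n" followed by one
 * object-looking line. Caller frees the result.
 */
char *make_input(int ncomments)
{
    const char *tail = "6 0 0 10 10\n";
    char *buf = malloc((size_t)ncomments * 4 + strlen(tail) + 1);
    if (buf == NULL)
        return NULL;
    char *q = buf;
    for (int i = 0; i < ncomments; i++, q += 4)
        memcpy(q, "# c\n", 4);
    strcpy(q, tail);
    return buf;
}

static int last_stored;              /* table size observed by the last run_checked() */

/* Parse a constructed input with the checked saver; returns its verdict. */
int run_checked(int ncomments)
{
    char *in = make_input(ncomments);
    if (in == NULL)
        return -1;
    int rc = read_comment_block(in, save_comment_checked);
    last_stored = numcom;
    free_comments();
    free(in);
    return rc;
}

int stored_by_last_run(void) { return last_stored; }

int main(void)
{
    int rc = run_checked(MAXCOMMENTS + 1);
    printf("checked saver on %d comment lines: rc=%d, stored=%d\n",
           MAXCOMMENTS + 1, rc, stored_by_last_run());
    return 0;
}
```

Rejecting the extra line is one way to close the gap; silently dropping comments beyond the table is the other, and which one the upstream fix chose is not stated in this report. Either way the point is that the index into a fixed-size global must be compared against its capacity before the slot is read or written, and that a file-supplied count of '#' lines must never be trusted to stay under it.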