[Secure-testing-team] Bug#890016: fig2dev: null dereference while running fig2dev

Joonun Jang joonun.jang at gmail.com
Sat Feb 10 05:40:46 UTC 2018


Package: fig2dev
Version: 1:3.2.6a-6
Severity: important
Tags: security

null dereference running fig2dev with "-L pdf poc" option

Running 'fig2dev -L pdf poc' with the attached file raises a null dereference,
which may allow a remote attacker to cause a denial-of-service attack.
I expected the program to terminate without a segfault, but the program crashes as follows:

june at june:~/temp/report/fig2dev/null$ ../../binary/fig2dev-3.2.6a/fig2dev/fig2dev -L pdf poc
incomplete spline object
ASAN:DEADLYSIGNAL
=================================================================
==16804==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x55555557911b bp 0x60800000bf20 sp 0x7fffffffd8d0 T0)
    #0 0x55555557911a in free_splinestorage /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/free.c:122
    #1 0x55555557ad0d in read_splineobject /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read1_3.c:430
    #2 0x55555557bef7 in read_1_3_objects /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read1_3.c:102
    #3 0x555555581ad4 in readfp_fig /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/read.c:187
    #4 0x55555556eb70 in main /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev.c:412
    #5 0x7ffff63762b0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x202b0)
    #6 0x55555556f259 in _start (/home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/fig2dev+0x1b259)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/june/temp/report/binary/fig2dev-3.2.6a/fig2dev/free.c:122 in free_splinestorage
==16804==ABORTING

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages fig2dev depends on:
ii  gawk         1:4.1.4+dfsg-1
ii  libc6        2.24-11+deb9u1
ii  libpng16-16  1.6.28-1
ii  libxpm4      1:3.5.12-1
ii  x11-common   1:7.7+19

Versions of packages fig2dev recommends:
ii  ghostscript  9.20~dfsg-3.2+deb9u1
ii  netpbm       2:10.0-15.3+b2

Versions of packages fig2dev suggests:
pn  xfig  <none>

-- no debconf information
-------------- next part --------------
711111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111


0
1
16 3

16 6

0

16 6

0
1
1 6
1=6


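The trace above shows the crash on the error path: read_splineobject reports "incomplete spline object" and then calls free_splinestorage, which dereferences a NULL pointer inside an object that was only partially built. The following C program is an added illustration of that failure class and its fix; it is not fig2dev's code, and the Spline/Point structs, the "S <npoints>" input format and the function names (parse_spline, free_spline, parse_and_release) are assumptions made for the example. The point it demonstrates is that a teardown routine must tolerate every state a parser can abandon an object in, because a truncated input file reaches it with some members still NULL.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical, simplified spline record (an assumption for this example,
 * not fig2dev's own data structures). */
typedef struct point {
    double x, y;
    struct point *next;
} Point;

typedef struct spline {
    int npoints;           /* point count claimed by the input header */
    Point *points;         /* singly linked list; NULL until the first point is read */
    double *shape_factors; /* npoints entries; only allocated once all points are read */
} Spline;

/* Hardened teardown: tolerates an object abandoned at any stage of construction.
 * Every pointer is checked (or passed to free(), which accepts NULL) rather than
 * assumed to be populated. Returns the number of point nodes released so the
 * behaviour can be checked from outside. */
int free_spline(Spline *s) {
    int released = 0;
    if (s == NULL)
        return 0;
    Point *p = s->points;
    while (p != NULL) {
        Point *next = p->next;
        free(p);
        p = next;
        released++;
    }
    free(s->shape_factors); /* free(NULL) is a defined no-op */
    free(s);
    return released;
}

/* Parse "S <npoints>\n" followed by npoints lines of "x y" from an in-memory
 * buffer (constructed format for this example). On truncated input it prints a
 * diagnostic, frees the partial object safely and returns NULL; *points_read
 * records how far parsing got. */
Spline *parse_spline(const char *text, int *points_read) {
    *points_read = 0;
    int n;
    if (sscanf(text, "S %d", &n) != 1 || n <= 0)
        return NULL;
    Spline *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    s->npoints = n;
    Point *tail = NULL;
    const char *line = strchr(text, '\n');
    for (int i = 0; i < n; i++) {
        double x, y;
        if (line == NULL || sscanf(line + 1, "%lf %lf", &x, &y) != 2) {
            fprintf(stderr, "incomplete spline object (%d of %d points)\n", i, n);
            free_spline(s); /* safe: shape_factors is still NULL, points may be NULL */
            return NULL;
        }
        Point *p = calloc(1, sizeof *p);
        if (p == NULL) {
            free_spline(s);
            return NULL;
        }
        p->x = x;
        p->y = y;
        if (tail != NULL)
            tail->next = p;
        else
            s->points = p;
        tail = p;
        (*points_read)++;
        line = strchr(line + 1, '\n');
    }
    s->shape_factors = calloc((size_t)n, sizeof *s->shape_factors);
    if (s->shape_factors == NULL) {
        free_spline(s);
        return NULL;
    }
    return s;
}

/* Round trip for checking: parse, then release. Returns -1 for rejected or
 * truncated input, otherwise the number of point nodes allocated and released. */
int parse_and_release(const char *text) {
    int read = 0;
    Spline *s = parse_spline(text, &read);
    if (s == NULL)
        return -1;
    return free_spline(s);
}

int main(void) {
    /* Constructed inputs: one complete spline, one that claims three points
     * but supplies two, mirroring a truncated object in an input file. */
    printf("complete:  %d\n", parse_and_release("S 2\n1 2\n3 4\n"));
    printf("truncated: %d\n", parse_and_release("S 3\n1 2\n3 4\n"));
    return 0;
}
```

The truncated case exercises exactly the path the ASAN trace shows (parser error, then cleanup of a half-built object); because free_spline checks each member before touching it, that path exits cleanly instead of faulting. Compiling with -fsanitize=address, as the reporter did, is the simplest way to confirm a cleanup routine behaves this way on malformed input.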