Please do not reply directly to this email. All additional comments should be made in the comments box of this bug.
Summary: CVE-2009-2295 ocaml-camlimages: PNG reader multiple integer overflows (oCERT-2009-009)
Alias: CVE-2009-2295
https://bugzilla.redhat.com/show_bug.cgi?id=509531

Product: Security Response
Version: unspecified
Platform: All
OS/Version: Linux
Status: NEW
Keywords: Security
Severity: medium
Priority: medium
Component: vulnerability
AssignedTo: security-response-team@redhat.com
ReportedBy: thoger@redhat.com
CC: rjones@redhat.com, fedora-ocaml-list@redhat.com
Classification: Other
Target Release: ---
oCERT advisory oCERT-2009-009 was published describing a flaw in ocaml-camlimages:
http://www.ocert.org/advisories/ocert-2009-009.html
CamlImages, an open source image processing library, suffers from several integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution.
The vulnerability is triggered by PNG image parsing: the read_png_file and read_png_file_as_rgb24 functions do not properly validate the width and height of the image. Specific PNG images with large width and height can be crafted to trigger the vulnerability.
The issue was reported to affect both 2.2 and 3.0.1, with no upstream patch available at the moment.
References:
http://thread.gmane.org/gmane.comp.security.oss.general/1882
http://bugs.gentoo.org/show_bug.cgi?id=276235
Richard W.M. Jones rjones@redhat.com changed:
What         | Removed                           | Added
-------------+-----------------------------------+------------------
Status       | NEW                               | ASSIGNED
AssignedTo   | security-response-team@redhat.com | rjones@redhat.com
--- Comment #2 from Richard W.M. Jones rjones@redhat.com 2009-07-03 07:33:52 EDT ---
I'll have a look at this one now.
--- Comment #4 from Richard W.M. Jones rjones@redhat.com 2009-07-03 09:31:00 EDT ---
Created an attachment (id=350433) --> (https://bugzilla.redhat.com/attachment.cgi?id=350433)
camlimages-oversized-png-check.patch
This is a potential fix which checks whether the numbers we are about to multiply together could provoke an arithmetic overflow (or are negative, which would be equally bogus).
It solves the test case that I was given privately.
Note that in any case the bug only manifests on 32-bit architectures. On 64-bit, the multiply does not overflow, but unless you have loads of free memory you will shortly afterwards get a (safe) Out_of_memory exception.
--- Comment #5 from Tomas Hoger thoger@redhat.com 2009-07-03 09:59:49 EDT ---
(In reply to comment #4)
> Created an attachment (id=350433)
> --> (https://bugzilla.redhat.com/attachment.cgi?id=350433)
> camlimages-oversized-png-check.patch

One note from a very quick look... in general, a test like:

    (x) * (y) < (x) || (x) * (y) < (y)

is not sufficient to catch all possible integer overflows in multiplication. Think of x == y == 0x10001, x * y == 0x100020001, which is 0x20001 in a 32-bit world. This can still result in a small buffer that may be overflowed later.

The test is usually written as:

    y != 0 && x > (TYPE)_MAX / y

(the first part is needed if y can be 0, not needed in cases where y is sizeof(sometype)).
--- Comment #6 from Fedora Update System updates@fedoraproject.org 2009-07-03 10:03:41 EDT ---
ocaml-camlimages-3.0.1-7.fc11.1 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/ocaml-camlimages-3.0.1-7.fc11.1
--- Comment #7 from Fedora Update System updates@fedoraproject.org 2009-07-03 10:07:41 EDT ---
ocaml-camlimages-3.0.1-3.fc10.1 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ocaml-camlimages-3.0.1-3.fc10.1
--- Comment #8 from Richard W.M. Jones rjones@redhat.com 2009-07-03 10:08:41 EDT ---
(In reply to comment #5)
> (In reply to comment #4)
> > Created an attachment (id=350433)
> > --> (https://bugzilla.redhat.com/attachment.cgi?id=350433)
> > camlimages-oversized-png-check.patch
>
> One note from a very quick look... in general, a test like:
>
>     (x) * (y) < (x) || (x) * (y) < (y)
>
> is not sufficient to catch all possible integer overflows in multiplication. Think of x == y == 0x10001, x * y == 0x100020001, which is 0x20001 in a 32-bit world. This can still result in a small buffer that may be overflowed later.
>
> The test is usually written as:
>
>     y != 0 && x > (TYPE)_MAX / y
>
> (the first part is needed if y can be 0, not needed in cases where y is sizeof(sometype)).

Yup, someone just found a counterexample on #ocaml.

I'll change the patch and rebuild in a moment.
Richard W.M. Jones rjones@redhat.com changed:
What                           | Removed | Added
-------------------------------+---------+------
Attachment #350433 is obsolete | 0       | 1
--- Comment #9 from Richard W.M. Jones rjones@redhat.com 2009-07-03 10:20:52 EDT ---
Created an attachment (id=350440) --> (https://bugzilla.redhat.com/attachment.cgi?id=350440)
camlimages-oversized-png-check-CVE-2009-2295.patch

Fix overflow detection in the patch.
--- Comment #10 from Tomas Hoger thoger@redhat.com 2009-07-03 10:37:51 EDT ---
I also see two occurrences of this in pngread.c:

    row_pointers = (png_bytep*) stat_alloc(sizeof(png_bytep) * height);

While sizeof(png_bytep) is fixed, height comes from the file and it seems possible for it to be 2^32/4 or larger.
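To make the two points from comments #5 and #10 concrete, here is an added example (not camlimages' code and not from the attached patches) that puts the weak multiplication check next to the division-based one, using the 0x10001 counterexample from comment #5, and then applies the same test to an allocation size such as sizeof(png_bytep) * height. The `image_bytes` helper and the 32-bit evaluation of the first two checks are assumptions for illustration.

```c
#include <stdint.h>
#include <stddef.h>

/* The naive form from the first patch, evaluated in 32-bit unsigned
 * arithmetic so the comment #5 counterexample reproduces on any host.
 * Returns 1 when it believes x * y overflowed. */
static int naive_overflow_check(uint32_t x, uint32_t y)
{
    uint32_t p = x * y;            /* wraps modulo 2^32 */
    return p < x || p < y;         /* misses 0x10001 * 0x10001 */
}

/* The division-based test from comment #5: y != 0 && x > MAX / y.
 * Returns 1 exactly when x * y does not fit in 32 bits. */
static int safe_overflow_check(uint32_t x, uint32_t y)
{
    return y != 0 && x > UINT32_MAX / y;
}

/* Checked multiply for allocation sizes such as
 * sizeof(png_bytep) * height from comment #10.  Stores the product in
 * *out and returns 1, or returns 0 (leaving *out untouched) on
 * overflow.  The limit is the host's SIZE_MAX, i.e. 2^32 - 1 on the
 * 32-bit targets the thread is concerned with. */
static int checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;
    *out = a * b;
    return 1;
}

/* Hypothetical helper (assumption, not a camlimages function): byte
 * size of a width x height image at bpp bytes per pixel, with every
 * multiplication checked.  Returns 0 on overflow; callers are expected
 * to have rejected zero dimensions already, so 0 never means "valid". */
static size_t image_bytes(size_t width, size_t height, size_t bpp)
{
    size_t row, total;
    if (!checked_mul_size(width, bpp, &row) ||
        !checked_mul_size(row, height, &total))
        return 0;
    return total;
}
```

With width = height = 0x10001 and one byte per pixel, naive_overflow_check reports no overflow while safe_overflow_check does, which is exactly the small-buffer case described above.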
Richard W.M. Jones rjones@redhat.com changed:
What                           | Removed | Added
-------------------------------+---------+------
Attachment #350440 is obsolete | 0       | 1
--- Comment #11 from Richard W.M. Jones rjones@redhat.com 2009-07-03 10:52:38 EDT ---
Created an attachment (id=350441) --> (https://bugzilla.redhat.com/attachment.cgi?id=350441)
camlimages-oversized-png-check-CVE-2009-2295.patch

Updated the patch with feedback from comment 10.
Richard W.M. Jones rjones@redhat.com changed:
What   | Removed  | Added
-------+----------+---------
Status | ASSIGNED | MODIFIED
--- Comment #12 from Richard W.M. Jones rjones@redhat.com 2009-07-03 14:38:18 EDT ---
I've pushed new packages for Fedora 10, 11 and Rawhide with the patch in comment 11.
Note that although we have CVS branches for EL-4 and EL-5, we don't currently distribute this package (missing build dep). However I've added the patch to those branches too, so that if in future we build for EL-4/5 we will have the patch.
I've also discussed this issue and the patch with Debian and OpenBSD maintainers.
Updates coming shortly.
--- Comment #13 from Fedora Update System updates@fedoraproject.org 2009-07-03 14:45:14 EDT ---
ocaml-camlimages-3.0.1-3.fc10.2 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/ocaml-camlimages-3.0.1-3.fc10.2
--- Comment #14 from Fedora Update System updates@fedoraproject.org 2009-07-03 14:45:15 EDT ---
ocaml-camlimages-3.0.1-7.fc11.2 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/ocaml-camlimages-3.0.1-7.fc11.2
Vincent Danen vdanen@redhat.com changed:
What | Removed | Added
-----+---------+------------------
CC   |         | vdanen@redhat.com
--- Comment #15 from Vincent Danen vdanen@redhat.com 2009-07-27 12:01:52 EDT ---
Robert @ Gentoo reported that upstream fixed similar integer overflows in gifread.c and jpegread.c for values that are used in memory allocations and memcpy().

A stripped down [by Alexis Ballier] version of the patch is in Gentoo's BZ:
https://bugs.gentoo.org/show_bug.cgi?id=276235
https://bugs.gentoo.org/attachment.cgi?id=199108
--- Comment #16 from Fedora Update System updates@fedoraproject.org 2009-08-12 16:53:33 EDT ---
ocaml-camlimages-3.0.1-7.fc11.2 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.
--- Comment #17 from Fedora Update System updates@fedoraproject.org 2009-09-11 19:39:55 EDT ---
ocaml-camlimages-3.0.1-3.fc10.2 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Richard W.M. Jones rjones@redhat.com changed:
What       | Removed  | Added
-----------+----------+--------
Status     | MODIFIED | CLOSED
Resolution |          | RAWHIDE
--- Comment #18 from Richard W.M. Jones rjones@redhat.com 2009-10-16 06:03:26 EDT ---
Long fixed ... Closing.
ocaml-devel@lists.fedoraproject.org