Description:
Paps is a UTF-8 to PostScript converter that makes use of Pango. It provides both a standalone command-line tool and a library.
It was discovered that an empty (or suitably crafted) input file causes a heap-based buffer overflow: the ASan report below shows a one-byte read immediately to the left of a heap allocation inside read_file().
Apparently, the project has not had a release since 2007 and seems to be dead, but I have just discovered that it has silently moved to GitHub, where the PR has been sent.
The complete ASan output:
# paps $crafted.file
=================================================================
==30527==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000dfaf at pc 0x0000004e122d bp 0x7ffd8f3dfe90 sp 0x7ffd8f3dfe88
READ of size 1 at 0x60200000dfaf thread T0
    #0 0x4e122c in read_file /tmp/portage/app-text/paps-0.6.8-r1/work/paps-0.6.8/src/paps.c:573:7
    #1 0x4e122c in main /tmp/portage/app-text/paps-0.6.8-r1/work/paps-0.6.8/src/paps.c:493
    #2 0x7fd8aff707af in __libc_start_main (/lib64/libc.so.6+0x207af)
    #3 0x436968 in _start (/usr/bin/paps+0x436968)

0x60200000dfaf is located 1 bytes to the left of 4-byte region [0x60200000dfb0,0x60200000dfb4)
allocated by thread T0 here:
    #0 0x4bdc75 in realloc (/usr/bin/paps+0x4bdc75)
    #1 0x7fd8b111c35d in g_realloc (/usr/lib64/libglib-2.0.so.0+0x4e35d)

SUMMARY: AddressSanitizer: heap-buffer-overflow /tmp/portage/app-text/paps-0.6.8-r1/work/paps-0.6.8/src/paps.c:573 read_file
Shadow bytes around the buggy address:
  0x0c047fff9ba0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bc0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9bd0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c047fff9be0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c047fff9bf0: fa fa fa fa fa[fa]04 fa fa fa 00 02 fa fa 00 02
  0x0c047fff9c00: fa fa fd fd fa fa fd fd fa fa fd fd fa fa fd fa
  0x0c047fff9c10: fa fa fd fa fa fa 00 00 fa fa 00 00 fa fa 00 00
  0x0c047fff9c20: fa fa 00 00 fa fa 00 fa fa fa 00 00 fa fa fd fa
  0x0c047fff9c30: fa fa fd fa fa fa fd fa fa fa 00 00 fa fa 00 00
  0x0c047fff9c40: fa fa 00 fa fa fa 00 00 fa fa 00 00 fa fa 00 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:     fa
  Heap right redzone:    fb
  Freed heap region:     fd
  Stack left redzone:    f1
  Stack mid redzone:     f2
  Stack right redzone:   f3
  Stack partial redzone: f4
  Stack after return:    f5
  Stack use after scope: f8
  Global redzone:        f9
  Global init order:     f6
  Poisoned by user:      f7
  Container overflow:    fc
  Array cookie:          ac
  Intra object redzone:  bb
  ASan internal:         fe
  Left alloca redzone:   ca
  Right alloca redzone:  cb
==30527==ABORTING
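The report says read_file() performed a READ of size 1 exactly one byte to the left of a 4-byte heap region that came from g_realloc, and the trigger is an empty file. That signature fits a trailing-newline strip written as text[strlen(text) - 1] with no emptiness check: on an empty string the index is SIZE_MAX, so the access lands at text[-1], in the heap left redzone. The C program below is an added example and not paps' own source; that paps.c:573 is literally this statement is an assumption. It slurps a constructed in-memory input into a realloc-grown buffer, reproduces the unchecked strip, and puts the guarded form beside it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not code from paps. It reconstructs the bug class that the
 * ASan report points at: input is slurped into a heap buffer that grows with
 * realloc (like a GString), then the trailing '\n' is stripped by indexing
 * strlen(text) - 1. With an empty file strlen() is 0 and the index wraps, so
 * the read hits the byte just before the allocation. Whether paps.c:573 is
 * exactly this statement is an assumption; the pattern is the point.
 */

/* Slurp n bytes into a NUL-terminated heap buffer. The input is a byte array
 * (constructed sample data), so the example runs without a file on disk. */
static char *slurp(const unsigned char *data, size_t n)
{
    size_t cap = 4;                       /* small initial size; realloc(NULL, n) == malloc(n) */
    char *buf = realloc(NULL, cap);
    if (buf == NULL)
        return NULL;
    size_t len = 0;
    for (size_t i = 0; i < n; i++) {
        if (len + 2 > cap) {              /* keep room for this byte plus the NUL */
            cap *= 2;
            char *tmp = realloc(buf, cap);
            if (tmp == NULL) {
                free(buf);
                return NULL;
            }
            buf = tmp;
        }
        buf[len++] = (char)data[i];
    }
    buf[len] = '\0';
    return buf;
}

/* Vulnerable form: len - 1 is computed and dereferenced even when len == 0.
 * On an empty string this reads text[-1], one byte left of the allocation,
 * which is what ASan reports as a heap-buffer-overflow READ of size 1. */
char *strip_newline_unchecked(char *text)
{
    size_t len = strlen(text);
    if (text[len - 1] == '\n')
        text[len - 1] = '\0';
    return text;
}

/* Fixed form: the emptiness test comes first, and && short-circuits before
 * the out-of-range index is ever formed. */
char *strip_newline_checked(char *text)
{
    size_t len = strlen(text);
    if (len > 0 && text[len - 1] == '\n')
        text[len - 1] = '\0';
    return text;
}

/* Read a constructed input and return the text a converter would hand on to
 * layout. use_fix selects the guarded strip. Caller frees the result. */
char *read_input(const unsigned char *data, size_t n, int use_fix)
{
    char *text = slurp(data, n);
    if (text == NULL)
        return NULL;
    return use_fix ? strip_newline_checked(text) : strip_newline_unchecked(text);
}

int main(void)
{
    static const unsigned char line[] = "hello\n";     /* constructed sample input */

    char *t = read_input(line, sizeof line - 1, 1);
    printf("fixed, \"hello\\n\" -> \"%s\" (len %zu)\n", t, strlen(t));
    free(t);

    t = read_input(line, 0, 1);                          /* empty file, guarded path */
    printf("fixed, empty file -> \"%s\" (len %zu)\n", t, strlen(t));
    free(t);

    /* Build with -fsanitize=address and enable the next two lines to get the
     * same report as above: READ of size 1 located 1 byte to the left of a
     * 4-byte region allocated by realloc. */
    /* t = read_input(line, 0, 0); */
    /* free(t); */
    return 0;
}
```

Compile with `cc -g -fsanitize=address` and un-comment the empty-file call to the unchecked path to see the crash; an ordinary build will usually read a byte of allocator metadata and carry on silently, which is why this only surfaced under a sanitizer and a fuzzer. The entire fix is the `len > 0 &&` guard: the same idiom applies to any "look at the last byte" check on data whose length an attacker controls, including a length of zero.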
Affected version:
All versions.
Fixed version:
0.6.8-r2 (in Gentoo)
Commit fix:
https://gitweb.gentoo.org/repo/gentoo.git/tree/app-text/paps/files/paps-0.6.8-fix-empty-file.patch
Credit:
This bug was discovered by Agostino Sarubbo of Gentoo.
This bug was fixed by Jason A. Donenfeld of Gentoo.
Timeline:
2015-06-09: bug discovered
2015-11-17: bug reported downstream (Gentoo)
2016-07-12: fix produced downstream
2016-07-28: blog post about the issue
Note:
This bug was found with American Fuzzy Lop.