Monthly Archives: April 2017

elfutils: heap-based buffer overflow in check_symtab_shndx (elflint.c)

Description: elfutils is a set of libraries/utilities to handle ELF objects (a drop-in replacement for libelf). A fuzz on eu-elflint showed a heap overflow. The complete ASan output: # eu-elflint -d $FILE ==14342==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd0 at pc …

Posted in advisories, security

elfutils: heap-based buffer overflow in check_group (elflint.c)

Description: elfutils is a set of libraries/utilities to handle ELF objects (a drop-in replacement for libelf). A fuzz on eu-elflint showed a heap overflow. The complete ASan output: # eu-elflint -d $FILE ==12804==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60200000efd0 at pc …

Posted in advisories, security

elfutils: memory allocation failure in __libelf_decompress (elf_compress.c)

Description: elfutils is a set of libraries/utilities to handle ELF objects (a drop-in replacement for libelf). A fuzz on eu-readelf showed a memory allocation failure. Feedback from upstream follows: That is slightly tricky. We do have to trust …

Posted in advisories, security

elfutils: heap-based buffer overflow in ebl_object_note_type_name (eblobjnotetypename.c)

Description: elfutils is a set of libraries/utilities to handle ELF objects (a drop-in replacement for libelf). A fuzz on eu-readelf showed a heap overflow. Feedback from upstream follows: Nice find. The issue is with notes that have a …

Posted in advisories, security

elfutils: heap-based buffer overflow in handle_gnu_hash (readelf.c)

Description: elfutils is a set of libraries/utilities to handle ELF objects (a drop-in replacement for libelf). A fuzz on eu-readelf showed a heap overflow. The complete ASan output: # eu-readelf -a $FILE ==1855==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x611000009ffc at pc …

Posted in advisories, security

imagemagick: undefined behavior in coders/rle.c

Description: imagemagick is a software suite to create, edit, compose, or convert bitmap images. A fuzz with the upstream security policy enabled, a quantum of 32 and the undefined behavior sanitizer discovered this bug. # identify $FILE coders/rle.c:274:18: runtime error: …

Posted in advisories, security

libaacplus: signed integer overflow, left shift and assertion failure

Description: libaacplus is a HE-AAC+ v2 library, based on the reference implementation. While fuzzing it I found some crashes. Upstream was poked on 2017-03-12, but there has been no response from him. # aacplusenc $FILE out.aac 24000 s au_channel.h:31:91: runtime error: signed integer …

Posted in advisories, security

libtiff: multiple UBSAN crashes

Description: Libtiff is a library that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. A fuzz with the undefined behavior sanitizer revealed some crashes. # tiffcp -i $FILE /tmp/foo runtime error: …

Posted in advisories, security

libtiff: divide-by-zero in JPEGSetupEncode (tiff_jpeg.c)

Description: Libtiff is a library that provides support for the Tag Image File Format (TIFF), a widely used format for storing image data. A crafted tiff can crash the library. The complete ASan output: # tiffcp -i $FILE /tmp/out ==28692==ERROR: …

Posted in advisories, security