{"id":1811,"date":"2017-05-20T17:37:28","date_gmt":"2017-05-20T15:37:28","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1811"},"modified":"2017-05-23T10:05:40","modified_gmt":"2017-05-23T08:05:40","slug":"imageworsener-multiple-vulnerabilities","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/05\/20\/imageworsener-multiple-vulnerabilities\/","title":{"rendered":"imageworsener: multiple vulnerabilities"},"content":{"rendered":"

Description<\/strong>:
\nimageworsener<\/a> is a utility for image scaling and processing.<\/p>\n

After have fuzzed the 1.3.0 release and have found something already documented in the previous posts, I re-tested the new release and the fuzzer turned up some issues. I don’t know if those issues were present also in the old releases or the recent commits introduced them.<\/p>\n

# imagew $FILE \/tmp\/out -outfmt bmp\r\nsrc\/imagew-cmd.c:850:46: runtime error: division by zero\r\nsrc\/imagew-cmd.c:850:29: runtime error: value inf is outside the range of representable values of type 'int'\r\n<\/font><\/pre>\n
Commit fix:<\/strong>
\nhttps:\/\/github.com\/jsummers\/imageworsener\/commit\/dc49c807926b96e503bd7c0dec35119eecd6c6fe<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00278-imageworsener-fpe-outside-int<\/a>
\nCVE:<\/strong>
\nCVE-2017-9201<\/p>\n
############################<\/p>\n
# imagew $FILE \/tmp\/out -outfmt bmp\r\nsrc\/imagew-cmd.c:854:45: runtime error: division by zero\r\nsrc\/imagew-cmd.c:854:28: runtime error: value inf is outside the range of representable values of type 'int'\r\n<\/font><\/pre>\n
Commit fix:<\/strong>
\nhttps:\/\/github.com\/jsummers\/imageworsener\/commit\/dc49c807926b96e503bd7c0dec35119eecd6c6fe<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00279-imageworsener-fpe-outside-int_2<\/a>
\nCVE:<\/strong>
\nCVE-2017-9202<\/p>\n
############################<\/p>\n
# imagew $FILE \/tmp\/out -outfmt bmp\r\nsrc\/imagew-main.c:960:12: runtime error: index -1 out of bounds for type 'struct iw_channelinfo_out [4]'\r\n<\/font><\/pre>\n
Commit fix:<\/strong>
\nhttps:\/\/github.com\/jsummers\/imageworsener\/commit\/a4f247707f08e322f0b41e82c3e06e224240a654<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00280-imageworsener-oob-iw_channelinfo_out<\/a>
\nCVE:<\/strong>
\nCVE-2017-9203<\/p>\n
############################<\/p>\n
# imagew $FILE \/tmp\/out -outfmt bmp\r\n==29040==ERROR: AddressSanitizer: SEGV on unknown address 0x60b00a000086 (pc 0x7f693a6b6a30 bp 0x7ffc6ae53710 sp 0x7ffc6ae536f0 T0)                  \r\n==29040==The signal is caused by a READ memory access.                                                                                               \r\n    #0 0x7f693a6b6a2f in iw_get_ui16le \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-util.c:405:23              \r\n    #1 0x7f693a6b6a2f in iw_get_ui16_e \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-util.c:435                 \r\n    #2 0x7f693a67d008 in iwjpeg_scan_exif_ifd \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-jpeg.c:130:14       \r\n    #3 0x7f693a67d008 in iwjpeg_scan_exif \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-jpeg.c:182              \r\n    #4 0x7f693a67d008 in iwjpeg_read_saved_markers \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-jpeg.c:205     \r\n    #5 0x7f693a67d008 in iw_read_jpeg_file \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-jpeg.c:430             \r\n    #6 0x7f693a5ed21d in iw_read_file_by_fmt \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-allfmts.c:43:12      \r\n    #7 0x510184 in iwcmd_run \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-cmd.c:1191:6                         \r\n    #8 0x50c1a6 in iwcmd_main \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-cmd.c:3018:7                        \r\n    #9 0x50c1a6 in main \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-cmd.c:3067                                \r\n    #10 0x7f69395f6680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289                          \r\n    #11 0x41b048 in _init (\/usr\/bin\/imagew+0x41b048)\r\n\r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-util.c:405:23 in iw_get_ui16le\r\n==29040==ABORTING\r\n<\/font><\/pre>\n
Commit fix:<\/strong>
\nhttps:\/\/github.com\/jsummers\/imageworsener\/commit\/b45cb1b665a14b0175b9cb1502ef7168e1fe0d5d<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00281-imageworsener-invalidread-iw_get_ui16le<\/a>
\nCVE:<\/strong>
\nCVE-2017-9204<\/p>\n
############################<\/p>\n
# imagew $FILE \/tmp\/out -outfmt bmp\r\n==9730==ERROR: AddressSanitizer: SEGV on unknown address 0x60b0ff100086 (pc 0x7f4178fefadb bp 0x7fffcee12570 sp 0x7fffcee12550 T0)                   \r\n==9730==The signal is caused by a READ memory access.                                                                                                \r\n    #0 0x7f4178fefada in iw_get_ui16be \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-util.c:422:24              \r\n    #1 0x7f4178fefada in iw_get_ui16_e \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-util.c:436                 \r\n    #2 0x7f4178fb6008 in iwjpeg_scan_exif_ifd \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-jpeg.c:130:14       \r\n    #3 0x7f4178fb6008 in iwjpeg_scan_exif \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-jpeg.c:182              \r\n    #4 0x7f4178fb6008 in iwjpeg_read_saved_markers \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-jpeg.c:205     \r\n    #5 0x7f4178fb6008 in iw_read_jpeg_file \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-jpeg.c:430             \r\n    #6 0x7f4178f2621d in iw_read_file_by_fmt \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-allfmts.c:43:12      \r\n    #7 0x510184 in iwcmd_run \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-cmd.c:1191:6                         \r\n    #8 0x50c1a6 in iwcmd_main \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-cmd.c:3018:7                        \r\n    #9 0x50c1a6 in main \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-cmd.c:3067                                \r\n    #10 0x7f4177f2f680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289                          \r\n    #11 0x41b048 in _init (\/usr\/bin\/imagew+0x41b048)                                                                                                 \r\n                                                                                                                                                     \r\nAddressSanitizer can not provide additional info.\r\nSUMMARY: AddressSanitizer: SEGV \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-util.c:422:24 in iw_get_ui16be\r\n==9730==ABORTING\r\n<\/font><\/pre>\n
Commit fix:<\/strong>
\nhttps:\/\/github.com\/jsummers\/imageworsener\/commit\/b45cb1b665a14b0175b9cb1502ef7168e1fe0d5d<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00282-imageworsener-invalidread-iw_get_ui16be<\/a>
\nCVE:<\/strong>
\nCVE-2017-9205<\/p>\n
############################<\/p>\n
# imagew $FILE \/tmp\/out -outfmt bmp\r\n==24197==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000000a70 at pc 0x7f1c90ffbb6b bp 0x7ffd41b1af40 sp 0x7ffd41b1af38            \r\nREAD of size 1 at 0x608000000a70 thread T0                                                                                                           \r\n    #0 0x7f1c90ffbb6a in iw_get_ui16le \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-util.c:405:23              \r\n    #1 0x7f1c90ffbb6a in iw_get_ui16_e \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-util.c:435                 \r\n    #2 0x7f1c90fc2008 in iwjpeg_scan_exif_ifd \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-jpeg.c:130:14       \r\n    #3 0x7f1c90fc2008 in iwjpeg_scan_exif \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-jpeg.c:182              \r\n    #4 0x7f1c90fc2008 in iwjpeg_read_saved_markers \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-jpeg.c:205     \r\n    #5 0x7f1c90fc2008 in iw_read_jpeg_file \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-jpeg.c:430             \r\n    #6 0x7f1c90f3221d in iw_read_file_by_fmt \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-allfmts.c:43:12      \r\n    #7 0x510184 in iwcmd_run \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-cmd.c:1191:6                         \r\n    #8 0x50c1a6 in iwcmd_main \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-cmd.c:3018:7                        \r\n    #9 0x50c1a6 in main \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-cmd.c:3067                                \r\n    #10 0x7f1c8ff3b680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289                          \r\n    #11 0x41b048 in _init (\/usr\/bin\/imagew+0x41b048)                                                                                                 \r\n                                                                                                                                                     \r\nAddress 0x608000000a70 is a wild pointer.\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-util.c:405:23 in iw_get_ui16le\r\n<\/font><\/pre>\n
Commit fix:<\/strong>
\nhttps:\/\/github.com\/jsummers\/imageworsener\/commit\/b45cb1b665a14b0175b9cb1502ef7168e1fe0d5d<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00283-imageworsener-heapoverflow-iw_get_ui16le<\/a>
\nCVE:<\/strong>
\nCVE-2017-9206<\/p>\n
############################<\/p>\n
# imagew $FILE \/tmp\/out -outfmt bmp\r\n==9198==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x608000004070 at pc 0x7ffb620f1b97 bp 0x7fff09707940 sp 0x7fff09707938\r\nREAD of size 1 at 0x608000004070 thread T0\r\n    #0 0x7ffb620f1b96 in iw_get_ui16be \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-util.c:422:24\r\n    #1 0x7ffb620f1b96 in iw_get_ui16_e \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-util.c:436\r\n    #2 0x7ffb620b8008 in iwjpeg_scan_exif_ifd \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-jpeg.c:130:14\r\n    #3 0x7ffb620b8008 in iwjpeg_scan_exif \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-jpeg.c:182\r\n    #4 0x7ffb620b8008 in iwjpeg_read_saved_markers \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-jpeg.c:205\r\n    #5 0x7ffb620b8008 in iw_read_jpeg_file \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-jpeg.c:430\r\n    #6 0x7ffb6202821d in iw_read_file_by_fmt \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-allfmts.c:43:12\r\n    #7 0x510184 in iwcmd_run \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-cmd.c:1191:6\r\n    #8 0x50c1a6 in iwcmd_main \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-cmd.c:3018:7\r\n    #9 0x50c1a6 in main \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-cmd.c:3067\r\n    #10 0x7ffb61031680 in __libc_start_main \/tmp\/portage\/sys-libs\/glibc-2.23-r3\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #11 0x41b048 in _init (\/usr\/bin\/imagew+0x41b048)\r\n\r\nAddress 0x608000004070 is a wild pointer.\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/var\/tmp\/portage\/media-gfx\/imageworsener-1.3.1\/work\/imageworsener-1.3.1\/src\/imagew-util.c:422:24 in iw_get_ui16be\r\n<\/font><\/pre>\n
Commit fix:<\/strong>
\nhttps:\/\/github.com\/jsummers\/imageworsener\/commit\/b45cb1b665a14b0175b9cb1502ef7168e1fe0d5d<\/a>
\nReproducer:<\/strong>
\nhttps:\/\/github.com\/asarubbo\/poc\/blob\/master\/00284-imageworsener-heapoverflow-iw_get_ui16be<\/a>
\nCVE:<\/strong>
\nCVE-2017-9207<\/p>\n
############################<\/p>\n
Affected version:<\/strong>
\n1.3.1<\/p>\n
Fixed version:<\/strong>
\n1.3.2 (not released atm)<\/p>\n
Credit:<\/strong>
\nThese bugs were discovered by Agostino Sarubbo of Gentoo.<\/p>\n
Timeline:<\/strong>
\n2017-05-10: bugs discovered and reported to upstream
\n2017-05-20: blog post about the issue
\n2017-05-23: CVE assigned<\/p>\n
Note:<\/strong>
\nThese bugs were found with American Fuzzy Lop<\/a>.<\/p>\n
Permalink:<\/strong><\/p>\n
imageworsener: multiple vulnerabilities<\/a><\/p><\/blockquote>\n