{"id":1965,"date":"2017-08-09T19:34:23","date_gmt":"2017-08-09T17:34:23","guid":{"rendered":"http:\/\/blogs.gentoo.org\/ago\/?p=1965"},"modified":"2017-08-17T22:02:48","modified_gmt":"2017-08-17T20:02:48","slug":"libfpx-heap-based-buffer-overflow-in-olestreamwritevt_lpstr-olestrm-cpp","status":"publish","type":"post","link":"https:\/\/blogs.gentoo.org\/ago\/2017\/08\/09\/libfpx-heap-based-buffer-overflow-in-olestreamwritevt_lpstr-olestrm-cpp\/","title":{"rendered":"libfpx: heap-based buffer overflow in OLEStream::WriteVT_LPSTR (olestrm.cpp)"},"content":{"rendered":"<p><strong>Description<\/strong>:<br \/>\n<a href=\"http:\/\/www.i3a.org\/\">libfpx<\/a> is a library for manipulating FlashPIX images.<\/p>\n<p>I&#8217;m aware that the link to the upstream website does not work. I&#8217;m keeping it as well because in the future the upstream website could appear again.<br \/>\nLibfpx is not actively developed, I contacted the imagemagick project if they were available to patch security issues, but they said the they are only accepting patches and push new releases.<br \/>\nThis issue was found using the gm command line tool of graphicsmagick.<\/p>\n<p>The complete ASan output of the issue:<\/p>\n<pre><font size=\"2\"># gm identify $FILE\r\n==11148==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000001cd1 at pc 0x00000043ebe2 bp 0x7ffc6fa94b20 sp 0x7ffc6fa942d0\r\nREAD of size 2 at 0x602000001cd1 thread T0\r\n    #0 0x43ebe1 in __interceptor_strlen \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.1\/work\/compiler-rt-4.0.1.src\/lib\/asan\/..\/sanitizer_common\/sanitizer_common_interceptors.inc:284\r\n    #1 0x7fd59be76493 in OLEStream::WriteVT_LPSTR(char*) \/var\/tmp\/portage\/media-libs\/libfpx-1.3.1_p6\/work\/libfpx-1.3.1-6\/ole\/olestrm.cpp:1472\r\n    #2 0x7fd59be72e06 in OLEPropertySection::Write() \/var\/tmp\/portage\/media-libs\/libfpx-1.3.1_p6\/work\/libfpx-1.3.1-6\/ole\/oleprops.cpp:477\r\n    #3 0x7fd59be73101 in OLEPropertySet::Commit() \/var\/tmp\/portage\/media-libs\/libfpx-1.3.1_p6\/work\/libfpx-1.3.1-6\/ole\/oleprops.cpp:131\r\n    #4 0x7fd59be4da36 in PFlashPixFile::Commit() \/var\/tmp\/portage\/media-libs\/libfpx-1.3.1_p6\/work\/libfpx-1.3.1-6\/fpx\/fpxformt.cpp:581\r\n    #5 0x7fd59be4da8f in PFlashPixFile::~PFlashPixFile() \/var\/tmp\/portage\/media-libs\/libfpx-1.3.1_p6\/work\/libfpx-1.3.1-6\/fpx\/fpxformt.cpp:276\r\n    #6 0x7fd59be4db78 in PFlashPixFile::~PFlashPixFile() \/var\/tmp\/portage\/media-libs\/libfpx-1.3.1_p6\/work\/libfpx-1.3.1-6\/fpx\/fpxformt.cpp:306\r\n    #7 0x7fd59be79ed3 in PHierarchicalImage::~PHierarchicalImage() \/var\/tmp\/portage\/media-libs\/libfpx-1.3.1_p6\/work\/libfpx-1.3.1-6\/ri_image\/ph_image.cpp:168\r\n    #8 0x7fd59be49c38 in PFileFlashPixIO::~PFileFlashPixIO() \/var\/tmp\/portage\/media-libs\/libfpx-1.3.1_p6\/work\/libfpx-1.3.1-6\/fpx\/f_fpxio.cpp:277\r\n    #9 0x7fd59be536a5 in PFlashPixImageView::~PFlashPixImageView() \/var\/tmp\/portage\/media-libs\/libfpx-1.3.1_p6\/work\/libfpx-1.3.1-6\/fpx\/fpximgvw.cpp:519\r\n    #10 0x7fd59be536b8 in PFlashPixImageView::~PFlashPixImageView() \/var\/tmp\/portage\/media-libs\/libfpx-1.3.1_p6\/work\/libfpx-1.3.1-6\/fpx\/fpximgvw.cpp:532\r\n    #11 0x7fd59be5529e in FPX_CloseImage \/var\/tmp\/portage\/media-libs\/libfpx-1.3.1_p6\/work\/libfpx-1.3.1-6\/fpx\/fpxlibio.cpp:766\r\n    #12 0x7fd59c0c7bf4 in ReadFPXImage \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.26\/work\/GraphicsMagick-1.3.26\/coders\/fpx.c:344:14\r\n    #13 0x7fd5a193ee2b in ReadImage \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.26\/work\/GraphicsMagick-1.3.26\/magick\/constitute.c:1607:13\r\n    #14 0x7fd5a193be8c in PingImage \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.26\/work\/GraphicsMagick-1.3.26\/magick\/constitute.c:1370:9\r\n    #15 0x7fd5a1807ae5 in IdentifyImageCommand \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.26\/work\/GraphicsMagick-1.3.26\/magick\/command.c:8379:17\r\n    #16 0x7fd5a180e065 in MagickCommand \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.26\/work\/GraphicsMagick-1.3.26\/magick\/command.c:8869:17\r\n    #17 0x7fd5a18b97fb in GMCommandSingle \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.26\/work\/GraphicsMagick-1.3.26\/magick\/command.c:17396:10\r\n    #18 0x7fd5a18b6931 in GMCommand \/var\/tmp\/portage\/media-gfx\/graphicsmagick-1.3.26\/work\/GraphicsMagick-1.3.26\/magick\/command.c:17449:16\r\n    #19 0x7fd5a0121680 in __libc_start_main \/var\/tmp\/portage\/sys-libs\/glibc-2.23-r4\/work\/glibc-2.23\/csu\/..\/csu\/libc-start.c:289\r\n    #20 0x419cd8 in _init (\/usr\/bin\/gm+0x419cd8)\r\n\r\n0x602000001cd1 is located 0 bytes to the right of 1-byte region [0x602000001cd0,0x602000001cd1)\r\nallocated by thread T0 here:\r\n    #0 0x4cf688 in malloc \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.1\/work\/compiler-rt-4.0.1.src\/lib\/asan\/asan_malloc_linux.cc:66\r\n    #1 0x7fd59bac5337 in operator new(unsigned long) (\/usr\/lib\/gcc\/x86_64-pc-linux-gnu\/6.4.0\/libstdc++.so.6+0xb2337)\r\n\r\nSUMMARY: AddressSanitizer: heap-buffer-overflow \/var\/tmp\/portage\/sys-libs\/compiler-rt-sanitizers-4.0.1\/work\/compiler-rt-4.0.1.src\/lib\/asan\/..\/sanitizer_common\/sanitizer_common_interceptors.inc:284 in __interceptor_strlen\r\nShadow bytes around the buggy address:\r\n  0x0c047fff8340: fa fa 01 fa fa fa 00 06 fa fa fd fa fa fa fd fa\r\n  0x0c047fff8350: fa fa fd fa fa fa 00 fa fa fa 00 05 fa fa fd fa\r\n  0x0c047fff8360: fa fa fd fa fa fa 00 00 fa fa 04 fa fa fa fd fd\r\n  0x0c047fff8370: fa fa fd fa fa fa fd fa fa fa fd fd fa fa fd fa\r\n  0x0c047fff8380: fa fa fd fa fa fa fd fd fa fa 01 fa fa fa 00 00\r\n=&gt;0x0c047fff8390: fa fa fd fa fa fa fd fa fa fa[01]fa fa fa fd fd\r\n  0x0c047fff83a0: fa fa 00 00 fa fa 00 04 fa fa fa fa fa fa fa fa\r\n  0x0c047fff83b0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff83c0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff83d0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\n  0x0c047fff83e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\r\nShadow byte legend (one shadow byte represents 8 application bytes):\r\n  Addressable:           00\r\n  Partially addressable: 01 02 03 04 05 06 07 \r\n  Heap left redzone:       fa\r\n  Freed heap region:       fd\r\n  Stack left redzone:      f1\r\n  Stack mid redzone:       f2\r\n  Stack right redzone:     f3\r\n  Stack after return:      f5\r\n  Stack use after scope:   f8\r\n  Global redzone:          f9\r\n  Global init order:       f6\r\n  Poisoned by user:        f7\r\n  Container overflow:      fc\r\n  Array cookie:            ac\r\n  Intra object redzone:    bb\r\n  ASan internal:           fe\r\n  Left alloca redzone:     ca\r\n  Right alloca redzone:    cb\r\n==11148==ABORTING\r\n<\/font><\/pre>\n<p><strong>Affected version:<\/strong><br \/>\n1.3.1_p6<\/p>\n<p><strong>Fixed version:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Commit fix:<\/strong><br \/>\nN\/A<\/p>\n<p><strong>Credit:<\/strong><br \/>\nThis bug was discovered by Agostino Sarubbo of Gentoo.<\/p>\n<p><strong>CVE:<\/strong><br \/>\nCVE-2017-12919<\/p>\n<p><strong>Reproducer:<\/strong><br \/>\n<a href=\"https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00309-libfpx-heapoverflow-OLEStream_WriteVT_LPSTR\">https:\/\/github.com\/asarubbo\/poc\/blob\/master\/00309-libfpx-heapoverflow-OLEStream_WriteVT_LPSTR<\/a><\/p>\n<p><strong>Timeline:<\/strong><br \/>\n2017-08-01: bug discovered<br \/>\n2017-08-09: blog post about the issue<br \/>\n2017-08-17: CVE assigned<\/p>\n<p><strong>Note:<\/strong><br \/>\nThis bug was found with <a href=\"http:\/\/lcamtuf.coredump.cx\/afl\">American Fuzzy Lop<\/a>.<br \/>\nThis bug was identified with bare metal servers donated by <a href=\"https:\/\/www.packet.net\/\">Packet<\/a>. This work is also supported by the <a href=\"https:\/\/www.coreinfrastructure.org\">Core Infrastructure Initiative<\/a>.<\/p>\n<p><strong>Permalink:<\/strong><\/p>\n<blockquote data-secret=\"4wXyiI8a6o\" class=\"wp-embedded-content\"><p><a href=\"http:\/\/blogs.gentoo.org\/ago\/2017\/08\/09\/libfpx-heap-based-buffer-overflow-in-olestreamwritevt_lpstr-olestrm-cpp\/\">libfpx: heap-based buffer overflow in OLEStream::WriteVT_LPSTR (olestrm.cpp)<\/a><\/p><\/blockquote>\n<p><iframe class=\"wp-embedded-content\" sandbox=\"allow-scripts\" security=\"restricted\" style=\"position: absolute; clip: rect(1px, 1px, 1px, 1px);\" src=\"http:\/\/blogs.gentoo.org\/ago\/2017\/08\/09\/libfpx-heap-based-buffer-overflow-in-olestreamwritevt_lpstr-olestrm-cpp\/embed\/#?secret=4wXyiI8a6o\" data-secret=\"4wXyiI8a6o\" width=\"600\" height=\"338\" title=\"&#8220;libfpx: heap-based buffer overflow in OLEStream::WriteVT_LPSTR (olestrm.cpp)&#8221; &#8212; agostino&#039;s blog\" frameborder=\"0\" marginwidth=\"0\" marginheight=\"0\" scrolling=\"no\"><\/iframe><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Description: libfpx is a library for manipulating FlashPIX images. I&#8217;m aware that the link to the upstream website does not work. I&#8217;m keeping it as well because in the future the upstream website could appear again. Libfpx is not actively &hellip; <a href=\"https:\/\/blogs.gentoo.org\/ago\/2017\/08\/09\/libfpx-heap-based-buffer-overflow-in-olestreamwritevt_lpstr-olestrm-cpp\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":140,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"spay_email":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[12,10],"tags":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p2EaBc-vH","_links":{"self":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1965"}],"collection":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/users\/140"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/comments?post=1965"}],"version-history":[{"count":8,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1965\/revisions"}],"predecessor-version":[{"id":2037,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/posts\/1965\/revisions\/2037"}],"wp:attachment":[{"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/media?parent=1965"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/categories?post=1965"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.gentoo.org\/ago\/wp-json\/wp\/v2\/tags?post=1965"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}