[multi] exifprobe-multi-memory-error in exifprobe.2.0.1 && Cve Request
ChenQin
chenqin at topsec.com.cn
Tue Dec 29 09:31:52 UTC 2015
A non-text attachment was scrubbed...
Name: bug1_3
Type: application/octet-stream
Size: 1600 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20151229/f1db650f/attachment-0002.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bug2_4
Type: application/octet-stream
Size: 1527 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-multimedia-maintainers/attachments/20151229/f1db650f/attachment-0003.obj>
-------------- next part --------------
product: exifprobe
tag: security
affected version: only tested 2.0.1 (latest)
reproduce:
exifprobe bug1_3
exifprobe bug2_4
CASE1: SEGV
@0x000031c=796 : **** next IFD offset 53620784 (+ 12 = 0x332303c/53620796)
@0x0000320=800 : ============= VALUES, EXIF IFD ============
@0x0000348=840 : ExposureTime = 0 sec
@0x0000350=848 : FNumber = 4.33 APEX = 'f4.5'
@0x002000c=131084 : TAG_0x2582 = FAILED to read unsigned short value at offset 131084 (EOF)
@0x0000320=800 : DateTimeOriginal = '6:03:11 14:49:13A\372\377\373'
@0x0000334=820 : DateTimeDigitized = '\0\0\0d\0\0\002\241\0\0\0d\0\0\001\261\0\0\0d'
@0x0000358=856 : TAG_0xb23f = 1
@0x0000360=864 : ShutterSpeedValue = 1 APEX = '0.5 sec'
@0x0000368=872 : ApertureValue = 1.00392 APEX = 'f1.4'
@0x0000370=880 : ExposureBiasValue = 13.3027 APEX
@0x0000378=888 : MaxApertureValue = 0.741181 APEX = 'f1.3'
@0x002000c=131084 : MeteringMode = FAILED to read unsigned short value at offset 131084 (EOF)
@0x0000380=896 : FocalLength = 11.8355 mm
ASAN:SIGSEGV
=================================================================
==13382== ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fc4b52d75c8 sp 0x7ffffb00e640 bp 0x7ffffb00e690 T0)
AddressSanitizer can not provide additional info.
#0 0x7fc4b52d75c7 (/usr/lib/x86_64-linux-gnu/libasan.so.0.0.0+0x105c7)
#1 0x474953 (/usr/bin/exifprobe+0x474953)
#2 0x4448f3 (/usr/bin/exifprobe+0x4448f3)
#3 0x43c6bd (/usr/bin/exifprobe+0x43c6bd)
#4 0x4478bc (/usr/bin/exifprobe+0x4478bc)
#5 0x44a56d (/usr/bin/exifprobe+0x44a56d)
#6 0x403a5c (/usr/bin/exifprobe+0x403a5c)
#7 0x7fc4b4c15a3f (/lib/x86_64-linux-gnu/libc-2.21.so+0x20a3f)
#8 0x405d68 (/usr/bin/exifprobe+0x405d68)
==13382== ABORTING
CASE2: global-buffer-overflow
@0x00005e0=1504 : <0x0100= 256> ImageWidth [6 =SBYTE 4093772288] = @0x400000c=67108876
FAILED to read 4 unsigned bytes at offset 1524 (EOF)
=================================================================
==29216== ERROR: AddressSanitizer: global-buffer-overflow on address 0x000000503260 at pc 0x409a54 bp 0x7ffff05c1960 sp 0x7ffff05c1958
READ of size 4 at 0x000000503260 thread T0
#0 0x409a53 (/usr/bin/exifprobe+0x409a53)
#1 0x44357f (/usr/bin/exifprobe+0x44357f)
#2 0x43c6bd (/usr/bin/exifprobe+0x43c6bd)
#3 0x4478bc (/usr/bin/exifprobe+0x4478bc)
#4 0x44a56d (/usr/bin/exifprobe+0x44a56d)
#5 0x403a5c (/usr/bin/exifprobe+0x403a5c)
#6 0x7f0862268a3f (/lib/x86_64-linux-gnu/libc-2.21.so+0x20a3f)
#7 0x405d68 (/usr/bin/exifprobe+0x405d68)
0x000000503261 is located 0 bytes to the right of global variable '*.LC22 (readfile.c)' (0x503260) of size 1
'*.LC22 (readfile.c)' is ascii string ''
Shadow bytes around the buggy address:
0x0000800985f0: 00 00 00 00 00 06 f9 f9 f9 f9 f9 f9 00 00 00 00
0x000080098600: 00 01 f9 f9 f9 f9 f9 f9 00 00 00 00 00 00 07 f9
0x000080098610: f9 f9 f9 f9 00 00 00 00 00 00 02 f9 f9 f9 f9 f9
0x000080098620: 00 00 00 00 00 00 02 f9 f9 f9 f9 f9 00 00 00 00
0x000080098630: 00 00 02 f9 f9 f9 f9 f9 05 f9 f9 f9 f9 f9 f9 f9
=>0x000080098640: 00 00 00 00 00 04 f9 f9 f9 f9 f9 f9[01]f9 f9 f9
0x000080098650: f9 f9 f9 f9 00 00 00 00 00 00 00 f9 f9 f9 f9 f9
0x000080098660: 00 00 00 00 00 07 f9 f9 f9 f9 f9 f9 00 00 00 00
0x000080098670: 00 06 f9 f9 f9 f9 f9 f9 00 00 00 00 00 05 f9 f9
0x000080098680: f9 f9 f9 f9 00 00 00 00 05 f9 f9 f9 f9 f9 f9 f9
0x000080098690: 00 00 00 04 f9 f9 f9 f9 00 00 00 06 f9 f9 f9 f9
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap righ redzone: fb
Freed Heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
ASan internal: fe
==29216== ABORTING
—
Chen Qin / Topsec Product Security Team
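Added example (editor's code, not exifprobe's): a bounds-checked TIFF IFD walk illustrating the defensive pattern both traces call for, where every read returns a status and an offset or count past EOF ends parsing instead of being trusted. It assumes a little-endian TIFF held in memory and the standard TIFF type-size table; the sample buffer is constructed here and mirrors the CASE1 next-IFD offset 53620784.

```c
/* Added example, not exifprobe's own code. Both traces show a read past EOF being
 * logged ("FAILED to read ... (EOF)") while parsing continues, then a caller using
 * the failed result (NULL -> SEGV; a 1-byte "" literal -> 4-byte read). Here every
 * read returns a status, and an offset or count past EOF ends the walk. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
static const uint8_t TYPE_SIZE[13] = {0,1,1,2,4,8,1,1,2,4,8,4,8}; /* TIFF types 1..12 */
/* Little-endian reads that fail instead of touching bytes past len. */
static int rd_u16(const uint8_t *b, size_t len, size_t off, uint16_t *out) {
    if (off > len || len - off < 2) return 0;
    *out = (uint16_t)(b[off] | b[off + 1] << 8);
    return 1;
}
static int rd_u32(const uint8_t *b, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 4) return 0;
    *out = (uint32_t)b[off] | (uint32_t)b[off + 1] << 8 | (uint32_t)b[off + 2] << 16 | (uint32_t)b[off + 3] << 24;
    return 1;
}
/* Returns how many IFDs of a little-endian TIFF in memory were read completely.
 * *bad = 1 if the walk stopped on an offset, count or value past EOF,
 * 0 if it ended normally on a zero next-IFD pointer. */
int walk_ifds(const uint8_t *b, size_t len, int *bad) {
    uint32_t off, prev = 0, cnt, v; uint16_t n, type;
    int count = 0; *bad = 1;
    if (len < 8 || memcmp(b, "II*\0", 4) || !rd_u32(b, len, 4, &off)) return count;
    while (off != 0) {
        if (off <= prev || !rd_u16(b, len, off, &n)) return count;   /* loop or EOF */
        if ((size_t)n * 12 + 6 > len - off) return count;            /* IFD truncated */
        for (uint16_t i = 0; i < n; i++) {
            size_t e = (size_t)off + 2 + (size_t)i * 12, doff = e + 8; /* entry; inline value */
            rd_u16(b, len, e + 2, &type); rd_u32(b, len, e + 4, &cnt);
            if (type < 1 || type > 12) return count;
            uint64_t bytes = (uint64_t)cnt * TYPE_SIZE[type];        /* no 32-bit wrap */
            if (bytes > 4) { rd_u32(b, len, e + 8, &v); doff = v; }  /* value lives at offset */
            if (bytes > len || doff > len - bytes) return count;     /* value past EOF */
        }
        count++; prev = off;
        if (!rd_u32(b, len, (size_t)off + 2 + (size_t)n * 12, &off)) return count;
    }
    *bad = 0;
    return count;
}
/* Constructed input mirroring CASE1: next-IFD pointer 53620784 (0x3323030) in a 26-byte file. */
static const uint8_t BAD_NEXT[] = {
    'I','I',0x2A,0, 8,0,0,0,                 /* header: "II", 42, IFD0 at offset 8 */
    1,0, 0x00,0x01, 3,0, 1,0,0,0, 64,0,0,0,  /* 1 entry: ImageWidth, SHORT, count 1, value 64 */
    0x30,0x30,0x32,0x03 };                   /* next IFD = 0x03323030, far past EOF */
int demo_bad_next(int *bad) { return walk_ifds(BAD_NEXT, sizeof BAD_NEXT, bad); }
```

The walk returns the one complete IFD and flags the chain as truncated rather than following the pointer; the same check stops a CASE2-style entry whose count times type size exceeds the file.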