
CVE-2008-1373: CUPS GIF image filter overflow #2765

Closed
michaelrsweet opened this issue Mar 20, 2008 · 4 comments

@michaelrsweet (Collaborator) commented Mar 20, 2008

Version: 1.3.6
CUPS.org User: mike

Hi!

It seems that CVE-2006-4484 strikes back once again. The GIF filter used
by CUPS seems to have a similar issue to the one fixed earlier this year and
back in 2006 in CVE-2006-4484 (gd), CVE-2007-6697 (SDL_image),
CVE-2008-0553 (tk) and CVE-2008-0554 (netpbm).

The value of code_size is read from the GIF image, but not properly validated
before being used to initialize the table array in gif_read_lzw(). clear_code,
used as the upper bound in the for loop, is a short, hence the overflow is limited to
~16k - 4k short int values. Moreover, the attacker has limited control
over the values written past the end of the buffer.

Attached are the reproducer (based on the one used in the SDL_image advisory
[1], but modified to compensate for clear_code being a short) and a
possible patch, similar to what's used in gd / netpbm / tk / SDL_image.

[1] http://marc.info/?l=bugtraq&m=120110205511630&w=4

We propose next Wednesday, March 26th, 14:00 UTC as an embargo date.
Is that ok for everyone?

-- Tomas Hoger / Red Hat Security Response Team
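To make the missing check concrete, here is a constructed C reimplementation of the table setup the report describes (added here; it is not CUPS code and the names gif_lzw_state_t, gif_lzw_init and gif_lzw_clear_code_for are assumptions): it bounds code_size before clear_code is derived from it and used to size the loop, and it also rejects EOF from getc(), which an upper bound alone would let through.

```c
#include <stdio.h>

/* Constructed example, not CUPS code: the LZW tables hold 4096 shorts
 * because a GIF LZW code is at most 12 bits wide. */
#define GIF_MAX_BITS   12
#define GIF_TABLE_SIZE (1 << GIF_MAX_BITS)

typedef short gif_table_t[GIF_TABLE_SIZE];

typedef struct
{
  int         code_size;  /* minimum LZW code size from the image data */
  int         clear_code; /* 1 << code_size */
  int         end_code;   /* clear_code + 1 */
  gif_table_t table[2];   /* prefix / suffix tables */
} gif_lzw_state_t;

/* Validate code_size and initialize the tables; returns 0 on success,
 * -1 if code_size would make clear_code exceed the table size.
 * getc() yields EOF (-1) on a truncated file, so the lower bound matters
 * as much as the upper one. */
int gif_lzw_init(gif_lzw_state_t *st, int code_size)
{
  int i;
  if (code_size < 1 || code_size > GIF_MAX_BITS)
    return (-1);

  st->code_size  = code_size;
  st->clear_code = 1 << code_size;
  st->end_code   = st->clear_code + 1;

  /* clear_code <= GIF_TABLE_SIZE here, so the loop stays in bounds. */
  for (i = 0; i < st->clear_code; i++)
  {
    st->table[0][i] = 0;
    st->table[1][i] = (short)i;
  }
  return (0);
}

/* The clear code a decoder would use for code_size, or -1 if rejected. */
int gif_lzw_clear_code_for(int code_size)
{
  static gif_lzw_state_t st;
  return (gif_lzw_init(&st, code_size) < 0 ? -1 : st.clear_code);
}
```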

@michaelrsweet (Collaborator, Author) commented Mar 25, 2008

CUPS.org User: mike

Updated patch attached (CUPS coding style...)

@michaelrsweet (Collaborator, Author) commented Apr 1, 2008

CUPS.org User: mike

Fixed in Subversion repository.

@michaelrsweet (Collaborator, Author) commented Apr 1, 2008

"cups-CVE-2008-1373.patch":

--- image-gif.c.orig 2008-03-20 09:42:12.000000000 +0100
+++ image-gif.c 2008-03-20 09:41:19.000000000 +0100
@@ -38,6 +38,8 @@
#define GIF_INTERLACE 0x40
#define GIF_COLORMAP 0x80

+#define MAX_LWZ_BITS 12
+
typedef cups_ib_t gif_cmap_t[256][4];
typedef short gif_table_t[4096];

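Review bot: `MAX_LWZ_BITS` breaks from the `GIF_` prefix that every neighbouring macro in this header uses (`GIF_INTERLACE`, `GIF_COLORMAP`); naming it `GIF_MAX_BITS` keeps the namespace consistent. A one-line comment stating that 12 is chosen because `gif_table_t` holds `4096 == 1 << 12` entries would also tell whoever resizes the table later that the bound has to move with it.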
@@ -462,6 +464,9 @@ gif_read_image(FILE fp, / I -
pass = 0;
code_size = getc(fp);

  • if (code_size > MAX_LWZ_BITS)
  • return (-1);

if (!pixels)
return (-1);

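Review bot: the new check only bounds `code_size` from above, but `getc(fp)` returns `EOF` (-1) on a truncated file and that value passes `code_size > MAX_LWZ_BITS` untouched; if `code_size` is a signed int, reject values below 1 as well, e.g. `if (code_size < 1 || code_size > MAX_LWZ_BITS)`. The two back-to-back `return (-1)` blocks could also be folded into a single condition with `!pixels`.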
@michaelrsweet (Collaborator, Author) commented Apr 1, 2008

"str2765.patch":

Index: image-gif.c

--- image-gif.c (revision 676)
+++ image-gif.c (working copy)
@@ -37,6 +37,7 @@

#define GIF_INTERLACE 0x40
#define GIF_COLORMAP 0x80
+#define GIF_MAX_BITS 12

typedef cups_ib_t gif_cmap_t[256][4];
typedef short gif_table_t[4096];
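Review bot: `GIF_MAX_BITS` and the `gif_table_t[4096]` declaration two lines below it encode the same limit in two places with nothing tying them together; declaring the table as `gif_table_t[1 << GIF_MAX_BITS]` (or at least commenting the define with that relationship) makes the dependency explicit so the bound stays correct if either side is changed.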
@@ -462,7 +463,7 @@
pass = 0;
code_size = getc(fp);

  • if (!pixels)
  • if (code_size > GIF_MAX_BITS || !pixels)
    return (-1);

if (gif_read_lzw(fp, 1, code_size) < 0)

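Review bot: the merged condition rejects oversized `code_size` values but still lets a negative one through: `getc(fp)` returns `EOF` on a short read, `EOF` is not `> GIF_MAX_BITS`, so `gif_read_lzw(fp, 1, code_size)` is still reached with -1. Add a lower bound here (`code_size < 1`), and consider having `gif_read_lzw()` validate the `code_size` it receives as well, since it is the function that sizes the table from that value and would then be safe regardless of caller.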
@michaelrsweet michaelrsweet added this to the Stable milestone Mar 17, 2016
