Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2018-20546 #38

Closed
fgeek opened this issue Dec 29, 2018 · 0 comments
Closed

CVE-2018-20546 #38

fgeek opened this issue Dec 29, 2018 · 0 comments

Comments

@fgeek
Copy link

@fgeek fgeek commented Dec 29, 2018

Following vulnerability has been reported to Red Hat issue tracker:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20546
https://bugzilla.redhat.com/show_bug.cgi?id=1652622

./img2txt POC1

version: libcaca0.99beta19
Summary: 

There is an illegal READ memory access at caca/dither.c:1347 (function:get_rgba_default )in libcaca latest version.

Description:

The asan debug is as follows:

$./img2txt POC1

=================================================================
==28249==ERROR: AddressSanitizer: SEGV on unknown address 0x7f88ae6a7004 (pc 0x7f88b2b37857 bp 0x000000000042 sp 0x7ffe82454ed0 T0)
==28249==The signal is caused by a READ memory access.
    #0 0x7f88b2b37856 in get_rgba_default /home/company/real/libcaca-master/caca/dither.c:1347
    #1 0x7f88b2b3aa16 in caca_dither_bitmap /home/company/real/libcaca-master/caca/dither.c:1009
    #2 0x55688cdba96e in main /home/company/real/libcaca-master/src/img2txt.c:210
    #3 0x7f88b27581c0 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x211c0)
    #4 0x55688cdbaf09 in _start (/home/company/real/libcaca-master/install_asan/bin/img2txt+0x2f09)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /home/company/real/libcaca-master/caca/dither.c:1347 in get_rgba_default
==28249==ABORTING

Confirmed in f1267fb. Minimized sample CVE-2018-20546.zip with afl-tmin (SHA1: b50dccc3ebb25dd13256fc5e59bed2fcd19cc0e4)

00000000  42 4d 30 30 30 30 30 30  30 30 76 00 00 00 28 00  |BM00000000v...(.|
00000010  00 00 00 00 01 00 00 00  01 00 01 00 04 00 00 00  |................|
*
00000021

Compiler optimization might affect results.

samhocevar added a commit that referenced this issue Dec 30, 2018
Fixes: #38 (CVE-2018-20546)
Fixes: #39 (CVE-2018-20547)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
1 participant
You can’t perform that action at this time.