Bug 1086777 (CVE-2018-8975)

Summary: VUL-1: CVE-2018-8975: netpbm: The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03allows remote attackers to cause a denial of service (heap-based bufferover-read) via a crafted image file, as demonstrated by pb
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P4 - Low CC: mcepl, pgajdos, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/202627/
Whiteboard: CVSSv3:SUSE:CVE-2018-8975:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) CVSSv3:RedHat:CVE-2018-8975:4.4:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L) CVSSv2:NVD:CVE-2018-8975:4.3:(AV:N/AC:M/Au:N/C:N/I:N/A:P) CVSSv3:NVD:CVE-2018-8975:5.5:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: pbmmask-heapoverflow-1

Description Marcus Meissner 2018-03-26 05:59:51 UTC 
CVE-2018-8975

The pm_mallocarray2 function in lib/util/mallocvar.c in Netpbm through 10.81.03
allows remote attackers to cause a denial of service (heap-based buffer
over-read) via a crafted image file, as demonstrated by pbmmask.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8975
https://github.com/xiaoqx/pocs/blob/master/netpbm
Comment 1 Marcus Meissner 2018-03-26 06:02:15 UTC 
Created attachment 764870 [details]
pbmmask-heapoverflow-1

QA REPRODUCER:

valgrind pbmmask pbmmask-heapoverflow-1

should not report Invalid read
Comment 2 Petr Gajdos 2018-06-27 14:06:18 UTC 
BEFORE

devel,15,12/netpbm

$ valgrind -q pbmmask pbmmask-heapoverflow-1
==19208== Invalid read of size 1
==19208==    at 0x108B55: main (pbmmask.c:160)
==19208==  Address 0x57d03ff is 1 bytes before a block of size 1 alloc'd
==19208==    at 0x4C2E04F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19208==    by 0x4E5F2E6: mallocz (mallocvar.c:15)
==19208==    by 0x4E5F2E6: allocRowHeap (mallocvar.c:68)
==19208==    by 0x4E5F2E6: pm_mallocarray2 (mallocvar.c:117)
==19208==    by 0x4E48F95: pm_allocarray (libpm.c:345)
==19208==    by 0x4E4D4EF: pbm_readpbm (libpbm2.c:295)
==19208==    by 0x108AA6: main (pbmmask.c:145)
==19208== 
==19208== Invalid read of size 1
==19208==    at 0x109210: addflood (pbmmask.c:34)
==19208==    by 0x108C0A: main (pbmmask.c:181)
==19208==  Address 0x57d03ff is 1 bytes before a block of size 1 alloc'd
==19208==    at 0x4C2E04F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19208==    by 0x4E5F2E6: mallocz (mallocvar.c:15)
==19208==    by 0x4E5F2E6: allocRowHeap (mallocvar.c:68)
==19208==    by 0x4E5F2E6: pm_mallocarray2 (mallocvar.c:117)
==19208==    by 0x4E48F95: pm_allocarray (libpm.c:345)
==19208==    by 0x4E4D4EF: pbm_readpbm (libpbm2.c:295)
==19208==    by 0x108AA6: main (pbmmask.c:145)
==19208== 
==19208== Conditional jump or move depends on uninitialised value(s)
==19208==    at 0x109213: addflood (pbmmask.c:34)
==19208==    by 0x108C0A: main (pbmmask.c:181)
==19208== 
==19208== Invalid read of size 1
==19208==    at 0x10922B: addflood (pbmmask.c:34)
==19208==    by 0x108C0A: main (pbmmask.c:181)
==19208==  Address 0x57d055f is 1 bytes before a block of size 1 alloc'd
==19208==    at 0x4C2E04F: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==19208==    by 0x4E5F2E6: mallocz (mallocvar.c:15)
==19208==    by 0x4E5F2E6: allocRowHeap (mallocvar.c:68)
==19208==    by 0x4E5F2E6: pm_mallocarray2 (mallocvar.c:117)
==19208==    by 0x4E48F95: pm_allocarray (libpm.c:345)
==19208==    by 0x108ACB: main (pbmmask.c:147)
==19208== 
==19208== Conditional jump or move depends on uninitialised value(s)
==19208==    at 0x109213: addflood (pbmmask.c:34)
==19208==    by 0x108C16: main (pbmmask.c:182)
==19208== 
==19208== Conditional jump or move depends on uninitialised value(s)
==19208==    at 0x10922F: addflood (pbmmask.c:34)
==19208==    by 0x108C16: main (pbmmask.c:182)
==19208== 
P4
0 24
$

11,10sp3/ImageMagick

$ valgrind -q pbmmask pbmmask-heapoverflow-1
pbmmask: Zero byte allocation
$


PATCH

There's no patch as far as I can see. gdb session shows, that file claims to have 0 columns. Memory allocation, which happens here:

 bits = pbm_readpbm( ifp, &cols, &rows );

will succeed as they use mallocz(), which allocates 1 byte in case of zero argument. However, later in pbmmask.c code asssumes col is greater then zero (col - 1 on several places). For 11/netpbm, the "zero allocation" is not allowed, thus the error.

I am proposing following patch on utility level:

Index: netpbm-10.82.2/editor/pbmmask.c
===================================================================
--- netpbm-10.82.2.orig/editor/pbmmask.c        2018-06-27 13:03:00.431710863 +0200
+++ netpbm-10.82.2/editor/pbmmask.c     2018-06-27 15:45:40.194531538 +0200
@@ -144,6 +144,12 @@ main(int argc, char * argv[]) {

     bits = pbm_readpbm( ifp, &cols, &rows );
     pm_close( ifp );
+    if (cols <= 0 || rows <= 0)
+    {
+      pm_error("zero width or zero height");
+      free(bits);
+      return 0;
+    }
     mask = pbm_allocarray( cols, rows );

     /* Clear out the mask. */

and will notify upstream (via private email, there is no bugtracker or mailinglist). I will submit packages with this patch now and in case upstream will introduce another fix, I will resubmit.


AFTER

devel,15,12/netpbm

$ pbmmask pbmmask-heapoverflow-1 
pbmmask: zero width or zero height
$
Comment 3 Petr Gajdos 2018-06-27 14:08:09 UTC 
Will submit for devel/netpbm, 15/netpbm and 12/netpbm.
Comment 4 Petr Gajdos 2018-06-27 14:10:14 UTC 
I believe all fixed.
Comment 5 Swamp Workflow Management 2018-06-27 14:40:05 UTC 
This is an autogenerated message for OBS integration:
This bug (1086777) was mentioned in
https://build.opensuse.org/request/show/619410 Factory / netpbm
Comment 7 Petr Gajdos 2018-06-29 05:29:35 UTC 
Upstream commit
https://sourceforge.net/p/netpbm/code/3279/
Comment 8 Swamp Workflow Management 2019-04-03 13:12:55 UTC 
SUSE-SU-2019:0855-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1086777
CVE References: CVE-2018-8975
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    netpbm-10.80.1-3.3.36
SUSE Linux Enterprise Module for Basesystem 15 (src):    netpbm-10.80.1-3.3.36

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2019-04-12 16:10:32 UTC 
openSUSE-SU-2019:1200-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1086777
CVE References: CVE-2018-8975
Sources used:
openSUSE Leap 15.0 (src):    netpbm-10.80.1-lp150.2.3.1
Comment 12 Swamp Workflow Management 2019-06-21 19:15:47 UTC 
SUSE-SU-2019:1645-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1024288,1024291,1086777,1136936
CVE References: CVE-2017-2579,CVE-2017-2580,CVE-2018-8975
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    netpbm-10.66.3-8.7.2
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    netpbm-10.66.3-8.7.2
SUSE Linux Enterprise Server 12-SP4 (src):    netpbm-10.66.3-8.7.2
SUSE Linux Enterprise Server 12-SP3 (src):    netpbm-10.66.3-8.7.2
SUSE Linux Enterprise Desktop 12-SP4 (src):    netpbm-10.66.3-8.7.2
SUSE Linux Enterprise Desktop 12-SP3 (src):    netpbm-10.66.3-8.7.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Marcus Meissner 2019-10-18 18:20:49 UTC 
done