Bug 1024287 - (CVE-2017-2581) VUL-0: CVE-2017-2581: netpbm: Out-of-bounds write in writeRasterPbm()
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority/Severity: P3 - Medium / Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/179973/
CVSSv2:SUSE:CVE-2017-2581:4.3:(AV:N/A...
Reported: 2017-02-08 14:15 UTC by Matthias Gerstner
Modified: 2019-05-01 13:41 UTC (History)

Found By: Security Response Team


Attachments
CVE-2017-2581.bmp (248 bytes, application/octet-stream)
2017-03-03 15:08 UTC, Marcus Meissner

Description Matthias Gerstner 2017-02-08 14:15:20 UTC
This OOBW issue occurs in bmptopnm and is caused by an integer overflow.

This issue can be caused by a malformed BMP file passed through
bmptopnm. Attackers could exploit this issue to cause a DoS and may cause
arbitrary code execution.

References:
http://seclists.org/oss-sec/2017/q1/317
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-2581
http://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-2581.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2581
Comment 1 Matthias Gerstner 2017-02-08 14:17:21 UTC
From oss-sec:

> Some of these issues are patched in other branches and all will be
> patched in Super Stable branch in March as maintainer said.
> And the maintainer said: "*Anyone who wants a fix before the March
> Super Stable release can either upgrade to Stable or backport the
> fixes from Stable."*

I couldn't find a fix to this in any of the branches in the upstream SVN in https://svn.code.sf.net/p/netpbm/code. So maybe we need to wait until March.
Comment 3 Swamp Workflow Management 2017-02-08 23:02:16 UTC
bugbot adjusting priority
Comment 5 Marcus Meissner 2017-03-03 15:08:56 UTC
Created attachment 716295 [details]
CVE-2017-2581.bmp

found by afl

QA REPRODUCER:

bmptopnm CVE-2017-2581.bmp
Comment 6 Petr Gajdos 2017-06-05 13:50:18 UTC
Tumbleweed/netpbm

$ bmptopnm CVE-2017-2581.bmp 
bmptopnm: Windows (v1) BMP, 4294967295x32x1
bmptopnm: warning: the BMP header says the raster starts at offset 118 bytes into the file (offbits), but that there are 62 bytes of information before the raster.  This inconsistency probably means the input file is not a legal BMP file and is unusable.
bmptopnm: warning: some image data remains unread.
bmptopnm: WRITING PBM IMAGE
P4
-1 32
Segmentation fault (core dumped)
$

12/netpbm

$ bmptopnm CVE-2017-2581.bmp 
bmptopnm: Windows BMP, -1x32x1
bmptopnm: warning: the BMP header says the raster starts at offset 118 bytes into the file (offbits), but that there are 62 bytes of information before the raster.  This inconsistency probably means the input file is not a legal BMP file and is unusable.
bmptopnm: warning: some image data remains unread.
bmptopnm: WRITING PBM IMAGE
P4
-1 32
$

{10sp3,11}/netpbm

$  bmptopnm CVE-2017-2581.bmp 
bmptopnm: Windows BMP, -1x32x1
bmptopnm: warning: the BMP header says the raster starts at offset 118 bytes into the file (offbits), but that there are 62 bytes of information before the raster.  This inconsistency probably means the input file is not a legal BMP file and is unusable.
bmptopnm: warning: read 118 bytes, expected to read 62 bytes
bmptopnm: WRITING PBM IMAGE
P4
-1 32
bmptopnm: object too large
$

From the testcase, it seems that just the devel/netpbm package and maybe also the 12/netpbm package are affected.
Comment 7 Petr Gajdos 2017-06-06 07:28:23 UTC
Just updated netpbm to 10.78.4 in Tumbleweed, still segfaults. I will notify author.
Comment 8 Petr Gajdos 2017-06-06 07:31:15 UTC
backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bab1aa in pbm_cleanrowend_packed (packedBits=<optimized out>, cols=<optimized out>) at libpbm2.c:278
278	        packedBits[last] >>= bitsPerChar - cols % bitsPerChar;
(gdb) bt
#0  0x00007ffff7bab1aa in pbm_cleanrowend_packed (packedBits=<optimized out>, cols=<optimized out>) at libpbm2.c:278
#1  0x0000555555555f07 in writeRasterPbm (colormap=0x55555575b5a0, rows=<optimized out>, cols=4294967295, bmpRaster=0x55555575b710)
    at bmptopnm.c:1543
#2  main (argc=<optimized out>, argv=<optimized out>) at bmptopnm.c:1606
(gdb)
Comment 9 Petr Gajdos 2017-06-07 10:07:00 UTC
Reply from Bryan:

--------------
Thanks for telling me about this, and for the debugging.  I see the bug and I
will fix it in the Development and Advanced release series in the next few
days and Stable and Super Stable by the end of the month.

This is the first I've heard of this bug.  The bug that I was told in January
was associated with CVE-2017-2581.bmp affected OS/2 BMP files; the file
attached to this bug report is a Windows BMP file.
--------------
Comment 10 Petr Gajdos 2017-06-09 06:46:41 UTC
commit:
https://sourceforge.net/p/netpbm/code/2989/
Comment 11 Petr Gajdos 2017-06-09 07:00:53 UTC
BEFORE

see comment 6

AFTER

$ bmptopnm CVE-2017-2581.bmp 
bmptopnm: Invalid BMP file: says width is negative (-1)
$
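As an added illustration (not netpbm's own code and not the change in commit 2989) of why a header width of -1 shows up as cols=4294967295 in the backtrace in comment 8, and why the width check whose message comment 11 shows has to run before any row-size arithmetic. The headers, the function names (packed_row_bytes, last_packed_byte, validate_bmp_width) and the simplified row arithmetic are constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed 40-byte BITMAPINFOHEADERs (not the 248-byte attachment on this
 * bug): bad_hdr carries width -1 (0xFFFFFFFF) and height 32, the values the
 * reproducer prints; good_hdr is the same header with width 32. */
static const unsigned char bad_hdr[40]  = { 40,0,0,0, 0xFF,0xFF,0xFF,0xFF, 32,0,0,0, 1,0, 1,0 };
static const unsigned char good_hdr[40] = { 40,0,0,0, 32,0,0,0,             32,0,0,0, 1,0, 1,0 };

/* BMP integers are little-endian; the width field is a signed 32-bit value. */
static int32_t read_le32(const unsigned char *p) {
    return (int32_t)((uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                     ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24));
}

/* Bytes needed for one packed 1-bit PBM row (simplified). With
 * cols = 0xFFFFFFFF the unsigned addition wraps and the row buffer is
 * sized as 0 bytes. */
unsigned packed_row_bytes(unsigned cols) {
    return (cols + 7u) / 8u;
}

/* Index of the byte holding the last column, i.e. the byte a row-end
 * cleanup such as the one in the backtrace writes to. With the wrapped
 * width this lies far outside the 0-byte buffer: the out-of-bounds write. */
unsigned last_packed_byte(unsigned cols) {
    return (cols - 1u) / 8u;
}

/* Reject a negative width before any size arithmetic, reporting it the way
 * the fixed bmptopnm in comment 11 does. Returns 0 and sets *cols, or -1. */
int validate_bmp_width(const unsigned char *infohdr, unsigned *cols) {
    int32_t width = read_le32(infohdr + 4);   /* width follows the 4-byte biSize */
    if (width < 0) {
        fprintf(stderr, "Invalid BMP file: says width is negative (%d)\n", width);
        return -1;
    }
    *cols = (unsigned)width;
    return 0;
}

/* Wrappers so both constructed headers can be checked by return value. */
int check_bad_header(void)       { unsigned c; return validate_bmp_width(bad_hdr, &c); }
unsigned good_header_cols(void)  { unsigned c = 0; validate_bmp_width(good_hdr, &c); return c; }

int main(void) {
    unsigned raw = (unsigned)read_le32(bad_hdr + 4);   /* what an unchecked parser sees */
    printf("unchecked cols=%u: row buffer %u bytes, cleanup writes byte index %u\n",
           raw, packed_row_bytes(raw), last_packed_byte(raw));
    return check_bad_header() == -1 ? 0 : 1;
}
```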
Comment 12 Petr Gajdos 2017-06-09 07:01:22 UTC
Check is needed in every netpbm version we maintain.
Comment 13 Petr Gajdos 2017-06-12 08:40:36 UTC
Packages submitted.
Comment 15 Swamp Workflow Management 2017-06-12 12:30:29 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-06-26.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63668
Comment 16 Swamp Workflow Management 2017-06-16 01:09:47 UTC
SUSE-SU-2017:1575-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1024287
CVE References: CVE-2017-2581
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    netpbm-10.26.44-101.14.1
SUSE Linux Enterprise Server 11-SP4 (src):    netpbm-10.26.44-101.14.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    netpbm-10.26.44-101.14.1
Comment 17 Swamp Workflow Management 2017-06-19 13:13:24 UTC
SUSE-SU-2017:1603-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1024287,1024292,1024294
CVE References: CVE-2017-2581,CVE-2017-2586,CVE-2017-2587
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    netpbm-10.66.3-7.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    netpbm-10.66.3-7.1
SUSE Linux Enterprise Server 12-SP2 (src):    netpbm-10.66.3-7.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    netpbm-10.66.3-7.1
Comment 18 Swamp Workflow Management 2017-06-26 22:09:54 UTC
openSUSE-SU-2017:1698-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1024287,1024292,1024294
CVE References: CVE-2017-2581,CVE-2017-2586,CVE-2017-2587
Sources used:
openSUSE Leap 42.2 (src):    netpbm-10.66.3-8.3.1
Comment 19 Marcus Meissner 2017-10-26 08:31:45 UTC
released