oss-sec mailing list archives
Fuzzing findings (and maybe CVE requests) - Image/GraphicsMagick, elfutils, GIMP, gdk-pixbuf, file, ndisasm, less
From: Hanno Böck <hanno () hboeck de>
Date: Sun, 16 Nov 2014 15:10:37 +0100
Hi,

I wanted to share a couple of issues I recently found via zzuf and afl fuzzing. It's a telling story about the state of some of the free software projects involved and I can only encourage others to join the effort to find bugs via fuzzing. Some of them are really low hanging fruit.

I'm cc-ing cve-assigners, I leave it up to you to decide which you assign CVEs. If you want / need more info on details please ask.

Imagemagick:
Multiple issues in PCX, DCM parser and generic issue in resize code
http://www.imagemagick.org/script/changelog.php
These already got CVEs:
http://int21.de/cve/CVE-2014-8354-ImageMagick-oob-heap-overflow.html
http://int21.de/cve/CVE-2014-8355-ImageMagick-pcx-oob-heap-overflow.html
http://int21.de/cve/CVE-2014-8562-ImageMagick-dcm-oob-heap-overflow.html

GraphicsMagick:
Fork of Imagemagick, so some of the above also affect it, tests with the same fuzzed sample set turned out one independent other issue:
http://sourceforge.net/p/graphicsmagick/code/ci/37ab9576dbdfeecd8bbc0a312a49b362846016c1/
Heap Overflow / oob read
One more issue with PNGs that turned out to be weird, it caused an error message to overflow:
http://sourceforge.net/p/graphicsmagick/code/ci/0dc6e1d3119f1dda668b0f2d1464459a06767879/

elfutils:
Checks done with the set of files that crashed binutils turned out one issue:
https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-October/004215.html
Invalid read
american fuzzy lop found a couple more:
https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-November/004230.html
and more:
https://lists.fedorahosted.org/pipermail/elfutils-devel/2014-November/004249.html

GIMP:
Invalid reads in import plugins for fli and tga.
https://bugzilla.gnome.org/show_bug.cgi?id=739133
https://bugzilla.gnome.org/show_bug.cgi?id=739134

claws-mail / gdk-pixbuf:
Assert in gdk-pixbuf when trying to load a malformed file as an animation. This was an accidental discovery when I clicked on a malformed PNG I sent while reporting another issue (in graphicsmagick) in my mail client (and it crashed with an assert).
https://bugzilla.gnome.org/show_bug.cgi?id=739785
http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3322

file/libmagic:
out of bounds read when parsing JPG header
http://bugs.gw.com/view.php?id=398
https://github.com/file/file/commit/59e63838913eee47f5c120a6c53d4565af638158

ndisasm:
Actually I found this by running ndisasm on /dev/urandom - no joke!
Crash / oob read:
http://bugzilla.nasm.us/show_bug.cgi?id=3392289

less:
Out of bounds read, upstream doesn't answer and doesn't have a public bug tracker. This wasn't really found by fuzzing but by running less on a likely malwared gif, I reduced it to a smaller testcase:
http://int21.de/cve/less-oob

cu,
-- 
Hanno Böck
http://hboeck.de/
mail/jabber: hanno () hboeck de
GPG: BBB51E42