Multiple segmentation faults CVE-2017-9110 to CVE-2017-9116 #232
Comments
|
|
Hi I have tried to reproduce the crash but so far I have failed to do so. I fail to see any crashes. Have anyone else been able to reproduce the problem and in that case how? I can see that a test has been proposed above. Do this mean that the library have to be used in order to reproduce the crash or have anyone seen the problem using any tools? Best regards // Ola |
|
@binarycrusader binarycrusader Hi I have started to look at the proposed patch. Is that proposed patch the final patch or are you planning to do more work on it? I'm asking as I do not see that all CVEs are handled in this proposed patch: Best regards // Ola |
This is subtle, but if you look at the .valgrind files that were provided in the openexr.zip linked in the first comment of the bug, you'll see that exr2aces is the program that was used to reproduce these errors. That's important and subtle because exr2aces isn't built by default, and is therefore not shipped by many Linux distributions either.
These CVEs apply generally to the library but can be easily reproduced by using exr2aces on the corresponding input files: CVE-2017-9110, CVE-2017-9112, CVE-2017-9116 These CVEs appear to be bugs in exr2aces and are not generally reproducible in the library itself, only with bad input to the library via a program such as exr2aces: CVE-2017-9111, CVE-2017-9113, CVE-2017-9114, CVE-2017-9115 My pull request detailed this: |
Absent review feedback, I am not planning to do any more work on pull request #233.
The above are covered by my proposed change as far as I can reproduce/determine. You can't match source files here for expected changes. The root cause of these failures is not necessarily in the same file. The three failures addressed by the patch are: the input buffer size check is subject to integer overflow, the huffman decoder doesn't check for end of input buffer before each read, and the high level piz uncompress routine doesn't ensure that the size of the data array specified in the header does not exceed the size of the input.
These CVEs appear to be bugs in exr2aces and are not generally reproducible in the library itself, only with bad input to the library via a program such as exr2aces. As far as I can tell, exr2aces is passing an invalid pointer to an out-of-bounds memory location to use as a framebuffer, and then the library fails trying to write to it. The library can't possibly guard against an invalid framebuffer pointer being passed to it. Since exr2aces is not built by default (at least for the regular ./configure; Make build), I don't intend to address those CVEs. In particular, it isn't clear to me how to fix exr2aces. If we create a framebuffer suitable for the size of what the input files suggest, that's effectively the program asking for 500GB of memory. While this is technically allowed by the OpenEXR specification (as far as I can tell), obviously I can't add any meaningful test for that. As such, since image processing is not my domain of expertise, and it appears to be the result of bad usage of the library, rather than a problem in the library itself, I have opted to not attempt to resolve them. |
|
FreeBSD don't like any security issues. This happens compiling Luminance-HDR: " 1 problem(s) in the installed packages found. Stop. Stop. Stop. Stop. |
This addresses pointer overflow in exr2aces with large datawindow offsets. It also fixes similar issues in exrenvmap and exrmakepreview. This addresses the crashes in CVE-2017-9111, CVE-2017-9113, CVE-2017-9115 Signed-off-by: Kimball Thurston <kdt3rd@gmail.com>
This addresses pointer overflow in exr2aces with large datawindow offsets. It also fixes similar issues in exrenvmap and exrmakepreview. This addresses the crashes in CVE-2017-9111, CVE-2017-9113, CVE-2017-9115 Signed-off-by: Kimball Thurston <kdt3rd@gmail.com>
This addresses pointer overflow in exr2aces with large datawindow offsets. It also fixes similar issues in exrenvmap and exrmakepreview. This addresses the crashes in CVE-2017-9111, CVE-2017-9113, CVE-2017-9115 Signed-off-by: Kimball Thurston <kdt3rd@gmail.com>
This addresses pointer overflow in exr2aces with large datawindow offsets. It also fixes similar issues in exrenvmap and exrmakepreview. This addresses the crashes in CVE-2017-9111, CVE-2017-9113, CVE-2017-9115 Signed-off-by: Kimball Thurston <kdt3rd@gmail.com>
|
more complete fixes are on development master and cherry-picked to release/2.3 pending validation |
|
The remaining CVE that were not addressed previously have been addressed both on master and on release/2.3: and will be in the next release made |
This addresses pointer overflow in exr2aces with large datawindow offsets. It also fixes similar issues in exrenvmap and exrmakepreview. This addresses the crashes in CVE-2017-9111, CVE-2017-9113, CVE-2017-9115 Signed-off-by: Kimball Thurston <kdt3rd@gmail.com>
Brandon Perry provided multiple images that can crash OpenEXR: http://www.openwall.com/lists/oss-security/2017/05/12/5
The files he sent are here (along with the output of valgrind apparently)
openexr.zip
Mitre assigned the following CVE to those issues:
CVE-2017-9116
CVE-2017-9115
CVE-2017-9114
CVE-2017-9113
CVE-2017-9112
CVE-2017-9111
CVE-2017-9110
The text was updated successfully, but these errors were encountered: