[oss-security] Crashes and memory safety bugs in dcraw
Hanno Böck
2018-11-23 08:22:17 UTC
Hi,

dcraw is a tool to process raw images from digital cameras.
It easily crashes with various issues (tested version 9.28.0). This was
very shallow testing (afl fuzzing with random inputs, not starting with
valid images), I assume there's much more. I reported those a long time
ago to its author, he didn't seem interested in fixing such issues.

Some applications use dcraw automatically to parse images (gthumb,
kphotoalbum, kde thumbnailers, gwenview).

Input samples are base64.


Segfault / memory read on invalid address in crop_masked_pixels
---------------------------------------------------------------

TU0wMIEwMDAAMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMIX/MDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMLTCMDAw
MDAwAAAAMDAwMDAwMDAwMDAwMMaN

==6511==ERROR: AddressSanitizer: SEGV on unknown address 0x7fa0aa2ad79e (pc 0x0000005992fe bp 0x7ffdd236bb50 sp 0x7ffdd236b9e0 T0)
==6511==The signal is caused by a READ memory access.
#0 0x5992fd in crop_masked_pixels /mnt/ram/dcraw/dcraw.c:3775:20
#1 0x668a33 in main /mnt/ram/dcraw/dcraw.c:10406:7
#2 0x7fa05f3264ca in __libc_start_main (/lib64/libc.so.6+0x234ca)
#3 0x41c629 in _start (/mnt/ram/dcraw/a.out+0x41c629)


Heap out of bounds read in parse_tiff_ifd
-----------------------------------------

TU0wMIAwMDAAMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMMUWMDAAAAA=


==6729==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100000013f at pc 0x00000043690d bp 0x7ffeaaba2270 sp 0x7ffeaaba1a18
READ of size 256 at 0x61100000013f thread T0
#0 0x43690c in __interceptor_index (/mnt/ram/dcraw/a.out+0x43690c)
#1 0x5ec1d1 in parse_tiff_ifd /mnt/ram/dcraw/dcraw.c:6014:46
#2 0x60cc64 in parse_tiff /mnt/ram/dcraw/dcraw.c:6193:9
#3 0x63d0d6 in identify /mnt/ram/dcraw/dcraw.c:8674:16
#4 0x666eab in main /mnt/ram/dcraw/dcraw.c:10252:15
#5 0x7f1ec0bfc4ca in __libc_start_main (/lib64/libc.so.6+0x234ca)
#6 0x41c629 in _start (/mnt/ram/dcraw/a.out+0x41c629)

0x61100000013f is located 0 bytes to the right of 255-byte region [0x611000000040,0x61100000013f)
allocated by thread T0 here:
#0 0x4c6b23 in malloc (/mnt/ram/dcraw/a.out+0x4c6b23)
#1 0x5ec070 in parse_tiff_ifd /mnt/ram/dcraw/dcraw.c:6012:24
#2 0x60cc64 in parse_tiff /mnt/ram/dcraw/dcraw.c:6193:9
#3 0x63d0d6 in identify /mnt/ram/dcraw/dcraw.c:8674:16
#4 0x666eab in main /mnt/ram/dcraw/dcraw.c:10252:15
#5 0x7f1ec0bfc4ca in __libc_start_main (/lib64/libc.so.6+0x234ca)


Invalid memory read in crop_masked_pixels
-----------------------------------------

TU0wMIEwMDAAMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMIX/MDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMLTCMDAw
MDAwAAAAMDAwMDAwMDAwMDAwMMaN

==6893==ERROR: AddressSanitizer: SEGV on unknown address 0x7f5514dad79e (pc 0x0000005992fe bp 0x7ffc83994ad0 sp 0x7ffc83994960 T0)
==6893==The signal is caused by a READ memory access.
#0 0x5992fd in crop_masked_pixels /mnt/ram/dcraw/dcraw.c:3775:20
#1 0x668a33 in main /mnt/ram/dcraw/dcraw.c:10406:7
#2 0x7f54c9df64ca in __libc_start_main (/lib64/libc.so.6+0x234ca)
#3 0x41c629 in _start (/mnt/ram/dcraw/a.out+0x41c629)


floating point exception / segfault in parse_tiff_ifd
-----------------------------------------------------

TU0wMIAwMDAAMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMP0JMDAAAAAA

==6910==ERROR: AddressSanitizer: FPE on unknown address 0x0000005f70ee (pc 0x0000005f70ee bp 0x7ffc259155f0 sp 0x7ffc259142a0 T0)
#0 0x5f70ed in parse_tiff_ifd /mnt/ram/dcraw/dcraw.c:6055:43
#1 0x60cc64 in parse_tiff /mnt/ram/dcraw/dcraw.c:6193:9
#2 0x63d0d6 in identify /mnt/ram/dcraw/dcraw.c:8674:16
#3 0x666eab in main /mnt/ram/dcraw/dcraw.c:10252:15
#4 0x7fc98bd024ca in __libc_start_main (/lib64/libc.so.6+0x234ca)
#5 0x41c629 in _start (/mnt/ram/dcraw/a.out+0x41c629)


floating point exception in kodac_radc_load_raw
-----------------------------------------------

UFhOAA==

==6919==ERROR: AddressSanitizer: FPE on unknown address 0x00000054e85e (pc 0x00000054e85e bp 0x7fffc0b15150 sp 0x7fffc0b10be0 T0)
#0 0x54e85d in kodak_radc_load_raw /mnt/ram/dcraw/dcraw.c:2272:34
#1 0x6687ad in main /mnt/ram/dcraw/dcraw.c:10395:10
#2 0x7f8f61ecf4ca in __libc_start_main (/lib64/libc.so.6+0x234ca)
#3 0x41c629 in _start (/mnt/ram/dcraw/a.out+0x41c629)
--
Hanno Böck
https://hboeck.de/

mail/jabber: ***@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
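The two bug classes in the traces above (a string function reading past a 255-byte heap region in parse_tiff_ifd, and the unchecked divisions behind the FPEs), as an added C example that is not dcraw's code: the vulnerable shape next to a length-bounded scan, and a checked division. Assumed: that the over-read buffer holds an unterminated value copied from the file (the trace shows the read, not what the buffer is); the tag_value layout and sample bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a value read from an untrusted file: `len`
 * bytes with no guarantee that a NUL terminator is among them. */
struct tag_value { const unsigned char *data; size_t len; };

/* Vulnerable shape (matches the ASan report: index()/strchr() on a
 * malloc(len) buffer): a C-string search stops only at a NUL, so with
 * no NUL inside the buffer it reads past the end of the allocation.
 * Kept here for comparison only; not exercised. */
long find_sep_unbounded(const struct tag_value *t, char sep) {
    char *buf = malloc(t->len);              /* no room for a terminator */
    if (!buf) return -1;
    memcpy(buf, t->data, t->len);
    char *p = strchr(buf, sep);              /* heap-buffer-overflow read */
    long off = p ? (long)(p - buf) : -1;
    free(buf);
    return off;
}

/* Hardened: bound the scan by the length the file actually supplied, so
 * the result is defined whether or not a terminator is present. */
long find_sep_bounded(const struct tag_value *t, char sep) {
    const unsigned char *p = memchr(t->data, (unsigned char)sep, t->len);
    return p ? (long)(p - t->data) : -1;
}

/* Hardened: a divisor derived from file fields is checked before use;
 * dividing by an unchecked zero is the FPE class in the traces above.
 * Returns 0 and writes the quotient, or -1 on a zero divisor. */
int div_checked(unsigned long num, unsigned long den, unsigned long *out) {
    if (den == 0) return -1;
    *out = num / den;
    return 0;
}

/* Constructed sample: 8 bytes, no NUL, separator '/' at offset 5. */
const unsigned char SAMPLE_DATA[8] = {'0','0','0','0','0','/','0','0'};
const struct tag_value SAMPLE_TAG = { SAMPLE_DATA, sizeof SAMPLE_DATA };

int main(void) {
    unsigned long q = 0;
    printf("sep at %ld\n", find_sep_bounded(&SAMPLE_TAG, '/'));
    printf("div by zero -> %d\n", div_checked(1024, 0, &q));
    return 0;
}
```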
Agostino Sarubbo
2018-11-23 08:34:51 UTC
Post by Hanno Böck
Segfault / memory read on invalid address in crop_masked_pixels
==6511==ERROR: AddressSanitizer: SEGV on unknown address 0x7fa0aa2ad79e (pc 0x0000005992fe bp 0x7ffdd236bb50 sp 0x7ffdd236b9e0 T0)
==6511==The signal is caused by a READ memory access.
#0 0x5992fd in crop_masked_pixels /mnt/ram/dcraw/dcraw.c:3775:20
#1 0x668a33 in main /mnt/ram/dcraw/dcraw.c:10406:7
#2 0x7fa05f3264ca in __libc_start_main (/lib64/libc.so.6+0x234ca)
#3 0x41c629 in _start (/mnt/ram/dcraw/a.out+0x41c629)
Invalid memory read in crop_masked_pixels
==6893==ERROR: AddressSanitizer: SEGV on unknown address 0x7f5514dad79e (pc 0x0000005992fe bp 0x7ffc83994ad0 sp 0x7ffc83994960 T0)
==6893==The signal is caused by a READ memory access.
#0 0x5992fd in crop_masked_pixels /mnt/ram/dcraw/dcraw.c:3775:20
#1 0x668a33 in main /mnt/ram/dcraw/dcraw.c:10406:7
#2 0x7f54c9df64ca in __libc_start_main (/lib64/libc.so.6+0x234ca)
#3 0x41c629 in _start (/mnt/ram/dcraw/a.out+0x41c629)
Hi Hanno,

are the first and the third similar, or am I missing something?
TIA
--
Agostino Sarubbo
Gentoo Linux Developer
Hanno Böck
2018-11-23 08:47:09 UTC
On Fri, 23 Nov 2018 09:34:51 +0100
Post by Agostino Sarubbo
are the first and the third similar or I'm missing something?
That looks like the same, sorry, my mistake.
Ignore the second one :-)

Somewhere in the "minify crashing inputs, sort them" I must have
missed that.
--
Hanno Böck
https://hboeck.de/

mail/jabber: ***@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
Marcus Meissner
2018-11-23 14:16:30 UTC
Post by Hanno Böck
Hi,
dcraw is a tool to process raw images from digital cameras.
It easily crashes with various issues (tested version 9.28.0). This was
very shallow testing (afl fuzzing with random inputs, not starting with
valid images), I assume there's much more. I reported those a long time
ago to its author, he didn't seem interested in fixing such issues.
Some applications use dcraw automatically to parse images (gthumb,
kphotoalbum, kde thumbnailers, gwenview).
Input samples are base64.
One thing to look at as a replacement for dcraw is probably libraw, which is more
active. (It used the dcraw sources originally.)

Ciao, Marcus
Ian Zimmerman
2018-11-23 17:17:43 UTC
Post by Hanno Böck
dcraw is a tool to process raw images from digital cameras.
It easily crashes with various issues (tested version 9.28.0). This was
very shallow testing (afl fuzzing with random inputs, not starting with
valid images), I assume there's much more. I reported those a long time
ago to its author, he didn't seem interested in fixing such issues.
Some applications use dcraw automatically to parse images (gthumb,
kphotoalbum, kde thumbnailers, gwenview).
An important side note: because dcraw intentionally doesn't provide a
library, only an executable, code from it is bundled in at least some
applications that use it; thus updating the dcraw package in a distro
will not by itself be the end of this problem for the distro. One such
application: RawTherapee
--
Please don't Cc: me privately on mailing lists and Usenet,
if you also post the followup to the list or newsgroup.
To reply privately _only_ on Usenet and on broken lists
which rewrite From, fetch the TXT record for no-use.mooo.com.
Bob Friesenhahn
2018-11-24 01:33:55 UTC
Post by Ian Zimmerman
An important side note: because dcraw intentionally doesn't provide a
library, only an executable, code from it is bundled in at least some
applications that use it; thus updating the dcraw package in a distro
will not by itself be the end of this problem for the distro. One such
application: RawTherapee
GraphicsMagick also bundles some version of dcraw for its Microsoft
Windows builds. It is executed as an external program so if it
becomes corrupted, it will not corrupt the invoking application.

Another consideration is that the dcraw author has a huge sample image
archive that he is only willing to sell for private use. This means
that other projects (including those which derived code from dcraw)
might not work correctly with as many input files since they have not
done as much validation.

Bob
--
Bob Friesenhahn
***@simple.dallas.tx.us, http://www.simplesystems.org/users/bfriesen/
GraphicsMagick Maintainer, http://www.GraphicsMagick.org/
Public Key, http://www.simplesystems.org/users/bfriesen/public-key.txt
Marcus Meissner
2018-11-27 10:29:35 UTC
Post by Hanno Böck
Hi,
dcraw is a tool to process raw images from digital cameras.
It easily crashes with various issues (tested version 9.28.0). This was
very shallow testing (afl fuzzing with random inputs, not starting with
valid images), I assume there's much more. I reported those a long time
ago to its author, he didn't seem interested in fixing such issues.
Some applications use dcraw automatically to parse images (gthumb,
kphotoalbum, kde thumbnailers, gwenview).
I have requested and received CVEs from Mitre for those.

Ciao, Marcus


The 4 CVE IDs are below.

We would not ordinarily have CVE IDs for these types of crash issues.
However, https://seclists.org/oss-sec/2018/q4/171 says "because dcraw
intentionally doesn't provide a library, only an executable, code from
it is bundled in at least some applications."

For example, an FPE (such as a divide-by-zero) in the dcraw executable
isn't a security issue because it is only a way for the local user to
attack himself. However, it is plausible that someone has bundled the
dcraw code in an application that is supposed to continue running
forever to accept a continuous series of raw images from a camera over
Wi-Fi.

In https://seclists.org/oss-sec/2018/q4/165, "kodac_radc_load_raw" has
a typo in the fifth letter.
Post by Hanno Böck
[Suggested description]
A buffer over-read in crop_masked_pixels in dcraw through 9.28 could be
used by attackers able to supply malicious files to crash an application that bundles the dcraw code or leak
private information.
------------------------------------------
[Additional Information]
issue 1 listed
------------------------------------------
[VulnerabilityType Other]
CWE-126
------------------------------------------
[Vendor of Product]
Dave Coffin
------------------------------------------
[Affected Product Code Base]
dcraw - 9.28
------------------------------------------
[Affected Component]
dcraw
------------------------------------------
[Attack Type]
Local
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[CVE Impact Other]
crash
------------------------------------------
[Attack Vectors]
processing raw files
------------------------------------------
[Reference]
https://seclists.org/oss-sec/2018/q4/165
https://seclists.org/oss-sec/2018/q4/171
------------------------------------------
[Discoverer]
Hanno Boeck
Use CVE-2018-19565.
Post by Hanno Böck
[Suggested description]
A heap buffer over-read in parse_tiff_ifd in dcraw through 9.28 could be
used by attackers able to supply malicious files to crash an application that bundles the dcraw code or leak
private information.
------------------------------------------
[Additional Information]
second issue in posting
------------------------------------------
[Vulnerability Type]
Buffer Overflow
------------------------------------------
[Vendor of Product]
Dave Coffin
------------------------------------------
[Affected Product Code Base]
dcraw - 9.28
------------------------------------------
[Affected Component]
dcraw
------------------------------------------
[Attack Type]
Local
------------------------------------------
[Impact Information Disclosure]
true
------------------------------------------
[CVE Impact Other]
crash
------------------------------------------
[Attack Vectors]
processing supplied raw files
------------------------------------------
[Reference]
https://seclists.org/oss-sec/2018/q4/165
https://seclists.org/oss-sec/2018/q4/171
------------------------------------------
[Discoverer]
Hanno Boeck
Use CVE-2018-19566.
Post by Hanno Böck
[Suggested description]
A floating point exception in parse_tiff_ifd in dcraw through 9.28 could
be used by attackers able to supply malicious files to crash an application that bundles the dcraw code.
------------------------------------------
[Additional Information]
fourth issue in list
------------------------------------------
[VulnerabilityType Other]
crash
------------------------------------------
[Vendor of Product]
Dave Coffin
------------------------------------------
[Affected Product Code Base]
dcraw - 9.28
------------------------------------------
[Affected Component]
dcraw
------------------------------------------
[Attack Type]
Local
------------------------------------------
[Impact Denial of Service]
true
------------------------------------------
[Attack Vectors]
attackers able to supply crafted files
------------------------------------------
[Reference]
https://seclists.org/oss-sec/2018/q4/165
https://seclists.org/oss-sec/2018/q4/171
------------------------------------------
[Discoverer]
Hanno Boeck
Use CVE-2018-19567.
Post by Hanno Böck
[Suggested description]
A floating point exception in kodak_radc_load_raw in dcraw through 9.28
could be used by attackers able to supply malicious files to crash
an application that bundles the dcraw code.
------------------------------------------
[Additional Information]
last issue in post
------------------------------------------
[VulnerabilityType Other]
crash
------------------------------------------
[Vendor of Product]
Dave Coffin
------------------------------------------
[Affected Product Code Base]
dcraw - 9.28
------------------------------------------
[Affected Component]
dcraw
------------------------------------------
[Attack Type]
Local
------------------------------------------
[Impact Denial of Service]
true
------------------------------------------
[Attack Vectors]
attackers able to supply crafted raw images
------------------------------------------
[Reference]
https://seclists.org/oss-sec/2018/q4/165
https://seclists.org/oss-sec/2018/q4/171
------------------------------------------
[Discoverer]
Hanno Boeck
Use CVE-2018-19568.


--
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
http://cve.mitre.org/cve/request_id.html ]
