Mageia Bugzilla – Attachment 11382 Details for Bug 25767
sdl2_image new security issues CVE-2019-505[12789], CVE-2019-5060, CVE-2019-1221[6-9], CVE-2019-1222[0-2], CVE-2019-13616
Condensed summary of POC tests
poc.report (text/plain), 3.29 KB, created by Len Lawrence on 2019-11-29 23:29:01 CET
Description: Condensed summary of POC tests
Filename: poc.report
MIME Type: text/plain
Creator: Len Lawrence
Created: 2019-11-29 23:29:01 CET
Size: 3.29 KB
*Before*

Drew a blank on these: CVE-2019-505{1,2,7,8,9}
--------------
CVE-2019-12217
https://bugzilla.suse.com/show_bug.cgi?id=1135787&_ga=2.262025354.643081695.1575055583-469163329.1575055583

$ gcc -o loadtif loadtif.c -lSDL2_image -I/usr/include/SDL2 -lSDL2
$ valgrind ./loadtif CVE-2019-12217.pcx
[...]
==8675== by 0x40116D: main (in /data/qa/sdl2_image/loadtif)
==8675== Address 0x0 is not stack'd, malloc'd or (recently) free'd
[...]
Segmentation fault (core dumped)
--------------
CVE-2019-12218
https://bugzilla.suse.com/show_bug.cgi?id=1135789&_ga=2.133152137.643081695.1575055583-469163329.1575055583

$ valgrind ./loadtif CVE-2019-12218.pcx
Generated a stackdump similar to the above, and a segfault.
--------------
CVE-2019-12220
https://bugzilla.suse.com/show_bug.cgi?id=1135806&_ga=2.229121051.643081695.1575055583-469163329.1575055583
Compiled foo.c. Note that file name is hard-coded.

$ valgrind ./foo
[...]
==10766== Syscall param read(buf) points to unaddressable byte(s)
==10766== at 0x4AE8351: read (in /usr/lib64/libc-2.29.so)
[...]
==10766== ERROR SUMMARY: 74 errors from 3 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
--------------
CVE-2019-12221
https://bugzilla.suse.com/show_bug.cgi?id=1135796&_ga=2.200152105.643081695.1575055583-469163329.1575055583
Compiled xx.c.

$ valgrind ./xx
[...]
==5277== Invalid write of size 8
==5277== at 0x483B6B3: memmove (vg_replace_strmem.c:1271)
[...]
==5277== ERROR SUMMARY: 13 errors from 6 contexts (suppressed: 0 from 0)
Segmentation fault (core dumped)
--------------
CVE-2019-12222
https://bugzilla.suse.com/show_bug.cgi?id=1136101&_ga=2.262754699.643081695.1575055583-469163329.1575055583
This uses loadtif.c.

$ valgrind ./loadtif a.12222
[...]
==13350== Invalid write of size 1
==13350== at 0x483C265: mempcpy (vg_replace_strmem.c:1537)
[...]
==13350== by 0x40116D: main (in /data/qa/sdl2_image/loadtif)
==13350== Address 0x531426f is 3,775 bytes inside an unallocated block of size 961,584 in arena "client"
[...]
valgrind: Heap block lo/hi size mismatch: lo = 192, hi = 8324794453952823552.
This is probably caused by your program erroneously writing past the
end of a heap block and corrupting heap metadata. If you fix any
invalid writes reported by Memcheck, this assertion failure will
probably go away. Please try that before reporting this as a bug.

There are some differences from the upstream report but this is very similar.
--------------
CVE-2019-13616
No leads.

Deleted the core dumps and updated from testing.

Recompiled the test scripts and retested the POC.
*Afterwards*
--------------
CVE-2019-12217
$ valgrind ./loadtif CVE-2019-12217.pcx
No errors reported.

--------------
CVE-2019-12218
$ valgrind ./loadtif CVE-2019-12218.pcx
No errors.

--------------
CVE-2019-12220
$ valgrind ./foo
[...]
==30305== Argument 'nmemb' of function calloc has a fishy (possibly negative) value: -2815
[...]
==30305== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

Something similar was reported upstream.
--------------
CVE-2019-12221
$ valgrind ./xx
No errors.

--------------
CVE-2019-12222
$ valgrind ./loadtif a.12222
[...]
==21111== Argument 'nmemb' of function calloc has a fishy (possibly negative) value: -25344
[...]
==21111== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

These results all look good.
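The report above compares valgrind runs of each PoC before and after the update by reading the logs by hand. As an added example, not part of the attachment or of the sdl2_image project, the script below automates that comparison: it runs a loader binary over each PoC file under valgrind and reduces every log to one verdict line (clean, fishy, errors, or aborted when valgrind itself bails out, as it did on the heap lo/hi size mismatch before the update). The loader name ./loadtif and the PoC file names are taken from the report; the function names, the verdict scheme and the sample log snippets are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example (not part of the attachment): before/after regression check
# for PoC image files under valgrind. Assumes a loader such as ./loadtif that
# takes one file argument, as invoked in the report.

# classify_valgrind_log: read a memcheck log on stdin, print "<verdict> <count>":
#   clean   - ERROR SUMMARY shows 0 errors
#   fishy   - only "fishy" allocation-argument warnings remain (as after the update)
#   errors  - invalid reads/writes, unaddressable syscall params, etc.
#   aborted - no ERROR SUMMARY at all (valgrind itself gave up, e.g. on the
#             "Heap block lo/hi size mismatch" assertion seen before the update)
classify_valgrind_log() {
    cv_log=$(cat)
    cv_summary=$(printf '%s\n' "$cv_log" | grep 'ERROR SUMMARY:' | tail -n 1)
    if [ -z "$cv_summary" ]; then
        echo "aborted -"
        return 0
    fi
    cv_count=$(printf '%s\n' "$cv_summary" | sed 's/.*ERROR SUMMARY: \([0-9][0-9]*\) errors.*/\1/')
    if [ "$cv_count" -eq 0 ]; then
        echo "clean 0"
    elif printf '%s\n' "$cv_log" | grep -Eq 'Invalid (read|write)|unaddressable|uninitialised'; then
        echo "errors $cv_count"
    elif printf '%s\n' "$cv_log" | grep -q 'fishy'; then
        echo "fishy $cv_count"
    else
        echo "errors $cv_count"
    fi
}

# run_poc LOADER FILE: run one PoC under valgrind and print its verdict.
# --error-exitcode makes memcheck errors visible in the exit status as well;
# a crash of the loader itself shows up as the usual 128+signal status.
run_poc() {
    rp_loader=$1
    rp_file=$2
    rp_log=$(mktemp)
    if valgrind --error-exitcode=42 --log-file="$rp_log" "$rp_loader" "$rp_file" >/dev/null 2>&1; then
        rp_status=0
    else
        rp_status=$?
    fi
    printf '%s: %s (exit %s)\n' "$rp_file" "$(classify_valgrind_log < "$rp_log")" "$rp_status"
    rm -f "$rp_log"
}

# Constructed sample logs, trimmed from the valgrind lines quoted in the
# report, so the classifier can be exercised without the PoC files present.
sample_log_before() {
    cat <<'EOF'
==5277== Invalid write of size 8
==5277==    at 0x483B6B3: memmove (vg_replace_strmem.c:1271)
==5277== ERROR SUMMARY: 13 errors from 6 contexts (suppressed: 0 from 0)
EOF
}
sample_log_after() {
    cat <<'EOF'
==30305== Argument 'nmemb' of function calloc has a fishy (possibly negative) value: -2815
==30305== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
EOF
}
sample_log_aborted() {
    cat <<'EOF'
==13350== Invalid write of size 1
valgrind: Heap block lo/hi size mismatch: lo = 192, hi = 8324794453952823552.
EOF
}

# Usage: sh poc_check.sh ./loadtif CVE-2019-12217.pcx CVE-2019-12218.pcx a.12222
# Run it once before and once after the update and diff the two outputs.
if [ "$#" -ge 2 ]; then
    pc_loader=$1
    shift
    for pc_file in "$@"; do
        run_poc "$pc_loader" "$pc_file"
    done
fi
```

The verdict line deliberately separates "fishy" from "errors": after the update the report still shows one fishy calloc argument per run, which is worth tracking upstream but is a different finding from the invalid writes and segfaults seen before, so a plain "any errors at all" check would hide the improvement.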