Use-After-Free bug in HuginBase::ImageVariable<double>::linkWith

Bug #2025035 reported by Heewon Park
| Affects | Status | Importance | Assigned to | Milestone |
| --- | --- | --- | --- | --- |
| Hugin | Fix Released | Undecided | Unassigned | |

Bug Description

Hi there

We want to share that the latest version (2022.0.0) of pto_merge causes a heap-use-after-free.

We assume that the function HuginBase::BaseSrcPanoImage::setFilename in the function HuginBase::PanoramaMemento::loadPTScript tries to access previously freed memory.

Here is the output of the program with AddressSanitizer attached.

### Bug Report
```
=================================================================
==3836==ERROR: AddressSanitizer: heap-use-after-free on address 0x606000001960 at pc 0x7fee211f5506 bp 0x7ffd73f55460 sp 0x7ffd73f55450
READ of size 8 at 0x606000001960 thread T0
    #0 0x7fee211f5505 in HuginBase::PanoramaMemento::loadPTScript(std::istream&, int&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/image_variables.h:79
    #1 0x7fee211fc618 in HuginBase::Panorama::readData(std::istream&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/Panorama.cpp:2178
    #2 0x560fdf074975 in main /home/ubuntu/targets/hugin-2022.0.0_original/src/tools/pto_merge.cpp:99
    #3 0x7fee1e8f0082 in __libc_start_main ../csu/libc-start.c:308
    #4 0x560fdf075c5d in _start (/home/ubuntu/targets/hugin-2022.0.0_original/build/src/tools/pto_merge+0xbc5d)

0x606000001960 is located 32 bytes inside of 57-byte region [0x606000001940,0x606000001979)
freed by thread T0 here:
    #0 0x7fee2169b51f in operator delete(void*) ../../../../src/libsanitizer/asan/asan_new_delete.cc:165
    #1 0x7fee211c97aa in __gnu_cxx::new_allocator<char>::deallocate(char*, unsigned long) /usr/include/c++/9/ext/new_allocator.h:128
    #2 0x7fee211c97aa in std::allocator_traits<std::allocator<char> >::deallocate(std::allocator<char>&, char*, unsigned long) /usr/include/c++/9/bits/alloc_traits.h:469
    #3 0x7fee211c97aa in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_destroy(unsigned long) /usr/include/c++/9/bits/basic_string.h:241
    #4 0x7fee211c97aa in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_dispose() /usr/include/c++/9/bits/basic_string.h:236
    #5 0x7fee211c97aa in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::~basic_string() /usr/include/c++/9/bits/basic_string.h:662
    #6 0x7fee211c97aa in HuginBase::BaseSrcPanoImage::setFilename(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/image_variables.h:62
    #7 0x7fee211c97aa in HuginBase::PanoramaMemento::loadPTScript(std::istream&, int&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/Panorama.cpp:3133
    #8 0x7fee211fc618 in HuginBase::Panorama::readData(std::istream&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/Panorama.cpp:2178
    #9 0x560fdf074975 in main /home/ubuntu/targets/hugin-2022.0.0_original/src/tools/pto_merge.cpp:99
    #10 0x7fee1e8f0082 in __libc_start_main ../csu/libc-start.c:308

previously allocated by thread T0 here:
    #0 0x7fee2169a587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
    #1 0x560fdf07f9b8 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*, char*, std::forward_iterator_tag) /usr/include/c++/9/bits/basic_string.tcc:219
    #2 0x7fee211c9736 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct_aux<char*>(char*, char*, std::__false_type) /usr/include/c++/9/bits/basic_string.h:251
    #3 0x7fee211c9736 in void std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::_M_construct<char*>(char*, char*) /usr/include/c++/9/bits/basic_string.h:270
    #4 0x7fee211c9736 in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >::basic_string(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /usr/include/c++/9/bits/basic_string.h:455
    #5 0x7fee211c9736 in HuginBase::BaseSrcPanoImage::setFilename(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/image_variables.h:62
    #6 0x7fee211c9736 in HuginBase::PanoramaMemento::loadPTScript(std::istream&, int&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/Panorama.cpp:3133
    #7 0x7fee211fc618 in HuginBase::Panorama::readData(std::istream&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/Panorama.cpp:2178
    #8 0x560fdf074975 in main /home/ubuntu/targets/hugin-2022.0.0_original/src/tools/pto_merge.cpp:99
    #9 0x7fee1e8f0082 in __libc_start_main ../csu/libc-start.c:308

SUMMARY: AddressSanitizer: heap-use-after-free /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/image_variables.h:79 in HuginBase::PanoramaMemento::loadPTScript(std::istream&, int&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)
Shadow bytes around the buggy address:
  0x0c0c7fff82d0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff82e0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c7fff82f0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff8300: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff8310: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
=>0x0c0c7fff8320: fd fd fd fd fa fa fa fa fd fd fd fd[fd]fd fd fd
  0x0c0c7fff8330: fa fa fa fa 00 00 00 00 00 00 00 01 fa fa fa fa
  0x0c0c7fff8340: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c7fff8350: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fd
  0x0c0c7fff8360: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff8370: 00 00 00 00 00 00 00 01 fa fa fa fa fd fd fd fd
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable: 00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone: fa
  Freed heap region: fd
  Stack left redzone: f1
  Stack mid redzone: f2
  Stack right redzone: f3
  Stack after return: f5
  Stack use after scope: f8
  Global redzone: f9
  Global init order: f6
  Poisoned by user: f7
  Container overflow: fc
  Array cookie: ac
  Intra object redzone: bb
  ASan internal: fe
  Left alloca redzone: ca
  Right alloca redzone: cb
  Shadow gap: cc
==3836==ABORTING
```

### Environment
OS: Ubuntu 20.04.5 LTS x86_64
Release: hugin 2022.0.0
Program: pto_merge
libhuginbase: 2020.0.0 (retrieved and compiled from source code)
libpano13: 2.9.19
To reproduce the problem, we need to build hugin:

```
sudo cmake -DCMAKE_C_FLAGS="-g" -DCMAKE_CXX_FLAGS="-g" ..
```

### How to reproduce
```
$ pto_merge poc-file *.jpg
```

(`*.jpg`: any name of a jpg file, including the asterisk (*))

poc-file is attached.
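The trace above shows a `std::string` buffer released inside `setFilename` (the `~basic_string` frame) and then read again from `loadPTScript` a few lines later, which is the classic "cached pointer into a string that was since replaced" defect. The following is an added example, not Hugin's code and not the reporter's proof of concept: `SrcImage`, its swap-based `setFilename`, and the inferred caller pattern are assumptions made to mirror the shape of the report, and the real `HuginBase` classes may differ. It places the defective pattern beside the hardened form and adds a pointer-relocation check that shows why the cached pointer goes stale without ever dereferencing freed memory.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <string>
#include <utility>

// Constructed stand-in for an image record with a filename member. This is
// not Hugin's code: the real types are HuginBase::BaseSrcPanoImage and
// ImageVariable<T>; only the accessor/mutator shape suggested by the trace
// is mirrored here.
class SrcImage {
public:
    explicit SrcImage(std::string name) : m_filename(std::move(name)) {}

    // Hands out a reference into the object. Anything derived from it
    // (c_str(), data(), iterators, string_view) is valid only until the
    // next setter call replaces the buffer.
    const std::string& getFilename() const { return m_filename; }

    // By-value parameter swapped in: the old buffer is released when `name`
    // is destroyed at function exit. This is an assumption chosen to match
    // the ~basic_string frame inside setFilename in the "freed by" stack.
    void setFilename(std::string name) { m_filename.swap(name); }

private:
    std::string m_filename;
};

// Shape of the defect. Deliberately never called by main() or the checks:
// built with -fsanitize=address it reports heap-use-after-free as soon as
// the old name is longer than the small-string buffer (cf. the 57-byte
// region in the report), because `stale` points into the freed buffer.
std::size_t rename_unsafe(SrcImage& img, std::string newName) {
    const char* stale = img.getFilename().c_str();  // pointer into current buffer
    img.setFilename(std::move(newName));            // old buffer freed here
    return std::strlen(stale);                      // READ of freed memory
}

// Hardened form: take an owned copy before mutating, then use the copy.
std::string rename_safe(SrcImage& img, std::string newName) {
    std::string previous = img.getFilename();       // owned copy survives the setter
    img.setFilename(std::move(newName));
    return previous;                                // safe to read afterwards
}

// Shows why a cached pointer dangles without dereferencing it: record the
// buffer address before and after the setter as plain integers (so no
// invalid pointer value is ever used). True means a pointer taken before the
// call would now refer to released memory.
bool buffer_relocated(SrcImage& img, std::string newName) {
    const auto before = reinterpret_cast<std::uintptr_t>(img.getFilename().data());
    img.setFilename(std::move(newName));
    const auto after = reinterpret_cast<std::uintptr_t>(img.getFilename().data());
    return before != after;
}

int main() {
    // Constructed names, long enough to be heap-allocated rather than
    // stored inline, like the 57-byte region in the report.
    SrcImage img("/home/user/panorama/input-image-0001.jpg");
    std::string old = rename_safe(img, "/home/user/panorama/input-image-0002.jpg");
    std::cout << "previous: " << old << "\nnow:      " << img.getFilename() << '\n';

    SrcImage img2("/home/user/panorama/input-image-0003.jpg");
    std::cout << "buffer relocated: " << std::boolalpha
              << buffer_relocated(img2, "/home/user/panorama/input-image-0004.jpg") << '\n';
    return 0;
}
```

Two practical notes. First, `rename_unsafe` only misbehaves when the old name exceeds the implementation's small-string optimisation threshold (15 characters in libstdc++), which is why a short test filename can hide the defect and why `buffer_relocated` is exercised with long names. Second, the reporter's cmake line passes only `-g`; to obtain a sanitizer report of the shape shown above, `-fsanitize=address` must also be in `CMAKE_C_FLAGS` and `CMAKE_CXX_FLAGS` (or the equivalent in a standalone `g++ -g -fsanitize=address` build of this example), and calling `rename_unsafe` under such a build produces the same `freed by ... setFilename` / `READ` pairing.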

Heewon Park (3den5eo) wrote :

Heewon Park (3den5eo)
description: updated

tmodes (tmodes) wrote :

Fixed in repository.

Changed in hugin:
milestone: none → 2023.0beta1
status: New → Fix Committed
Heewon Park (3den5eo)
information type: Private Security → Public Security

tmodes (tmodes)
Changed in hugin:
status: Fix Committed → Fix Released

Heewon Park (3den5eo) wrote (last edit ):

Hi there. I am Heewon, and I am writing to you regarding the recent vulnerabilities that our security team identified in Hugin. I appreciate your prompt attention to these matters, and I am pleased that the vulnerabilities have been confirmed and successfully patched by your development team.

To provide a standardized reference for these vulnerabilities within the cybersecurity community, we would like to request the assignment of Common Vulnerabilities and Exposures (CVE) identifiers. These identifiers will help streamline communication and information sharing among security professionals.

Below is a brief summary of the vulnerabilities along with the relevant details:

### CVE-2023-XXX1: [Description of Vulnerability 1]

- Confirmation: Fixed in Hugin 2022.0.0
- Patch: 2023.0beta1 on 2023-06-29 by tmodes user
- url: https://bugs.launchpad.net/hugin/+bug/2025032

### CVE-2023-XXX2: [Description of Vulnerability 2]

- Confirmation: Fixed in Hugin 2022.0.0
- Patch: 2023.0beta1 on 2023-06-29 by tmodes user
- url: https://bugs.launchpad.net/hugin/+bug/2025035

### CVE-2023-XXX3: [Description of Vulnerability 3]

- Confirmation: Fixed in Hugin 2022.0.0
- Patch: 2023.0beta1 on 2023-06-29 by tmodes user
- url: https://bugs.launchpad.net/hugin/+bug/2025036

### CVE-2023-XXX4: [Description of Vulnerability 4]

- Confirmation: Fixed in Hugin 2022.0.0
- Patch: 2023.0beta1 on 2023-06-29 by tmodes user
- url: https://bugs.launchpad.net/hugin/+bug/2025037

### CVE-2023-XXX5: [Description of Vulnerability 5]

- Confirmation: Fixed in Hugin 2022.0.0
- Patch: 2023.0beta1 on 2023-06-29 by tmodes user
- url: https://bugs.launchpad.net/hugin/+bug/2025038

We kindly request that you forward this information to the appropriate party responsible for CVE assignments within your organization. If your organization has a designated CVE Numbering Authority (CNA), please let us know the preferred process for CVE assignment.

Additionally, we have submitted the same request to MITRE Corporation and CERT/CC, the primary CVE Numbering Authority, for their consideration. However, CERT/CC asked us to refer to you for CVE assignments. Please work on this case and let us know which steps to take.

Thank you for your cooperation and commitment to addressing security issues promptly. If you require any further information or clarification, please do not hesitate to reach out.

We look forward to continuing a collaborative approach to enhancing the security of Hugin and appreciate your ongoing dedication to the security and well-being of your users.
