Multiple heap buffer overflows caused by int overflow

Bug #1900983 reported by Kai Dietrich on 2020-10-22
256
This bug affects 1 person
Affects Status Importance Assigned to Milestone
cimg (Ubuntu)
Undecided
Unassigned
gmic (Ubuntu)
Undecided
Unassigned

Bug Description

The CImg library uses an unsafe pattern to calculate memory allocations size. At least in the PNM file format parser, an attacker can trivially supply width/height fields that overflow the heap and result in arbitrary heap writes. This probably also affects other file format parsers in CImg.

The most prominent user of CImg is gmic.
The gmic commandline tool directly exposes the load_pnm() functions (and also the other file format load functions) to the user and thus is affected.

The issue is public and fixed in:
https://github.com/dtschump/CImg/pull/295

Redhat bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1892577
https://bugzilla.redhat.com/show_bug.cgi?id=1893377

CVE References

No CVE assigned yet AFAIK.

summary: - Multiple heap buffer overflows by integer overflow
+ Multiple heap buffer overflows cause by integer overflow
summary: - Multiple heap buffer overflows cause by integer overflow
+ Multiple heap buffer overflows caused by integer overflow
summary: - Multiple heap buffer overflows caused by integer overflow
+ Multiple heap buffer overflows caused by int overflow
description: updated
Eduardo Barretto (ebarretto) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
information type: Private Security → Public Security
Changed in cimg (Ubuntu):
status: New → Confirmed
Changed in gmic (Ubuntu):
status: New → Confirmed
description: updated
description: updated
To post a comment you must log in.
This report contains Public Security information  Edit
Everyone can see this security related information.

Other bug subscribers