1652610 – There is a heap-buffer-overflow at liblas::SpatialReference::GetGTIF()(src/spatialreference.cpp:518) in libLAS while will cause dos attack.

Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.

Bug 1652610 - There is a heap-buffer-overflow at liblas::SpatialReference::GetGTIF()(src/spatialreference.cpp:518) in libLAS while will cause dos attack.

Summary: There is a heap-buffer-overflow at liblas::SpatialReference::GetGTIF()(src/sp...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	liblas
Sub Component:
Version:	31
Hardware:	All
OS:	All
Priority:	unspecified
Severity:	urgent
Target Milestone:	---
Assignee:	Sandro Mani
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-11-22 13:15 UTC by shuitao gan
Modified:	2020-04-25 03:00 UTC (History)
CC List:	1 user (show)
Fixed In Version:	liblas-1.8.1-5.fc32 liblas-1.8.1-5.fc31
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-04-25 02:22:29 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
./las2pg POC1 (440 bytes, application/octet-stream) 2018-11-22 13:15 UTC, shuitao gan	no flags	Details
View All

Description shuitao gan 2018-11-22 13:15:05 UTC

Created attachment 1507936 [details]
./las2pg POC1

version: libLAS2.4
Summary: 

There is a heap-buffer-overflow at liblas::SpatialReference::GetGTIF()(src/spatialreference.cpp:518) in libLAS while will cause dos attack.

Description:

The gdb debug is as follows:

$./las2pg POC1 

=================================================================
==40200==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x60600000e400 at pc 0x7ff597100d95 bp 0x7fff485354b0 sp 0x7fff48534c58
READ of size 262208 at 0x60600000e400 thread T0
    #0 0x7ff597100d94 in __asan_memcpy (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cd94)
    #1 0x7ff596bf5ffd in ST_SetKey (/usr/lib/x86_64-linux-gnu/libgeotiff.so.2+0x16ffd)
    #2 0x7ff595c23475 in liblas::SpatialReference::GetGTIF() /home/company/real_sanitize/libLAS-master/src/spatialreference.cpp:518
    #3 0x7ff595c25681 in liblas::SpatialReference::SpatialReference(std::vector<liblas::VariableRecord, std::allocator<liblas::VariableRecord> > const&) /home/company/real_sanitize/libLAS-master/src/spatialreference.cpp:102
    #4 0x7ff595c7bd58 in liblas::detail::reader::Header::ReadVLRs() /home/company/real_sanitize/libLAS-master/src/detail/reader/header.cpp:389
    #5 0x7ff595c7f53d in liblas::detail::reader::Header::ReadHeader() /home/company/real_sanitize/libLAS-master/src/detail/reader/header.cpp:272
    #6 0x7ff595bc91f6 in liblas::ReaderFactory::CreateWithStream(std::istream&) /home/company/real_sanitize/libLAS-master/src/factory.cpp:92
    #7 0x7ff596e47d4f in LASReader_Create /home/company/real_sanitize/libLAS-master/src/c_api.cpp:248
    #8 0x403701 in main /home/company/real_sanitize/libLAS-master/apps/las2pg.c:424
    #9 0x7ff596835a3f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x20a3f)
    #10 0x404b88 in _start (/home/company/real_sanitize/libLAS-master/build/install/bin/las2pg+0x404b88)

0x60600000e400 is located 0 bytes to the right of 64-byte region [0x60600000e3c0,0x60600000e400)
allocated by thread T0 here:
    #0 0x7ff59710d8b2 in operator new(unsigned long) (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x998b2)
    #1 0x7ff595c2362b in __gnu_cxx::new_allocator<unsigned char>::allocate(unsigned long, void const*) /usr/include/c++/5/ext/new_allocator.h:104
    #2 0x7ff595c2362b in __gnu_cxx::__alloc_traits<std::allocator<unsigned char> >::allocate(std::allocator<unsigned char>&, unsigned long) /usr/include/c++/5/ext/alloc_traits.h:182
    #3 0x7ff595c2362b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_allocate(unsigned long) /usr/include/c++/5/bits/stl_vector.h:170
    #4 0x7ff595c2362b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_M_create_storage(unsigned long) /usr/include/c++/5/bits/stl_vector.h:185
    #5 0x7ff595c2362b in std::_Vector_base<unsigned char, std::allocator<unsigned char> >::_Vector_base(unsigned long, std::allocator<unsigned char> const&) /usr/include/c++/5/bits/stl_vector.h:136
    #6 0x7ff595c2362b in std::vector<unsigned char, std::allocator<unsigned char> >::vector(std::vector<unsigned char, std::allocator<unsigned char> > const&) /usr/include/c++/5/bits/stl_vector.h:320
    #7 0x7ff595c2362b in liblas::SpatialReference::GetGTIF() /home/company/real_sanitize/libLAS-master/src/spatialreference.cpp:496
    #8 0x7fff48535adf  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow ??:0 __asan_memcpy
Shadow bytes around the buggy address:
  0x0c0c7fff9c30: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c40: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c50: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c60: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c0c7fff9c70: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
=>0x0c0c7fff9c80:[fa]fa fa fa 00 00 00 00 00 00 00 00 fa fa fa fa
  0x0c0c7fff9c90: 00 00 00 00 00 00 00 00 fa fa fa fa fd fd fd fd
  0x0c0c7fff9ca0: fd fd fd fd fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c0c7fff9cb0: fa fa fa fa fd fd fd fd fd fd fd fd fa fa fa fa
  0x0c0c7fff9cc0: fd fd fd fd fd fd fd fd fa fa fa fa fd fd fd fd
  0x0c0c7fff9cd0: fd fd fd fd fa fa fa fa fd fd fd fd fd fd fd fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07 
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
==40200==ABORTING

Comment 1 Ben Cotton 2019-08-13 16:50:21 UTC

This bug appears to have been reported against 'rawhide' during the Fedora 31 development cycle.
Changing version to '31'.

Comment 2 Fedora Admin XMLRPC Client 2020-03-04 04:18:56 UTC

This package has changed maintainer in the Fedora.
Reassigning to the new maintainer of this component.

Comment 3 Fedora Admin XMLRPC Client 2020-04-14 16:43:17 UTC

This package has changed maintainer in the Fedora.
Reassigning to the new maintainer of this component.

Comment 4 Fedora Update System 2020-04-14 20:14:13 UTC

FEDORA-2020-6dbbecb893 has been submitted as an update to Fedora 32. https://bodhi.fedoraproject.org/updates/FEDORA-2020-6dbbecb893

Comment 5 Fedora Update System 2020-04-14 20:14:14 UTC

FEDORA-2020-b0695fcdf7 has been submitted as an update to Fedora 31. https://bodhi.fedoraproject.org/updates/FEDORA-2020-b0695fcdf7

Comment 6 Fedora Update System 2020-04-15 19:57:53 UTC

FEDORA-2020-b0695fcdf7 has been pushed to the Fedora 31 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-b0695fcdf7`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-b0695fcdf7

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 7 Fedora Update System 2020-04-16 19:27:55 UTC

FEDORA-2020-6dbbecb893 has been pushed to the Fedora 32 testing repository.
In short time you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2020-6dbbecb893`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2020-6dbbecb893

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 8 Fedora Update System 2020-04-25 02:22:29 UTC

FEDORA-2020-6dbbecb893 has been pushed to the Fedora 32 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 9 Fedora Update System 2020-04-25 03:00:43 UTC

FEDORA-2020-b0695fcdf7 has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.