diff options
Diffstat (limited to 'bugs/README.md')
| -rw-r--r-- | bugs/README.md | 335 |
1 files changed, 335 insertions, 0 deletions
diff --git a/bugs/README.md b/bugs/README.md new file mode 100644 index 0000000..e2adcab --- /dev/null +++ b/bugs/README.md @@ -0,0 +1,335 @@ +# Bug reproducers + +## GNU Binary Utilities + +- CVE-2017-6965: [heap buffer overflow][sourceware-21137] + + guix shell binutils-with-asan@2.27 + readelf -w cve/2017/6965/bug_3 + +- CVE-2017-14745: [integer overflow][sourceware-22148] + + guix shell binutils@2.29 + objdump -d cve/2017/14745/crash_1 + +- CVE-2017-14939: [heap buffer overflow][sourceware-22169] + + guix shell binutils-with-asan@2.29 + nm -l cve/2017/14939/heapoverflow + +- CVE-2017-14940: [null pointer dereference][sourceware-22167] + + guix shell binutils@2.29 + nm -l cve/2017/14940/nullderef + +- CVE-2017-15020: [heap buffer overflow][sourceware-22202] + + guix shell binutils-with-asan@2.29 + nm -l cve/2017/15020/reproducer + +- CVE-2017-15025: [division by zero][sourceware-22186] + + guix shell binutils@2.29 + nm -l cve/2017/15025/3899.crashes.bin + nm -l cve/2017/15025/floatexception.elf + objdump -S cve/2017/15025/floatexception.elf + +- CVE-2017-15938: [invalid memory read][sourceware-22209] + + guix shell binutils-with-asan@2.29 + nm -l cve/2017/15938/invalidread + +- CVE-2018-10372: [heap buffer overflow][sourceware-23064] + + guix shell binutils-with-asan@2.30 + readelf -w cve/2018/10372/bug3 + +- CVE-2019-9077: [heap buffer overflow][sourceware-24243] + + guix shell binutils-with-asan@2.32 + readelf -a cve/2019/9077/hbo2 + +## GNU Core Utilities + +- #19784: [heap buffer overflow][gnu-19784] + + guix shell coreutils-with-make-prime-list-with-asan@8.23 + make-prime-list 3 # or: $(xargs -0 -a gnu/19784/argv) + +- #25003: [negative size param][gnu-25003] + + guix shell coreutils-with-asan@8.26-sans-4954f79 + split -n2/3 /dev/null # or: $(xargs -0 -a gnu/25003/argv) + +- #25023: [global buffer overflow][gnu-25023] + + guix shell coreutils-with-asan@8.25 + pr -m -S"$(printf '\t\t\t')" -t /dev/null /dev/zero + +- #26545: [memcpy param overlap][gnu-26545] + + guix shell coreutils-with-asan@8.27 + shred -n4 -s7 /dev/null # or: $(xargs -0 -a gnu/26545/argv) + +## JasPer + +- CVE-2016-8691: [divide-by-zero][jasper-22] + + guix shell jasper@1.900.3 + imginfo -f cve/2016/8691/11.crash + +- CVE-2016-9387: [assertion failure][jasper-49] + + guix shell jasper@1.900.5 + imginfo -f cve/2016/9387/jas_matrix.jp2 + +- CVE-2016-9557: [signed integer overflow][jasper-67] + + guix shell jasper-with-ubsan@1.900.19 + imginfo -f cve/2016/9557/signed-int-overflow.jp2 + +## libarchive + +- CVE-2016-5844: [signed integer overflow][libarchive-717] + + guix shell libarchive-with-ubsan@3.2.0 + bsdtar -tf cve/2016/5844/libarchive-signed-int-overflow.iso + +## libjpeg-turbo + +- CVE-2012-2806: [heap buffer overflow][chromium-40058947] + + guix shell libjpeg-turbo-with-asan@1.2.0 + djpeg cve/2012/2806/cnode0006-heap-buffer-overflow-796.jpg + +- CVE-2017-15232: [null pointer dereference][mozjpeg-268] + + guix shell libjpeg-turbo@1.5.2 + djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8\ + -targa -grayscale -outfile /dev/null cve/2017/15232/1.jpg + djpeg -crop "1x1+16+16" -onepass -dither ordered -dct float -colors 8\ + -targa -grayscale -outfile /dev/null cve/2017/15232/2.jpg + +- CVE-2018-14498: [heap buffer overflow][libjpeg-turbo-258] + + guix shell libjpeg-turbo-with-asan@1.5.3 + cjpeg -outfile /dev/null cve/2018/14498/hbo_rdbmp.c:209_1.bmp + cjpeg -outfile /dev/null cve/2018/14498/hbo_rdbmp.c:209_2.bmp + cjpeg -outfile /dev/null cve/2018/14498/hbo_rdbmp.c:210_1.bmp + cjpeg -outfile /dev/null cve/2018/14498/hbo_rdbmp.c:211_1.bmp + cjpeg -outfile /dev/null cve/2018/14498/hbo_rdbmp.c:211_2.bmp + +- CVE-2018-19664: [heap buffer overflow][libjpeg-turbo-305] + + guix shell libjpeg-turbo-with-asan@2.0.1 + djpeg -colors 256 -bmp cve/2018/19664/heap-buffer-overflow-2.jpg + +## libming + +- CVE-2016-9265: [division by zero][oss-sec-20161110-9] + + guix shell libming@0.4.7 + listmp3 cve/2016/9265/34.mp3 + listmp3 cve/2016/9265/45.mp3 + +- CVE-2018-8806: [use after free][libming-128] + + guix shell libming-with-asan@0.4.8 + swftophp cve/2018/8806/heap-use-after-free.swf + +- CVE-2018-8964: [use after free][libming-130] + + guix shell libming-with-asan@0.4.8 + swftophp cve/2018/8964/heap-use-after-free.swf + +## libtiff + +- BZ#2633: [heap buffer overflow][maptools-2633]: + + guix shell libtiff-with-asan@4.0.7 + tiff2ps maptools/2633/heapoverflow.tiff + +- CVE-2014-8128: [buffer overflow][maptools-2489] + + guix shell libtiff@4.0.3 + thumbnail cve/2014/8128/03_thumbnail.tiff /dev/null + +- CVE-2016-3186: [buffer overflow][redhat-1319503] + + guix shell libtiff@4.0.6 + gif2tiff cve/2016/3186/crash.gif - + +- CVE-2016-3623: [division by zero][maptools-2569] + + guix shell libtiff@4.0.6 + tar xvf $(guix build -S libtiff@4.0.6)\ + tiff-4.0.6/test/images/logluv-3c-16b.tiff + rgb2ycbcr -h 0 tiff-4.0.6/test/images/logluv-3c-16b.tiff /dev/null + rgb2ycbcr -v 0 tiff-4.0.6/test/images/logluv-3c-16b.tiff /dev/null + +- CVE-2016-5314: [heap buffer overflow][maptools-2554] + + guix shell libtiff-with-asan@4.0.6 + rgb2ycbcr cve/2016/5314/oobw.tiff /dev/null + +- CVE-2016-5321: [invalid read][maptools-2558] + + guix shell libtiff@4.0.6 + tiffcrop cve/2016/5321/ill-read.tiff /dev/null + +- CVE-2016-9273: [heap buffer overflow][maptools-2587] + + guix shell libtiff-with-asan@4.0.6 + tiffsplit cve/2016/9273/test049.tiff + +- CVE-2016-9532: [heap buffer overflow][maptools-2592] + + guix shell libtiff-with-asan@4.0.6 + tiffcrop cve/2016/9532/heap-buffer-overflow.tiff /dev/null + +- CVE-2016-10092: [heap buffer overflow][maptools-2622] + + guix shell libtiff-with-asan@4.0.7 + tiffcrop -i cve/2016/10092/heapoverflow.tiff /dev/null + +- CVE-2016-10093: [heap buffer overflow][maptools-2610] + + guix shell libtiff-with-asan@4.0.7 + tiffcp -i cve/2016/10093/heapoverflow.tiff /dev/null + +- CVE-2016-10094: [heap buffer overflow][maptools-2640] + + guix shell libtiff-with-asan@4.0.7 + tiff2pdf cve/2016/10094/heapoverflow.tiff -o /dev/null + +- CVE-2016-10266: [division by zero][maptools-2596] + + guix shell libtiff@4.0.7 + tiffcp cve/2016/10266/fpe.tiff /dev/null + +- CVE-2016-10267: [division by zero][maptools-2611] + + guix shell libtiff@4.0.7 + tiffmedian cve/2016/10267/fpe.tiff /dev/null + +- CVE-2016-10268: [heap buffer overflow][maptools-2598] + + guix shell libtiff-with-asan@4.0.7 + tiffcp -i cve/2016/10268/heapoverflow.tiff /dev/null + +- CVE-2016-10271: [heap buffer overflow][maptools-2620] + + guix shell libtiff-with-asan@4.0.7 + tiffcrop -i cve/2016/10271/heapoverflow.tiff /dev/null + +- CVE-2016-10272: [heap buffer overflow][maptools-2624] + + guix shell libtiff-with-asan@4.0.7 + tiffcrop -i cve/2016/10272/heapoverflow.tiff /dev/null + +- CVE-2017-5225: [heap buffer overflow][maptools-2656] + + guix shell libtiff-with-asan@4.0.7 + tiffcp -p separate cve/2017/5225/2656.tiff /dev/null + tiffcp -p contig cve/2017/5225/2657.tiff /dev/null + +- CVE-2017-7595: [division by zero][maptools-2653] + + guix shell libtiff@4.0.7 + tiffcp -i cve/2017/7595/fpe.tiff /dev/null + +- cve-2017-7599: [float cast overflow][maptools-2646] + + guix shell libtiff-with-ubsan-float-cast-overflow@4.0.7 + tiffcp -i cve/2017/7599/outside-short.tiff /dev/null + +- cve-2017-7600: [float cast overflow][maptools-2647] + + guix shell libtiff-with-ubsan-float-cast-overflow@4.0.7 + tiffcp -i cve/2017/7600/outside-unsigned-char.tiff /dev/null + +- CVE-2017-7601: [signed integer overflow][maptools-2648] + + guix shell libtiff-with-ubsan@4.0.7 + tiffcp -i cve/2017/7601/shift-long.tiff /dev/null + +## libxml2 + +- CVE-2012-5134: [heap buffer overflow][chromium-40076524] + + guix shell libxml2-with-asan@2.9.0 + xmllint cve/2012/5134/bad.xml + +- CVE-2016-1838: [heap buffer overflow][chromium-42452154] + + guix shell libxml2-with-asan@2.9.3 + xmllint cve/2016/1838/attachment_316158 + +- CVE-2016-1839: [heap buffer overflow][chromium-42452152] + + guix shell libxml2-with-asan@2.9.3 + xmllint --html cve/2016/1839/asan_heap-oob + +- CVE-2017-5969: [null pointer derefence][oss-sec-20161105-3] + + guix shell libxml2@2.9.4 + xmllint --recover cve/2017/5969/crash-libxml2-recover.xml + +## potrace + +- CVE-2013-7437: [possible heap overflow][redhat-955808] + + guix shell potrace@1.11 + potrace cve/2013/7437/1.bmp + potrace cve/2013/7437/2.bmp + +[chromium-40058947]: https://issues.chromium.org/issues/40058947 +[chromium-40076524]: https://issues.chromium.org/issues/40076524 +[chromium-42452152]: https://project-zero.issues.chromium.org/issues/42452152 +[chromium-42452154]: https://project-zero.issues.chromium.org/issues/42452154 +[gnu-19784]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=19784 +[gnu-25003]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=25003 +[gnu-25023]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=25023 +[gnu-26545]: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=26545 +[jasper-22]: https://github.com/jasper-software/jasper/issues/22 +[jasper-49]: https://github.com/jasper-software/jasper/issues/49 +[jasper-67]: https://github.com/jasper-software/jasper/issues/67 +[libarchive-717]: https://github.com/libarchive/libarchive/issues/717 +[libjpeg-turbo-258]: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/258 +[libjpeg-turbo-305]: https://github.com/libjpeg-turbo/libjpeg-turbo/issues/305 +[libming-128]: https://github.com/libming/libming/issues/128 +[libming-130]: https://github.com/libming/libming/issues/130 +[maptools-2489]: http://bugzilla.maptools.org/show_bug.cgi?id=2489 +[maptools-2554]: http://bugzilla.maptools.org/show_bug.cgi?id=2554 +[maptools-2558]: http://bugzilla.maptools.org/show_bug.cgi?id=2558 +[maptools-2569]: http://bugzilla.maptools.org/show_bug.cgi?id=2569 +[maptools-2587]: http://bugzilla.maptools.org/show_bug.cgi?id=2587 +[maptools-2592]: http://bugzilla.maptools.org/show_bug.cgi?id=2592 +[maptools-2596]: http://bugzilla.maptools.org/show_bug.cgi?id=2596 +[maptools-2598]: http://bugzilla.maptools.org/show_bug.cgi?id=2598 +[maptools-2610]: http://bugzilla.maptools.org/show_bug.cgi?id=2610 +[maptools-2611]: http://bugzilla.maptools.org/show_bug.cgi?id=2611 +[maptools-2620]: http://bugzilla.maptools.org/show_bug.cgi?id=2620 +[maptools-2622]: http://bugzilla.maptools.org/show_bug.cgi?id=2622 +[maptools-2624]: http://bugzilla.maptools.org/show_bug.cgi?id=2624 +[maptools-2633]: http://bugzilla.maptools.org/show_bug.cgi?id=2633 +[maptools-2640]: http://bugzilla.maptools.org/show_bug.cgi?id=2640 +[maptools-2646]: http://bugzilla.maptools.org/show_bug.cgi?id=2646 +[maptools-2647]: http://bugzilla.maptools.org/show_bug.cgi?id=2647 +[maptools-2648]: http://bugzilla.maptools.org/show_bug.cgi?id=2648 +[maptools-2653]: http://bugzilla.maptools.org/show_bug.cgi?id=2653 +[maptools-2656]: http://bugzilla.maptools.org/show_bug.cgi?id=2656 +[mozjpeg-268]: https://github.com/mozilla/mozjpeg/issues/268 +[oss-sec-20161105-3]: https://www.openwall.com/lists/oss-security/2016/11/05/3 +[oss-sec-20161110-9]: https://www.openwall.com/lists/oss-security/2016/11/10/9 +[redhat-955808]: https://bugzilla.redhat.com/show_bug.cgi?id=955808 +[redhat-1319503]: https://bugzilla.redhat.com/show_bug.cgi?id=1319503 +[sourceware-21137]: https://sourceware.org/bugzilla/show_bug.cgi?id=21137 +[sourceware-22148]: https://sourceware.org/bugzilla/show_bug.cgi?id=22148 +[sourceware-22167]: https://sourceware.org/bugzilla/show_bug.cgi?id=22167 +[sourceware-22169]: https://sourceware.org/bugzilla/show_bug.cgi?id=22169 +[sourceware-22186]: https://sourceware.org/bugzilla/show_bug.cgi?id=22186 +[sourceware-22202]: https://sourceware.org/bugzilla/show_bug.cgi?id=22202 +[sourceware-22209]: https://sourceware.org/bugzilla/show_bug.cgi?id=22209 +[sourceware-23064]: https://sourceware.org/bugzilla/show_bug.cgi?id=23064 +[sourceware-24243]: https://sourceware.org/bugzilla/show_bug.cgi?id=24243 |