hugin-devs team mailing list archive

Thread
Date
[Bug 2025032] Re: Heap-buffer-overflow when adding an image in HuginBase::PanoramaMemento::loadPTScript

To: hugin-devs@xxxxxxxxxxxxxxxxxxx
From: Heewon Park <2025032@xxxxxxxxxxxxxxxxxx>
Date: Wed, 27 Dec 2023 05:26:24 -0000
Reply-to: Bug 2025032 <2025032@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx
Hi there. I am Heewon, and I am writing to you regarding the recent
vulnerabilities that our security team identified in Hugin. I appreciate
your prompt attention to these matters, and I am pleased that the
vulnerabilities have been confirmed and successfully patched by your
development team.

To provide a standardized reference for these vulnerabilities within the
cybersecurity community, we would like to request the assignment of
Common Vulnerabilities and Exposures (CVE) identifiers. These
identifiers will help streamline communication and information sharing
among security professionals.

Below is a brief summary of the vulnerabilities along with the relevant
details:

### CVE-2023-XXX1: [Description of Vulnerability 1]

- Confirmation: Fixed in Hugin 2022.0.0
- Patch:  2023.0beta1 on  2023-06-29 by tmodes user
- url: https://bugs.launchpad.net/hugin/+bug/2025032

### CVE-2023-XXX2: [Description of Vulnerability 2]

- Confirmation: Fixed in Hugin 2022.0.0
- Patch:  2023.0beta1 on  2023-06-29 by tmodes user
- url: [https://bugs.launchpad.net/hugin/+bug/202503](https://bugs.launchpad.net/hugin/+bug/2025032)5

### CVE-2023-XXX3: [Description of Vulnerability 3]

- Confirmation: Fixed in Hugin 2022.0.0
- Patch:  2023.0beta1 on  2023-06-29 by tmodes user
- url: [https://bugs.launchpad.net/hugin/+bug/202503](https://bugs.launchpad.net/hugin/+bug/2025032)6

### CVE-2023-XXX4: [Description of Vulnerability 4]

- Confirmation: Fixed in Hugin 2022.0.0
- Patch:  2023.0beta1 on  2023-06-29 by tmodes user
- url: [https://bugs.launchpad.net/hugin/+bug/202503](https://bugs.launchpad.net/hugin/+bug/2025032)7

### CVE-2023-XXX5: [Description of Vulnerability 5]

- Confirmation: Fixed in Hugin 2022.0.0
- Patch:  2023.0beta1 on  2023-06-29 by tmodes user
- url: [https://bugs.launchpad.net/hugin/+bug/202503](https://bugs.launchpad.net/hugin/+bug/2025032)8

We kindly request that you forward this information to the appropriate
party responsible for CVE assignments within your organization. If your
organization has a designated CVE Numbering Authority (CNA), please let
us know the preferred process for CVE assignment.

Additionally, we have submitted the same request to MITRE Corporation
and CERT/CC, the primary CVE Numbering Authority, for their
consideration. However, CERT/CC asked us to refer to you for CVE
assignments. Please work on this case and let us know which steps to
take.

Thank you for your cooperation and commitment to addressing security
issues promptly. If you require any further information or
clarification, please do not hesitate to reach out.

We look forward to continuing a collaborative approach to enhancing the
security of Hugin and appreciate your ongoing dedication to the security
and well-being of your users.

-- 
You received this bug notification because you are a member of Hugin
Developers, which is subscribed to Hugin.
https://bugs.launchpad.net/bugs/2025032

Title:
  Heap-buffer-overflow when adding an image in
  HuginBase::PanoramaMemento::loadPTScript

Status in Hugin:
  Fix Released

Bug description:
  Hi there

  We want to share that the latest version (2022.0.0) of pto_merge
  causes heap-buffer-overflow.

  The invalid memory allocation may attribute to the excessive values in
  function parameters to the HuginBase::PanoramaMemento::loadPTScript.

  Here is the output of program with address sanitizer attached.

  ### Bug Report
  =================================================================
  ==3616==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000003800 at pc 0x7f3098044709 bp 0x7ffe486d8200 sp 0x7ffe486d81f0
  READ of size 8 at 0x602000003800 thread T0
      #0 0x7f3098044708 in HuginBase::PanoramaMemento::loadPTScript(std::istream&, int&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/image_variables.h:100
      #1 0x7f3098052618 in HuginBase::Panorama::readData(std::istream&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/Panorama.cpp:2178
      #2 0x55cfccdd8975 in main /home/ubuntu/targets/hugin-2022.0.0_original/src/tools/pto_merge.cpp:99
      #3 0x7f3095746082 in __libc_start_main ../csu/libc-start.c:308
      #4 0x55cfccdd9c5d in _start (/home/ubuntu/targets/hugin-2022.0.0_original/build/src/tools/pto_merge+0xbc5d)

  0x602000003800 is located 0 bytes to the right of 16-byte region [0x6020000037f0,0x602000003800)
  allocated by thread T0 here:
      #0 0x7f30984f0587 in operator new(unsigned long) ../../../../src/libsanitizer/asan/asan_new_delete.cc:104
      #1 0x7f309802e9a9 in __gnu_cxx::new_allocator<HuginBase::SrcPanoImage*>::allocate(unsigned long, void const*) /usr/include/c++/9/ext/new_allocator.h:114
      #2 0x7f309802e9a9 in std::allocator_traits<std::allocator<HuginBase::SrcPanoImage*> >::allocate(std::allocator<HuginBase::SrcPanoImage*>&, unsigned long) /usr/include/c++/9/bits/alloc_traits.h:443
      #3 0x7f309802e9a9 in std::_Vector_base<HuginBase::SrcPanoImage*, std::allocator<HuginBase::SrcPanoImage*> >::_M_allocate(unsigned long) /usr/include/c++/9/bits/stl_vector.h:343
      #4 0x7f309802e9a9 in void std::vector<HuginBase::SrcPanoImage*, std::allocator<HuginBase::SrcPanoImage*> >::_M_realloc_insert<HuginBase::SrcPanoImage* const&>(__gnu_cxx::__normal_iterator<HuginBase::SrcPanoImage**, std::vector<HuginBase::SrcPanoImage*, std::allocator<HuginBase::SrcPanoImage*> > >, HuginBase::SrcPanoImage* const&) /usr/include/c++/9/bits/vector.tcc:440
      #5 0x7f309802e9a9 in std::vector<HuginBase::SrcPanoImage*, std::allocator<HuginBase::SrcPanoImage*> >::push_back(HuginBase::SrcPanoImage* const&) /usr/include/c++/9/bits/stl_vector.h:1195
      #6 0x7f309802e9a9 in HuginBase::PanoramaMemento::loadPTScript(std::istream&, int&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/Panorama.cpp:3130
      #7 0x7f3098052618 in HuginBase::Panorama::readData(std::istream&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >) /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/Panorama.cpp:2178
      #8 0x55cfccdd8975 in main /home/ubuntu/targets/hugin-2022.0.0_original/src/tools/pto_merge.cpp:99
      #9 0x7f3095746082 in __libc_start_main ../csu/libc-start.c:308

  SUMMARY: AddressSanitizer: heap-buffer-overflow /home/ubuntu/targets/hugin-2022.0.0_original/src/hugin_base/panodata/image_variables.h:100 in HuginBase::PanoramaMemento::loadPTScript(std::istream&, int&, std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&)
  Shadow bytes around the buggy address:
    0x0c047fff86b0: fa fa 00 00 fa fa 00 00 fa fa 04 fa fa fa 00 00
    0x0c047fff86c0: fa fa 01 fa fa fa 04 fa fa fa 00 00 fa fa 00 fa
    0x0c047fff86d0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
    0x0c047fff86e0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 04 fa
    0x0c047fff86f0: fa fa 00 fa fa fa 00 fa fa fa 01 fa fa fa 00 00
  =>0x0c047fff8700:[fa]fa fd fa fa fa 00 fa fa fa 04 fa fa fa 00 fa
    0x0c047fff8710: fa fa 00 fa fa fa 04 fa fa fa 00 fa fa fa 00 fa
    0x0c047fff8720: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
    0x0c047fff8730: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
    0x0c047fff8740: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 00
    0x0c047fff8750: fa fa 00 00 fa fa 04 fa fa fa 00 00 fa fa 01 fa
  Shadow byte legend (one shadow byte represents 8 application bytes):
    Addressable: 00
    Partially addressable: 01 02 03 04 05 06 07
    Heap left redzone: fa
    Freed heap region: fd
    Stack left redzone: f1
    Stack mid redzone: f2
    Stack right redzone: f3
    Stack after return: f5
    Stack use after scope: f8
    Global redzone: f9
    Global init order: f6
    Poisoned by user: f7
    Container overflow: fc
    Array cookie: ac
    Intra object redzone: bb
    ASan internal: fe
    Left alloca redzone: ca
    Right alloca redzone: cb
    Shadow gap: cc
  ==3616==ABORTING

  ### Envionment
  OS: Ubuntu 20.04.5 LTS x86_64
  Release: hugin 2022.0.0
  Program: pto_merge
  libhuginbase: 2020.0.0 (retrieved and compiled from source code)
  libpano13: 2.9.19
  To reproduce the problem, we need to build hugin:
  sudo cmake -DCMAKE_C_FLAGS="-g" -DCMAKE_CXX_FLAGS="-g" ..

  
  ### How to reproduce
  $ pto_merge poc-file *.jpg
  (*.jpg any name of jpg file including asterisk(*))
  poc-file is attached.

To manage notifications about this bug go to:
https://bugs.launchpad.net/hugin/+bug/2025032/+subscriptions
References

[Bug 2025032] [NEW] Heap-buffer-overflow when adding an image in HuginBase::PanoramaMemento::loadPTScript
From: Heewon Park, 2023-06-26