Message-ID: <CAFmK-GzC=OkfHR7=Vt0-VeGjtGBKy2ykxD5jOY-y9dCLCKQymQ@mail.gmail.com>
Date: Thu, 11 Sep 2025 03:02:56 -0400
From: Ron E <ronaldjedgerson@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] libicns v0.8.1 Heap Buffer Overflow in libicns ICNS Parsing (icns2png)

libicns, a library used for parsing Apple ICNS image files, contains a
heap-based buffer overflow in the icns2png utility and associated library
components (icns_image.c). The vulnerability occurs when parsing malformed
ICNS files where element sizes are crafted to exceed the allocated heap
buffer. Specifically, the function icns_get_image_from_element() performs a
memcpy() using a length field read from the ICNS element without proper
bounds checking against the allocated buffer. When triggered with a
specially crafted ICNS file (e.g., uaf1.icns), the parser performs an
out-of-bounds read on the heap, resulting in a crash. The issue can be
triggered by any local user or by supplying a malicious ICNS file to an
application that uses libicns for image extraction or processing.

*Impact:*

   - The process parsing the ICNS file crashes, preventing further
   execution.
   - Heap corruption occurs during the overflow; applications embedding
   libicns may be exposed to undefined behavior.
   - Low likelihood in standard CLI usage, but embedding libicns in a
   network-facing service may increase the risk of RCE.


*Proof of Concept:*

icns_get_image_from_element() reads a length from the ICNS file and copies
it into a statically or heap-allocated buffer without validating that the
read length does not exceed the allocated size. This allows out-of-bounds
heap access.
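As an added illustration (not libicns code and not a patch for this bug), the validation the advisory describes as missing: before memcpy(), the element's declared length must be checked against both the bytes actually present in the input and the size of the destination buffer. The element layout used here (4-byte type, 4-byte big-endian length that includes the 8-byte header) is the standard ICNS one; the function and sample names are hypothetical, and the samples are constructed rather than taken from uaf1.icns.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ICNS element: 4-byte OSType, then a 4-byte big-endian length that
 * counts the 8-byte header itself, then the payload. */
#define ICNS_HDR 8
static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Hypothetical bounds-checked payload copy. elem_avail is how many bytes
 * of input really exist from elem onward; dst_size is the destination
 * buffer's allocation. Returns bytes copied, or -1 when the declared
 * length cannot be honoured (the check the advisory reports as missing). */
int icns_copy_element_checked(const uint8_t *elem, size_t elem_avail,
                              uint8_t *dst, size_t dst_size)
{
    if (elem == NULL || dst == NULL || elem_avail < ICNS_HDR)
        return -1;                      /* not even a full header present */
    uint32_t declared = be32(elem + 4);
    if (declared < ICNS_HDR)
        return -1;                      /* length smaller than its own header */
    size_t payload = declared - ICNS_HDR;
    if (payload > elem_avail - ICNS_HDR)
        return -1;                      /* claims bytes the input lacks: OOB read */
    if (payload > dst_size || payload > INT_MAX)
        return -1;                      /* would overrun destination: OOB write */
    memcpy(dst, elem + ICNS_HDR, payload);
    return (int)payload;
}

/* Constructed samples (not the advisory's uaf1.icns): one consistent
 * 'is32' element, one declaring 64 bytes when only 16 are present. */
static const uint8_t SAMPLE_OK[16]  = {'i','s','3','2', 0,0,0,16, 1,2,3,4,5,6,7,8};
static const uint8_t SAMPLE_BAD[16] = {'i','s','3','2', 0,0,0,64, 1,2,3,4,5,6,7,8};
int demo_valid(void)     { uint8_t out[32]; return icns_copy_element_checked(SAMPLE_OK,  sizeof SAMPLE_OK,  out, sizeof out); }
int demo_malformed(void) { uint8_t out[32]; return icns_copy_element_checked(SAMPLE_BAD, sizeof SAMPLE_BAD, out, sizeof out); }
int demo_small_dst(void) { uint8_t out[4];  return icns_copy_element_checked(SAMPLE_OK,  sizeof SAMPLE_OK,  out, sizeof out); }

int main(void)
{
    printf("valid: %d  malformed: %d  small dst: %d\n",
           demo_valid(), demo_malformed(), demo_small_dst()); /* 8 -1 -1 */
    return 0;
}
```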


ASAN_OPTIONS=abort_on_error=1:detect_leaks=0:halt_on_error=1 ./icns2png -x uaf1.icns

Reading icns family from uaf1.icns...
Extracting icons from uaf1.icns...
=================================================================
==932188==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x507000000068
READ of size 8 at 0x507000000068 thread T0
    #0 0xaaaab11f5138 in __asan_memcpy (/root/libicns/icnsutils/icns2png+0xe5138)
    #1 0xaaaab1240ac4 in icns_get_image_from_element /root/libicns/src/icns_image.c:533:5
    #2 0xaaaab123cdfc in icns_get_image32_with_mask_from_family /root/libicns/src/icns_image.c:94:10
    #3 0xaaaab12393dc in ExtractAndDescribeIconFamily /root/libicns/icnsutils/icns2png.c:666:14
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/