Title: GNU Barcode 0.99 Memory Leak
Advisory ID: ZSL-2018-5471
Type: Local
Impact: DoS
Risk: (3/5)
Release Date: 29.05.2018

Summary

GNU Barcode is a tool to convert text strings to printed bars. It supports a variety of standard codes to represent the textual strings and creates postscript output.

Description

GNU Barcode suffers from a memory leak vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused due to an error in the 'cmdline.c', which can be exploited to cause a memory leak via a specially crafted file. The vulnerability is confirmed in version 0.99. Other versions may also be affected.

Vendor

The GNU Project - https://www.gnu.org/software/barcode/
Free Software Foundation, Inc. - https://directory.fsf.org/wiki/Barcode

Affected Version

0.99

Tested On

Ubuntu 16.04.4

Vendor Status

[09.12.2017] Vulnerability discovered.
[14.05.2018] Vendor contacted.
[28.05.2018] No response from the vendor.
[29.05.2018] Public security advisory released.

PoC

gnubarcode_memleak.txt
gnubarcode_crashes.tar

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] https://www.exploit-db.com/exploits/44798/
[2] https://cxsecurity.com/issue/WLB-2018050303
[3] https://packetstormsecurity.com/files/147980
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/144092

Changelog

[29.05.2018] - Initial release
[13.06.2018] - Added reference [2], [3] and [4]

Contact

Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk