
GNU Barcode 0.99 Buffer Overflow

Severity
High
Advisory ID
ZSL-2018-5470
Release Date
29 May 2018
Vendor
The GNU Project - https://www.gnu.org/software/barcode/, Free Software Foundation, Inc. - https://directory.fsf.org/wiki/Barcode
Affected Version
0.99
Tested On
Ubuntu 16.04.4
Summary

GNU Barcode is a tool that converts text strings into printed bars. It supports a variety of standard barcode symbologies for representing the text and produces PostScript output.

Description

The vulnerability is caused by a boundary error in the processing of an input file: when a user processes a specially crafted file, data from that file overruns a buffer. Successful exploitation could allow execution of arbitrary code on the affected machine, with the privileges of the user running barcode. The advisory does not identify the affected function.
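The advisory does not say which routine is affected, so the following is an added illustration of the vulnerability class it describes (an input-file line copied into a fixed-size buffer without a length check), placed beside the hardened form a practitioner would want. It is not GNU Barcode's code; the structure name, the field size and the input data are assumptions constructed for the example.

```c
/* Added illustration of a boundary error while loading input-file data
 * into a fixed-size buffer. NOT GNU Barcode's code: the advisory does not
 * disclose the affected function; FIELD_SIZE and struct label are assumed. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define FIELD_SIZE 32   /* assumed size of the fixed destination buffer */

struct label {
    char text[FIELD_SIZE];   /* string to be encoded as bars */
};

/* Vulnerable pattern: nothing checks that 'line' fits in lbl->text.
 * A line of FIELD_SIZE or more bytes writes past the end of the struct. */
void set_text_unchecked(struct label *lbl, const char *line)
{
    strcpy(lbl->text, line);
}

/* Hardened pattern: fail closed when the line plus its NUL does not fit.
 * Returns 0 on success, -1 if the line is too long. */
int set_text_checked(struct label *lbl, const char *line)
{
    size_t n = strlen(line);
    if (n >= sizeof lbl->text)
        return -1;
    memcpy(lbl->text, line, n + 1);
    return 0;
}

/* Reads one input-file line per label, stripping the trailing newline.
 * Returns the number of labels accepted; stops at the first over-long
 * line and reports its 1-based number via *bad_line, so the caller can
 * refuse the file instead of truncating silently or overflowing.
 * (fgets splits lines longer than 4095 bytes; each piece is checked.) */
int load_labels(FILE *fp, struct label *out, int max, int *bad_line)
{
    char line[4096];
    int count = 0, lineno = 0;
    *bad_line = 0;
    while (count < max && fgets(line, sizeof line, fp)) {
        size_t n = strlen(line);
        lineno++;
        if (n > 0 && line[n - 1] == '\n')
            line[n - 1] = '\0';
        if (set_text_checked(&out[count], line) != 0) {
            *bad_line = lineno;
            break;
        }
        count++;
    }
    return count;
}

/* Runs the loader over a constructed in-memory "file": two ordinary
 * lines followed by one 80-byte line that must be rejected. */
int run_demo(int *bad_line)
{
    const char *data = "0123456789\nHELLO-42\n"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";
    struct label labels[8];
    FILE *fp = fmemopen((void *)data, strlen(data), "r");
    int n;
    if (!fp)
        return -1;
    n = load_labels(fp, labels, 8, bad_line);
    fclose(fp);
    return n;
}

int main(void)
{
    int bad = 0;
    int n = run_demo(&bad);
    printf("accepted %d label(s); first rejected line: %d\n", n, bad);
    return 0;
}
```

The checked variant treats the NUL terminator as part of the required space (`n >= sizeof lbl->text`), which is the off-by-one most often missed when a check is bolted on later; the loader also refuses the whole file rather than clipping the oversized line, so a crafted file cannot smuggle a truncated value through.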

Proof of Concept
Disclosure Timeline
09.12.2017 Vulnerability discovered.
14.05.2018 Vendor contacted.
28.05.2018 No response from the vendor.
29.05.2018 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
29.05.2018 Initial release
13.06.2018 Added references [2], [3] and [4]
23.03.2026 Added reference [5]