
GNU Barcode 0.99 Memory Leak

Medium
Advisory ID: ZSL-2018-5471
Release Date: 29 May 2018
Vendor: The GNU Project - https://www.gnu.org/software/barcode/, Free Software Foundation, Inc. - https://directory.fsf.org/wiki/Barcode
Affected Version: 0.99
CVE: N/A
Tested On: Ubuntu 16.04.4
Summary

GNU Barcode is a tool to convert text strings to printed bars. It supports a variety of standard codes to represent the textual strings and creates postscript output.

Description

GNU Barcode suffers from a memory leak vulnerability, which can be exploited by malicious people to cause a DoS (Denial of Service). The vulnerability is caused by an error in 'cmdline.c', which can be exploited to trigger a memory leak via a specially crafted file. The vulnerability is confirmed in version 0.99. Other versions may also be affected.

Proof of Concept
Disclosure Timeline
09.12.2017 Vulnerability discovered.
14.05.2018 Vendor contacted.
28.05.2018 No response from the vendor.
29.05.2018 Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
29.05.2018 Initial release
13.06.2018 Added references [2], [3] and [4]