View Issue Details

ID: 0009504
Project: Kali Linux
Category: Kali Package Bug
View Status: public
Last Update: 2026-01-16 10:36
Reporter: erikdervishi
Assigned To:
Priority: normal
Severity: minor
Reproducibility: have not tried
Status: new
Resolution: open
Summary0009504: [Patch & Vulnerability Report] Steghide 0.5.1 - Fix for DoS via Memory Exhaustion (CWE-770)
Description
1. Executive Summary

A Denial of Service (DoS) vulnerability was identified in steghide v0.5.1. The application fails to validate BMP header dimensions (Width and Height) before memory allocation. This allows an attacker to trigger a massive memory allocation (e.g., >6 GB) using a tiny malformed file (0000016:0000060 bytes), resulting in a SIGABRT crash due to std::bad_alloc. Status: Vulnerability Confirmed & Patched.

  2. Technical Analysis

Component: src/BmpFile.cc, function BmpFile::readdata.

Root Cause: The BitmapData.resize() method is called with a size calculated directly from the file header without upper-bound checks.

Risk:

64-bit: Memory Exhaustion (DoS).

32-bit: Integer Overflow leading to Heap Buffer Overflow (Potential RCE).

3. Proof of Concept (PoC)

The following Python script generates dos.bmp, which claims a resolution of 50,000x50,000 pixels.

import struct

filename = "dos.bmp"
with open(filename, "wb") as f:
    # BMP file header (14 bytes) + DIB header (40 bytes) claiming 50k x 50k pixels, 24 bpp
    header = b'BM' + b'\x00'*8 + struct.pack('<I', 54)
    dib = struct.pack('<IIIHHIIIIII', 40, 50000, 50000, 1, 24, 0, 0, 0, 0, 0, 0)
    f.write(header + dib)

print(f"[+] Created {filename}. Run: steghide info {filename}")

4. The Solution (Patch)

I implemented a sanity check in src/BmpFile.cc that validates the total required memory before allocation. The patch uses unsigned long long to prevent integer overflows during the check itself.

Applied Fix:

// --- SECURITY PATCH ---
// Compute the required size in 64 bits so the check itself cannot overflow.
unsigned long long total_bytes_needed = (unsigned long long)height * (unsigned long long)linelength;
const unsigned long long MAX_ALLOWED_BYTES = 500ULL * 1024ULL * 1024ULL; // 500 MB limit

if (total_bytes_needed > MAX_ALLOWED_BYTES) {
    fprintf(stderr, "[!] SECURITY ERROR: BMP requires %llu bytes. Limit is %llu bytes.\n", total_bytes_needed, MAX_ALLOWED_BYTES);
    exit(1);
}
// --- END PATCH ---

BitmapData.resize (height * linelength) ;
5. Verification

After recompiling steghide with the patch, executing the PoC no longer results in a crash/abort. Instead, the application handles the error gracefully:

[!] SECURITY ERROR: BMP requires 7499900000 bytes. Limit is 524288000 bytes.
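As an added illustration (example code written for this page, not steghide's own code and not part of the patch above), the same header parse and size check as a standalone C++ unit. It goes one step further than the patch: the limit is compared by dividing it by the height, so the check also holds where size_t is 32 bits. Helper names (parse_bmp_header, bmp_alloc_size, make_header, checked_bmp_size) are assumptions, and the sample header is constructed to match what the PoC script writes.

```cpp
#include <cstdint>
#include <vector>

// Same 500 MB ceiling the patch above uses.
constexpr uint64_t MAX_ALLOWED_BYTES = 500ULL * 1024ULL * 1024ULL;

struct BmpDims { uint32_t width; uint32_t height; uint16_t bpp; };

// Little-endian field readers/writers, independent of host byte order.
static uint32_t rd32(const uint8_t* p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint16_t rd16(const uint8_t* p) { return (uint16_t)(p[0] | p[1] << 8); }
static void wr32(uint8_t* p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> 8 * i); }
static void wr16(uint8_t* p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }

// Parse the 14-byte file header + 40-byte BITMAPINFOHEADER; false if truncated or not "BM".
bool parse_bmp_header(const std::vector<uint8_t>& f, BmpDims& d) {
    if (f.size() < 54 || f[0] != 'B' || f[1] != 'M' || rd32(&f[14]) < 40) return false;
    d = BmpDims{rd32(&f[18]), rd32(&f[22]), rd16(&f[28])};  // biWidth, biHeight, biBitCount
    return true;
}

// Bytes the pixel array needs (rows padded to 4 bytes), or 0 when the header is
// degenerate or height * linelength would exceed MAX_ALLOWED_BYTES. Dividing the
// limit by height instead of multiplying avoids the wrap-around that a plain
// height * linelength suffers on a 32-bit size_t (the heap-overflow case above).
uint64_t bmp_alloc_size(const BmpDims& d) {
    if (d.width == 0 || d.height == 0 || d.bpp == 0) return 0;
    uint64_t linelength = ((uint64_t)d.width * d.bpp + 31) / 32 * 4;
    if (linelength > MAX_ALLOWED_BYTES / d.height) return 0;
    return linelength * d.height;
}

// Constructed sample: the 54-byte header the PoC script emits, with the dimensions as parameters.
std::vector<uint8_t> make_header(uint32_t w, uint32_t h, uint16_t bpp) {
    std::vector<uint8_t> f(54, 0);
    f[0] = 'B'; f[1] = 'M';
    wr32(&f[10], 54); wr32(&f[14], 40); wr32(&f[18], w); wr32(&f[22], h);
    wr16(&f[26], 1); wr16(&f[28], bpp);
    return f;
}

// Size a loader may allocate for this file; 0 means refuse to load it.
uint64_t checked_bmp_size(const std::vector<uint8_t>& f) {
    BmpDims d;
    return parse_bmp_header(f, d) ? bmp_alloc_size(d) : 0;
}
```

checked_bmp_size(make_header(50000, 50000, 24)) returns 0 for the PoC file, while a 100x100 24 bpp header yields 30000 bytes and is accepted.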

Activities

kali-bugreport   2026-01-16 06:17   reporter   ~0021255

You know that you should report this to the development team of that software itself?

erikdervishi   2026-01-16 10:24   reporter   ~0021258

I would normally report this upstream, but the original project on SourceForge is abandoned and unmaintained (last update was in 2005). There is no active upstream development team to report to anymore.

Since Kali and Debian continue to ship this package, and this is a reproducible security vulnerability (Stack Buffer Overflow causing Information Disclosure via core dumps), the fix needs to be applied at the distribution packaging level (e.g., via debian/patches).

A fix is already available in the community fork "StegHigh" (PR 0000021), which simply replaces the unsafe sprintf with snprintf.

kali-bugreport   2026-01-16 10:36   reporter   ~0021261

Same as in 0009503

Issue History

Date Modified Username Field Change
2026-01-15 11:13 erikdervishi New Issue
2026-01-16 06:17 kali-bugreport Note Added: 0021255
2026-01-16 10:24 erikdervishi Note Added: 0021258
2026-01-16 10:36 kali-bugreport Note Added: 0021261