Debian Bug report logs -
#421582
[CVE-2007-2459] buffer overflow when reading 8-bit compressed BMP files
Reported by: Tony Cook <tony@develop-help.com>
Date: Mon, 30 Apr 2007 09:27:01 UTC
Severity: grave
Tags: patch, security
Found in version libimager-perl/0.50-1
Fixed in version libimager-perl/0.58-1
Done: Jay Bonci <jaybonci@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Jay Bonci <jaybonci@debian.org>
:
Bug#421582
; Package libimager-perl
.
(full text, mbox, link).
Acknowledgement sent to Tony Cook <tony@develop-help.com>
:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Jay Bonci <jaybonci@debian.org>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Package: libimager-perl
Version: 0.50-1
Severity: grave
Tags: security patch
Justification: user security hole
I'm the upstream maintainer for the Imager perl module.
The BMP reader in Imager 0.56 and earlier can cause a memory overflow
in a malloced() buffer when reading an 8-bit/pixel compressed image
where a literal or RLE run overflows the scan-line boundary.
This typically causes the program to exit with a glibc bug, but it may
also be possible to corrupt the memory arena in such a way as to
execute arbitrary code, though I don't see how. At the very least
this could be a denial of service.
I've attached a patch that should apply to Imager 0.45 through 0.56
(with some fuzz).
I've released Imager 0.57 to CPAN which fixes this issue.
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Versions of packages libimager-perl depends on:
ii libc6 2.3.6.ds1-13 GNU C Library: Shared libraries
ii libfreetype6 2.2.1-5 FreeType 2 font engine, shared lib
ii libjpeg62 6b-13 The Independent JPEG Group's JPEG
ii libpng12-0 1.2.15~beta5-1 PNG library - runtime
ii libt1-5 5.1.0-2 Type 1 font rasterizer library - r
ii libtiff4 3.8.2-7 Tag Image File Format (TIFF) libra
ii libungif4g 4.1.4-4 shared library for GIF images
ii perl 5.8.8-7 Larry Wall's Practical Extraction
ii perl-base [perlapi-5.8.8] 5.8.8-7 The Pathologically Eclectic Rubbis
ii zlib1g 1:1.2.3-13 compression library - runtime
libimager-perl recommends no packages.
-- no debconf information
[bmp-fix.diff (text/x-c, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>
:
Bug#421582
; Package libimager-perl
.
(full text, mbox, link).
Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>
:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>
.
(full text, mbox, link).
Message #10 received at 421582@bugs.debian.org (full text, mbox, reply):
retitle [CVE-2007-2459] buffer overflow when reading 8-bit compressed BMP files
thanks
This has been assigned CVE-2007-2459. Please mention this name in the
changelog when fixing this bug. Thanks.
Changed Bug title to [CVE-2007-2459] buffer overflow when reading 8-bit compressed BMP files from libimager-perl: buffer overflow when reading 8-bit compressed BMP files.
Request was from Florian Weimer <fw@deneb.enyo.de>
to control@bugs.debian.org
.
(Fri, 04 May 2007 16:18:07 GMT) (full text, mbox, link).
Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>
:
Bug#421582
; Package libimager-perl
.
(full text, mbox, link).
Acknowledgement sent to Kjetil Kjernsmo <kjetilk@opera.com>
:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>
.
(full text, mbox, link).
Message #17 received at 421582@bugs.debian.org (full text, mbox, reply):
Hi!
I just made an svn-upgrade of libimager-0.57 to the alioth repository,
which would fix this for sid. Nice if it could be packaged and uploaded
soon.
Cheers,
Kjetil
--
Kjetil Kjernsmo
Information Systems Developer
Opera Software ASA
Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>
:
Bug#421582
; Package libimager-perl
.
(full text, mbox, link).
Acknowledgement sent to Tony Cook <tony@develop-help.com>
:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>
.
(full text, mbox, link).
Message #22 received at 421582@bugs.debian.org (full text, mbox, reply):
It looks like both CVE 2007-2413 and CVE 2007-2459 have been assigned
to this.
The description in 2459 is inaccurate - there was certainly a bug in
read_4bit_bmp(), but it could not be used to cause a buffer overflow -
or none that I could see.
--
Tony
Imager maintainer
Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>
:
Bug#421582
; Package libimager-perl
.
(full text, mbox, link).
Acknowledgement sent to Esteban Manchado Vel�zquez <zoso@debian.org>
:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>
.
(full text, mbox, link).
Message #27 received at 421582@bugs.debian.org (full text, mbox, reply):
Hi,
It has been near a month now, and this package hasn't been uploaded.
There was even the upstream patch in the initial report.
Please, Jay, upload it or I will NMU the package :-) Actually,
shouldn't you have a co-maintainer? I can co-maintain the package if you
want to. Or even take it over if needed...
Regards,
--
Esteban Manchado Velázquez <zoso@debian.org>
EuropeSwPatentFree - http://EuropeSwPatentFree.hispalinux.es
Help spread it through the Net in signatures, webpages, whatever!
Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>
:
Bug#421582
; Package libimager-perl
.
(full text, mbox, link).
Acknowledgement sent to Damyan Ivanov <dam@modsoftsys.com>
:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>
.
(full text, mbox, link).
Message #32 received at 421582@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
[Now to the correct BTS address]
-=| Esteban Manchado Vel_zquez, Tue, 22 May 2007 14:54:28 +0200 |=-
> Hi,
>
> It has been near a month now, and this package hasn't been
> uploaded. There was even the upstream patch in the initial report.
>
> Please, Jay, upload it or I will NMU the package :-) Actually,
> shouldn't you have a co-maintainer? I can co-maintain the package if
> you want to. Or even take it over if needed...
Debian Perl Group[1] is also willing to NMU/adopt the package if
necessary.
Kjetil Kjernsmo and Gregor Herrmann even prepared[1] a new upstream
version.
[1]
http://svn.debian.org/wsvn/pkg-perl/packages/libimager-perl/trunk/
--
dam JabberID: dam@jabber.minus273.org
--
dam JabberID: dam@jabber.minus273.org
[signature.asc (application/pgp-signature, attachment)]
Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>
:
Bug#421582
; Package libimager-perl
.
(full text, mbox, link).
Acknowledgement sent to Jay Bonci <jay@bonci.com>
:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>
.
(full text, mbox, link).
Message #37 received at 421582@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Greetings,
I'm definitely willing to give this package up or co-maint it if
necessary. I'll be doing the upload this evening.
-Jay
On Tue, 2007-05-22 at 22:44 +0300, Damyan Ivanov wrote:
> [Now to the correct BTS address]
>
> -=| Esteban Manchado Vel_zquez, Tue, 22 May 2007 14:54:28 +0200 |=-
> > Hi,
> >
> > It has been near a month now, and this package hasn't been
> > uploaded. There was even the upstream patch in the initial report.
> >
> > Please, Jay, upload it or I will NMU the package :-) Actually,
> > shouldn't you have a co-maintainer? I can co-maintain the package if
> > you want to. Or even take it over if needed...
>
> Debian Perl Group[1] is also willing to NMU/adopt the package if
> necessary.
>
> Kjetil Kjernsmo and Gregor Herrmann even prepared[1] a new upstream
> version.
>
> [1]
> http://svn.debian.org/wsvn/pkg-perl/packages/libimager-perl/trunk/
> --
> dam JabberID: dam@jabber.minus273.org
>
>
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>
:
Bug#421582
; Package libimager-perl
.
(full text, mbox, link).
Acknowledgement sent to Jay Bonci <jay@bonci.com>
:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>
.
(full text, mbox, link).
Message #42 received at 421582@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hey Tony,
Two things, I noticed the other day that you picked up a Sourceforge
project for libimager-perl (sf.net/projects/imager-perl). I know these
things because I approved the request :) Are you going to be moving
development there, or just using that as a backup?
Secondly, does the update need to be applied to the stable release? If
so, I can begin that process. Please let me know.
-Jay Bonci
jaybonci@debian.org
[signature.asc (application/pgp-signature, inline)]
Reply sent to Jay Bonci <jaybonci@debian.org>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Tony Cook <tony@develop-help.com>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #47 received at 421582-close@bugs.debian.org (full text, mbox, reply):
Source: libimager-perl
Source-Version: 0.58-1
We believe that the bug you reported is fixed in the latest version of
libimager-perl, which is due to be installed in the Debian FTP archive:
libimager-perl_0.58-1.diff.gz
to pool/main/libi/libimager-perl/libimager-perl_0.58-1.diff.gz
libimager-perl_0.58-1.dsc
to pool/main/libi/libimager-perl/libimager-perl_0.58-1.dsc
libimager-perl_0.58-1_i386.deb
to pool/main/libi/libimager-perl/libimager-perl_0.58-1_i386.deb
libimager-perl_0.58.orig.tar.gz
to pool/main/libi/libimager-perl/libimager-perl_0.58.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 421582@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jay Bonci <jaybonci@debian.org> (supplier of updated libimager-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 24 May 2007 01:57:26 -0400
Source: libimager-perl
Binary: libimager-perl
Architecture: source i386
Version: 0.58-1
Distribution: unstable
Urgency: low
Maintainer: Jay Bonci <jaybonci@debian.org>
Changed-By: Jay Bonci <jaybonci@debian.org>
Description:
libimager-perl - Perl extension for Generating 24 bit Images
Closes: 421582
Changes:
libimager-perl (0.58-1) unstable; urgency=low
.
* New upstream release
* Fixes CVE 2007-2413 and CVE 2007-2459 (Closes: #421582)
* Adds zoso as co-maint
Files:
91fff6d741774ab24ef42918e146bb30 787 perl optional libimager-perl_0.58-1.dsc
c953f53b2680a67dfbef743e77a230b0 849124 perl optional libimager-perl_0.58.orig.tar.gz
24c17e901ce806c4159a0ba74450b260 5060 perl optional libimager-perl_0.58-1.diff.gz
6a5af1e68da2eb69e44c70278281ae10 659524 perl optional libimager-perl_0.58-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFGVTW7ZNh5D+C4st4RAmCqAJ9tR76LV6TVhsjZVB59uVU6SLwD1gCeL4rk
pCEK6ezNcnIJFUoikYDXf0U=
=Xm/N
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>
:
Bug#421582
; Package libimager-perl
.
(full text, mbox, link).
Acknowledgement sent to Tony Cook <tony@develop-help.com>
:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>
.
(full text, mbox, link).
Message #52 received at 421582@bugs.debian.org (full text, mbox, reply):
Hi Jay,
On Thu, May 24, 2007 at 02:27:35AM -0400, Jay Bonci wrote:
> Hey Tony,
> Two things, I noticed the other day that you picked up a Sourceforge
> project for libimager-perl (sf.net/projects/imager-perl). I know these
> things because I approved the request :) Are you going to be moving
> development there, or just using that as a backup?
For now it's just a backup.
> Secondly, does the update need to be applied to the stable release? If
> so, I can begin that process. Please let me know.
It needs to applied to stable and oldstable too.
Tony
Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>
:
Bug#421582
; Package libimager-perl
.
(full text, mbox, link).
Acknowledgement sent to Jay Bonci <jay@bonci.com>
:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>
.
(full text, mbox, link).
Message #57 received at 421582@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Greetings Security Team,
Please have a look at #421582. This bug effects both stable and
oldstable. The patch applies cleanly, and I can build a stable/oldstable
package if need be.
I'm a bit shaky on the proper security handling here, so please advise
as to the right course of action. I can provide source/diffs if that
works best.
The package in Testing / Unstable is currently good.
Please advise,
-Jay Bonci
On Thu, 2007-05-24 at 17:05 +1000, Tony Cook wrote:
> Hi Jay,
>
> On Thu, May 24, 2007 at 02:27:35AM -0400, Jay Bonci wrote:
> > Hey Tony,
> > Two things, I noticed the other day that you picked up a Sourceforge
> > project for libimager-perl (sf.net/projects/imager-perl). I know these
> > things because I approved the request :) Are you going to be moving
> > development there, or just using that as a backup?
>
> For now it's just a backup.
>
> > Secondly, does the update need to be applied to the stable release? If
> > so, I can begin that process. Please let me know.
>
> It needs to applied to stable and oldstable too.
>
> Tony
>
[signature.asc (application/pgp-signature, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Mon, 02 Jul 2007 07:38:34 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:11:56 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.