[CVE-2007-2459] buffer overflow when reading 8-bit compressed BMP files

Debian Bug report logs - #421582
[CVE-2007-2459] buffer overflow when reading 8-bit compressed BMP files

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Tony Cook <tony@develop-help.com>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: libimager-perl: buffer overflow when reading 8-bit compressed BMP files

Date: Mon, 30 Apr 2007 19:25:08 +1000

[Message part 1 (text/plain, inline)]

Package: libimager-perl
Version: 0.50-1
Severity: grave
Tags: security patch
Justification: user security hole

I'm the upstream maintainer for the Imager perl module.

The BMP reader in Imager 0.56 and earlier can cause a memory overflow
in a malloced() buffer when reading an 8-bit/pixel compressed image
where a literal or RLE run overflows the scan-line boundary.

This typically causes the program to exit with a glibc bug, but it may
also be possible to corrupt the memory arena in such a way as to
execute arbitrary code, though I don't see how.  At the very least
this could be a denial of service.

I've attached a patch that should apply to Imager 0.45 through 0.56
(with some fuzz).

I've released Imager 0.57 to CPAN which fixes this issue.

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libimager-perl depends on:
ii  libc6                     2.3.6.ds1-13   GNU C Library: Shared libraries
ii  libfreetype6              2.2.1-5        FreeType 2 font engine, shared lib
ii  libjpeg62                 6b-13          The Independent JPEG Group's JPEG 
ii  libpng12-0                1.2.15~beta5-1 PNG library - runtime
ii  libt1-5                   5.1.0-2        Type 1 font rasterizer library - r
ii  libtiff4                  3.8.2-7        Tag Image File Format (TIFF) libra
ii  libungif4g                4.1.4-4        shared library for GIF images
ii  perl                      5.8.8-7        Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.8.8] 5.8.8-7        The Pathologically Eclectic Rubbis
ii  zlib1g                    1:1.2.3-13     compression library - runtime

libimager-perl recommends no packages.

-- no debconf information

[bmp-fix.diff (text/x-c, attachment)]

Message #10 received at 421582@bugs.debian.org (full text, mbox, reply):

From: Florian Weimer <fw@deneb.enyo.de>

To: 421582@bugs.debian.org, control@bugs.debian.org

Subject: This is CVE-2007-2459

Date: Fri, 04 May 2007 18:06:43 +0200

retitle [CVE-2007-2459] buffer overflow when reading 8-bit compressed BMP files
thanks

This has been assigned CVE-2007-2459.  Please mention this name in the
changelog when fixing this bug.  Thanks.

Message #17 received at 421582@bugs.debian.org (full text, mbox, reply):

From: Kjetil Kjernsmo <kjetilk@opera.com>

To: 421582@bugs.debian.org

Subject: libimager-perl 0.57 in SVN

Date: Fri, 11 May 2007 14:01:14 +0200

Hi!

I just made an svn-upgrade of libimager-0.57 to the alioth repository, 
which would fix this for sid. Nice if it could be packaged and uploaded 
soon.

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Information Systems Developer
Opera Software ASA

Message #22 received at 421582@bugs.debian.org (full text, mbox, reply):

From: Tony Cook <tony@develop-help.com>

To: 421582@bugs.debian.org

Subject: CVE 2007-2413 or CVE 2007-2459

Date: Wed, 16 May 2007 08:21:22 +1000

It looks like both CVE 2007-2413 and CVE 2007-2459 have been assigned
to this.

The description in 2459 is inaccurate - there was certainly a bug in
read_4bit_bmp(), but it could not be used to cause a buffer overflow -
or none that I could see.

-- 
Tony
Imager maintainer

Message #27 received at 421582@bugs.debian.org (full text, mbox, reply):

From: Esteban Manchado Vel�zquez <zoso@debian.org>

To: 421582@bugs.debian.org

Subject: Upload anyone?

Date: Tue, 22 May 2007 14:55:54 +0200

Hi,

    It has been near a month now, and this package hasn't been uploaded.
There was even the upstream patch in the initial report.

    Please, Jay, upload it or I will NMU the package :-) Actually,
shouldn't you have a co-maintainer? I can co-maintain the package if you
want to. Or even take it over if needed...

    Regards,

-- 
Esteban Manchado Velázquez <zoso@debian.org>
EuropeSwPatentFree - http://EuropeSwPatentFree.hispalinux.es
Help spread it through the Net in signatures, webpages, whatever!

Message #32 received at 421582@bugs.debian.org (full text, mbox, reply):

From: Damyan Ivanov <dam@modsoftsys.com>

To: 421582@bugs.debian.org

Subject: Fw: Upload anyone?

Date: Tue, 22 May 2007 22:44:11 +0300

[Message part 1 (text/plain, inline)]

[Now to the correct BTS address]

-=| Esteban Manchado Vel_zquez, Tue, 22 May 2007 14:54:28 +0200 |=-
> Hi,
> 
>     It has been near a month now, and this package hasn't been
> uploaded. There was even the upstream patch in the initial report.
> 
>     Please, Jay, upload it or I will NMU the package :-) Actually,
> shouldn't you have a co-maintainer? I can co-maintain the package if
> you want to. Or even take it over if needed...

Debian Perl Group[1] is also willing to NMU/adopt the package if
necessary.

Kjetil Kjernsmo and Gregor Herrmann even prepared[1] a new upstream
version.

[1]
http://svn.debian.org/wsvn/pkg-perl/packages/libimager-perl/trunk/
-- 
dam            JabberID: dam@jabber.minus273.org


-- 
dam            JabberID: dam@jabber.minus273.org

[signature.asc (application/pgp-signature, attachment)]

Message #37 received at 421582@bugs.debian.org (full text, mbox, reply):

From: Jay Bonci <jay@bonci.com>

To: Damyan Ivanov <dam@modsoftsys.com>, 421582@bugs.debian.org

Subject: Re: Bug#421582: Fw: Upload anyone?

Date: Tue, 22 May 2007 16:00:15 -0400

[Message part 1 (text/plain, inline)]

Greetings,
	I'm definitely willing to give this package up or co-maint it if
necessary.  I'll be doing the upload this evening.

-Jay

On Tue, 2007-05-22 at 22:44 +0300, Damyan Ivanov wrote:
> [Now to the correct BTS address]
> 
> -=| Esteban Manchado Vel_zquez, Tue, 22 May 2007 14:54:28 +0200 |=-
> > Hi,
> > 
> >     It has been near a month now, and this package hasn't been
> > uploaded. There was even the upstream patch in the initial report.
> > 
> >     Please, Jay, upload it or I will NMU the package :-) Actually,
> > shouldn't you have a co-maintainer? I can co-maintain the package if
> > you want to. Or even take it over if needed...
> 
> Debian Perl Group[1] is also willing to NMU/adopt the package if
> necessary.
> 
> Kjetil Kjernsmo and Gregor Herrmann even prepared[1] a new upstream
> version.
> 
> [1]
> http://svn.debian.org/wsvn/pkg-perl/packages/libimager-perl/trunk/
> -- 
> dam            JabberID: dam@jabber.minus273.org
> 
> 

[signature.asc (application/pgp-signature, inline)]

Message #42 received at 421582@bugs.debian.org (full text, mbox, reply):

From: Jay Bonci <jay@bonci.com>

To: Tony Cook <tony@develop-help.com>

Cc: zoso@debian.org, 421582@bugs.debian.org

Subject: libimager-perl 0.58 is now in incoming

Date: Thu, 24 May 2007 02:27:35 -0400

[Message part 1 (text/plain, inline)]

Hey Tony,
	Two things, I noticed the other day that you picked up a Sourceforge
project for libimager-perl (sf.net/projects/imager-perl). I know these
things because I approved the request :)  Are you going to be moving
development there, or just using that as a backup?

	Secondly, does the update need to be applied to the stable release? If
so, I can begin that process. Please let me know. 

-Jay Bonci
jaybonci@debian.org

[signature.asc (application/pgp-signature, inline)]

Message #47 received at 421582-close@bugs.debian.org (full text, mbox, reply):

From: Jay Bonci <jaybonci@debian.org>

To: 421582-close@bugs.debian.org

Subject: Bug#421582: fixed in libimager-perl 0.58-1

Date: Thu, 24 May 2007 06:32:02 +0000

Source: libimager-perl
Source-Version: 0.58-1

We believe that the bug you reported is fixed in the latest version of
libimager-perl, which is due to be installed in the Debian FTP archive:

libimager-perl_0.58-1.diff.gz
  to pool/main/libi/libimager-perl/libimager-perl_0.58-1.diff.gz
libimager-perl_0.58-1.dsc
  to pool/main/libi/libimager-perl/libimager-perl_0.58-1.dsc
libimager-perl_0.58-1_i386.deb
  to pool/main/libi/libimager-perl/libimager-perl_0.58-1_i386.deb
libimager-perl_0.58.orig.tar.gz
  to pool/main/libi/libimager-perl/libimager-perl_0.58.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 421582@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Bonci <jaybonci@debian.org> (supplier of updated libimager-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 24 May 2007 01:57:26 -0400
Source: libimager-perl
Binary: libimager-perl
Architecture: source i386
Version: 0.58-1
Distribution: unstable
Urgency: low
Maintainer: Jay Bonci <jaybonci@debian.org>
Changed-By: Jay Bonci <jaybonci@debian.org>
Description: 
 libimager-perl - Perl extension for Generating 24 bit Images
Closes: 421582
Changes: 
 libimager-perl (0.58-1) unstable; urgency=low
 .
   * New upstream release
   * Fixes CVE 2007-2413 and CVE 2007-2459 (Closes: #421582)
   * Adds zoso as co-maint
Files: 
 91fff6d741774ab24ef42918e146bb30 787 perl optional libimager-perl_0.58-1.dsc
 c953f53b2680a67dfbef743e77a230b0 849124 perl optional libimager-perl_0.58.orig.tar.gz
 24c17e901ce806c4159a0ba74450b260 5060 perl optional libimager-perl_0.58-1.diff.gz
 6a5af1e68da2eb69e44c70278281ae10 659524 perl optional libimager-perl_0.58-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGVTW7ZNh5D+C4st4RAmCqAJ9tR76LV6TVhsjZVB59uVU6SLwD1gCeL4rk
pCEK6ezNcnIJFUoikYDXf0U=
=Xm/N
-----END PGP SIGNATURE-----

Message #52 received at 421582@bugs.debian.org (full text, mbox, reply):

From: Tony Cook <tony@develop-help.com>

To: Jay Bonci <jay@bonci.com>, 421582@bugs.debian.org

Cc: zoso@debian.org

Subject: Re: Bug#421582: libimager-perl 0.58 is now in incoming

Date: Thu, 24 May 2007 17:05:45 +1000

Hi Jay,

On Thu, May 24, 2007 at 02:27:35AM -0400, Jay Bonci wrote:
> Hey Tony,
> 	Two things, I noticed the other day that you picked up a Sourceforge
> project for libimager-perl (sf.net/projects/imager-perl). I know these
> things because I approved the request :)  Are you going to be moving
> development there, or just using that as a backup?

For now it's just a backup.

> 	Secondly, does the update need to be applied to the stable release? If
> so, I can begin that process. Please let me know. 

It needs to applied to stable and oldstable too.

Tony

Message #57 received at 421582@bugs.debian.org (full text, mbox, reply):

From: Jay Bonci <jay@bonci.com>

To: team@security.debian.org, 421582@bugs.debian.org

Subject: Re: Bug#421582: libimager-perl 0.58 is now in incoming

Date: Thu, 24 May 2007 09:24:28 -0400

[Message part 1 (text/plain, inline)]

Greetings Security Team,
	Please have a look at #421582. This bug effects both stable and
oldstable. The patch applies cleanly, and I can build a stable/oldstable
package if need be. 

	I'm a bit shaky on the proper security handling here, so please advise
as to the right course of action.  I can provide source/diffs if that
works best.

	The package in Testing / Unstable is currently good.

	Please advise,

-Jay Bonci


On Thu, 2007-05-24 at 17:05 +1000, Tony Cook wrote:
> Hi Jay,
> 
> On Thu, May 24, 2007 at 02:27:35AM -0400, Jay Bonci wrote:
> > Hey Tony,
> > 	Two things, I noticed the other day that you picked up a Sourceforge
> > project for libimager-perl (sf.net/projects/imager-perl). I know these
> > things because I approved the request :)  Are you going to be moving
> > development there, or just using that as a backup?
> 
> For now it's just a backup.
> 
> > 	Secondly, does the update need to be applied to the stable release? If
> > so, I can begin that process. Please let me know. 
> 
> It needs to applied to stable and oldstable too.
> 
> Tony
> 

[signature.asc (application/pgp-signature, inline)]

Send a report that this bug log contains spam.