Debian Bug report logs -
#505714
Crash on loading XPM file
Reported by: Julien Danjou <acid@debian.org>
Date: Fri, 14 Nov 2008 15:09:02 UTC
Severity: grave
Tags: patch, security
Found in versions imlib2/1.4.0-1.1, imlib2/1.4.0-1, imlib2/1.4.2-1
Fixed in versions 1.4.0-1.2, imlib2/1.4.2-2
Done: Jakub Wilk <jwilk@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2. (Fri, 14 Nov 2008 15:09:04 GMT)
Acknowledgement sent to Julien Danjou <acid@debian.org>: New Bug report received and forwarded. Copy sent to ljlane@debian.org (Laurence J. Lane). (Fri, 14 Nov 2008 15:09:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libimlib2
Version: 1.4.0-1.1
Severity: grave
Hi,
imlib2 crashes with the following backtrace when loading the attached
XPM file.
#0 0x00007fdcf6288166 in load (im=0x7fdcf19d3f90, progress=0, progress_granularity=0 '\0', immediate_load=1 '\001') at loader_xpm.c:475
ptr = (unsigned int *) 0x7fdcf280200c
end = (unsigned int *) 0x7fdcf2805000
f = (FILE *) 0x7fdcf1e89dc8
c = 34
i = 2
j = 146
k = <value optimized out>
w = 32
h = 32
ncolors = 146
cpp = 2
comment = 0
transp = 1
quote = <value optimized out>
context = 2
len = 12
done = 0
r = 255
g = 0
b = 0
backslash = 0
line = 0x7fdcf3acaf00 ' ' <repeats 66 times>
s = "#FFFFFF\000/", '\0' <repeats 136 times>, "\001", '\0' <repeats 38 times>, "GG�002�177\000\000\000�000\000\000\000\000\000`\000\004\000\000\000\000\000\002\000\000\000\000\000\000\000�", '\0' <repeats 14 times>, "[\177�005�177\000\000\000\020\000\000\000\000\000\000��005�177\000"
tok = "#FFFFFF\000�237��177\000\000�237��177\000\000\234�\r�\177\000\000\001\000\000\000\000\000\000\000[\177�005�177\000\000�226��177\000\000��005�177\000\000�\016�002�177\000\000\004\000\000\000\000\000\000\000�237��177\000\000���\177\000\000د��\177\000\000\234�\r�\177\000\000\001", '\0' <repeats 14 times>
col = "FFFFF\000[\177�005�177\000\000�P��177\000\000��005�177\000\000`�\r�\177\000\000[\177�005�177\000\000���177\000\000��005�177\000\000\000\000\000\000\000\000\000\000\020\000\000\000\000\000\000\000\000\000\000\000\000\000\000�\031�\177", '\0' <repeats 18 times>, "`\000\000\000\000\000\000\000�|�005�177\000\000�P��177\000\000�\236\005�177\000\000��r�\177\000\000xnP��177\000\000\000oP��177\000\000�P��177\000\000\001\000\t\034", '\0' <repeats 12 times>, "��\r�\177\000\000\001\000\000\000\000\000\000\000�"...
lsz = 256
cmap = (struct _cmap *) 0x7fdcf27ff804
lookup = {
{0 <repeats 14 times>, 92, 0 <repeats 81 times>}, {16, 0 <repeats 13 times>, 108, 0 <repeats 81 times>}, {0 <repeats 96 times>}, {4, 0 <repeats 13 times>, 96, 0 <repeats 81 times>},
{5, 0 <repeats 13 times>, 97, 0 <repeats 81 times>}, {6, 0 <repeats 13 times>, 98, 0 <repeats 81 times>}, {7, 0 <repeats 13 times>, 99, 0 <repeats 81 times>}, {14, 0 <repeats 13 times>, 106, 0 <repeats 81 times>},
{22, 0 <repeats 13 times>, 114, 0 <repeats 81 times>}, {15, 0 <repeats 13 times>, 107, 0 <repeats 81 times>}, {8, 0 <repeats 13 times>, 100, 0 <repeats 81 times>}, {2, 0 <repeats 13 times>, 94, 0 <repeats 81 times>},
{13, 0 <repeats 13 times>, 105, 0 <repeats 81 times>}, {10, 0 <repeats 13 times>, 102, 0 <repeats 81 times>}, {1, 0 <repeats 13 times>, 93, 0 <repeats 81 times>}, {21, 0 <repeats 13 times>, 113, 0 <repeats 81 times>},
{38, 0 <repeats 13 times>, 130, 0 <repeats 81 times>}, {29, 0 <repeats 13 times>, 121, 0 <repeats 81 times>}, {30, 0 <repeats 13 times>, 122, 0 <repeats 81 times>}, {31, 0 <repeats 13 times>, 123, 0 <repeats 81 times>},
{32, 0 <repeats 13 times>, 124, 0 <repeats 81 times>}, {33, 0 <repeats 13 times>, 125, 0 <repeats 81 times>}, {34, 0 <repeats 13 times>, 126, 0 <repeats 81 times>}, {35, 0 <repeats 13 times>, 127, 0 <repeats 81 times>},
{36, 0 <repeats 13 times>, 128, 0 <repeats 81 times>}, {37, 0 <repeats 13 times>, 129, 0 <repeats 81 times>}, {24, 0 <repeats 13 times>, 116, 0 <repeats 81 times>}, {11, 0 <repeats 13 times>, 103, 0 <repeats 81 times>},
{25, 0 <repeats 13 times>, 117, 0 <repeats 81 times>}, {9, 0 <repeats 13 times>, 101, 0 <repeats 81 times>}, {12, 0 <repeats 13 times>, 104, 0 <repeats 81 times>}, {0 <repeats 96 times>},
{3, 0 <repeats 13 times>, 95, 0 <repeats 81 times>}, {65, 0 <repeats 95 times>}, {66, 0 <repeats 95 times>}, {67, 0 <repeats 95 times>},
{68, 0 <repeats 95 times>}, {69, 0 <repeats 95 times>}, {70, 0 <repeats 95 times>}, {71, 0 <repeats 95 times>},
{72, 0 <repeats 95 times>}, {73, 0 <repeats 95 times>}, {74, 0 <repeats 95 times>}, {75, 0 <repeats 95 times>},
{76, 0 <repeats 95 times>}, {77, 0 <repeats 95 times>}, {78, 0 <repeats 95 times>}, {79, 0 <repeats 95 times>},
{80, 0 <repeats 95 times>}, {81, 0 <repeats 95 times>}, {82, 0 <repeats 95 times>}, {83, 0 <repeats 95 times>},
{84, 0 <repeats 95 times>}, {85, 0 <repeats 95 times>}, {86, 0 <repeats 95 times>}, {87, 0 <repeats 95 times>},
{88, 0 <repeats 95 times>}, {89, 0 <repeats 95 times>}, {90, 0 <repeats 95 times>}, {26, 0 <repeats 13 times>, 118, 0 <repeats 81 times>},
{0 <repeats 96 times>}, {19, 0 <repeats 13 times>, 111, 0 <repeats 81 times>}, {20, 0 <repeats 13 times>, 112, 0 <repeats 81 times>}, {23, 0 <repeats 13 times>, 115, 0 <repeats 81 times>},
{91, 0 <repeats 95 times>}, {39, 0 <repeats 13 times>, 131, 0 <repeats 81 times>}, {40, 0 <repeats 13 times>, 132, 0 <repeats 81 times>}, {41, 0 <repeats 13 times>, 133, 0 <repeats 81 times>},
{42, 0 <repeats 13 times>, 134, 0 <repeats 81 times>}, {43, 0 <repeats 13 times>, 135, 0 <repeats 81 times>}, {44, 0 <repeats 13 times>, 136, 0 <repeats 81 times>}, {45, 0 <repeats 13 times>, 137, 0 <repeats 81 times>},
{46, 0 <repeats 13 times>, 138, 0 <repeats 81 times>}, {47, 0 <repeats 13 times>, 139, 0 <repeats 81 times>}, {48, 0 <repeats 13 times>, 140, 0 <repeats 81 times>}, {49, 0 <repeats 13 times>, 141, 0 <repeats 81 times>},
{50, 0 <repeats 13 times>, 142, 0 <repeats 81 times>}, {51, 0 <repeats 13 times>, 143, 0 <repeats 81 times>}, {52, 0 <repeats 13 times>, 144, 0 <repeats 81 times>}, {53, 0 <repeats 13 times>, 145, 0 <repeats 81 times>},
{54, 0 <repeats 95 times>}, {55, 0 <repeats 95 times>}, {56, 0 <repeats 95 times>}, {57, 0 <repeats 95 times>},
{58, 0 <repeats 95 times>}, {59, 0 <repeats 95 times>}, {60, 0 <repeats 95 times>}, {61, 0 <repeats 95 times>},
{62, 0 <repeats 95 times>}, {63, 0 <repeats 95 times>}, {64, 0 <repeats 95 times>}, {18, 0 <repeats 13 times>, 110, 0 <repeats 81 times>},
{28, 0 <repeats 13 times>, 120, 0 <repeats 81 times>}, {27, 0 <repeats 13 times>, 119, 0 <repeats 81 times>}, {17, 0 <repeats 13 times>, 109, 0 <repeats 81 times>}, {0 <repeats 96 times>}}
per = 3.02734375
per_inc = 0.09765625
last_per = 0
last_y = 0
count = 1025
pixels = 1024
#1 0x00007fdd02e9da38 in __imlib_LoadImage (file=0x7fdcf9024fd8 "/usr/share/pixmaps/atlantikdesigner.xpm", progress=0, progress_granularity=0 '\0', immediate_load=0 '\0', dont_cache=0 '\0', er=0x7fff0de1c99c) at image.c:1027
im = <value optimized out>
best_loader = (ImlibLoader *) 0x7fdcf673cfc8
loader_ret = <value optimized out>
#2 0x00007fdd02e89b24 in imlib_load_image_with_error_return (file=0x7fdcf9024fd8 "/usr/share/pixmaps/atlantikdesigner.xpm", error_return=0x7fff0de1c9dc) at api.c:1328
im = <value optimized out>
er = <value optimized out>
prev_ctxt_image = (Imlib_Image) 0x7fdcf2555f90
#3 0x000000000042ea3c in image_new_from_file (filename=0x7fdcf9024fd8 "/usr/share/pixmaps/atlantikdesigner.xpm") at /home/jdanjou/Work/src/awesome/src/image.c:141
imimage = (Imlib_Image) 0x7fdcefeb96f0
e = IMLIB_LOAD_ERROR_NONE
image = (image_t *) 0x7fff0de1ca40
__FUNCTION__ = "image_new_from_file"
#4 0x000000000042eadd in luaA_image_new (L=0x7fdcffad4d98) at /home/jdanjou/Work/src/awesome/src/image.c:172
image = (image_t *) 0x7fdcffad4d98
filename = 0x7fdcf9024fd8 "/usr/share/pixmaps/atlantikdesigner.xpm"
[…]
-- System Information:
Debian Release: lenny/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libimlib2 depends on:
ii libbz2-1.0 1.0.5-1 high-quality block-sorting file co
ii libc6 2.7-16 GNU C Library: Shared libraries
ii libfreetype6 2.3.7-2 FreeType 2 font engine, shared lib
ii libgif4 4.1.6-6 library for GIF images (library)
ii libid3tag0 0.15.1b-10 ID3 tag reading library from the M
ii libjpeg62 6b-14 The Independent JPEG Group's JPEG
ii libpng12-0 1.2.27-2 PNG library - runtime
ii libtiff4 3.8.2-11 Tag Image File Format (TIFF) libra
ii libx11-6 2:1.1.5-2 X11 client-side library
ii libxext6 2:1.0.4-1 X11 miscellaneous extension librar
ii zlib1g 1:1.2.3.3.dfsg-12 compression library - runtime
libimlib2 recommends no packages.
libimlib2 suggests no packages.
-- no debconf information
--
Julien Danjou
// ᐰ <julien@danjou.info> http://julien.danjou.info
// 9A0D 5FD9 EB42 22F6 8974 C95C A462 B51E C2FE E5CD
// Don't give up.
[atlantikdesigner.xpm (image/x-xpixmap, attachment)]
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2. (Fri, 14 Nov 2008 15:42:06 GMT)
Acknowledgement sent to Julien Danjou <acid@debian.org>: Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Fri, 14 Nov 2008 15:42:12 GMT)
Message #10 received at 505714@bugs.debian.org:
I opened bug #547 on bugs.enlightenment.org.
Cheers,
--
Julien Danjou
.''`. Debian Developer
: :' : http://julien.danjou.info
`. `' http://people.debian.org/~acid
`- 9A0D 5FD9 EB42 22F6 8974 C95C A462 B51E C2FE E5CD
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2. (Wed, 19 Nov 2008 20:42:09 GMT)
Acknowledgement sent to Peter De Wachter <pdewacht@gmail.com>: Extra info received and forwarded to list. Copy sent to team@security.debian.org, ljlane@debian.org (Laurence J. Lane). (Wed, 19 Nov 2008 20:42:13 GMT)
Message #15 received at 505714@bugs.debian.org:
Package: libimlib2-dev
Version: 1.4.0-1.1
Tags: security
Followup-For: Bug #505714
This is another buffer overflow in the XPM loader. (The xpm attached
to this bug report is a 32x32 image according to the header, but
contains 33x32 pixels.)
--- a/src/modules/loaders/loader_xpm.c
+++ b/src/modules/loaders/loader_xpm.c
@@ -246,8 +246,8 @@
return 0;
}
ptr = im->data;
- end = ptr + (sizeof(DATA32) * w * h);
pixels = w * h;
+ end = ptr + pixels;
}
else
{
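Review bot: the removed line scales the bound twice, and that is the whole bug. `ptr` and `end` are `DATA32 *`, so `ptr + n` already advances n elements (n * 4 bytes); multiplying by `sizeof(DATA32)` again places `end` at four times the length of the `im->data` allocation, so the loop guard `ptr < end` stopped nothing when the 33-pixel rows of the test file overran the 32x32 buffer (the crash frame shows `count = 1025` against `pixels = 1024`). `end = ptr + pixels` is the correct unit. Two follow-ups to raise: the hunk keeps the silent-truncation behaviour, so a body whose rows are longer than `w` now loads clipped rather than failing; since a header/body mismatch is exactly the malformed input here, consider returning an error when a row has more than `w * cpp` characters. And `pixels = w * h` is only a safe bound because `w` and `h` are range-checked earlier, outside this hunk; that check should be confirmed in the same review rather than assumed.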
Tags added: security, patch. Request was from pdewacht@gmail.com (Peter De Wachter) to control@bugs.debian.org. (Wed, 19 Nov 2008 21:33:11 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2. (Sat, 22 Nov 2008 10:23:55 GMT)
Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>: Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Sat, 22 Nov 2008 10:23:55 GMT)
Message #22 received at 505714@bugs.debian.org:
tags 505714 + patch pending
thanks
Hi Laurance,
Here is the NMU for imlib2 (versioned as 1.4.0-1.2) and to be uploaded.
Kind regards
T.
diff -u imlib2-1.4.0/debian/control imlib2-1.4.0/debian/control
--- imlib2-1.4.0/debian/control
+++ imlib2-1.4.0/debian/control
@@ -2,7 +2,7 @@
Section: libs
Priority: optional
Maintainer: Laurence J. Lane <ljlane@debian.org>
-Build-Depends: libjpeg62-dev, libpng12-dev, libtiff4-dev, zlib1g-dev, libungif4-dev, libx11-dev, libxext-dev, libfreetype6-dev, cdbs, libltdl3-dev, libbz2-dev, libid3tag0-dev, debhelper (>> 5)
+Build-Depends: libjpeg62-dev, libpng12-dev, libtiff4-dev, zlib1g-dev, libgif-dev, libx11-dev, libxext-dev, libfreetype6-dev, cdbs, libltdl3-dev, libbz2-dev, libid3tag0-dev, debhelper (>> 5)
Standards-Version: 3.7.2
Package: libimlib2
@@ -22,7 +22,7 @@
Architecture: any
Section: libdevel
Replaces: libimlib2
-Depends: libimlib2 (=${binary:Version}), libc6-dev, libjpeg62-dev, libpng12-dev, libtiff4-dev, zlib1g-dev, libungif4-dev, libx11-dev, libxext-dev, libfreetype6-dev, libltdl3-dev
+Depends: libimlib2 (=${binary:Version}), libc6-dev, libjpeg62-dev, libpng12-dev, libtiff4-dev, zlib1g-dev, libgif-dev, libx11-dev, libxext-dev, libfreetype6-dev, libltdl3-dev
Description: Imlib2 development files
Headers, static libraries and documentation for developing
software that uses Imlib2.
diff -u imlib2-1.4.0/debian/libimlib2-dev.doc-base imlib2-1.4.0/debian/libimlib2-dev.doc-base
--- imlib2-1.4.0/debian/libimlib2-dev.doc-base
+++ imlib2-1.4.0/debian/libimlib2-dev.doc-base
@@ -3,7 +3,7 @@
Author: Carsten Haitzler
Abstract: This document describes Imlib2 API
and provides sample C code.
-Section: Apps/Programming
+Section: Programming
Format: HTML
Index: /usr/share/doc/libimlib2-dev/html/index.html
diff -u imlib2-1.4.0/debian/changelog imlib2-1.4.0/debian/changelog
--- imlib2-1.4.0/debian/changelog
+++ imlib2-1.4.0/debian/changelog
@@ -1,3 +1,13 @@
+imlib2 (1.4.0-1.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix crash in XPM loader. Bug and test case by Julien Danjou, patch by
+ Peter De Wachter, thanks! Closes: #505714 aka CVE-2008-5187
+ * Change libungif4-dev to libgif-dev in (Build-)Depends.
+ * Fix doc-base section to drop Apps/.
+
+ -- Thomas Viehmann <tv@beamnet.de> Sat, 22 Nov 2008 10:45:27 +0100
+
imlib2 (1.4.0-1.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
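Review bot: the changelog entry bundles two unrelated packaging changes (libungif4-dev to libgif-dev in Build-Depends/Depends, and the doc-base section) with the security fix. A security NMU is easiest to review, to backport to stable and to diff against the maintainer's next upload when it carries only the fix; consider leaving the dependency and doc-base cleanups to the maintainer. The entry does the important things right in naming CVE-2008-5187 and closing #505714, but "Fix crash in XPM loader" understates the issue; describing it as a heap buffer overflow in the XPM loader (the overrun is into the malloc'd `im->data`) makes the severity visible to anyone scanning the changelog for the CVE.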
diff -u imlib2-1.4.0/src/modules/loaders/loader_xpm.c imlib2-1.4.0/src/modules/loaders/loader_xpm.c
--- imlib2-1.4.0/src/modules/loaders/loader_xpm.c
+++ imlib2-1.4.0/src/modules/loaders/loader_xpm.c
@@ -246,8 +246,8 @@
return 0;
}
ptr = im->data;
- end = ptr + (sizeof(DATA32) * w * h);
pixels = w * h;
+ end = ptr + pixels;
}
else
{
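Review bot: this hunk is byte-identical to Peter De Wachter's patch in message #15, so the same two conditions decide whether it is sufficient. First, `end` must be in the same units as the allocation: `im->data` is sized by `malloc(sizeof(DATA32) * im->w * im->h)` and both pointers are `DATA32 *`, so `ptr + pixels` is right and the old `sizeof(DATA32) *` factor was the overrun. Second, `pixels = w * h` must not overflow `int`, which holds only because the loader separately rejects non-positive values and anything above 8192 (at most 2^26 pixels). Anyone backporting this hunk alone into another version should verify that range check exists there before relying on it.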
Tags added: patch, pending. Request was from Thomas Viehmann <tv@beamnet.de> to control@bugs.debian.org. (Sat, 22 Nov 2008 10:23:57 GMT)
Reply sent to Thomas Viehmann <tv@beamnet.de>: You have taken responsibility. (Sat, 22 Nov 2008 10:57:17 GMT)
Notification sent to Julien Danjou <acid@debian.org>: Bug acknowledged by developer. (Sat, 22 Nov 2008 10:57:17 GMT)
Message #29 received at 505714-close@bugs.debian.org:
Source: imlib2
Source-Version: 1.4.0-1.2
We believe that the bug you reported is fixed in the latest version of
imlib2, which is due to be installed in the Debian FTP archive:
imlib2_1.4.0-1.2.diff.gz
to pool/main/i/imlib2/imlib2_1.4.0-1.2.diff.gz
imlib2_1.4.0-1.2.dsc
to pool/main/i/imlib2/imlib2_1.4.0-1.2.dsc
libimlib2-dev_1.4.0-1.2_amd64.deb
to pool/main/i/imlib2/libimlib2-dev_1.4.0-1.2_amd64.deb
libimlib2_1.4.0-1.2_amd64.deb
to pool/main/i/imlib2/libimlib2_1.4.0-1.2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 505714@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Viehmann <tv@beamnet.de> (supplier of updated imlib2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Sat, 22 Nov 2008 10:45:27 +0100
Source: imlib2
Binary: libimlib2 libimlib2-dev
Architecture: source amd64
Version: 1.4.0-1.2
Distribution: unstable
Urgency: high
Maintainer: Laurence J. Lane <ljlane@debian.org>
Changed-By: Thomas Viehmann <tv@beamnet.de>
Description:
libimlib2 - powerful image loading and rendering library
libimlib2-dev - Imlib2 development files
Closes: 505714
Changes:
imlib2 (1.4.0-1.2) unstable; urgency=high
.
* Non-maintainer upload.
* Fix crash in XPM loader. Bug and test case by Julien Danjou, patch by
Peter De Wachter, thanks! Closes: #505714 aka CVE-2008-5187
* Change libungif4-dev to libgif-dev in (Build-)Depends.
* Fix doc-base section to drop Apps/.
Checksums-Sha1:
0ac5b27856033fe044dda2d157ca48e70f33a26a 1123 imlib2_1.4.0-1.2.dsc
8462b934a996ebd9814d086b40b09ac5bebd281e 56377 imlib2_1.4.0-1.2.diff.gz
c4c49877be44061131655510849f256676ec82c4 220114 libimlib2_1.4.0-1.2_amd64.deb
00b041b75b8c98d94cf18e6eb265b265b0ed52f8 371766 libimlib2-dev_1.4.0-1.2_amd64.deb
Checksums-Sha256:
99cae7fbe6426c130a808662a35976129a648b604e574e29ed08fbf8e3d11251 1123 imlib2_1.4.0-1.2.dsc
ea0b668fd7a55756ae1d41baccbe5cea5135f598069b09cad2664fa492c0d447 56377 imlib2_1.4.0-1.2.diff.gz
af6d7c11f3ef06c7b62a4763f2f5f6e3ec80d95aa894a4378cdef8117110dbce 220114 libimlib2_1.4.0-1.2_amd64.deb
96bf4018e57ce49e7a035efae20eeda88fa8763b394d300a3a467ef28c86d7ab 371766 libimlib2-dev_1.4.0-1.2_amd64.deb
Files:
45a9571b3454a8a56cf50e8eddc8406f 1123 libs optional imlib2_1.4.0-1.2.dsc
ea54608fda300822f84e8d245dae21d9 56377 libs optional imlib2_1.4.0-1.2.diff.gz
6306baa5fed31c0872d6c2912e202639 220114 libs optional libimlib2_1.4.0-1.2_amd64.deb
b777111fd09c13eb939464f230cc9080 371766 libdevel optional libimlib2-dev_1.4.0-1.2_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iEYEARECAAYFAkkn3KwACgkQriZpaaIa1PmTtQCggejcP52dSEY/zCsejEYzD0+s
Qw8AoLdEois+BD7V4NaJ/nAG0viyG0uA
=nG7Y
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2. (Sun, 23 Nov 2008 19:03:02 GMT)
Acknowledgement sent to Bas Zoetekouw <bas@debian.org>: Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Sun, 23 Nov 2008 19:03:03 GMT)
Message #34 received at 505714@bugs.debian.org:
Hi!
> diff -u imlib2-1.4.0/src/modules/loaders/loader_xpm.c imlib2-1.4.0/src/modules/loaders/loader_xpm.c
> --- imlib2-1.4.0/src/modules/loaders/loader_xpm.c
> +++ imlib2-1.4.0/src/modules/loaders/loader_xpm.c
> @@ -246,8 +246,8 @@
> return 0;
> }
> ptr = im->data;
> - end = ptr + (sizeof(DATA32) * w * h);
> pixels = w * h;
> + end = ptr + pixels;
> }
> else
> {
Are you sure this patch actually fixes the bug reported here? I agree
that the use of sizeof(DATA32) here is definitely a bug and should be
fixed, but I'm not sure that that's all there is to it.
The reporter of the bug as well as the CVE say the actual problem here
is that the height and width are read from the header, and might not be
the actual size of the picture being loaded. I don't see how this patch
fixes that issue (although I must confess I haven't looked at the code in
detail).
Concretely: can't w*h still overflow in the code above, for a suitably crafted
header?
Kind regards,
Bas.
--
+--------------------------------------------------------------+
| Bas Zoetekouw | Sweet day, so cool, so calm, so bright, |
|--------------------| The bridall of the earth and skie: |
| bas@zoetekouw.net | The dew shall weep thy fall tonight; |
+--------------------| For thou must die. |
+-----------------------------------------+
Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2. (Sun, 23 Nov 2008 19:24:06 GMT)
Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>: Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Sun, 23 Nov 2008 19:24:06 GMT)
Message #39 received at 505714@bugs.debian.org:
Hi,
thanks for your attention to this.
Bas Zoetekouw wrote:
>> diff -u imlib2-1.4.0/src/modules/loaders/loader_xpm.c imlib2-1.4.0/src/modules/loaders/loader_xpm.c
>> --- imlib2-1.4.0/src/modules/loaders/loader_xpm.c
>> +++ imlib2-1.4.0/src/modules/loaders/loader_xpm.c
>> @@ -246,8 +246,8 @@
>> return 0;
>> }
>> ptr = im->data;
>> - end = ptr + (sizeof(DATA32) * w * h);
>> pixels = w * h;
>> + end = ptr + pixels;
>> }
>> else
>> {
>
> Are you sure this patch actually fixes the bug reported here? I agree
> that the use of sizeof(DATA32) here is definitely a bug and should be
> fixed, but I'm not sure that that's all there is to it.
>
> The reporter of the bug as well as the CVE say the actual problem here
> is that the height and width are read from the header, and might not be
> the actual size of the picture being loaded. I don't see how this patch
> fixes that issue (although I must confess I haven't looked at the code in
> detail).
>
> Concretely: can't w*h still overflow in the code above, for a suitably crafted
> header?
ptr and end are both DATA32*.
ptr is initialized to
im->data = (DATA32 *) malloc(sizeof(DATA32) * im->w * im->h);
(im->w and im->h are equal to w and h, respectively) and later on this
is used as
for (i = 0;
((i < 65536) && (ptr < end) && (line[i]));
i++)
{
...
*ptr++ = ...
}
I think this should be OK even if end ends up < ptr because one of w,h
is negative for some reason or an overflow, but I'm happier to be
corrected than have imlib2 in the release with an incorrect patch. :)
Kind regards
T.
--
Thomas Viehmann, http://thomas.viehmann.net/
Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2. (Sun, 23 Nov 2008 21:36:02 GMT)
Acknowledgement sent to Peter De Wachter <pdewacht@gmail.com>: Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Sun, 23 Nov 2008 21:36:03 GMT)
Message #44 received at 505714@bugs.debian.org:
On Sun, 23 Nov 2008 20:22:27 +0100
Thomas Viehmann <tv@beamnet.de> wrote:
> > Concretely: can't w*h still overflow in the code above, for a
> > suitably crafted header?
> ptr and end are both DATA32*.
>
> ptr is initialized to
> im->data = (DATA32 *) malloc(sizeof(DATA32) * im->w * im->h);
>
> (im->w and im->h are equal to w and h, respectively) and later on this
> is used as
>
> for (i = 0;
> ((i < 65536) && (ptr < end) && (line[i]));
> i++)
> {
> ...
> *ptr++ = ...
> }
>
> I think this should be OK even if end ends up < ptr because one of
> w,h is negative for some reason or an overflow, but I'm happier to
> be corrected than have imlib2 in the release with an incorrect
> patch. :)
The code also checks that w and h are positive and at most 8192.
--
Peter De Wachter
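The bound mix-up discussed in messages #15, #39 and #44 above, as an added example that is not part of the bug report, the NMU or imlib2 itself. It models the loader's per-row loop with the pre-fix and post-fix computation of `end`, counts how many pixel stores the `ptr < end` guard admits for a body that disagrees with its header (a 32x32 header with 33-pixel rows, matching Peter's description of the attached test case), and adds the stricter header-versus-body check a reviewer might ask for instead of silent clipping. Assumptions: the function names are hypothetical; `header_ok` paraphrases the "positive and at most 8192" check Peter describes rather than quoting imlib2's code; the pixel rows are constructed; and the scratch buffer is deliberately sized to the larger, buggy bound so the demonstration itself never writes outside allocated memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t DATA32;   /* imlib2's pixel type: 4 bytes per pixel */

/* Paraphrase (not imlib2's code) of the header sanity check described in
 * the thread: width and height positive and at most 8192, so w * h is at
 * most 2^26 and cannot overflow int. */
int header_ok(int w, int h)
{
    return w > 0 && h > 0 && w <= 8192 && h <= 8192;
}

/* Simulate the loader's pixel loop: `rows` rows of `row_len` pixels are
 * stored through the guard `ptr < end`. `buggy` selects the pre-fix bound
 * (sizeof(DATA32) * w * h elements, i.e. four buffers' worth) or the fixed
 * bound (w * h elements). The scratch buffer is sized to the buggy bound so
 * every store stays inside allocated memory; the return value is how many
 * pixel stores the guard admitted. */
size_t pixels_written(int w, int h, int rows, int row_len, int buggy)
{
    if (!header_ok(w, h))
        return 0;
    size_t alloc = (size_t)w * h;                      /* real allocation */
    size_t bound = buggy ? sizeof(DATA32) * alloc : alloc;
    DATA32 *data = calloc(bound, sizeof *data);        /* oversized on purpose */
    if (data == NULL)
        return 0;
    DATA32 *ptr = data, *end = data + bound;
    size_t written = 0;
    for (int y = 0; y < rows; y++)
        for (int x = 0; x < row_len && ptr < end; x++) {
            *ptr++ = 0x00FF0000u;                      /* any pixel value */
            written++;
        }
    free(data);
    return written;
}

/* Bytes the loop would have written past a real w * h * 4-byte allocation. */
size_t overrun_bytes(int w, int h, int rows, int row_len, int buggy)
{
    size_t alloc = (size_t)w * h;
    size_t written = pixels_written(w, h, rows, row_len, buggy);
    return written > alloc ? (written - alloc) * sizeof(DATA32) : 0;
}

/* Stricter policy than the fix: reject a pixel section whose row count or
 * row length (cpp characters per pixel) disagrees with the header instead
 * of silently clamping it. Returns 0 when consistent, -1 on mismatch. */
int body_matches_header(int w, int h, int cpp, const char *const *rows, int nrows)
{
    if (nrows != h)
        return -1;
    for (int y = 0; y < h; y++)
        if (strlen(rows[y]) != (size_t)w * cpp)
            return -1;
    return 0;
}

/* Constructed pixel rows: a 4x2 image at 2 chars per pixel, once consistent
 * and once with a fifth pixel on the first row, the shape of the test case. */
static const char *const good_rows[] = { "aabbccdd", "aabbccdd" };
static const char *const long_rows[] = { "aabbccddee", "aabbccdd" };

int main(void)
{
    /* Header 32x32, body 32 rows of 33 pixels, as Peter describes the attachment. */
    printf("buggy bound: %zu pixels stored, %zu bytes past the buffer\n",
           pixels_written(32, 32, 32, 33, 1), overrun_bytes(32, 32, 32, 33, 1));
    printf("fixed bound: %zu pixels stored, %zu bytes past the buffer\n",
           pixels_written(32, 32, 32, 33, 0), overrun_bytes(32, 32, 32, 33, 0));
    printf("strict check: consistent=%d, long row=%d\n",
           body_matches_header(4, 2, 2, good_rows, 2),
           body_matches_header(4, 2, 2, long_rows, 2));
    return 0;
}
```

The difference between the two bounds is one extra pixel per row, which is the 33-versus-32 mismatch in the test file; the crash frame in the original report shows the same thing from the other side, with `count = 1025` already past `pixels = 1024`. The fixed bound stops the loop at the allocation but still accepts the malformed file; `body_matches_header` is the alternative of rejecting it, which is what a loader that treats the header as authoritative should arguably do.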
Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2. (Tue, 25 Nov 2008 11:51:04 GMT)
Acknowledgement sent to Bas Zoetekouw <bas@debian.org>: Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Tue, 25 Nov 2008 11:51:04 GMT)
Message #49 received at 505714@bugs.debian.org:
Hi Thomas!
You wrote:
> I think this should be OK even if end ends up < ptr because one of w,h
> is negative for some reason or an overflow, but I'm happier to be
> corrected than have imlib2 in the release with an incorrect patch. :)
I see.
Thanks for your analysis, and sorry for the noise.
Regards,
Bas.
--
+--------------------------------------------------------------+
| Bas Zoetekouw | Sweet day, so cool, so calm, so bright, |
|--------------------| The bridall of the earth and skie: |
| bas@zoetekouw.net | The dew shall weep thy fall tonight; |
+--------------------| For thou must die. |
+-----------------------------------------+
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 24 Dec 2008 07:26:03 GMT)
Bug unarchived. Request was from tv@beamnet.de (Thomas Viehmann) to control@bugs.debian.org. (Mon, 12 Jan 2009 13:48:09 GMT)
Bug marked as found in version 1.4.0-1. Request was from tv@beamnet.de (Thomas Viehmann) to control@bugs.debian.org. (Mon, 12 Jan 2009 13:48:10 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2. (Mon, 12 Jan 2009 15:00:02 GMT)
Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>: Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Mon, 12 Jan 2009 15:00:22 GMT)
Message #60 received at 505714@bugs.debian.org:
Hi Laurence,
apologies for misspelling your name in my communication of this bug
report. Nonetheless I would suggest to not drop the security bug fix for
#505714. Generally, it might be a good idea to make a habit out of
incorporating NMUs as per Developer's Reference 5.11.6.
Kind regards
T.
--
Thomas Viehmann, http://thomas.viehmann.net/
Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2. (Mon, 12 Jan 2009 17:18:06 GMT)
Acknowledgement sent to "Laurence J. Lane" <ljlane@debian.org>: Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Mon, 12 Jan 2009 17:18:06 GMT)
Message #65 received at 505714@bugs.debian.org:
On Mon, Jan 12, 2009 at 9:51 AM, Thomas Viehmann <tv@beamnet.de> wrote:
> apologies for misspelling your name in my communication of this bug
> report. Nonetheless I would suggest to not drop the security bug fix for
> #505714. Generally, it might be a good idea to make a habit out of
> incorporating NMUs as per Developer's Reference 5.11.6.
Oops.
Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2. (Mon, 12 Jan 2009 19:06:02 GMT)
Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>: Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Mon, 12 Jan 2009 19:06:02 GMT)
Message #70 received at 505714@bugs.debian.org:
# nitpicking the version tracking for Daniel Holbach's reference :)...
found 505714 1.4.2-1
fixed 505714 1.4.2-2
thanks
Hi,
Thanks for the quick fix!
Kind regards
T.
--
Thomas Viehmann, http://thomas.viehmann.net/
Bug marked as found in version 1.4.2-1 and reopened. Request was from Thomas Viehmann <tv@beamnet.de> to control@bugs.debian.org. (Mon, 12 Jan 2009 19:06:04 GMT)
Bug marked as fixed in version 1.4.2-2. Request was from Thomas Viehmann <tv@beamnet.de> to control@bugs.debian.org. (Mon, 12 Jan 2009 19:06:05 GMT)
Reply sent to Jakub Wilk <jwilk@debian.org>: You have taken responsibility. (Sat, 28 Apr 2012 12:27:03 GMT)
Notification sent to Julien Danjou <acid@debian.org>: Bug acknowledged by developer. (Sat, 28 Apr 2012 12:27:06 GMT)
Message #79 received at 505714-done@bugs.debian.org:
This bug is marked as fixed in stable, testing and unstable. There's no
reason to keep it open. Closing.
--
Jakub Wilk
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 May 2012 07:34:53 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 15:52:27 2019
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.