Debian Bug report logs -
#464056
CVE-2006-4484: buffer overflow in giftopnm
Reported by: Stefan Fritsch <sf@sfritsch.de>
Date: Mon, 4 Feb 2008 22:15:01 UTC
Severity: important
Tags: security
Found in version netpbm-free/2:10.0-11
Fixed in versions netpbm-free/2:10.0-11.1+etch4, netpbm-free/2:10.0-11.1
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Toggle useless messages
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Andreas Barth <aba@not.so.argh.org>
:
Bug#464056
; Package netpbm
.
(full text, mbox, link).
Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>
:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Andreas Barth <aba@not.so.argh.org>
.
(full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: netpbm
Version: 2:10.0-11
Severity: important
Tags: security
The gif from http://people.debian.org/~seanius/security/php/poc/38112.gif
causes a buffer overflow in giftopnm, too.
See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384838
or tk8.5 8.5.0-3 for patches for the same problem in other packages.
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>
:
Bug#464056
; Package netpbm
.
(full text, mbox, link).
Acknowledgement sent to Tomas Hoger <thoger@redhat.com>
:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>
.
(full text, mbox, link).
Message #10 received at 464056@bugs.debian.org (full text, mbox, reply):
Hi!
Please note that Mitre has decided to use separate CVE id for each
affected project:
CVE-2006-4484 - gd
CVE-2007-6697 - SDL_image
CVE-2008-0553 - tk
CVE-2008-0554 - netpbm
netpbm was fixed in upstream version 10.27.
http://netpbm.svn.sourceforge.net/viewvc/netpbm/trunk/converter/other/giftopnm.c?revision=1&view=markup#l_1052
--
Tomas Hoger
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>
:
Bug#464056
; Package netpbm
.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>
:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>
.
(full text, mbox, link).
Message #15 received at 464056@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi Tomas,
* Tomas Hoger <thoger@redhat.com> [2008-02-05 10:37]:
> Please note that Mitre has decided to use separate CVE id for each
> affected project:
>
> CVE-2006-4484 - gd
> CVE-2007-6697 - SDL_image
> CVE-2008-0553 - tk
> CVE-2008-0554 - netpbm
Thanks Thomas, we already tracked the other packages,
assigned the ids in the security tracker.
Cheers
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]
Reply sent to Nico Golde <nion@debian.org>
:
You have taken responsibility.
(full text, mbox, link).
Notification sent to Stefan Fritsch <sf@sfritsch.de>
:
Bug acknowledged by developer.
(full text, mbox, link).
Message #20 received at 464056-close@bugs.debian.org (full text, mbox, reply):
Source: netpbm-free
Source-Version: 2:10.0-11.1
We believe that the bug you reported is fixed in the latest version of
netpbm-free, which is due to be installed in the Debian FTP archive:
libnetpbm10-dev_10.0-11.1_i386.deb
to pool/main/n/netpbm-free/libnetpbm10-dev_10.0-11.1_i386.deb
libnetpbm10_10.0-11.1_i386.deb
to pool/main/n/netpbm-free/libnetpbm10_10.0-11.1_i386.deb
libnetpbm9-dev_10.0-11.1_i386.deb
to pool/main/n/netpbm-free/libnetpbm9-dev_10.0-11.1_i386.deb
libnetpbm9_10.0-11.1_i386.deb
to pool/main/n/netpbm-free/libnetpbm9_10.0-11.1_i386.deb
netpbm-free_10.0-11.1.diff.gz
to pool/main/n/netpbm-free/netpbm-free_10.0-11.1.diff.gz
netpbm-free_10.0-11.1.dsc
to pool/main/n/netpbm-free/netpbm-free_10.0-11.1.dsc
netpbm_10.0-11.1_i386.deb
to pool/main/n/netpbm-free/netpbm_10.0-11.1_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 464056@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated netpbm-free package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.7
Date: Thu, 07 Feb 2008 20:31:46 +0100
Source: netpbm-free
Binary: netpbm libnetpbm10 libnetpbm10-dev libnetpbm9 libnetpbm9-dev
Architecture: source i386
Version: 2:10.0-11.1
Distribution: unstable
Urgency: high
Maintainer: Andreas Barth <aba@not.so.argh.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
libnetpbm10 - Shared libraries for netpbm
libnetpbm10-dev - Development libraries and header files
libnetpbm9 - Shared libraries for netpbm
libnetpbm9-dev - Development libraries and header files
netpbm - Graphics conversion tools
Closes: 464056
Changes:
netpbm-free (2:10.0-11.1) unstable; urgency=high
.
* Non-maintainer upload by security team.
* This update addresses the following security issue:
- CVE-2008-0554: The readImageData function in giftopnm.c does not
properly check the upper bound of a fixed size array leading to a
buffer overflow and possibly code execution (Closes: #464056).
Files:
ae3a531cc84b21dcd60db88a02ae7767 743 graphics optional netpbm-free_10.0-11.1.dsc
a4ad8a540d0861d518721e8747621f40 50716 graphics optional netpbm-free_10.0-11.1.diff.gz
2bdecf771439e63d3ee954fbb25fa127 1202384 graphics optional netpbm_10.0-11.1_i386.deb
0b81be609bfe60385368c5c4f9ecb037 64660 libs optional libnetpbm10_10.0-11.1_i386.deb
9c791b55b01df4d4b428c4312e2c1d4a 110228 libdevel optional libnetpbm10-dev_10.0-11.1_i386.deb
d0f0b480d27b56ec7a9ddd90a02a707d 70782 libs optional libnetpbm9_10.0-11.1_i386.deb
97c29a7c735b5c10743ee26c7d01578a 109842 libdevel optional libnetpbm9-dev_10.0-11.1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFHq3LWHYflSXNkfP8RAmlSAJ9dS1setE+vBNw9Wk3+o5e5zKrhRQCeI8gl
/OiYfWIlKMpKig+ODRdUY+4=
=aj2E
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>
:
Bug#464056
; Package netpbm
.
(full text, mbox, link).
Acknowledgement sent to Nico Golde <nion@debian.org>
:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>
.
(full text, mbox, link).
Message #25 received at 464056@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Hi,
my patch went to a wrong bug number so here it is.
It will be also archived on:
http://people.debian.org/~nion/nmu-diff/netpbm-free-10.0-11_10.0-11.1.patch
Kind regards
Nico
--
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[netpbm-free-10.0-11_10.0-11.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Tue, 11 Mar 2008 07:36:05 GMT) (full text, mbox, link).
Bug unarchived.
Request was from Lucas Nussbaum <lucas@lucas-nussbaum.net>
to controlbugs.debian.org
.
(Sat, 09 Aug 2008 18:02:59 GMT) (full text, mbox, link).
Marked as fixed in versions netpbm-free/2:10.0-11.1+etch4.
Request was from Andreas Beckmann <anbe@debian.org>
to control@bugs.debian.org
.
(Mon, 04 Nov 2013 00:09:31 GMT) (full text, mbox, link).
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org
.
(Mon, 02 Dec 2013 07:43:27 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 13:46:49 2019;
Machine Name:
beach
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.