Report forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>: Bug#359661; Package libimager-perl.
Acknowledgement sent to Kjetil Kjernsmo <kjetilk@opera.com>:
New Bug report received and forwarded. Copy sent to Jay Bonci <jaybonci@debian.org>.
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libimager-perl: 4 channel JPEGs can crash Imager when writing to a scalar
Date: Tue, 28 Mar 2006 12:22:28 +0200
Package: libimager-perl
Version: 0.44-1
Severity: important
Tags: security
We have found that libimager-perl, aka Imager, versions < 0.49_01, has a
bug that can result in a Segmentation Fault if it operates on 4-channel
JPEG images.
If setting $picture to a blob containing a JPEG image with 4 channels,
the problem should be reproducible:

    use Imager;
    my $img = Imager->new();
    $img->read(data=>$picture);
    warn "imager is saving..";
    $img->write(data=>\$picture,type=>"jpeg");
    warn "imager is done saving..";

We have worked with upstream developer Tony Cook, who has a fix
ready. If the library is used to process images from remote sources,
this problem can be exploited to perform a DoS attack, thus we have
tagged the report security.
Ole Kasper Olsen and Kjetil Kjernsmo
Opera Software ASA
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)
Versions of packages libimager-perl depends on:
ii  libc6                  2.3.2.ds1-22       GNU C Library: Shared libraries an
ii  libfreetype6           2.1.7-2.4          FreeType 2 font engine, shared lib
ii  libjpeg62              6b-10              The Independent JPEG Group's JPEG
ii  libpng12-0             1.2.8rel-1         PNG library - runtime
ii  libt1-5                5.0.2-3            Type 1 font rasterizer library - r
ii  libtiff4               3.7.2-3            Tag Image File Format (TIFF) libra
ii  libungif4g             4.1.3-2sarge1      shared library for GIF images (run
ii  perl                   5.8.4-8sarge3      Larry Wall's Practical Extraction
ii  perl-base [perlapi-5.8 5.8.4-8sarge3      The Pathologically Eclectic Rubbis
ii  zlib1g                 1:1.2.2-4.sarge.2  compression library - runtime
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>: Bug#359661; Package libimager-perl.
Acknowledgement sent to Tony Cook <tony@develop-help.com>:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>.
Here's a simpler example that reproduces the problem:

    use Imager;
    # 2 or 4 channels, it doesn't matter
    my $im = Imager->new(xsize => 1, ysize => 1, channels => 4);
    my $data;
    # this should fail, but it shouldn't seg fault
    $im->write(data => \$data, type => 'jpeg') or die $im->errstr;

The same problem occurs with 2 channel images written to TGA format
streams:

    use Imager;
    my $im = Imager->new(xsize => 1, ysize => 1, channels => 2);
    my $data;
    # this should fail, but it shouldn't seg fault
    $im->write(data => \$data, type => 'tga') or die $im->errstr;

This problem has existed since at least Imager 0.41.
I'll be releasing Imager 0.50 shortly with a fix for this and 2 other
minor problems in 0.49.
I've attached a patch vs Imager 0.44 if you're looking at an update
for stable.
My dev tree already had a different fix for this problem, since
io_glue_commit_types() had become a no-op.
Tony Cook
Imager maintainer
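
A mitigation sketch for a service that must re-encode untrusted images before the fixed package is installed (added example, not part of the bug thread and not Imager's own code): the hypothetical helper reencode_isolated does all Imager work in a forked child, drops the alpha channel for the channel counts this thread reports as unsupported, and turns a crash into an error return. It assumes a Unix-like system and an Imager build with PNG and JPEG support; the sample input is constructed.

```perl
use strict;
use warnings;
use Imager;

# Channel counts this thread reports as unsupported by each writer.
my %UNSUPPORTED = (jpeg => { 2 => 1, 4 => 1 }, tga => { 2 => 1 });

# Hypothetical helper: re-encode untrusted image bytes in a child process.
# Returns (bytes, undef) on success or (undef, reason) on failure.
sub reencode_isolated {
    my ($bytes, $type) = @_;
    pipe(my $rd, my $wr) or return (undef, "pipe: $!");
    defined(my $pid = fork()) or return (undef, "fork: $!");
    if ($pid == 0) {    # child: exit 2 = read, 3 = convert, 4 = write failed
        close $rd;
        my $img = Imager->new;
        $img->read(data => $bytes) or exit 2;
        if ($UNSUPPORTED{$type}{ $img->getchannels }) {
            # 'noalpha' drops the alpha channel: 2 -> 1, 4 -> 3 channels
            $img = $img->convert(preset => 'noalpha') or exit 3;
        }
        my $out;
        $img->write(data => \$out, type => $type) or exit 4;
        binmode $wr;
        print {$wr} $out;
        close $wr;
        exit 0;
    }
    close $wr;
    binmode $rd;
    my $out = do { local $/; <$rd> };    # read until the child closes the pipe
    close $rd;
    waitpid($pid, 0);
    my ($sig, $code) = ($? & 127, $? >> 8);
    return (undef, "encoder killed by signal $sig") if $sig;    # e.g. SIGSEGV
    return (undef, "encoder failed with exit code $code") if $code;
    return ($out, undef);
}

# Constructed input: a 1x1 four-channel image serialised as PNG.
my $png;
Imager->new(xsize => 1, ysize => 1, channels => 4)
    ->write(data => \$png, type => 'png') or die Imager->errstr;
my ($jpeg, $err) = reencode_isolated($png, 'jpeg');
my $msg = defined $jpeg ? "re-encoded " . length($jpeg) . " bytes" : "rejected: $err";
print "$msg\n";
```
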
Tags added: patch
Request was from Kjetil Kjernsmo <kjetilk@opera.com>
to control@bugs.debian.org.
Changed Bug title.
Request was from Kjetil Kjernsmo <kjetilk@opera.com>
to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>: Bug#359661; Package libimager-perl.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>.
Subject: Re: libimager-perl: 4 channel JPEGs can crash Imager when writing to a scalar
Date: Wed, 29 Mar 2006 10:55:14 +0200
Kjetil Kjernsmo wrote:
> Package: libimager-perl
> Version: 0.44-1
> Severity: important
> Tags: security
>
> We have found that libimager-perl, aka Imager, versions < 0.49_01, has a
> bug that can result in a Segmentation Fault if it operates on 4-channel
> JPEG images.
>
> If setting $picture to a blob containing a JPEG image with 4 channels,
> the problem should be reproducible:
>
> use Imager;
> my $img = Imager->new();
> $img->read(data=>$picture);
> warn "imager is saving..";
> $img->write(data=>\$picture,type=>"jpeg");
> warn "imager is done saving..";
>
>
> We have worked with upstream developer Tony Cook, who has a fix
> ready. If the library is used to process images from remote sources,
> this problem can be exploited to perform a DoS attack, thus we have
> tagged the report security.
>
> Ole Kasper Olsen and Kjetil Kjernsmo
> Opera Software ASA
Thanks for the report. A stable security update will be prepared.
This is CVE-2006-0053.
Cheers,
Moritz
Reply sent to Jay Bonci <jaybonci@debian.org>:
You have taken responsibility.
Notification sent to Kjetil Kjernsmo <kjetilk@opera.com>:
Bug acknowledged by developer.
Subject: Bug#359661: fixed in libimager-perl 0.50-1
Date: Thu, 30 Mar 2006 14:18:38 -0800
Source: libimager-perl
Source-Version: 0.50-1
We believe that the bug you reported is fixed in the latest version of
libimager-perl, which is due to be installed in the Debian FTP archive:
libimager-perl_0.50-1.diff.gz
to pool/main/libi/libimager-perl/libimager-perl_0.50-1.diff.gz
libimager-perl_0.50-1.dsc
to pool/main/libi/libimager-perl/libimager-perl_0.50-1.dsc
libimager-perl_0.50-1_i386.deb
to pool/main/libi/libimager-perl/libimager-perl_0.50-1_i386.deb
libimager-perl_0.50.orig.tar.gz
to pool/main/libi/libimager-perl/libimager-perl_0.50.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 359661@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jay Bonci <jaybonci@debian.org> (supplier of updated libimager-perl package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Thu, 30 Mar 2006 15:26:20 -0500
Source: libimager-perl
Binary: libimager-perl
Architecture: source i386
Version: 0.50-1
Distribution: unstable
Urgency: low
Maintainer: Jay Bonci <jaybonci@debian.org>
Changed-By: Jay Bonci <jaybonci@debian.org>
Description:
libimager-perl - Perl extension for Generating 24 bit Images
Closes: 359661
Changes:
libimager-perl (0.50-1) unstable; urgency=low
.
* New upstream release (Closes: #359661)
* Bumped Policy-Version to 3.6.2.2 (No other changes)
Files:
32260a9ce49356827873500569993db3 694 perl optional libimager-perl_0.50-1.dsc
19cfffe047909599226f76694155f996 757843 perl optional libimager-perl_0.50.orig.tar.gz
7ca2f30c71138cd93d0083537b3655da 2494 perl optional libimager-perl_0.50-1.diff.gz
1a9e618d70aef73bceacc7d31dbfe79d 609636 perl optional libimager-perl_0.50-1_i386.deb
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Tue, 26 Jun 2007 03:39:31 GMT)