Debian Bug report logs - #359661
2 or 4 channels images can crash Imager

version graph

Package: libimager-perl; Maintainer for libimager-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Source for libimager-perl is src:libimager-perl.

Reported by: Kjetil Kjernsmo <kjetilk@opera.com>

Date: Tue, 28 Mar 2006 10:33:01 UTC

Severity: important

Tags: patch, security

Found in version libimager-perl/0.44-1

Fixed in version libimager-perl/0.50-1

Done: Jay Bonci <jaybonci@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>:
Bug#359661; Package libimager-perl. Full text and rfc822 format available.

Acknowledgement sent to Kjetil Kjernsmo <kjetilk@opera.com>:
New Bug report received and forwarded. Copy sent to Jay Bonci <jaybonci@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Kjetil Kjernsmo <kjetilk@opera.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libimager-perl: 4 channel JPEGs can crash Imager when writing to a scalar
Date: Tue, 28 Mar 2006 12:22:28 +0200
Package: libimager-perl
Version: 0.44-1
Severity: important
Tags: security

We have found that libimager-perl, aka Imager, versions < 0.49_01, has a
bug that can result in a Segmentation Fault if it operates on 4-channel
JPEG images.
  
If setting $picture to a blob containing a JPEG image with 4 channels,
the problem should be reproducable:

   use Imager;
   my $img = Imager->new();
   $img->read(data=>$picture);
   warn "imager is saving..";
   $img->write(data=>\$picture,type=>"jpeg");
   warn "imager is done saving..";


We have worked with upstream developer Tony Cook, who has a fix
ready. If the library is used to process images from remote sources,
this problem can be exploited to perform a DoS attack, thus we have
tagged the report security.

Ole Kasper Olsen and Kjetil Kjernsmo
Opera Software ASA


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.8-2-686
Locale: LANG=en_US, LC_CTYPE=en_US (charmap=ISO-8859-1)

Versions of packages libimager-perl depends on:
ii  libc6                  2.3.2.ds1-22      GNU C Library: Shared 
libraries an
ii  libfreetype6           2.1.7-2.4         FreeType 2 font engine, 
shared lib
ii  libjpeg62              6b-10             The Independent JPEG 
Group's JPEG 
ii  libpng12-0             1.2.8rel-1        PNG library - runtime
ii  libt1-5                5.0.2-3           Type 1 font rasterizer 
library - r
ii  libtiff4               3.7.2-3           Tag Image File Format 
(TIFF) libra
ii  libungif4g             4.1.3-2sarge1     shared library for GIF 
images (run
ii  perl                   5.8.4-8sarge3     Larry Wall's Practical 
Extraction 
ii  perl-base [perlapi-5.8 5.8.4-8sarge3     The Pathologically Eclectic 
Rubbis
ii  zlib1g                 1:1.2.2-4.sarge.2 compression library - 
runtime

-- no debconf information



Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>:
Bug#359661; Package libimager-perl. Full text and rfc822 format available.

Acknowledgement sent to Tony Cook <tony@develop-help.com>:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>. Full text and rfc822 format available.

Message #10 received at 359661@bugs.debian.org (full text, mbox):

From: Tony Cook <tony@develop-help.com>
To: Kjetil Kjernsmo <kjetilk@opera.com>, 359661@bugs.debian.org
Subject: Re: Bug#359661: libimager-perl: 4 channel JPEGs can crash Imager when writing to a scalar
Date: Wed, 29 Mar 2006 09:51:14 +1000
[Message part 1 (text/plain, inline)]
Here's a simpler example that reproduces the problem:

  # 2 or 4 channels, it doesn't matter
  my $im = Imager->new(xsize => 1, ysize => 1, channels => 4);
  my $data;
  # this should fail, but it shouldn't seg fault
  $im->write(data => \$data, type => 'jpeg') or die $im->errstr;

The same problem occurs with 2 channel images written to TGA format
streams:

  my $im = Imager->new(xsize => 1, ysize => 1, channels => 2);
  my $data;
  # this should fail, but it shouldn't seg fault
  $im->write(data => \$data, type => 'tga') or die $im->errstr;

This problem has existed since at least Imager 0.41.

I'll be releasing Imager 0.50 shortly with a fix for this and 2 other
minor problems in 0.49.

I've attached a patch vs Imager 0.44 if you're looking at an update
for stable.

My dev tree already had a different fix for this problem, since
io_glue_commit_types() had become a no-op.

Tony Cook
Imager maintainer
[Imager-0.44-iolayers.diff (text/plain, attachment)]

Tags added: patch Request was from Kjetil Kjernsmo <kjetilk@opera.com> to control@bugs.debian.org. Full text and rfc822 format available.

Changed Bug title. Request was from Kjetil Kjernsmo <kjetilk@opera.com> to control@bugs.debian.org. Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>:
Bug#359661; Package libimager-perl. Full text and rfc822 format available.

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>. Full text and rfc822 format available.

Message #19 received at 359661@bugs.debian.org (full text, mbox):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Kjetil Kjernsmo <kjetilk@opera.com>
Cc: 359661@bugs.debian.org
Subject: Re: libimager-perl: 4 channel JPEGs can crash Imager when writing to a scalar
Date: Wed, 29 Mar 2006 10:55:14 +0200
Kjetil Kjernsmo wrote:
> Package: libimager-perl
> Version: 0.44-1
> Severity: important
> Tags: security
> 
> We have found that libimager-perl, aka Imager, versions < 0.49_01, has a
> bug that can result in a Segmentation Fault if it operates on 4-channel
> JPEG images.
>   
> If setting $picture to a blob containing a JPEG image with 4 channels,
> the problem should be reproducable:
> 
>    use Imager;
>    my $img = Imager->new();
>    $img->read(data=>$picture);
>    warn "imager is saving..";
>    $img->write(data=>\$picture,type=>"jpeg");
>    warn "imager is done saving..";
> 
> 
> We have worked with upstream developer Tony Cook, who has a fix
> ready. If the library is used to process images from remote sources,
> this problem can be exploited to perform a DoS attack, thus we have
> tagged the report security.
> 
> Ole Kasper Olsen and Kjetil Kjernsmo
> Opera Software ASA

Thanks for the report. A stable security update will be prepared.
This is CVE-2006-0053.

Cheers,
        Moritz



Reply sent to Jay Bonci <jaybonci@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Kjetil Kjernsmo <kjetilk@opera.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #24 received at 359661-close@bugs.debian.org (full text, mbox):

From: Jay Bonci <jaybonci@debian.org>
To: 359661-close@bugs.debian.org
Subject: Bug#359661: fixed in libimager-perl 0.50-1
Date: Thu, 30 Mar 2006 14:18:38 -0800
Source: libimager-perl
Source-Version: 0.50-1

We believe that the bug you reported is fixed in the latest version of
libimager-perl, which is due to be installed in the Debian FTP archive:

libimager-perl_0.50-1.diff.gz
  to pool/main/libi/libimager-perl/libimager-perl_0.50-1.diff.gz
libimager-perl_0.50-1.dsc
  to pool/main/libi/libimager-perl/libimager-perl_0.50-1.dsc
libimager-perl_0.50-1_i386.deb
  to pool/main/libi/libimager-perl/libimager-perl_0.50-1_i386.deb
libimager-perl_0.50.orig.tar.gz
  to pool/main/libi/libimager-perl/libimager-perl_0.50.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 359661@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Bonci <jaybonci@debian.org> (supplier of updated libimager-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 30 Mar 2006 15:26:20 -0500
Source: libimager-perl
Binary: libimager-perl
Architecture: source i386
Version: 0.50-1
Distribution: unstable
Urgency: low
Maintainer: Jay Bonci <jaybonci@debian.org>
Changed-By: Jay Bonci <jaybonci@debian.org>
Description: 
 libimager-perl - Perl extension for Generating 24 bit Images
Closes: 359661
Changes: 
 libimager-perl (0.50-1) unstable; urgency=low
 .
   * New upstream release (Closes: #359661)
   * Bumped Policy-Version to 3.6.2.2 (No other changes)
Files: 
 32260a9ce49356827873500569993db3 694 perl optional libimager-perl_0.50-1.dsc
 19cfffe047909599226f76694155f996 757843 perl optional libimager-perl_0.50.orig.tar.gz
 7ca2f30c71138cd93d0083537b3655da 2494 perl optional libimager-perl_0.50-1.diff.gz
 1a9e618d70aef73bceacc7d31dbfe79d 609636 perl optional libimager-perl_0.50-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.2 (GNU/Linux)

iD8DBQFELEjtZNh5D+C4st4RArXoAJ9j0Xd1o3dFmehnL+00sC/f4iBj6QCfQ8g1
AXCFa9XBB8qp8FqBZT/jpJE=
=LEAE
-----END PGP SIGNATURE-----




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 26 Jun 2007 03:39:31 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Apr 24 10:49:25 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.