Debian Bug report logs - #421582
[CVE-2007-2459] buffer overflow when reading 8-bit compressed BMP files

version graph

Package: libimager-perl; Maintainer for libimager-perl is Debian Perl Group <pkg-perl-maintainers@lists.alioth.debian.org>; Source for libimager-perl is src:libimager-perl.

Reported by: Tony Cook <tony@develop-help.com>

Date: Mon, 30 Apr 2007 09:27:01 UTC

Severity: grave

Tags: patch, security

Found in version libimager-perl/0.50-1

Fixed in version libimager-perl/0.58-1

Done: Jay Bonci <jaybonci@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Jay Bonci <jaybonci@debian.org>:
Bug#421582; Package libimager-perl. Full text and rfc822 format available.

Acknowledgement sent to Tony Cook <tony@develop-help.com>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Jay Bonci <jaybonci@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Tony Cook <tony@develop-help.com>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libimager-perl: buffer overflow when reading 8-bit compressed BMP files
Date: Mon, 30 Apr 2007 19:25:08 +1000
[Message part 1 (text/plain, inline)]
Package: libimager-perl
Version: 0.50-1
Severity: grave
Tags: security patch
Justification: user security hole

I'm the upstream maintainer for the Imager perl module.

The BMP reader in Imager 0.56 and earlier can cause a memory overflow
in a malloced() buffer when reading an 8-bit/pixel compressed image
where a literal or RLE run overflows the scan-line boundary.

This typically causes the program to exit with a glibc bug, but it may
also be possible to corrupt the memory arena in such a way as to
execute arbitrary code, though I don't see how.  At the very least
this could be a denial of service.

I've attached a patch that should apply to Imager 0.45 through 0.56
(with some fuzz).

I've released Imager 0.57 to CPAN which fixes this issue.

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libimager-perl depends on:
ii  libc6                     2.3.6.ds1-13   GNU C Library: Shared libraries
ii  libfreetype6              2.2.1-5        FreeType 2 font engine, shared lib
ii  libjpeg62                 6b-13          The Independent JPEG Group's JPEG 
ii  libpng12-0                1.2.15~beta5-1 PNG library - runtime
ii  libt1-5                   5.1.0-2        Type 1 font rasterizer library - r
ii  libtiff4                  3.8.2-7        Tag Image File Format (TIFF) libra
ii  libungif4g                4.1.4-4        shared library for GIF images
ii  perl                      5.8.8-7        Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.8.8] 5.8.8-7        The Pathologically Eclectic Rubbis
ii  zlib1g                    1:1.2.3-13     compression library - runtime

libimager-perl recommends no packages.

-- no debconf information
[bmp-fix.diff (text/x-c, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>:
Bug#421582; Package libimager-perl. Full text and rfc822 format available.

Acknowledgement sent to Florian Weimer <fw@deneb.enyo.de>:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>. Full text and rfc822 format available.

Message #10 received at 421582@bugs.debian.org (full text, mbox):

From: Florian Weimer <fw@deneb.enyo.de>
To: 421582@bugs.debian.org, control@bugs.debian.org
Subject: This is CVE-2007-2459
Date: Fri, 04 May 2007 18:06:43 +0200
retitle [CVE-2007-2459] buffer overflow when reading 8-bit compressed BMP files
thanks

This has been assigned CVE-2007-2459.  Please mention this name in the
changelog when fixing this bug.  Thanks.



Changed Bug title to [CVE-2007-2459] buffer overflow when reading 8-bit compressed BMP files from libimager-perl: buffer overflow when reading 8-bit compressed BMP files. Request was from Florian Weimer <fw@deneb.enyo.de> to control@bugs.debian.org. (Fri, 04 May 2007 16:18:07 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>:
Bug#421582; Package libimager-perl. Full text and rfc822 format available.

Acknowledgement sent to Kjetil Kjernsmo <kjetilk@opera.com>:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>. Full text and rfc822 format available.

Message #17 received at 421582@bugs.debian.org (full text, mbox):

From: Kjetil Kjernsmo <kjetilk@opera.com>
To: 421582@bugs.debian.org
Subject: libimager-perl 0.57 in SVN
Date: Fri, 11 May 2007 14:01:14 +0200
Hi!

I just made an svn-upgrade of libimager-0.57 to the alioth repository, 
which would fix this for sid. Nice if it could be packaged and uploaded 
soon.

Cheers,

Kjetil
-- 
Kjetil Kjernsmo
Information Systems Developer
Opera Software ASA



Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>:
Bug#421582; Package libimager-perl. Full text and rfc822 format available.

Acknowledgement sent to Tony Cook <tony@develop-help.com>:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>. Full text and rfc822 format available.

Message #22 received at 421582@bugs.debian.org (full text, mbox):

From: Tony Cook <tony@develop-help.com>
To: 421582@bugs.debian.org
Subject: CVE 2007-2413 or CVE 2007-2459
Date: Wed, 16 May 2007 08:21:22 +1000
It looks like both CVE 2007-2413 and CVE 2007-2459 have been assigned
to this.

The description in 2459 is inaccurate - there was certainly a bug in
read_4bit_bmp(), but it could not be used to cause a buffer overflow -
or none that I could see.

-- 
Tony
Imager maintainer



Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>:
Bug#421582; Package libimager-perl. Full text and rfc822 format available.

Acknowledgement sent to Esteban Manchado Vel�zquez <zoso@debian.org>:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>. Full text and rfc822 format available.

Message #27 received at 421582@bugs.debian.org (full text, mbox):

From: Esteban Manchado Vel�zquez <zoso@debian.org>
To: 421582@bugs.debian.org
Subject: Upload anyone?
Date: Tue, 22 May 2007 14:55:54 +0200
Hi,

    It has been near a month now, and this package hasn't been uploaded.
There was even the upstream patch in the initial report.

    Please, Jay, upload it or I will NMU the package :-) Actually,
shouldn't you have a co-maintainer? I can co-maintain the package if you
want to. Or even take it over if needed...

    Regards,

-- 
Esteban Manchado Velázquez <zoso@debian.org>
EuropeSwPatentFree - http://EuropeSwPatentFree.hispalinux.es
Help spread it through the Net in signatures, webpages, whatever!



Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>:
Bug#421582; Package libimager-perl. Full text and rfc822 format available.

Acknowledgement sent to Damyan Ivanov <dam@modsoftsys.com>:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>. Full text and rfc822 format available.

Message #32 received at 421582@bugs.debian.org (full text, mbox):

From: Damyan Ivanov <dam@modsoftsys.com>
To: 421582@bugs.debian.org
Subject: Fw: Upload anyone?
Date: Tue, 22 May 2007 22:44:11 +0300
[Message part 1 (text/plain, inline)]
[Now to the correct BTS address]

-=| Esteban Manchado Vel_zquez, Tue, 22 May 2007 14:54:28 +0200 |=-
> Hi,
> 
>     It has been near a month now, and this package hasn't been
> uploaded. There was even the upstream patch in the initial report.
> 
>     Please, Jay, upload it or I will NMU the package :-) Actually,
> shouldn't you have a co-maintainer? I can co-maintain the package if
> you want to. Or even take it over if needed...

Debian Perl Group[1] is also willing to NMU/adopt the package if
necessary.

Kjetil Kjernsmo and Gregor Herrmann even prepared[1] a new upstream
version.

[1]
http://svn.debian.org/wsvn/pkg-perl/packages/libimager-perl/trunk/
-- 
dam            JabberID: dam@jabber.minus273.org


-- 
dam            JabberID: dam@jabber.minus273.org
[signature.asc (application/pgp-signature, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>:
Bug#421582; Package libimager-perl. Full text and rfc822 format available.

Acknowledgement sent to Jay Bonci <jay@bonci.com>:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>. Full text and rfc822 format available.

Message #37 received at 421582@bugs.debian.org (full text, mbox):

From: Jay Bonci <jay@bonci.com>
To: Damyan Ivanov <dam@modsoftsys.com>, 421582@bugs.debian.org
Subject: Re: Bug#421582: Fw: Upload anyone?
Date: Tue, 22 May 2007 16:00:15 -0400
[Message part 1 (text/plain, inline)]
Greetings,
	I'm definitely willing to give this package up or co-maint it if
necessary.  I'll be doing the upload this evening.

-Jay

On Tue, 2007-05-22 at 22:44 +0300, Damyan Ivanov wrote:
> [Now to the correct BTS address]
> 
> -=| Esteban Manchado Vel_zquez, Tue, 22 May 2007 14:54:28 +0200 |=-
> > Hi,
> > 
> >     It has been near a month now, and this package hasn't been
> > uploaded. There was even the upstream patch in the initial report.
> > 
> >     Please, Jay, upload it or I will NMU the package :-) Actually,
> > shouldn't you have a co-maintainer? I can co-maintain the package if
> > you want to. Or even take it over if needed...
> 
> Debian Perl Group[1] is also willing to NMU/adopt the package if
> necessary.
> 
> Kjetil Kjernsmo and Gregor Herrmann even prepared[1] a new upstream
> version.
> 
> [1]
> http://svn.debian.org/wsvn/pkg-perl/packages/libimager-perl/trunk/
> -- 
> dam            JabberID: dam@jabber.minus273.org
> 
> 
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>:
Bug#421582; Package libimager-perl. Full text and rfc822 format available.

Acknowledgement sent to Jay Bonci <jay@bonci.com>:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>. Full text and rfc822 format available.

Message #42 received at 421582@bugs.debian.org (full text, mbox):

From: Jay Bonci <jay@bonci.com>
To: Tony Cook <tony@develop-help.com>
Cc: zoso@debian.org, 421582@bugs.debian.org
Subject: libimager-perl 0.58 is now in incoming
Date: Thu, 24 May 2007 02:27:35 -0400
[Message part 1 (text/plain, inline)]
Hey Tony,
	Two things, I noticed the other day that you picked up a Sourceforge
project for libimager-perl (sf.net/projects/imager-perl). I know these
things because I approved the request :)  Are you going to be moving
development there, or just using that as a backup?

	Secondly, does the update need to be applied to the stable release? If
so, I can begin that process. Please let me know. 

-Jay Bonci
jaybonci@debian.org

[signature.asc (application/pgp-signature, inline)]

Reply sent to Jay Bonci <jaybonci@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Tony Cook <tony@develop-help.com>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #47 received at 421582-close@bugs.debian.org (full text, mbox):

From: Jay Bonci <jaybonci@debian.org>
To: 421582-close@bugs.debian.org
Subject: Bug#421582: fixed in libimager-perl 0.58-1
Date: Thu, 24 May 2007 06:32:02 +0000
Source: libimager-perl
Source-Version: 0.58-1

We believe that the bug you reported is fixed in the latest version of
libimager-perl, which is due to be installed in the Debian FTP archive:

libimager-perl_0.58-1.diff.gz
  to pool/main/libi/libimager-perl/libimager-perl_0.58-1.diff.gz
libimager-perl_0.58-1.dsc
  to pool/main/libi/libimager-perl/libimager-perl_0.58-1.dsc
libimager-perl_0.58-1_i386.deb
  to pool/main/libi/libimager-perl/libimager-perl_0.58-1_i386.deb
libimager-perl_0.58.orig.tar.gz
  to pool/main/libi/libimager-perl/libimager-perl_0.58.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 421582@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Bonci <jaybonci@debian.org> (supplier of updated libimager-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 24 May 2007 01:57:26 -0400
Source: libimager-perl
Binary: libimager-perl
Architecture: source i386
Version: 0.58-1
Distribution: unstable
Urgency: low
Maintainer: Jay Bonci <jaybonci@debian.org>
Changed-By: Jay Bonci <jaybonci@debian.org>
Description: 
 libimager-perl - Perl extension for Generating 24 bit Images
Closes: 421582
Changes: 
 libimager-perl (0.58-1) unstable; urgency=low
 .
   * New upstream release
   * Fixes CVE 2007-2413 and CVE 2007-2459 (Closes: #421582)
   * Adds zoso as co-maint
Files: 
 91fff6d741774ab24ef42918e146bb30 787 perl optional libimager-perl_0.58-1.dsc
 c953f53b2680a67dfbef743e77a230b0 849124 perl optional libimager-perl_0.58.orig.tar.gz
 24c17e901ce806c4159a0ba74450b260 5060 perl optional libimager-perl_0.58-1.diff.gz
 6a5af1e68da2eb69e44c70278281ae10 659524 perl optional libimager-perl_0.58-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGVTW7ZNh5D+C4st4RAmCqAJ9tR76LV6TVhsjZVB59uVU6SLwD1gCeL4rk
pCEK6ezNcnIJFUoikYDXf0U=
=Xm/N
-----END PGP SIGNATURE-----




Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>:
Bug#421582; Package libimager-perl. Full text and rfc822 format available.

Acknowledgement sent to Tony Cook <tony@develop-help.com>:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>. Full text and rfc822 format available.

Message #52 received at 421582@bugs.debian.org (full text, mbox):

From: Tony Cook <tony@develop-help.com>
To: Jay Bonci <jay@bonci.com>, 421582@bugs.debian.org
Cc: zoso@debian.org
Subject: Re: Bug#421582: libimager-perl 0.58 is now in incoming
Date: Thu, 24 May 2007 17:05:45 +1000
Hi Jay,

On Thu, May 24, 2007 at 02:27:35AM -0400, Jay Bonci wrote:
> Hey Tony,
> 	Two things, I noticed the other day that you picked up a Sourceforge
> project for libimager-perl (sf.net/projects/imager-perl). I know these
> things because I approved the request :)  Are you going to be moving
> development there, or just using that as a backup?

For now it's just a backup.

> 	Secondly, does the update need to be applied to the stable release? If
> so, I can begin that process. Please let me know. 

It needs to applied to stable and oldstable too.

Tony



Information forwarded to debian-bugs-dist@lists.debian.org, Jay Bonci <jaybonci@debian.org>:
Bug#421582; Package libimager-perl. Full text and rfc822 format available.

Acknowledgement sent to Jay Bonci <jay@bonci.com>:
Extra info received and forwarded to list. Copy sent to Jay Bonci <jaybonci@debian.org>. Full text and rfc822 format available.

Message #57 received at 421582@bugs.debian.org (full text, mbox):

From: Jay Bonci <jay@bonci.com>
To: team@security.debian.org, 421582@bugs.debian.org
Subject: Re: Bug#421582: libimager-perl 0.58 is now in incoming
Date: Thu, 24 May 2007 09:24:28 -0400
[Message part 1 (text/plain, inline)]
Greetings Security Team,
	Please have a look at #421582. This bug effects both stable and
oldstable. The patch applies cleanly, and I can build a stable/oldstable
package if need be. 

	I'm a bit shaky on the proper security handling here, so please advise
as to the right course of action.  I can provide source/diffs if that
works best.

	The package in Testing / Unstable is currently good.

	Please advise,

-Jay Bonci


On Thu, 2007-05-24 at 17:05 +1000, Tony Cook wrote:
> Hi Jay,
> 
> On Thu, May 24, 2007 at 02:27:35AM -0400, Jay Bonci wrote:
> > Hey Tony,
> > 	Two things, I noticed the other day that you picked up a Sourceforge
> > project for libimager-perl (sf.net/projects/imager-perl). I know these
> > things because I approved the request :)  Are you going to be moving
> > development there, or just using that as a backup?
> 
> For now it's just a backup.
> 
> > 	Secondly, does the update need to be applied to the stable release? If
> > so, I can begin that process. Please let me know. 
> 
> It needs to applied to stable and oldstable too.
> 
> Tony
> 
[signature.asc (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Jul 2007 07:38:34 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 13:24:52 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.