Debian Bug report logs - #464056
CVE-2006-4484: buffer overflow in giftopnm

version graph

Package: netpbm; Maintainer for netpbm is Andreas Barth <aba@not.so.argh.org>; Source for netpbm is src:netpbm-free.

Reported by: Stefan Fritsch <sf@sfritsch.de>

Date: Mon, 4 Feb 2008 22:15:01 UTC

Severity: important

Tags: security

Found in version netpbm-free/2:10.0-11

Fixed in versions netpbm-free/2:10.0-11.1+etch1, netpbm-free/2:10.0-11.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Andreas Barth <aba@not.so.argh.org>:
Bug#464056; Package netpbm. Full text and rfc822 format available.

Acknowledgement sent to Stefan Fritsch <sf@sfritsch.de>:
New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Andreas Barth <aba@not.so.argh.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Stefan Fritsch <sf@sfritsch.de>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CVE-2006-4484: buffer overflow in giftopnm
Date: Mon, 04 Feb 2008 23:13:38 +0100
Package: netpbm
Version: 2:10.0-11
Severity: important
Tags: security


The gif from http://people.debian.org/~seanius/security/php/poc/38112.gif
causes a buffer overflow in giftopnm, too.

See http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=384838 
or tk8.5 8.5.0-3 for patches for the same problem in other packages.




Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>:
Bug#464056; Package netpbm. Full text and rfc822 format available.

Acknowledgement sent to Tomas Hoger <thoger@redhat.com>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>. Full text and rfc822 format available.

Message #10 received at 464056@bugs.debian.org (full text, mbox):

From: Tomas Hoger <thoger@redhat.com>
To: 464056@bugs.debian.org
Subject: CVE-2008-0554: buffer overflow in giftopnm
Date: Tue, 5 Feb 2008 10:10:50 +0100
Hi!

Please note that Mitre has decided to use separate CVE id for each
affected project:

CVE-2006-4484 - gd
CVE-2007-6697 - SDL_image
CVE-2008-0553 - tk
CVE-2008-0554 - netpbm

netpbm was fixed in upstream version 10.27.

http://netpbm.svn.sourceforge.net/viewvc/netpbm/trunk/converter/other/giftopnm.c?revision=1&view=markup#l_1052

-- 
Tomas Hoger





Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>:
Bug#464056; Package netpbm. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>. Full text and rfc822 format available.

Message #15 received at 464056@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: Tomas Hoger <thoger@redhat.com>, 464056@bugs.debian.org
Subject: Re: Bug#464056: CVE-2008-0554: buffer overflow in giftopnm
Date: Tue, 5 Feb 2008 11:05:31 +0100
[Message part 1 (text/plain, inline)]
Hi Tomas,
* Tomas Hoger <thoger@redhat.com> [2008-02-05 10:37]:
> Please note that Mitre has decided to use separate CVE id for each
> affected project:
> 
> CVE-2006-4484 - gd
> CVE-2007-6697 - SDL_image
> CVE-2008-0553 - tk
> CVE-2008-0554 - netpbm

Thanks Thomas, we already tracked the other packages, 
assigned the ids in the security tracker.
Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Stefan Fritsch <sf@sfritsch.de>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #20 received at 464056-close@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 464056-close@bugs.debian.org
Subject: Bug#464056: fixed in netpbm-free 2:10.0-11.1
Date: Thu, 07 Feb 2008 21:32:04 +0000
Source: netpbm-free
Source-Version: 2:10.0-11.1

We believe that the bug you reported is fixed in the latest version of
netpbm-free, which is due to be installed in the Debian FTP archive:

libnetpbm10-dev_10.0-11.1_i386.deb
  to pool/main/n/netpbm-free/libnetpbm10-dev_10.0-11.1_i386.deb
libnetpbm10_10.0-11.1_i386.deb
  to pool/main/n/netpbm-free/libnetpbm10_10.0-11.1_i386.deb
libnetpbm9-dev_10.0-11.1_i386.deb
  to pool/main/n/netpbm-free/libnetpbm9-dev_10.0-11.1_i386.deb
libnetpbm9_10.0-11.1_i386.deb
  to pool/main/n/netpbm-free/libnetpbm9_10.0-11.1_i386.deb
netpbm-free_10.0-11.1.diff.gz
  to pool/main/n/netpbm-free/netpbm-free_10.0-11.1.diff.gz
netpbm-free_10.0-11.1.dsc
  to pool/main/n/netpbm-free/netpbm-free_10.0-11.1.dsc
netpbm_10.0-11.1_i386.deb
  to pool/main/n/netpbm-free/netpbm_10.0-11.1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 464056@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated netpbm-free package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 07 Feb 2008 20:31:46 +0100
Source: netpbm-free
Binary: netpbm libnetpbm10 libnetpbm10-dev libnetpbm9 libnetpbm9-dev
Architecture: source i386
Version: 2:10.0-11.1
Distribution: unstable
Urgency: high
Maintainer: Andreas Barth <aba@not.so.argh.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 libnetpbm10 - Shared libraries for netpbm
 libnetpbm10-dev - Development libraries and header files
 libnetpbm9 - Shared libraries for netpbm
 libnetpbm9-dev - Development libraries and header files
 netpbm     - Graphics conversion tools
Closes: 464056
Changes: 
 netpbm-free (2:10.0-11.1) unstable; urgency=high
 .
   * Non-maintainer upload by security team.
   * This update addresses the following security issue:
     - CVE-2008-0554: The readImageData function in giftopnm.c does not
     properly check the upper bound of a fixed size array leading to a
     buffer overflow and possibly code execution (Closes: #464056).
Files: 
 ae3a531cc84b21dcd60db88a02ae7767 743 graphics optional netpbm-free_10.0-11.1.dsc
 a4ad8a540d0861d518721e8747621f40 50716 graphics optional netpbm-free_10.0-11.1.diff.gz
 2bdecf771439e63d3ee954fbb25fa127 1202384 graphics optional netpbm_10.0-11.1_i386.deb
 0b81be609bfe60385368c5c4f9ecb037 64660 libs optional libnetpbm10_10.0-11.1_i386.deb
 9c791b55b01df4d4b428c4312e2c1d4a 110228 libdevel optional libnetpbm10-dev_10.0-11.1_i386.deb
 d0f0b480d27b56ec7a9ddd90a02a707d 70782 libs optional libnetpbm9_10.0-11.1_i386.deb
 97c29a7c735b5c10743ee26c7d01578a 109842 libdevel optional libnetpbm9-dev_10.0-11.1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHq3LWHYflSXNkfP8RAmlSAJ9dS1setE+vBNw9Wk3+o5e5zKrhRQCeI8gl
/OiYfWIlKMpKig+ODRdUY+4=
=aj2E
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Andreas Barth <aba@not.so.argh.org>:
Bug#464056; Package netpbm. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Andreas Barth <aba@not.so.argh.org>. Full text and rfc822 format available.

Message #25 received at 464056@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 464056@bugs.debian.org
Subject: patch for NMU
Date: Fri, 8 Feb 2008 13:21:04 +0100
[Message part 1 (text/plain, inline)]
Hi,
my patch went to a wrong bug number so here it is.

It will be also archived on:
http://people.debian.org/~nion/nmu-diff/netpbm-free-10.0-11_10.0-11.1.patch
Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[netpbm-free-10.0-11_10.0-11.1.patch (text/x-diff, attachment)]
[Message part 3 (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 11 Mar 2008 07:36:05 GMT) Full text and rfc822 format available.

Bug unarchived. Request was from Lucas Nussbaum <lucas@lucas-nussbaum.net> to controlbugs.debian.org. (Sat, 09 Aug 2008 18:02:59 GMT) Full text and rfc822 format available.

Marked as fixed in versions netpbm-free/2:10.0-11.1+etch1. Request was from Andreas Beckmann <anbe@debian.org> to control@bugs.debian.org. (Mon, 04 Nov 2013 00:09:31 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 02 Dec 2013 07:43:27 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 17:14:41 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.