Report forwarded
to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2.
(Fri, 14 Nov 2008 15:09:04 GMT)
Acknowledgement sent
to Julien Danjou <acid@debian.org>:
New Bug report received and forwarded. Copy sent to ljlane@debian.org (Laurence J. Lane).
(Fri, 14 Nov 2008 15:09:06 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2.
(Fri, 14 Nov 2008 15:42:06 GMT)
Acknowledgement sent
to Julien Danjou <acid@debian.org>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane).
(Fri, 14 Nov 2008 15:42:12 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2.
(Wed, 19 Nov 2008 20:42:09 GMT)
Acknowledgement sent
to Peter De Wachter <pdewacht@gmail.com>:
Extra info received and forwarded to list. Copy sent to team@security.debian.org, ljlane@debian.org (Laurence J. Lane).
(Wed, 19 Nov 2008 20:42:13 GMT)
To: Debian Bug Tracking System <505714@bugs.debian.org>
Subject: libimlib2-dev: another imlib2 xpm buffer overflow
Date: Wed, 19 Nov 2008 21:39:50 +0100
Package: libimlib2-dev
Version: 1.4.0-1.1
Tags: security
Followup-For: Bug #505714
This is another buffer overflow in the XPM loader. (The xpm attached
to this bug report is a 32x32 image according to the header, but
contains 33x32 pixels.)
--- a/src/modules/loaders/loader_xpm.c
+++ b/src/modules/loaders/loader_xpm.c
@@ -246,8 +246,8 @@
return 0;
}
ptr = im->data;
- end = ptr + (sizeof(DATA32) * w * h);
pixels = w * h;
+ end = ptr + pixels;
}
else
{
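Review bot: the fix is correct, but the hunk carries no comment on why: `ptr` is `DATA32 *`, so `ptr + n` already advances `n * sizeof(DATA32)` bytes, and the removed line scaled the count a second time, placing `end` four times past the `w * h`-element allocation. The `ptr < end` test in the pixel loop is the only thing that stops writes when the pixel lines carry more data than the header declares (the attached image: 32x32 header, 33 pixels per row), so a one-line comment stating that `pixels` must equal the element count handed to malloc would keep the extra scaling from being reintroduced later.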
Tags added: security, patch
Request was from pdewacht@gmail.com (Peter De Wachter)
to control@bugs.debian.org.
(Wed, 19 Nov 2008 21:33:11 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2.
(Sat, 22 Nov 2008 10:23:55 GMT)
Acknowledgement sent
to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane).
(Sat, 22 Nov 2008 10:23:55 GMT)
tags 505714 + patch pending
thanks
Hi Laurance,
Here is the NMU for imlib2 (versioned as 1.4.0-1.2) and to be uploaded.
Kind regards
T.
diff -u imlib2-1.4.0/debian/control imlib2-1.4.0/debian/control
--- imlib2-1.4.0/debian/control
+++ imlib2-1.4.0/debian/control
@@ -2,7 +2,7 @@
Section: libs
Priority: optional
Maintainer: Laurence J. Lane <ljlane@debian.org>
-Build-Depends: libjpeg62-dev, libpng12-dev, libtiff4-dev, zlib1g-dev, libungif4-dev, libx11-dev, libxext-dev, libfreetype6-dev, cdbs, libltdl3-dev, libbz2-dev, libid3tag0-dev, debhelper (>> 5)
+Build-Depends: libjpeg62-dev, libpng12-dev, libtiff4-dev, zlib1g-dev, libgif-dev, libx11-dev, libxext-dev, libfreetype6-dev, cdbs, libltdl3-dev, libbz2-dev, libid3tag0-dev, debhelper (>> 5)
Standards-Version: 3.7.2
Package: libimlib2
@@ -22,7 +22,7 @@
Architecture: any
Section: libdevel
Replaces: libimlib2
-Depends: libimlib2 (=${binary:Version}), libc6-dev, libjpeg62-dev, libpng12-dev, libtiff4-dev, zlib1g-dev, libungif4-dev, libx11-dev, libxext-dev, libfreetype6-dev, libltdl3-dev
+Depends: libimlib2 (=${binary:Version}), libc6-dev, libjpeg62-dev, libpng12-dev, libtiff4-dev, zlib1g-dev, libgif-dev, libx11-dev, libxext-dev, libfreetype6-dev, libltdl3-dev
Description: Imlib2 development files
Headers, static libraries and documentation for developing
software that uses Imlib2.
diff -u imlib2-1.4.0/debian/libimlib2-dev.doc-base imlib2-1.4.0/debian/libimlib2-dev.doc-base
--- imlib2-1.4.0/debian/libimlib2-dev.doc-base
+++ imlib2-1.4.0/debian/libimlib2-dev.doc-base
@@ -3,7 +3,7 @@
Author: Carsten Haitzler
Abstract: This document describes Imlib2 API
and provides sample C code.
-Section: Apps/Programming
+Section: Programming
Format: HTML
Index: /usr/share/doc/libimlib2-dev/html/index.html
diff -u imlib2-1.4.0/debian/changelog imlib2-1.4.0/debian/changelog
--- imlib2-1.4.0/debian/changelog
+++ imlib2-1.4.0/debian/changelog
@@ -1,3 +1,13 @@
+imlib2 (1.4.0-1.2) unstable; urgency=high
+
+ * Non-maintainer upload.
+ * Fix crash in XPM loader. Bug and test case by Julien Danjou, patch by
+ Peter De Wachter, thanks! Closes: #505714 aka CVE-2008-5187
+ * Change libungif4-dev to libgif-dev in (Build-)Depends.
+ * Fix doc-base section to drop Apps/.
+
+ -- Thomas Viehmann <tv@beamnet.de> Sat, 22 Nov 2008 10:45:27 +0100
+
imlib2 (1.4.0-1.1) unstable; urgency=high
* Non-maintainer upload by the Security Team.
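Review bot: the new entry describes the change as "Fix crash in XPM loader", while the bug is tagged security and the report itself calls it a buffer overflow; saying so in the changelog (for example "Fix buffer overflow in XPM loader (CVE-2008-5187)") tells anyone reading the changelog what the urgency=high upload is actually about. The header `@@ -1,3 +1,13 @@` also announces three lines of old context but only two appear below the added stanza, so the blank line after the previous version header seems to have been lost in the copy as shown here.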
diff -u imlib2-1.4.0/src/modules/loaders/loader_xpm.c imlib2-1.4.0/src/modules/loaders/loader_xpm.c
--- imlib2-1.4.0/src/modules/loaders/loader_xpm.c
+++ imlib2-1.4.0/src/modules/loaders/loader_xpm.c
@@ -246,8 +246,8 @@
return 0;
}
ptr = im->data;
- end = ptr + (sizeof(DATA32) * w * h);
pixels = w * h;
+ end = ptr + pixels;
}
else
{
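Review bot: this is Peter De Wachter's hunk from earlier in the report, applied unchanged; one follow-up worth considering is that the allocation (`malloc(sizeof(DATA32) * im->w * im->h)`, as quoted in the discussion below) and the bound (`end = ptr + pixels`) are derived from different expressions, so allocating with the same `pixels` value would tie the two together and make the bound self-evidently right. `pixels = w * h` is also computed in `int`, which is safe only because the loader rejects dimensions outside 1..8192 and so keeps the product well below 2^31; a comment at this line pointing at that check would document the assumption the bound depends on.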
Tags added: patch, pending
Request was from Thomas Viehmann <tv@beamnet.de>
to control@bugs.debian.org.
(Sat, 22 Nov 2008 10:23:57 GMT)
Reply sent
to Thomas Viehmann <tv@beamnet.de>:
You have taken responsibility.
(Sat, 22 Nov 2008 10:57:17 GMT)
Notification sent
to Julien Danjou <acid@debian.org>:
Bug acknowledged by developer.
(Sat, 22 Nov 2008 10:57:17 GMT)
Source: imlib2
Source-Version: 1.4.0-1.2
We believe that the bug you reported is fixed in the latest version of
imlib2, which is due to be installed in the Debian FTP archive:
imlib2_1.4.0-1.2.diff.gz
to pool/main/i/imlib2/imlib2_1.4.0-1.2.diff.gz
imlib2_1.4.0-1.2.dsc
to pool/main/i/imlib2/imlib2_1.4.0-1.2.dsc
libimlib2-dev_1.4.0-1.2_amd64.deb
to pool/main/i/imlib2/libimlib2-dev_1.4.0-1.2_amd64.deb
libimlib2_1.4.0-1.2_amd64.deb
to pool/main/i/imlib2/libimlib2_1.4.0-1.2_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 505714@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Thomas Viehmann <tv@beamnet.de> (supplier of updated imlib2 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.8
Date: Sat, 22 Nov 2008 10:45:27 +0100
Source: imlib2
Binary: libimlib2 libimlib2-dev
Architecture: source amd64
Version: 1.4.0-1.2
Distribution: unstable
Urgency: high
Maintainer: Laurence J. Lane <ljlane@debian.org>
Changed-By: Thomas Viehmann <tv@beamnet.de>
Description:
libimlib2 - powerful image loading and rendering library
libimlib2-dev - Imlib2 development files
Closes: 505714
Changes:
imlib2 (1.4.0-1.2) unstable; urgency=high
.
* Non-maintainer upload.
* Fix crash in XPM loader. Bug and test case by Julien Danjou, patch by
Peter De Wachter, thanks! Closes: #505714 aka CVE-2008-5187
* Change libungif4-dev to libgif-dev in (Build-)Depends.
* Fix doc-base section to drop Apps/.
Information forwarded
to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2.
(Sun, 23 Nov 2008 19:03:02 GMT)
Acknowledgement sent
to Bas Zoetekouw <bas@debian.org>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane).
(Sun, 23 Nov 2008 19:03:03 GMT)
To: Thomas Viehmann <tv@beamnet.de>, 505714@bugs.debian.org
Subject: Re: Bug#505714: imlib2: diff for NMU version 1.4.0-1.2
Date: Sun, 23 Nov 2008 20:00:36 +0100
Hi!
> diff -u imlib2-1.4.0/src/modules/loaders/loader_xpm.c imlib2-1.4.0/src/modules/loaders/loader_xpm.c
> --- imlib2-1.4.0/src/modules/loaders/loader_xpm.c
> +++ imlib2-1.4.0/src/modules/loaders/loader_xpm.c
> @@ -246,8 +246,8 @@
> return 0;
> }
> ptr = im->data;
> - end = ptr + (sizeof(DATA32) * w * h);
> pixels = w * h;
> + end = ptr + pixels;
> }
> else
> {
Are you sure this patch actually fixes the bug reported here? I agree
that the use of sizeof(DATA32) here is definitely a bug and should be
fixed, but I'm not sure that that's all there is to it.
The reporter of the bug as well as the CVE say the actual problem here
is that the height and width are read from the header, and might not be
the actual size of the picture being loaded. I don't see how this patch
fixes that issue (although I must confess I haven't looked at the code in
detail).
Concretely: can't w*h still overflow in the code above, for a suitably crafted
header?
Kind regards,
Bas.
--
+--------------------------------------------------------------+
| Bas Zoetekouw | Sweet day, so cool, so calm, so bright, |
|--------------------| The bridall of the earth and skie: |
| bas@zoetekouw.net | The dew shall weep thy fall tonight; |
+--------------------| For thou must die. |
+-----------------------------------------+
Information forwarded
to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2.
(Sun, 23 Nov 2008 19:24:06 GMT)
Acknowledgement sent
to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane).
(Sun, 23 Nov 2008 19:24:06 GMT)
Subject: Re: Bug#505714: imlib2: diff for NMU version 1.4.0-1.2
Date: Sun, 23 Nov 2008 20:22:27 +0100
Hi,
thanks for your attention to this.
Bas Zoetekouw wrote:
>> diff -u imlib2-1.4.0/src/modules/loaders/loader_xpm.c imlib2-1.4.0/src/modules/loaders/loader_xpm.c
>> --- imlib2-1.4.0/src/modules/loaders/loader_xpm.c
>> +++ imlib2-1.4.0/src/modules/loaders/loader_xpm.c
>> @@ -246,8 +246,8 @@
>> return 0;
>> }
>> ptr = im->data;
>> - end = ptr + (sizeof(DATA32) * w * h);
>> pixels = w * h;
>> + end = ptr + pixels;
>> }
>> else
>> {
>
> Are you sure this patch actually fixes the bug reported here? I agree
> that the use of sizeof(DATA32) here is definitely a bug and should be
> fixed, but I'm not sure that that's all there is to it.
>
> The reporter of the bug as well as the CVE say the actual problem here
> is that the height and width are read from the header, and might not be
> the actual size of the picture being loaded. I don't see how this patch
> fixes that issue (although I must confess I haven't looked at the code in
> detail).
>
> Concretely: can't w*h still overflow in the code above, for a suitably crafted
> header?
ptr and end are both DATA32*.
ptr is initialized to
im->data = (DATA32 *) malloc(sizeof(DATA32) * im->w * im->h);
(im->w and im->h are equal to w and h, respectively) and later on this
is used as
  for (i = 0;
       ((i < 65536) && (ptr < end) && (line[i]));
       i++)
    {
      ...
      *ptr++ = ...
    }
I think this should be OK even if end ends up < ptr because one of w,h
is negative for some reason or an overflow, but I'm more happy to be
corrected than have imlib2 in the release with an incorrect patch. :)
Kind regards
T.
--
Thomas Viehmann, http://thomas.viehmann.net/
Information forwarded
to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2.
(Sun, 23 Nov 2008 21:36:02 GMT)
Acknowledgement sent
to Peter De Wachter <pdewacht@gmail.com>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane).
(Sun, 23 Nov 2008 21:36:03 GMT)
To: Thomas Viehmann <tv@beamnet.de>, Bas Zoetekouw <bas@debian.org>
Cc: 505714@bugs.debian.org
Subject: Re: Bug#505714: imlib2: diff for NMU version 1.4.0-1.2
Date: Sun, 23 Nov 2008 22:31:43 +0100
On Sun, 23 Nov 2008 20:22:27 +0100
Thomas Viehmann <tv@beamnet.de> wrote:
> > Concretely: can't w*h still overflow in the code above, for a
> > suitably crafted header?
> ptr and end are both DATA32*.
>
> ptr is initialized to
> im->data = (DATA32 *) malloc(sizeof(DATA32) * im->w * im->h);
>
> (im->w and im->h are equal to w and h, respectively) and later on this
> is used as
>
> for (i = 0;
> ((i < 65536) && (ptr < end) && (line[i]));
> i++)
> {
> ...
> *ptr++ = ...
> }
>
> I think this should be OK even if end ends up < ptr because one of
> w,h is negative for some reason or an overflow, but I'm more happy to
> be corrected than have imlib2 in the release with an incorrect
> patch. :)
The code also checks that w and h are positive and at most 8192.
--
Peter De Wachter
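The failure mode the thread is arguing about, as an added example that is not imlib2's code: a cut-down model of the loader's pixel loop with the old and the fixed end-pointer computation side by side, run on a constructed input matching the report's test case (32x32 header, 33 pixels per row). `xpm_fill`, `make_rows`, the one-character-per-pixel format and the element-offset bookkeeping are assumptions of this example; the 8192 dimension cap, the 65536 line limit and the malloc size are the ones quoted in the messages above.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef uint32_t DATA32;   /* imlib2's pixel type: one 32-bit ARGB word */

/* Simplified model of the loader_xpm.c pixel loop (added example, not imlib2
 * code): one character per pixel, no colour table. w and h come from the XPM
 * header, rows[] are the pixel lines that follow; the two need not agree.
 * Returns the number of pixel writes the loop performs, or -1 if the header is
 * rejected. The end pointer is tracked as an element offset so the buggy
 * variant can be measured without this demo itself writing past the buffer. */
static long xpm_fill(int w, int h, char **rows, int nrows, int buggy_end)
{
    /* Loader check quoted in the thread: positive and at most 8192, so w * h
     * is at most 67108864 and cannot overflow a 32-bit int. */
    if (w <= 0 || h <= 0 || w > 8192 || h > 8192)
        return -1;
    long pixels = (long)w * h;
    DATA32 *buf = calloc((size_t)pixels, sizeof(DATA32)); /* malloc(sizeof(DATA32)*w*h) */
    if (!buf) return -1;
    /* Old code: end = ptr + (sizeof(DATA32) * w * h). ptr is DATA32 *, so the
     * addition already counts elements; the extra factor puts end 4x past the
     * allocation. Fixed code: end = ptr + pixels. */
    long end_off = buggy_end ? (long)sizeof(DATA32) * pixels : pixels;
    long off = 0;
    for (int r = 0; r < nrows; r++) {
        const char *line = rows[r];
        for (int i = 0; i < 65536 && off < end_off && line[i]; i++) {
            if (off < pixels)      /* demo guard; only the fixed bound makes it redundant */
                buf[off] = (DATA32)(unsigned char)line[i];
            off++;                 /* *ptr++ = ... in the real loop */
        }
    }
    free(buf);
    return off;
}

/* Constructed input: nrows lines of width '.' pixels each (no real XPM parsing). */
static char **make_rows(int width, int nrows)
{
    char **rows = malloc((size_t)nrows * sizeof *rows);
    for (int r = 0; r < nrows; r++) {
        rows[r] = malloc((size_t)width + 1);
        memset(rows[r], '.', (size_t)width);
        rows[r][width] = '\0';
    }
    return rows;
}

static void free_rows(char **rows, int nrows)
{
    for (int r = 0; r < nrows; r++) free(rows[r]);
    free(rows);
}
```

With the fixed bound the loop stops after 1024 writes for the 32x32 header no matter how long the rows are; with the old bound it accepts all 1056 characters, 32 of them past the allocation.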
Information forwarded
to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2.
(Tue, 25 Nov 2008 11:51:04 GMT)
Acknowledgement sent
to Bas Zoetekouw <bas@debian.org>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane).
(Tue, 25 Nov 2008 11:51:04 GMT)
Subject: Re: Bug#505714: imlib2: diff for NMU version 1.4.0-1.2
Date: Tue, 25 Nov 2008 12:48:14 +0100
Hi Thomas!
You wrote:
> I think this should be OK even if end ends up < ptr because one of w,h
> is negative for some reason or an overflow, but I'm more happy to be
> corrected than have imlib2 in the release with an incorrect patch. :)
I see.
Thanks for your analysis, and sorry for the noise.
Regards,
Bas.
--
+--------------------------------------------------------------+
| Bas Zoetekouw | Sweet day, so cool, so calm, so bright, |
|--------------------| The bridall of the earth and skie: |
| bas@zoetekouw.net | The dew shall weep thy fall tonight; |
+--------------------| For thou must die. |
+-----------------------------------------+
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 24 Dec 2008 07:26:03 GMT)
Bug unarchived.
Request was from tv@beamnet.de (Thomas Viehmann)
to control@bugs.debian.org.
(Mon, 12 Jan 2009 13:48:09 GMT)
Bug marked as found in version 1.4.0-1.
Request was from tv@beamnet.de (Thomas Viehmann)
to control@bugs.debian.org.
(Mon, 12 Jan 2009 13:48:10 GMT)
Information forwarded
to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2.
(Mon, 12 Jan 2009 15:00:02 GMT)
Acknowledgement sent
to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane).
(Mon, 12 Jan 2009 15:00:22 GMT)
Subject: handling of NMUs and reintroducing #505714
Date: Mon, 12 Jan 2009 15:51:04 +0100
Hi Laurence,
apologies for misspelling your name in my communication of this bug
report. Nonetheless I would suggest to not drop the security bug fix for
#505714. Generally, it might be a good idea to make a habit out of
incorporating NMUs as per Developer's Reference 5.11.6.
Kind regards
T.
--
Thomas Viehmann, http://thomas.viehmann.net/
Information forwarded
to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2.
(Mon, 12 Jan 2009 17:18:06 GMT)
Acknowledgement sent
to "Laurence J. Lane" <ljlane@debian.org>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane).
(Mon, 12 Jan 2009 17:18:06 GMT)
To: "Thomas Viehmann" <tv@beamnet.de>, 505714@bugs.debian.org
Subject: Re: Bug#505714: handling of NMUs and reintroducing #505714
Date: Mon, 12 Jan 2009 12:14:48 -0500
On Mon, Jan 12, 2009 at 9:51 AM, Thomas Viehmann <tv@beamnet.de> wrote:
> apologies for misspelling your name in my communication of this bug
> report. Nonetheless I would suggest to not drop the security bug fix for
> #505714. Generally, it might be a good idea to make a habit out of
> incorporating NMUs as per Developer's Reference 5.11.6.
Oops.
Information forwarded
to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane): Bug#505714; Package libimlib2.
(Mon, 12 Jan 2009 19:06:02 GMT)
Acknowledgement sent
to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane).
(Mon, 12 Jan 2009 19:06:02 GMT)
Subject: Re: Bug#505714: handling of NMUs and reintroducing #505714
Date: Mon, 12 Jan 2009 20:01:59 +0100
# nitpicking the version tracking for Daniel Holbach's reference :)...
found 505714 1.4.2-1
fixed 505714 1.4.2-2
thanks
Hi,
Thanks for the quick fix!
Kind regards
T.
--
Thomas Viehmann, http://thomas.viehmann.net/
Bug marked as found in version 1.4.2-1 and reopened.
Request was from Thomas Viehmann <tv@beamnet.de>
to control@bugs.debian.org.
(Mon, 12 Jan 2009 19:06:04 GMT)
Bug marked as fixed in version 1.4.2-2.
Request was from Thomas Viehmann <tv@beamnet.de>
to control@bugs.debian.org.
(Mon, 12 Jan 2009 19:06:05 GMT)
Reply sent
to Jakub Wilk <jwilk@debian.org>:
You have taken responsibility.
(Sat, 28 Apr 2012 12:27:03 GMT)
Notification sent
to Julien Danjou <acid@debian.org>:
Bug acknowledged by developer.
(Sat, 28 Apr 2012 12:27:06 GMT)