Debian Bug report logs - #505714
Crash on loading XPM file

version graph

Package: libimlib2; Maintainer for libimlib2 is Alessandro Ghedini <ghedo@debian.org>; Source for libimlib2 is src:imlib2.

Reported by: Julien Danjou <acid@debian.org>

Date: Fri, 14 Nov 2008 15:09:02 UTC

Severity: grave

Tags: patch, security

Found in versions imlib2/1.4.0-1.1, imlib2/1.4.0-1, imlib2/1.4.2-1

Fixed in versions 1.4.0-1.2, imlib2/1.4.2-2

Done: Jakub Wilk <jwilk@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Fri, 14 Nov 2008 15:09:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Danjou <acid@debian.org>:
New Bug report received and forwarded. Copy sent to ljlane@debian.org (Laurence J. Lane). (Fri, 14 Nov 2008 15:09:06 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Julien Danjou <acid@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Crash on loading XPM file
Date: Fri, 14 Nov 2008 16:06:33 +0100
[Message part 1 (text/plain, inline)]
Package: libimlib2
Version: 1.4.0-1.1
Severity: grave

Hi,

imlib2 crashes with the following backtrace when loading the attached
XPM file.

#0  0x00007fdcf6288166 in load (im=0x7fdcf19d3f90, progress=0, progress_granularity=0 '\0', immediate_load=1 '\001') at loader_xpm.c:475
        ptr = (unsigned int *) 0x7fdcf280200c
        end = (unsigned int *) 0x7fdcf2805000
        f = (FILE *) 0x7fdcf1e89dc8
        c = 34
        i = 2
        j = 146
        k = <value optimized out>
        w = 32
        h = 32
        ncolors = 146
        cpp = 2
        comment = 0
        transp = 1
        quote = <value optimized out>
        context = 2
        len = 12
        done = 0
        r = 255
        g = 0
        b = 0
        backslash = 0
        line = 0x7fdcf3acaf00 ' ' <repeats 66 times>
        s = "#FFFFFF\000/", '\0' <repeats 136 times>, "\001", '\0'
<repeats 38 times>,
"GG�002�177\000\000\000�000\000\000\000\000\000`\000\004\000\000\000\000\000\002\000\000\000\000\000\000\000�",
'\0' <repeats 14 times>,
"[\177�005�177\000\000\000\020\000\000\000\000\000\000��005�177\000"
        tok =
"#FFFFFF\000�237��177\000\000�237��177\000\000\234�\r�\177\000\000\001\000\000\000\000\000\000\000[\177�005�177\000\000�226��177\000\000��005�177\000\000�\016�002�177\000\000\004\000\000\000\000\000\000\000�237��177\000\000���\177\000\000د��\177\000\000\234�\r�\177\000\000\001",
'\0' <repeats 14 times>
        col = "
FFFFF\000[\177�005�177\000\000�P��177\000\000��005�177\000\000`�\r�\177\000\000[\177�005�177\000\000���177\000\000��005�177\000\000\000\000\000\000\000\000\000\000\020\000\000\000\000\000\000\000
\000\000\000\000\000\000\000�\031�\177", '\0' <repeats 18 times>,
"`\000\000\000\000\000\000\000�|�005�177\000\000�P��177\000\000�\236\005�177\000\000��r�\177\000\000xnP��177\000\000\000oP��177\000\000�P��177\000\000\001\000\t\034",
'\0' <repeats 12 times>,
"��\r�\177\000\000\001\000\000\000\000\000\000\000�"...
        lsz = 256
        cmap = (struct _cmap *) 0x7fdcf27ff804
        lookup = {{0 <repeats 14 times>, 92, 0 <repeats 81 times>}, {16,
0 <repeats 13 times>, 108, 
    0 <repeats 81 times>}, {0 <repeats 96 times>}, {4, 0 <repeats 13
times>, 96, 0 <repeats 81 times>}, 
  {5, 0 <repeats 13 times>, 97, 0 <repeats 81 times>}, {6, 0 <repeats 13
times>, 98, 
    0 <repeats 81 times>}, {7, 0 <repeats 13 times>, 99, 0 <repeats 81
times>}, {14, 
    0 <repeats 13 times>, 106, 0 <repeats 81 times>}, {22, 0 <repeats 13
times>, 114, 
    0 <repeats 81 times>}, {15, 0 <repeats 13 times>, 107, 0 <repeats 81
times>}, {8, 
    0 <repeats 13 times>, 100, 0 <repeats 81 times>}, {2, 0 <repeats 13
times>, 94, 
    0 <repeats 81 times>}, {13, 0 <repeats 13 times>, 105, 0 <repeats 81
times>}, {10, 
    0 <repeats 13 times>, 102, 0 <repeats 81 times>}, {1, 0 <repeats 13
times>, 93, 
    0 <repeats 81 times>}, {21, 0 <repeats 13 times>, 113, 0 <repeats 81
times>}, {38, 
    0 <repeats 13 times>, 130, 0 <repeats 81 times>}, {29, 0 <repeats 13
times>, 121, 
    0 <repeats 81 times>}, {30, 0 <repeats 13 times>, 122, 0 <repeats 81
times>}, {31, 
    0 <repeats 13 times>, 123, 0 <repeats 81 times>}, {32, 0 <repeats 13
times>, 124, 
    0 <repeats 81 times>}, {33, 0 <repeats 13 times>, 125, 0 <repeats 81
times>}, {34, 
    0 <repeats 13 times>, 126, 0 <repeats 81 times>}, {35, 0 <repeats 13
times>, 127, 
    0 <repeats 81 times>}, {36, 0 <repeats 13 times>, 128, 0 <repeats 81
times>}, {37, 
    0 <repeats 13 times>, 129, 0 <repeats 81 times>}, {24, 0 <repeats 13
times>, 116, 
    0 <repeats 81 times>}, {11, 0 <repeats 13 times>, 103, 0 <repeats 81
times>}, {25, 
    0 <repeats 13 times>, 117, 0 <repeats 81 times>}, {9, 0 <repeats 13
times>, 101, 
    0 <repeats 81 times>}, {12, 0 <repeats 13 times>, 104, 0 <repeats 81
times>}, {
    0 <repeats 96 times>}, {3, 0 <repeats 13 times>, 95, 0 <repeats 81
times>}, {65, 
    0 <repeats 95 times>}, {66, 0 <repeats 95 times>}, {67, 0 <repeats
95 times>}, {68, 
    0 <repeats 95 times>}, {69, 0 <repeats 95 times>}, {70, 0 <repeats
95 times>}, {71, 
    0 <repeats 95 times>}, {72, 0 <repeats 95 times>}, {73, 0 <repeats
95 times>}, {74, 
    0 <repeats 95 times>}, {75, 0 <repeats 95 times>}, {76, 0 <repeats
95 times>}, {77, 
    0 <repeats 95 times>}, {78, 0 <repeats 95 times>}, {79, 0 <repeats
95 times>}, {80, 
    0 <repeats 95 times>}, {81, 0 <repeats 95 times>}, {82, 0 <repeats
95 times>}, {83, 
    0 <repeats 95 times>}, {84, 0 <repeats 95 times>}, {85, 0 <repeats
95 times>}, {86, 
    0 <repeats 95 times>}, {87, 0 <repeats 95 times>}, {88, 0 <repeats
95 times>}, {89, 
    0 <repeats 95 times>}, {90, 0 <repeats 95 times>}, {26, 0 <repeats
13 times>, 118, 
    0 <repeats 81 times>}, {0 <repeats 96 times>}, {19, 0 <repeats 13
times>, 111, 
    0 <repeats 81 times>}, {20, 0 <repeats 13 times>, 112, 0 <repeats 81
times>}, {23, 
    0 <repeats 13 times>, 115, 0 <repeats 81 times>}, {91, 0 <repeats 95
times>}, {39, 
    0 <repeats 13 times>, 131, 0 <repeats 81 times>}, {40, 0 <repeats 13
times>, 132, 
    0 <repeats 81 times>}, {41, 0 <repeats 13 times>, 133, 0 <repeats 81
times>}, {42, 
    0 <repeats 13 times>, 134, 0 <repeats 81 times>}, {43, 0 <repeats 13
times>, 135, 
    0 <repeats 81 times>}, {44, 0 <repeats 13 times>, 136, 0 <repeats 81
times>}, {45, 
    0 <repeats 13 times>, 137, 0 <repeats 81 times>}, {46, 0 <repeats 13
times>, 138, 
    0 <repeats 81 times>}, {47, 0 <repeats 13 times>, 139, 0 <repeats 81
times>}, {48, 
    0 <repeats 13 times>, 140, 0 <repeats 81 times>}, {49, 0 <repeats 13
times>, 141, 
    0 <repeats 81 times>}, {50, 0 <repeats 13 times>, 142, 0 <repeats 81
times>}, {51, 
    0 <repeats 13 times>, 143, 0 <repeats 81 times>}, {52, 0 <repeats 13
times>, 144, 
    0 <repeats 81 times>}, {53, 0 <repeats 13 times>, 145, 0 <repeats 81
times>}, {54, 
    0 <repeats 95 times>}, {55, 0 <repeats 95 times>}, {56, 0 <repeats
95 times>}, {57, 
    0 <repeats 95 times>}, {58, 0 <repeats 95 times>}, {59, 0 <repeats
95 times>}, {60, 
    0 <repeats 95 times>}, {61, 0 <repeats 95 times>}, {62, 0 <repeats
95 times>}, {63, 
    0 <repeats 95 times>}, {64, 0 <repeats 95 times>}, {18, 0 <repeats
13 times>, 110, 
    0 <repeats 81 times>}, {28, 0 <repeats 13 times>, 120, 0 <repeats 81
times>}, {27, 
    0 <repeats 13 times>, 119, 0 <repeats 81 times>}, {17, 0 <repeats 13
times>, 109, 
    0 <repeats 81 times>}, {0 <repeats 96 times>}}
        per = 3.02734375
        per_inc = 0.09765625
        last_per = 0
        last_y = 0
        count = 1025
        pixels = 1024
#1  0x00007fdd02e9da38 in __imlib_LoadImage (
    file=0x7fdcf9024fd8 "/usr/share/pixmaps/atlantikdesigner.xpm",
progress=0, 
    progress_granularity=0 '\0', immediate_load=0 '\0', dont_cache=0
'\0', er=0x7fff0de1c99c)
    at image.c:1027
        im = <value optimized out>
        best_loader = (ImlibLoader *) 0x7fdcf673cfc8
        loader_ret = <value optimized out>
#2  0x00007fdd02e89b24 in imlib_load_image_with_error_return (
    file=0x7fdcf9024fd8 "/usr/share/pixmaps/atlantikdesigner.xpm",
error_return=0x7fff0de1c9dc)
    at api.c:1328
        im = <value optimized out>
        er = <value optimized out>
        prev_ctxt_image = (Imlib_Image) 0x7fdcf2555f90
#3  0x000000000042ea3c in image_new_from_file (
    filename=0x7fdcf9024fd8 "/usr/share/pixmaps/atlantikdesigner.xpm")
    at /home/jdanjou/Work/src/awesome/src/image.c:141
        imimage = (Imlib_Image) 0x7fdcefeb96f0
        e = IMLIB_LOAD_ERROR_NONE
        image = (image_t *) 0x7fff0de1ca40
        __FUNCTION__ = "image_new_from_file"
#4  0x000000000042eadd in luaA_image_new (L=0x7fdcffad4d98)
    at /home/jdanjou/Work/src/awesome/src/image.c:172
        image = (image_t *) 0x7fdcffad4d98
        filename = 0x7fdcf9024fd8
"/usr/share/pixmaps/atlantikdesigner.xpm"
[…]

-- System Information:
Debian Release: lenny/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.26-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libimlib2 depends on:
ii  libbz2-1.0             1.0.5-1           high-quality block-sorting file co
ii  libc6                  2.7-16            GNU C Library: Shared libraries
ii  libfreetype6           2.3.7-2           FreeType 2 font engine, shared lib
ii  libgif4                4.1.6-6           library for GIF images (library)
ii  libid3tag0             0.15.1b-10        ID3 tag reading library from the M
ii  libjpeg62              6b-14             The Independent JPEG Group's JPEG 
ii  libpng12-0             1.2.27-2          PNG library - runtime
ii  libtiff4               3.8.2-11          Tag Image File Format (TIFF) libra
ii  libx11-6               2:1.1.5-2         X11 client-side library
ii  libxext6               2:1.0.4-1         X11 miscellaneous extension librar
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

libimlib2 recommends no packages.

libimlib2 suggests no packages.

-- no debconf information

-- 
Julien Danjou
// ᐰ <julien@danjou.info>   http://julien.danjou.info
// 9A0D 5FD9 EB42 22F6 8974  C95C A462 B51E C2FE E5CD
// Don't give up.
[atlantikdesigner.xpm (image/x-xpixmap, attachment)]
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Fri, 14 Nov 2008 15:42:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Julien Danjou <acid@debian.org>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Fri, 14 Nov 2008 15:42:12 GMT) Full text and rfc822 format available.

Message #10 received at 505714@bugs.debian.org (full text, mbox):

From: Julien Danjou <acid@debian.org>
To: 505714@bugs.debian.org
Subject: Re: Bug#505714: Acknowledgement (Crash on loading XPM file)
Date: Fri, 14 Nov 2008 16:41:15 +0100
[Message part 1 (text/plain, inline)]
I opened bug #547 on bugs.enlightenment.org.

Cheers,
-- 
Julien Danjou
.''`.  Debian Developer
: :' : http://julien.danjou.info
`. `'  http://people.debian.org/~acid
  `-   9A0D 5FD9 EB42 22F6 8974  C95C A462 B51E C2FE E5CD
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Wed, 19 Nov 2008 20:42:09 GMT) Full text and rfc822 format available.

Acknowledgement sent to Peter De Wachter <pdewacht@gmail.com>:
Extra info received and forwarded to list. Copy sent to team@security.debian.org, ljlane@debian.org (Laurence J. Lane). (Wed, 19 Nov 2008 20:42:13 GMT) Full text and rfc822 format available.

Message #15 received at 505714@bugs.debian.org (full text, mbox):

From: Peter De Wachter <pdewacht@gmail.com>
To: Debian Bug Tracking System <505714@bugs.debian.org>
Subject: libimlib2-dev: another imlib2 xpm buffer overflow
Date: Wed, 19 Nov 2008 21:39:50 +0100
Package: libimlib2-dev
Version: 1.4.0-1.1
Tags: security
Followup-For: Bug #505714

This is another buffer overflow in the XPM loader. (The xpm attached
to this bug report is a 32x32 image according to the header, but
contains 33x32 pixels.)

--- a/src/modules/loaders/loader_xpm.c
+++ b/src/modules/loaders/loader_xpm.c
@@ -246,8 +246,8 @@
                                  return 0;
                               }
                             ptr = im->data;
-                            end = ptr + (sizeof(DATA32) * w * h);
                             pixels = w * h;
+                            end = ptr + pixels;
                          }
                        else
                          {




Tags added: security, patch Request was from pdewacht@gmail.com (Peter De Wachter) to control@bugs.debian.org. (Wed, 19 Nov 2008 21:33:11 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Sat, 22 Nov 2008 10:23:55 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Sat, 22 Nov 2008 10:23:55 GMT) Full text and rfc822 format available.

Message #22 received at 505714@bugs.debian.org (full text, mbox):

From: Thomas Viehmann <tv@beamnet.de>
To: 505714@bugs.debian.org
Subject: imlib2: diff for NMU version 1.4.0-1.2
Date: Sat, 22 Nov 2008 11:18:22 +0100
tags 505714 + patch pending
thanks

Hi Laurance,

Here is the NMU for imlib2 (versioned as 1.4.0-1.2) and to be uploaded.

Kind regards

T.

diff -u imlib2-1.4.0/debian/control imlib2-1.4.0/debian/control
--- imlib2-1.4.0/debian/control
+++ imlib2-1.4.0/debian/control
@@ -2,7 +2,7 @@
 Section: libs
 Priority: optional
 Maintainer: Laurence J. Lane <ljlane@debian.org>
-Build-Depends: libjpeg62-dev, libpng12-dev, libtiff4-dev, zlib1g-dev, libungif4-dev, libx11-dev, libxext-dev, libfreetype6-dev, cdbs, libltdl3-dev, libbz2-dev, libid3tag0-dev, debhelper (>> 5)
+Build-Depends: libjpeg62-dev, libpng12-dev, libtiff4-dev, zlib1g-dev, libgif-dev, libx11-dev, libxext-dev, libfreetype6-dev, cdbs, libltdl3-dev, libbz2-dev, libid3tag0-dev, debhelper (>> 5)
 Standards-Version: 3.7.2
 
 Package: libimlib2
@@ -22,7 +22,7 @@
 Architecture: any
 Section: libdevel
 Replaces: libimlib2
-Depends: libimlib2 (=${binary:Version}), libc6-dev, libjpeg62-dev, libpng12-dev, libtiff4-dev, zlib1g-dev, libungif4-dev, libx11-dev, libxext-dev, libfreetype6-dev, libltdl3-dev
+Depends: libimlib2 (=${binary:Version}), libc6-dev, libjpeg62-dev, libpng12-dev, libtiff4-dev, zlib1g-dev, libgif-dev, libx11-dev, libxext-dev, libfreetype6-dev, libltdl3-dev
 Description: Imlib2 development files
  Headers, static libraries and documentation for developing
  software that uses Imlib2.
diff -u imlib2-1.4.0/debian/libimlib2-dev.doc-base imlib2-1.4.0/debian/libimlib2-dev.doc-base
--- imlib2-1.4.0/debian/libimlib2-dev.doc-base
+++ imlib2-1.4.0/debian/libimlib2-dev.doc-base
@@ -3,7 +3,7 @@
 Author: Carsten Haitzler
 Abstract: This document describes Imlib2 API
  and provides sample C code.
-Section: Apps/Programming
+Section: Programming
 
 Format: HTML
 Index: /usr/share/doc/libimlib2-dev/html/index.html
diff -u imlib2-1.4.0/debian/changelog imlib2-1.4.0/debian/changelog
--- imlib2-1.4.0/debian/changelog
+++ imlib2-1.4.0/debian/changelog
@@ -1,3 +1,13 @@
+imlib2 (1.4.0-1.2) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * Fix crash in XPM loader. Bug and test case by Julien Danjou, patch by
+    Peter De Wachter, thanks! Closes: #505714 aka CVE-2008-5187
+  * Change libungif4-dev to libgif-dev in (Build-)Depends.
+  * Fix doc-base section to drop Apps/.
+
+ -- Thomas Viehmann <tv@beamnet.de>  Sat, 22 Nov 2008 10:45:27 +0100
+
 imlib2 (1.4.0-1.1) unstable; urgency=high
 
   * Non-maintainer upload by the Security Team.
diff -u imlib2-1.4.0/src/modules/loaders/loader_xpm.c imlib2-1.4.0/src/modules/loaders/loader_xpm.c
--- imlib2-1.4.0/src/modules/loaders/loader_xpm.c
+++ imlib2-1.4.0/src/modules/loaders/loader_xpm.c
@@ -246,8 +246,8 @@
                                  return 0;
                               }
                             ptr = im->data;
-                            end = ptr + (sizeof(DATA32) * w * h);
                             pixels = w * h;
+                            end = ptr + pixels;
                          }
                        else
                          {




Tags added: patch, pending Request was from Thomas Viehmann <tv@beamnet.de> to control@bugs.debian.org. (Sat, 22 Nov 2008 10:23:57 GMT) Full text and rfc822 format available.

Reply sent to Thomas Viehmann <tv@beamnet.de>:
You have taken responsibility. (Sat, 22 Nov 2008 10:57:17 GMT) Full text and rfc822 format available.

Notification sent to Julien Danjou <acid@debian.org>:
Bug acknowledged by developer. (Sat, 22 Nov 2008 10:57:17 GMT) Full text and rfc822 format available.

Message #29 received at 505714-close@bugs.debian.org (full text, mbox):

From: Thomas Viehmann <tv@beamnet.de>
To: 505714-close@bugs.debian.org
Subject: Bug#505714: fixed in imlib2 1.4.0-1.2
Date: Sat, 22 Nov 2008 10:32:06 +0000
Source: imlib2
Source-Version: 1.4.0-1.2

We believe that the bug you reported is fixed in the latest version of
imlib2, which is due to be installed in the Debian FTP archive:

imlib2_1.4.0-1.2.diff.gz
  to pool/main/i/imlib2/imlib2_1.4.0-1.2.diff.gz
imlib2_1.4.0-1.2.dsc
  to pool/main/i/imlib2/imlib2_1.4.0-1.2.dsc
libimlib2-dev_1.4.0-1.2_amd64.deb
  to pool/main/i/imlib2/libimlib2-dev_1.4.0-1.2_amd64.deb
libimlib2_1.4.0-1.2_amd64.deb
  to pool/main/i/imlib2/libimlib2_1.4.0-1.2_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 505714@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thomas Viehmann <tv@beamnet.de> (supplier of updated imlib2 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 22 Nov 2008 10:45:27 +0100
Source: imlib2
Binary: libimlib2 libimlib2-dev
Architecture: source amd64
Version: 1.4.0-1.2
Distribution: unstable
Urgency: high
Maintainer: Laurence J. Lane <ljlane@debian.org>
Changed-By: Thomas Viehmann <tv@beamnet.de>
Description: 
 libimlib2  - powerful image loading and rendering library
 libimlib2-dev - Imlib2 development files
Closes: 505714
Changes: 
 imlib2 (1.4.0-1.2) unstable; urgency=high
 .
   * Non-maintainer upload.
   * Fix crash in XPM loader. Bug and test case by Julien Danjou, patch by
     Peter De Wachter, thanks! Closes: #505714 aka CVE-2008-5187
   * Change libungif4-dev to libgif-dev in (Build-)Depends.
   * Fix doc-base section to drop Apps/.
Checksums-Sha1: 
 0ac5b27856033fe044dda2d157ca48e70f33a26a 1123 imlib2_1.4.0-1.2.dsc
 8462b934a996ebd9814d086b40b09ac5bebd281e 56377 imlib2_1.4.0-1.2.diff.gz
 c4c49877be44061131655510849f256676ec82c4 220114 libimlib2_1.4.0-1.2_amd64.deb
 00b041b75b8c98d94cf18e6eb265b265b0ed52f8 371766 libimlib2-dev_1.4.0-1.2_amd64.deb
Checksums-Sha256: 
 99cae7fbe6426c130a808662a35976129a648b604e574e29ed08fbf8e3d11251 1123 imlib2_1.4.0-1.2.dsc
 ea0b668fd7a55756ae1d41baccbe5cea5135f598069b09cad2664fa492c0d447 56377 imlib2_1.4.0-1.2.diff.gz
 af6d7c11f3ef06c7b62a4763f2f5f6e3ec80d95aa894a4378cdef8117110dbce 220114 libimlib2_1.4.0-1.2_amd64.deb
 96bf4018e57ce49e7a035efae20eeda88fa8763b394d300a3a467ef28c86d7ab 371766 libimlib2-dev_1.4.0-1.2_amd64.deb
Files: 
 45a9571b3454a8a56cf50e8eddc8406f 1123 libs optional imlib2_1.4.0-1.2.dsc
 ea54608fda300822f84e8d245dae21d9 56377 libs optional imlib2_1.4.0-1.2.diff.gz
 6306baa5fed31c0872d6c2912e202639 220114 libs optional libimlib2_1.4.0-1.2_amd64.deb
 b777111fd09c13eb939464f230cc9080 371766 libdevel optional libimlib2-dev_1.4.0-1.2_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkkn3KwACgkQriZpaaIa1PmTtQCggejcP52dSEY/zCsejEYzD0+s
Qw8AoLdEois+BD7V4NaJ/nAG0viyG0uA
=nG7Y
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Sun, 23 Nov 2008 19:03:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bas Zoetekouw <bas@debian.org>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Sun, 23 Nov 2008 19:03:03 GMT) Full text and rfc822 format available.

Message #34 received at 505714@bugs.debian.org (full text, mbox):

From: Bas Zoetekouw <bas@debian.org>
To: Thomas Viehmann <tv@beamnet.de>, 505714@bugs.debian.org
Subject: Re: Bug#505714: imlib2: diff for NMU version 1.4.0-1.2
Date: Sun, 23 Nov 2008 20:00:36 +0100
Hi!

> diff -u imlib2-1.4.0/src/modules/loaders/loader_xpm.c imlib2-1.4.0/src/modules/loaders/loader_xpm.c
> --- imlib2-1.4.0/src/modules/loaders/loader_xpm.c
> +++ imlib2-1.4.0/src/modules/loaders/loader_xpm.c
> @@ -246,8 +246,8 @@
>                                   return 0;
>                                }
>                              ptr = im->data;
> -                            end = ptr + (sizeof(DATA32) * w * h);
>                              pixels = w * h;
> +                            end = ptr + pixels;
>                           }
>                         else
>                           {

Are you sure this patch actually fixes the bug reported here?  I agree
that the use of sizeof(DATA32) here is definately a bug and should be
fixed, but I'm not sure that that's all there is to it.

The reporter of the bug as well as the CVE say the actual problem here
is that the height and width are read from the header, and might not be
the actual size of the picture being loaded.  I don't see how this patch
fixes that issue (although must confess I haven't looked at the code in
detail).

Concretely: can't w*h still overflow in the code above, for a suitably crafted
header?

Kind regards,
Bas.

-- 
+--------------------------------------------------------------+
| Bas Zoetekouw      | Sweet day, so cool, so calm, so bright, |
|--------------------| The bridall of the earth and skie:      |
| bas@zoetekouw.net  | The dew shall weep thy fall tonight;    |
+--------------------|                    For thou must die.   |
                     +-----------------------------------------+




Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Sun, 23 Nov 2008 19:24:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Sun, 23 Nov 2008 19:24:06 GMT) Full text and rfc822 format available.

Message #39 received at 505714@bugs.debian.org (full text, mbox):

From: Thomas Viehmann <tv@beamnet.de>
To: Bas Zoetekouw <bas@debian.org>
Cc: 505714@bugs.debian.org
Subject: Re: Bug#505714: imlib2: diff for NMU version 1.4.0-1.2
Date: Sun, 23 Nov 2008 20:22:27 +0100
Hi,

thanks for your attention to this.

Bas Zoetekouw wrote:
>> diff -u imlib2-1.4.0/src/modules/loaders/loader_xpm.c imlib2-1.4.0/src/modules/loaders/loader_xpm.c
>> --- imlib2-1.4.0/src/modules/loaders/loader_xpm.c
>> +++ imlib2-1.4.0/src/modules/loaders/loader_xpm.c
>> @@ -246,8 +246,8 @@
>>                                   return 0;
>>                                }
>>                              ptr = im->data;
>> -                            end = ptr + (sizeof(DATA32) * w * h);
>>                              pixels = w * h;
>> +                            end = ptr + pixels;
>>                           }
>>                         else
>>                           {
> 
> Are you sure this patch actually fixes the bug reported here?  I agree
> that the use of sizeof(DATA32) here is definately a bug and should be
> fixed, but I'm not sure that that's all there is to it.
> 
> The reporter of the bug as well as the CVE say the actual problem here
> is that the height and width are read from the header, and might not be
> the actual size of the picture being loaded.  I don't see how this patch
> fixes that issue (although must confess I haven't looked at the code in
> detail).
> 
> Concretely: can't w*h still overflow in the code above, for a suitably crafted
> header?
ptr and end are both DATA32*.

ptr is initialized to
  im->data = (DATA32 *) malloc(sizeof(DATA32) * im->w * im->h);

(im->w and im->h are equal to w and h, respectively) and later on this
is used as

for (i = 0;
     ((i < 65536) && (ptr < end) && (line[i]));
     i++)
{
...
  *ptr++ = ...
}

I think this should be OK even end ends up < ptr because some one of w,h
is negative for some reason or an overflow, but I'm more happy to be
corrected than have imlib2 in the release with an incorrect patch. :)

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/




Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Sun, 23 Nov 2008 21:36:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Peter De Wachter <pdewacht@gmail.com>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Sun, 23 Nov 2008 21:36:03 GMT) Full text and rfc822 format available.

Message #44 received at 505714@bugs.debian.org (full text, mbox):

From: Peter De Wachter <pdewacht@gmail.com>
To: Thomas Viehmann <tv@beamnet.de>, Bas Zoetekouw <bas@debian.org>
Cc: 505714@bugs.debian.org
Subject: Re: Bug#505714: imlib2: diff for NMU version 1.4.0-1.2
Date: Sun, 23 Nov 2008 22:31:43 +0100
On Sun, 23 Nov 2008 20:22:27 +0100
Thomas Viehmann <tv@beamnet.de> wrote:

> > Concretely: can't w*h still overflow in the code above, for a
> > suitably crafted header?
> ptr and end are both DATA32*.
> 
> ptr is initialized to
>   im->data = (DATA32 *) malloc(sizeof(DATA32) * im->w * im->h);
> 
> (im->w and im->h are equal to w and h, respectively) and later on this
> is used as
> 
> for (i = 0;
>      ((i < 65536) && (ptr < end) && (line[i]));
>      i++)
> {
> ...
>   *ptr++ = ...
> }
> 
> I think this should be OK even end ends up < ptr because some one of
> w,h is negative for some reason or an overflow, but I'm more happy to
> be corrected than have imlib2 in the release with an incorrect
> patch. :)

The code also checks that w and h are positive and at most 8192.

-- 
Peter De Wachter




Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Tue, 25 Nov 2008 11:51:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Bas Zoetekouw <bas@debian.org>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Tue, 25 Nov 2008 11:51:04 GMT) Full text and rfc822 format available.

Message #49 received at 505714@bugs.debian.org (full text, mbox):

From: Bas Zoetekouw <bas@debian.org>
To: Thomas Viehmann <tv@beamnet.de>
Cc: 505714@bugs.debian.org
Subject: Re: Bug#505714: imlib2: diff for NMU version 1.4.0-1.2
Date: Tue, 25 Nov 2008 12:48:14 +0100
Hi Thomas!

You wrote:

> I think this should be OK even end ends up < ptr because some one of w,h
> is negative for some reason or an overflow, but I'm more happy to be
> corrected than have imlib2 in the release with an incorrect patch. :)

Isee.
Thanks for your analysis, and sorry for the noise.

Regards,
Bas.

-- 
+--------------------------------------------------------------+
| Bas Zoetekouw      | Sweet day, so cool, so calm, so bright, |
|--------------------| The bridall of the earth and skie:      |
| bas@zoetekouw.net  | The dew shall weep thy fall tonight;    |
+--------------------|                    For thou must die.   |
                     +-----------------------------------------+




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 24 Dec 2008 07:26:03 GMT) Full text and rfc822 format available.

Bug unarchived. Request was from tv@beamnet.de (Thomas Viehmann) to control@bugs.debian.org. (Mon, 12 Jan 2009 13:48:09 GMT) Full text and rfc822 format available.

Bug marked as found in version 1.4.0-1. Request was from tv@beamnet.de (Thomas Viehmann) to control@bugs.debian.org. (Mon, 12 Jan 2009 13:48:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Mon, 12 Jan 2009 15:00:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Mon, 12 Jan 2009 15:00:22 GMT) Full text and rfc822 format available.

Message #60 received at 505714@bugs.debian.org (full text, mbox):

From: Thomas Viehmann <tv@beamnet.de>
To: 505714@bugs.debian.org
Subject: handling of NMUs and reintroducing #505714
Date: Mon, 12 Jan 2009 15:51:04 +0100
Hi Laurence,

apologies for misspelling your name in my communication of this bug
report. Nonetheless I would suggest to not drop the security bug fix for
#505714. Generally, it might be a good idea to make a habit out of
incorporating NMUs as per Developer's Reference 5.11.6.

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/




Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Mon, 12 Jan 2009 17:18:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Laurence J. Lane" <ljlane@debian.org>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Mon, 12 Jan 2009 17:18:06 GMT) Full text and rfc822 format available.

Message #65 received at 505714@bugs.debian.org (full text, mbox):

From: "Laurence J. Lane" <ljlane@debian.org>
To: "Thomas Viehmann" <tv@beamnet.de>, 505714@bugs.debian.org
Subject: Re: Bug#505714: handling of NMUs and reintroducing #505714
Date: Mon, 12 Jan 2009 12:14:48 -0500
On Mon, Jan 12, 2009 at 9:51 AM, Thomas Viehmann <tv@beamnet.de> wrote:

> apologies for misspelling your name in my communication of this bug
> report. Nonetheless I would suggest to not drop the security bug fix for
> #505714. Generally, it might be a good idea to make a habit out of
> incorporating NMUs as per Developer's Reference 5.11.6.

Oops.




Information forwarded to debian-bugs-dist@lists.debian.org, ljlane@debian.org (Laurence J. Lane):
Bug#505714; Package libimlib2. (Mon, 12 Jan 2009 19:06:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thomas Viehmann <tv@beamnet.de>:
Extra info received and forwarded to list. Copy sent to ljlane@debian.org (Laurence J. Lane). (Mon, 12 Jan 2009 19:06:02 GMT) Full text and rfc822 format available.

Message #70 received at 505714@bugs.debian.org (full text, mbox):

From: Thomas Viehmann <tv@beamnet.de>
To: "Laurence J. Lane" <ljlane@debian.org>
Cc: 505714@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#505714: handling of NMUs and reintroducing #505714
Date: Mon, 12 Jan 2009 20:01:59 +0100
# nitpicking the version tracking for Daniel Holbach's reference :)...
found 505714 1.4.2-1
fixed 505714 1.4.2-2
thanks

Hi,

Thanks for the quick fix!

Kind regards

T.
-- 
Thomas Viehmann, http://thomas.viehmann.net/




Bug marked as found in version 1.4.2-1 and reopened. Request was from Thomas Viehmann <tv@beamnet.de> to control@bugs.debian.org. (Mon, 12 Jan 2009 19:06:04 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 1.4.2-2. Request was from Thomas Viehmann <tv@beamnet.de> to control@bugs.debian.org. (Mon, 12 Jan 2009 19:06:05 GMT) Full text and rfc822 format available.

Reply sent to Jakub Wilk <jwilk@debian.org>:
You have taken responsibility. (Sat, 28 Apr 2012 12:27:03 GMT) Full text and rfc822 format available.

Notification sent to Julien Danjou <acid@debian.org>:
Bug acknowledged by developer. (Sat, 28 Apr 2012 12:27:06 GMT) Full text and rfc822 format available.

Message #79 received at 505714-done@bugs.debian.org (full text, mbox):

From: Jakub Wilk <jwilk@debian.org>
To: 505714-done@bugs.debian.org
Subject: Re: Bug#505714: Crash on loading XPM file
Date: Sat, 28 Apr 2012 14:22:00 +0200
This bug is marked as fixed in stable, testing and unstable. There's no 
reason to keep it open. Closing.

-- 
Jakub Wilk




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 27 May 2012 07:34:53 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 23:27:39 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.