Debian Bug report logs - #512122
[devil] fix for #511844 results in an off-by-one

version graph

Package: devil; Maintainer for devil is Debian QA Group <packages@qa.debian.org>;

Reported by: Nico Golde <nion@debian.org>

Date: Sat, 17 Jan 2009 14:15:01 UTC

Severity: grave

Tags: security

Found in version 1.7.5-3

Fixed in version devil/1.7.5-4

Done: Bradley Smith <bradsmith@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, secure-testing-team@lists.alioth.debian.org, Bradley Smith <bradsmith@debian.org>:
Bug#512122; Package devil. (Sat, 17 Jan 2009 14:15:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to secure-testing-team@lists.alioth.debian.org, Bradley Smith <bradsmith@debian.org>. (Sat, 17 Jan 2009 14:15:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: [devil] fix for #511844 results in an off-by-one
Date: Sat, 17 Jan 2009 15:10:36 +0100
[Message part 1 (text/plain, inline)]
Package: devil
Version: 1.7.5-3
Severity: grave
Tags: security
X-Debbugs-CC: secure-testing-team@lists.alioth.debian.org

Hi,
you fix #511844 by:
        while (a != '\n') {
+               if (count >= 80) {  // Line shouldn't be this long at all.
+                       ilSetError(IL_INVALID_FILE_HEADER);
+                       return IL_FALSE;
+               }
                buff[count] = a;

sizeof(buff) is 80. After each loop count is incremented and
a 0 byte is written to buff[count] after the while loop.
In case the header is 79 bytes long this results in an off-by-one and
a 0 byte written to buff[80]. Please fix this by check for count being
>= sizeof(buff) -1.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Reply sent to Bradley Smith <bradsmith@debian.org>:
You have taken responsibility. (Sat, 17 Jan 2009 15:39:17 GMT) Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. (Sat, 17 Jan 2009 15:39:17 GMT) Full text and rfc822 format available.

Message #10 received at 512122-close@bugs.debian.org (full text, mbox):

From: Bradley Smith <bradsmith@debian.org>
To: 512122-close@bugs.debian.org
Subject: Bug#512122: fixed in devil 1.7.5-4
Date: Sat, 17 Jan 2009 15:17:04 +0000
Source: devil
Source-Version: 1.7.5-4

We believe that the bug you reported is fixed in the latest version of
devil, which is due to be installed in the Debian FTP archive:

devil_1.7.5-4.diff.gz
  to pool/main/d/devil/devil_1.7.5-4.diff.gz
devil_1.7.5-4.dsc
  to pool/main/d/devil/devil_1.7.5-4.dsc
libdevil-dev_1.7.5-4_i386.deb
  to pool/main/d/devil/libdevil-dev_1.7.5-4_i386.deb
libdevil1c2_1.7.5-4_i386.deb
  to pool/main/d/devil/libdevil1c2_1.7.5-4_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 512122@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bradley Smith <bradsmith@debian.org> (supplier of updated devil package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 17 Jan 2009 15:01:18 +0000
Source: devil
Binary: libdevil1c2 libdevil-dev
Architecture: source i386
Version: 1.7.5-4
Distribution: unstable
Urgency: low
Maintainer: Bradley Smith <bradsmith@debian.org>
Changed-By: Bradley Smith <bradsmith@debian.org>
Description: 
 libdevil-dev - Cross-platform image loading and manipulation toolkit
 libdevil1c2 - Cross-platform image loading and manipulation toolkit
Closes: 512122
Changes: 
 devil (1.7.5-4) unstable; urgency=low
 .
   * Actually fix CVE-2008-5262. Closes: #512122.
Checksums-Sha1: 
 5b9f3abc8e0736ba753565eaa3812b56ff6147d7 1269 devil_1.7.5-4.dsc
 48b25284c1122f0622ea90f890e467880ec603b7 13172 devil_1.7.5-4.diff.gz
 47fdcadd67232bc55849210ee704e980ba403ce1 225514 libdevil1c2_1.7.5-4_i386.deb
 bbf4a8e325ce65138e3039dbb0a2fcfc090e6412 267740 libdevil-dev_1.7.5-4_i386.deb
Checksums-Sha256: 
 1c8afe948b328dc33ff6c322d5d8957f1ceb87458b1766e1dddc449fe5da6fec 1269 devil_1.7.5-4.dsc
 1933a64dce740d6e8bd115eecdbd8588d8f1000ae98e85ce10106a4c78a75341 13172 devil_1.7.5-4.diff.gz
 2b90c3754b74dc7f9aeabae69618d22e55ef27b6d439526ac783bcaecd7a7240 225514 libdevil1c2_1.7.5-4_i386.deb
 aa7be0f28c506577e06c729b7f1f8220f87ac0c52a9d5b8317a6c7ab48af5c6b 267740 libdevil-dev_1.7.5-4_i386.deb
Files: 
 0ace64df4b2976970465a2cc3ae2c5cc 1269 devel optional devil_1.7.5-4.dsc
 42aa8544cff3995d33d4db6706fbe47c 13172 devel optional devil_1.7.5-4.diff.gz
 4c77fa4aa7b581eb10c1d7c8cc33889c 225514 libs optional libdevil1c2_1.7.5-4_i386.deb
 fdd059933fbc9f4d93a834d10ffc5271 267740 libdevel optional libdevil-dev_1.7.5-4_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAklx9EMACgkQj3BimscY00fLkACfVW7BcP0C7Ha5LHRd4u+HPhVW
wp8AnRUXT/n3WCorxUdaYCUFA0VlvjR2
=DBJM
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 15 Feb 2009 07:27:45 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 10:14:35 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.