Debian Bug report logs - #534973
compface: bufer overflow in xbm-file

version graph

Package: compface; Maintainer for compface is Hakan Ardo <hakan@debian.org>; Source for compface is src:libcompface.

Reported by: metalhoney@hushmail.com

Date: Sun, 28 Jun 2009 17:12:01 UTC

Severity: grave

Tags: security

Found in version libcompface/1:1.5.2-4

Fixed in version libcompface/1:1.5.2-5

Done: Hakan Ardo <hakan@debian.org>

Bug is archived. No further changes may be made.

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox


Report forwarded to debian-bugs-dist@lists.debian.org, Hakan Ardo <hakan@debian.org>:
Bug#534973; Package compface. (Sun, 28 Jun 2009 17:12:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to metalhoney@hushmail.com:
New Bug report received and forwarded. Copy sent to Hakan Ardo <hakan@debian.org>. (Sun, 28 Jun 2009 17:12:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: metalhoney@hushmail.com
To: submit@bugs.debian.org
Subject: compface: bufer overflow in xbm-file
Date: Sun, 28 Jun 2009 19:10:45 +0200
Subject: compface: bufer overflow in xbm-file
Package: compface
Version: 1:1.5.2-4
Severity: grave
Justification: user security hole
Tags: security

*** Please type your report below this line ***

please note that serius bufer overflow vuln in compface:

  http://milw0rm.org/exploits/8982

-- System Information:
Debian Release: 5.0.2
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages compface depends on:
ii  libc6                         2.7-18     GNU C Library: Shared 
libraries
pi  libcompfaceg1                 1:1.5.2-4  Compress/decompress 
images for mai

compface recommends no packages.

compface suggests no packages.

-- no debconf information

--
Improve your driving ability with a stop at traffic school. Click now!
 http://tagline.hushmail.com/fc/BLSrjkqhynuzyryeUmYRzlGlYnNeBH1StpEla6mapWGfI2Km3snlzpriJVG/





Information forwarded to debian-bugs-dist@lists.debian.org, Hakan Ardo <hakan@debian.org>:
Bug#534973; Package compface. (Mon, 29 Jun 2009 07:36:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Hakan Ardo <Hakan@ardoe.net>:
Extra info received and forwarded to list. Copy sent to Hakan Ardo <hakan@debian.org>. (Mon, 29 Jun 2009 07:36:03 GMT) Full text and rfc822 format available.

Message #10 received at 534973@bugs.debian.org (full text, mbox):

From: Hakan Ardo <Hakan@ardoe.net>
To: metalhoney@hushmail.com, 534973@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#534973: compface: bufer overflow in xbm-file
Date: Mon, 29 Jun 2009 09:30:48 +0200
[Message part 1 (text/plain, inline)]
Hi,
thx for the report. Attached is a patch fixing the buffer overflow.
I'll prepare a new release tonight.

On Sun, Jun 28, 2009 at 7:10 PM, <metalhoney@hushmail.com> wrote:
> Subject: compface: bufer overflow in xbm-file
> Package: compface
> Version: 1:1.5.2-4
> Severity: grave
> Justification: user security hole
> Tags: security
>
> *** Please type your report below this line ***
>
> please note that serius bufer overflow vuln in compface:
>
>  http://milw0rm.org/exploits/8982
>
> -- System Information:
> Debian Release: 5.0.2
>  APT prefers stable
>  APT policy: (500, 'stable')
> Architecture: i386 (i686)
>
> Kernel: Linux 2.6.26-2-686 (SMP w/1 CPU core)
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/bash
>
> Versions of packages compface depends on:
> ii  libc6                         2.7-18     GNU C Library: Shared
> libraries
> pi  libcompfaceg1                 1:1.5.2-4  Compress/decompress
> images for mai
>
> compface recommends no packages.
>
> compface suggests no packages.
>
> -- no debconf information
>
> --
> Improve your driving ability with a stop at traffic school. Click now!
>  http://tagline.hushmail.com/fc/BLSrjkqhynuzyryeUmYRzlGlYnNeBH1StpEla6mapWGfI2Km3snlzpriJVG/
>
>
>
>



-- 
Håkan Ardö
[patch (application/octet-stream, attachment)]

Reply sent to Hakan Ardo <hakan@debian.org>:
You have taken responsibility. (Mon, 29 Jun 2009 17:45:06 GMT) Full text and rfc822 format available.

Notification sent to metalhoney@hushmail.com:
Bug acknowledged by developer. (Mon, 29 Jun 2009 17:45:06 GMT) Full text and rfc822 format available.

Message #15 received at 534973-close@bugs.debian.org (full text, mbox):

From: Hakan Ardo <hakan@debian.org>
To: 534973-close@bugs.debian.org
Subject: Bug#534973: fixed in libcompface 1:1.5.2-5
Date: Mon, 29 Jun 2009 17:17:04 +0000
Source: libcompface
Source-Version: 1:1.5.2-5

We believe that the bug you reported is fixed in the latest version of
libcompface, which is due to be installed in the Debian FTP archive:

compface_1.5.2-5_amd64.deb
  to pool/main/libc/libcompface/compface_1.5.2-5_amd64.deb
libcompface_1.5.2-5.diff.gz
  to pool/main/libc/libcompface/libcompface_1.5.2-5.diff.gz
libcompface_1.5.2-5.dsc
  to pool/main/libc/libcompface/libcompface_1.5.2-5.dsc
libcompfaceg1-dev_1.5.2-5_amd64.deb
  to pool/main/libc/libcompface/libcompfaceg1-dev_1.5.2-5_amd64.deb
libcompfaceg1_1.5.2-5_amd64.deb
  to pool/main/libc/libcompface/libcompfaceg1_1.5.2-5_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 534973@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hakan Ardo <hakan@debian.org> (supplier of updated libcompface package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Mon, 29 Jun 2009 18:49:13 +0200
Source: libcompface
Binary: libcompfaceg1-dev libcompfaceg1 compface
Architecture: source amd64
Version: 1:1.5.2-5
Distribution: unstable
Urgency: high
Maintainer: Hakan Ardo <hakan@debian.org>
Changed-By: Hakan Ardo <hakan@debian.org>
Description: 
 compface   - Compress/decompress images for mailheaders, user tools
 libcompfaceg1 - Compress/decompress images for mailheaders, libc6 runtime
 libcompfaceg1-dev - Compress/decompress images for mailheaders, libc6 devel
Closes: 534973
Changes: 
 libcompface (1:1.5.2-5) unstable; urgency=high
 .
   * Fixed bufferoverflow when reading xbm files (closes: #534973)
Checksums-Sha1: 
 369aa31c692f1ee51f0a3a0bc76448e85ebff082 1004 libcompface_1.5.2-5.dsc
 185e3b16f6a2dcb54a94ec4e073dc679feb97c16 13673 libcompface_1.5.2-5.diff.gz
 732f6ff5792afff37a70bbe54db4036953ec51aa 17224 libcompfaceg1-dev_1.5.2-5_amd64.deb
 68abcd056ad364e9b53985f32c6e10075d01d35e 14612 libcompfaceg1_1.5.2-5_amd64.deb
 cf00eaa46e42ab9be748d3ec895d3523decc186b 12714 compface_1.5.2-5_amd64.deb
Checksums-Sha256: 
 971c0eaccdc38aba0ad3229c28c89a1f5a017f546e3168054e35c057c2d94c0d 1004 libcompface_1.5.2-5.dsc
 0587f531d09aa229618e4f648ca085a816a8d35cb4d35e216446c7462ffef733 13673 libcompface_1.5.2-5.diff.gz
 39581d832406db25a53f44bea9f0748ae7c5f13b35557dc7ff57a5794946529b 17224 libcompfaceg1-dev_1.5.2-5_amd64.deb
 46b501c88a05f04b04298241c9328f75b97ff8e65dd717f888b0a0da802b1898 14612 libcompfaceg1_1.5.2-5_amd64.deb
 d0f0969fc579eae2a6f58c00a5455448750d0d811c0d48dccdc2cbc94a3c288c 12714 compface_1.5.2-5_amd64.deb
Files: 
 3a22884201f3ad8b300df687f97b7e02 1004 mail optional libcompface_1.5.2-5.dsc
 6f47cc3d1f23b9bc92b4b0ca2b9fd7dd 13673 mail optional libcompface_1.5.2-5.diff.gz
 af4d209aba05272ebf87022cc5b8cafc 17224 devel optional libcompfaceg1-dev_1.5.2-5_amd64.deb
 562573e53011c729b16952359c53f510 14612 libs optional libcompfaceg1_1.5.2-5_amd64.deb
 71c81bb08ace427a7b903ac9de3b5082 12714 mail optional compface_1.5.2-5_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAkpI9MEACgkQAbtddT3jfcBOfwCdE02d+q8RLb69x3dQ4CzBD1D7
54cAn0lFPWq+0pjL5IjuoN/hU/TVgSi4
=f/Kr
-----END PGP SIGNATURE-----





Information forwarded to debian-bugs-dist@lists.debian.org, Hakan Ardo <hakan@debian.org>:
Bug#534973; Package compface. (Wed, 01 Jul 2009 17:54:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Hakan Ardo <hakan@debian.org>. (Wed, 01 Jul 2009 17:54:03 GMT) Full text and rfc822 format available.

Message #20 received at 534973@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 534973@bugs.debian.org
Subject: CVE id
Date: Wed, 1 Jul 2009 19:48:34 +0200
[Message part 1 (text/plain, inline)]
Hi,
A CVE id has been assigned to this bug:
======================================================
Name: CVE-2009-2286
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2286
Reference: MLIST:[oss-security] 20090629 CVE id request: compface
Reference: URL:http://www.openwall.com/lists/oss-security/2009/06/29/2
Reference: MLIST:[oss-security] 20090629 Re: CVE id request: compface
Reference: URL:http://www.openwall.com/lists/oss-security/2009/06/29/4
Reference: CONFIRM:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=534973

Buffer overflow in compface 1.5.2 and earlier allows user-assisted
attackers to cause a denial of service (crash) via a long declaration
in a .xbm file.

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.
[Message part 2 (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Hakan Ardo <hakan@debian.org>:
Bug#534973; Package compface. (Sat, 04 Jul 2009 23:03:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Hakan Ardo <hakan@debian.org>. (Sat, 04 Jul 2009 23:03:02 GMT) Full text and rfc822 format available.

Message #25 received at 534973@bugs.debian.org (full text, mbox):

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: 534973@bugs.debian.org
Subject: stable updates
Date: Sat, 4 Jul 2009 18:59:53 -0400
reopen 534973
fixed 534973 1:1.5.2-5
thanks

hello,

please assist the security team to prepare updates for this issue in
the stable releases.  thank you.

mike




Bug reopened, originator not changed. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sun, 05 Jul 2009 01:03:02 GMT) Full text and rfc822 format available.

Bug marked as fixed in version 1:1.5.2-5. Request was from "Michael S. Gilbert" <michael.s.gilbert@gmail.com> to control@bugs.debian.org. (Sun, 05 Jul 2009 01:03:03 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Hakan Ardo <hakan@debian.org>:
Bug#534973; Package compface. (Mon, 06 Jul 2009 06:18:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Hakan Ardo <Hakan@ardoe.net>:
Extra info received and forwarded to list. Copy sent to Hakan Ardo <hakan@debian.org>. (Mon, 06 Jul 2009 06:18:02 GMT) Full text and rfc822 format available.

Message #34 received at 534973@bugs.debian.org (full text, mbox):

From: Hakan Ardo <Hakan@ardoe.net>
To: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>, 534973@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#534973: stable updates
Date: Mon, 6 Jul 2009 08:16:11 +0200
[Message part 1 (text/plain, inline)]
Hi,
version 1:1.5.2-5 that I released to unstable is suitable for stable
aswell. Prior to this bugfix unstable and stable both contained
version 1:1.5.2-4. Attached is a patch with the fix. Do you want me to
build it for stable aswell?

On Sun, Jul 5, 2009 at 12:59 AM, Michael S.
Gilbert<michael.s.gilbert@gmail.com> wrote:
> reopen 534973
> fixed 534973 1:1.5.2-5
> thanks
>
> hello,
>
> please assist the security team to prepare updates for this issue in
> the stable releases.  thank you.
>
> mike
>
>
>



-- 
Håkan Ardö
[patch (application/octet-stream, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Hakan Ardo <hakan@debian.org>:
Bug#534973; Package compface. (Mon, 06 Jul 2009 19:48:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Thijs Kinkhorst <thijs@debian.org>:
Extra info received and forwarded to list. Copy sent to Hakan Ardo <hakan@debian.org>. (Mon, 06 Jul 2009 19:48:02 GMT) Full text and rfc822 format available.

Message #39 received at 534973@bugs.debian.org (full text, mbox):

From: Thijs Kinkhorst <thijs@debian.org>
To: Hakan Ardo <Hakan@ardoe.net>
Cc: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>, 534973@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#534973: stable updates
Date: Mon, 6 Jul 2009 21:44:44 +0200
[Message part 1 (text/plain, inline)]
Hi Håkan,

> version 1:1.5.2-5 that I released to unstable is suitable for stable
> aswell. Prior to this bugfix unstable and stable both contained
> version 1:1.5.2-4. Attached is a patch with the fix. Do you want me to
> build it for stable aswell?

Thank you for getting in touch with us. Judging from the context in which this 
bug manifests itself, I think releasing a DSA for it is overkill. It happens 
when creating a new X-Face header, which is something you would do rarely,
mostly not with any random image you didn't check out before, always as an 
unprivileged user and what can happen is a crash of the conversion which is 
harly harmful. The security implications of this are very minor. Normally 
there's a process to fix minor security issues through a stable point update 
but I think this one is even too minor for that. It's great that testing and 
unstable are fixed for the future, but I propose that we just leave it at 
that and consider this case closed.

Thank you for getting sid/squeeze fixed quickly.


cheers,
Thijs
[signature.asc (application/pgp-signature, inline)]

Information forwarded to debian-bugs-dist@lists.debian.org, Hakan Ardo <hakan@debian.org>:
Bug#534973; Package compface. (Tue, 07 Jul 2009 05:15:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to "Michael S. Gilbert" <michael.s.gilbert@gmail.com>:
Extra info received and forwarded to list. Copy sent to Hakan Ardo <hakan@debian.org>. (Tue, 07 Jul 2009 05:15:03 GMT) Full text and rfc822 format available.

Message #44 received at 534973@bugs.debian.org (full text, mbox):

From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
To: 534973@bugs.debian.org, team@security.debian.org
Subject: Re: Bug#534973: stable updates
Date: Tue, 7 Jul 2009 01:09:57 -0400
On Mon, 6 Jul 2009 21:44:44 +0200 Thijs Kinkhorst wrote:
> > version 1:1.5.2-5 that I released to unstable is suitable for stable
> > aswell. Prior to this bugfix unstable and stable both contained
> > version 1:1.5.2-4. Attached is a patch with the fix. Do you want me to
> > build it for stable aswell?
> 
> Thank you for getting in touch with us. Judging from the context in which this 
> bug manifests itself, I think releasing a DSA for it is overkill. It happens 
> when creating a new X-Face header, which is something you would do rarely,
> mostly not with any random image you didn't check out before, always as an 
> unprivileged user and what can happen is a crash of the conversion which is 
> harly harmful. The security implications of this are very minor. Normally 
> there's a process to fix minor security issues through a stable point update 
> but I think this one is even too minor for that. It's great that testing and 
> unstable are fixed for the future, but I propose that we just leave it at 
> that and consider this case closed.

i would agree.  the implications (a user-initiated application crash on
invalid input) are so minor that this probably should not have been
tagged as a security concern nor given a CVE in the first place.
although, has the possibility of code injection been fully ruled out?

mike




Information forwarded to debian-bugs-dist@lists.debian.org, Hakan Ardo <hakan@debian.org>:
Bug#534973; Package compface. (Sat, 11 Jul 2009 08:42:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Hakan Ardo <Hakan@ardoe.net>:
Extra info received and forwarded to list. Copy sent to Hakan Ardo <hakan@debian.org>. (Sat, 11 Jul 2009 08:42:03 GMT) Full text and rfc822 format available.

Message #49 received at 534973@bugs.debian.org (full text, mbox):

From: Hakan Ardo <Hakan@ardoe.net>
To: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>, 534973@bugs.debian.org
Cc: team@security.debian.org
Subject: Re: Bug#534973: stable updates
Date: Sat, 11 Jul 2009 10:15:42 +0200
I don't know, but I would agree that the risk is small enough to drop
the matter and close the case.

On Tue, Jul 7, 2009 at 7:09 AM, Michael S.
Gilbert<michael.s.gilbert@gmail.com> wrote:
> On Mon, 6 Jul 2009 21:44:44 +0200 Thijs Kinkhorst wrote:
>> > version 1:1.5.2-5 that I released to unstable is suitable for stable
>> > aswell. Prior to this bugfix unstable and stable both contained
>> > version 1:1.5.2-4. Attached is a patch with the fix. Do you want me to
>> > build it for stable aswell?
>>
>> Thank you for getting in touch with us. Judging from the context in which this
>> bug manifests itself, I think releasing a DSA for it is overkill. It happens
>> when creating a new X-Face header, which is something you would do rarely,
>> mostly not with any random image you didn't check out before, always as an
>> unprivileged user and what can happen is a crash of the conversion which is
>> harly harmful. The security implications of this are very minor. Normally
>> there's a process to fix minor security issues through a stable point update
>> but I think this one is even too minor for that. It's great that testing and
>> unstable are fixed for the future, but I propose that we just leave it at
>> that and consider this case closed.
>
> i would agree.  the implications (a user-initiated application crash on
> invalid input) are so minor that this probably should not have been
> tagged as a security concern nor given a CVE in the first place.
> although, has the possibility of code injection been fully ruled out?
>
> mike
>
>
>



-- 
Håkan Ardö




Reply sent to Hakan Ardo <hakan@debian.org>:
You have taken responsibility. (Sat, 11 Feb 2012 11:12:04 GMT) Full text and rfc822 format available.

Notification sent to metalhoney@hushmail.com:
Bug acknowledged by developer. (Sat, 11 Feb 2012 11:12:05 GMT) Full text and rfc822 format available.

Message #54 received at 534973-close@bugs.debian.org (full text, mbox):

From: Hakan Ardo <hakan@debian.org>
To: 534973-close@bugs.debian.org
Subject: Fixed in v 1.5.2-5
Date: Sat, 11 Feb 2012 12:09:44 +0100
-- 
Håkan Ardö




Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 11 Mar 2012 07:39:08 GMT) Full text and rfc822 format available.

Send a report that this bug log contains spam.


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Mon Apr 21 12:50:14 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.