Report forwarded to debian-bugs-dist@lists.debian.org, Erik Schanze <eriks@debian.org>: Bug#550978; Package gif2png. (Wed, 14 Oct 2009 15:36:05 GMT)
Acknowledgement sent to Patroklos Argyroudis <argp@census-labs.com>: New Bug report received and forwarded. Copy sent to Erik Schanze <eriks@debian.org>. (Wed, 14 Oct 2009 15:36:05 GMT)
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gif2png: Command line buffer overflow
Date: Wed, 14 Oct 2009 18:30:31 +0300
Package: gif2png
Version: 2.5.1-3
Severity: normal
gif2png is prone to a command line buffer overflow, since there is a
strcpy(3) call that fails to bounds-check user-supplied data before copying
it to a fixed-size buffer. Here is a transcript:
[argp@hegel /tmp]$ gif2png `python -c 'print "A"*2048'`
Segmentation fault (core dumped)
[argp@hegel /tmp]$ gdb -q gif2png -c core
(no debugging symbols found)
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libpng12.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpng12.so.0
Reading symbols from /lib/i686/cmov/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i686/cmov/libm.so.6
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/i686/cmov/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i686/cmov/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
(no debugging symbols found)
Core was generated by `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0xb7e6c6ed in ?? () from /lib/i686/cmov/libc.so.6
gdb $ i r
eax 0x41414141 0x41414141
ecx 0xb7f5960c 0xb7f5960c
edx 0xbfffe960 0xbfffe960
ebx 0xb7f57ff4 0xb7f57ff4
esp 0xbfffe384 0xbfffe384
ebp 0xbfffe3d8 0xbfffe3d8
esi 0xb7f3b1da 0xb7f3b1da
edi 0xb7f3b1e4 0xb7f3b1e4
eip 0xb7e6c6ed 0xb7e6c6ed
eflags 0x10206 [ PF IF RF ]
cs 0x73 0x73
ss 0x7b 0x7b
ds 0x7b 0x7b
es 0x7b 0x7b
fs 0x0 0x0
gs 0x33 0x33
The bug is located in file gif2png.c, line number 901
(strcpy(name, argv[i])), where name is a fixed-size char array. This may
have security repercussions if gif2png is configured as a handler for
other applications that can pass user-supplied filenames as command line
input to gif2png (e.g. from a CGI or other).
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages gif2png depends on:
ii libc6 2.9-25 GNU C Library: Shared libraries
ii libpng12-0 1.2.39-1 PNG library - runtime
ii zlib1g 1:1.2.3.3.dfsg-15 compression library - runtime
Versions of packages gif2png recommends:
ii python 2.5.4-2 An interactive high-level object-o
gif2png suggests no packages.
-- no debconf information
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#550978; Package gif2png. (Tue, 10 Nov 2009 21:21:04 GMT)
Acknowledgement sent to Erik Schanze <eriks@debian.org>: Extra info received and forwarded to list. (Tue, 10 Nov 2009 21:21:04 GMT)
Subject: Re: Bug#550978: gif2png: Command line buffer overflow
Date: Tue, 10 Nov 2009 22:17:32 +0100
Hi Eric,
[please keep 550978-forwarded@bugs.debian.org on CC:]
I'm the maintainer of gif2png's Debian package.
A Debian GNU/Linux user has reported the bug described below.
Could you please have a look at it and fix it upstream?
Thank you in advance.
Patroklos Argyroudis <argp@census-labs.com>:
> [...]
Bye,
Erik
--
www.ErikSchanze.de
No HTML mails, please! Limit: 100 kB
- Linux-Info-Tag in Dresden again in 2010
Info: http://www.linux-info-tag.de/
Reply sent to Erik Schanze <eriks@debian.org>: You have marked Bug as forwarded. (Tue, 10 Nov 2009 21:21:09 GMT)
Reply sent to Erik Schanze <eriks@debian.org>: You have taken responsibility. (Sun, 06 Dec 2009 12:51:24 GMT)
Notification sent to Patroklos Argyroudis <argp@census-labs.com>: Bug acknowledged by developer. (Sun, 06 Dec 2009 12:51:24 GMT)
Source: gif2png
Source-Version: 2.5.2-1
We believe that the bug you reported is fixed in the latest version of
gif2png, which is due to be installed in the Debian FTP archive:
gif2png_2.5.2-1.diff.gz
to main/g/gif2png/gif2png_2.5.2-1.diff.gz
gif2png_2.5.2-1.dsc
to main/g/gif2png/gif2png_2.5.2-1.dsc
gif2png_2.5.2-1_i386.deb
to main/g/gif2png/gif2png_2.5.2-1_i386.deb
gif2png_2.5.2.orig.tar.gz
to main/g/gif2png/gif2png_2.5.2.orig.tar.gz
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 550978@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Erik Schanze <eriks@debian.org> (supplier of updated gif2png package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 04 Dec 2009 23:29:18 +0100
Source: gif2png
Binary: gif2png
Architecture: source i386
Version: 2.5.2-1
Distribution: unstable
Urgency: low
Maintainer: Erik Schanze <eriks@debian.org>
Changed-By: Erik Schanze <eriks@debian.org>
Description:
gif2png - GIF -> PNG conversions
Closes: 550978
Changes:
gif2png (2.5.2-1) unstable; urgency=low
.
* New upstream release
+ Removed 10_write_text_comment.dpatch and
20_manpage_fixes.dpatch, included upstream
* Added 10_fix_gif2png_c.dpatch, closes: #550978
* Added dpatch 20_remove_unneeded_libs to remove unneeded lib depends
(was shown by checklib)
* debian/control:
+ Updated to Standard version 3.8.3
+ Move Homepage into header
+ Increased debhelper version to 5
+ Added Build-Dep for xmlto, removed autotools
* Added debian/compat and debian/README.source files
* debian/rules:
+ Fix clean target, adapt and extend DEB_BUILD_OPTIONS
+ Reintroduced German manpage creation with xmlto, removed autotools stuff
Checksums-Sha1:
e866a684e5e4e5fe5ccf6c103640a3ff923c7ad1 1010 gif2png_2.5.2-1.dsc
0e9e66d6728fe7e2dcde61ad0e398a60894946b3 171740 gif2png_2.5.2.orig.tar.gz
01f1b327dfad3edb17995d7f06c7acefa0ab9023 13620 gif2png_2.5.2-1.diff.gz
1dc99ca4662d83f0c880f64948708d249e31eda2 38338 gif2png_2.5.2-1_i386.deb
Checksums-Sha256:
71f82ae08a80a7506d00dae51f6ca3186c6ec6b023d51e3e356d151d6aa3ed88 1010 gif2png_2.5.2-1.dsc
c1b4066ad37cdcb8681cecedd63daed8cb5c827344da465270f324bc12ff3ed7 171740 gif2png_2.5.2.orig.tar.gz
8d414e375274da33b810b3d43b532519d90c97ff6fca1901debec093b604d10b 13620 gif2png_2.5.2-1.diff.gz
e0ad06af9b40c9098251f84324fc7c2c07606db85615057d6603a686c62515c4 38338 gif2png_2.5.2-1_i386.deb
Files:
6bb50760e8fc28e298fff220713a05b2 1010 graphics optional gif2png_2.5.2-1.dsc
2200841f027c8481c4b8519dabf745b0 171740 graphics optional gif2png_2.5.2.orig.tar.gz
e295787637932a1e95f3a0f10b02a7de 13620 graphics optional gif2png_2.5.2-1.diff.gz
5cf8a23779f5a6bd74e105c768d9fdb1 38338 graphics optional gif2png_2.5.2-1_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAksbioYACgkQwAfeuzCCU0Uq2ACgpy5jwx3lzuuwcWfcUtxi0J94
OdkAoKiXiomQ2gODmgIfEbw/1vqX+2U4
=RzQk
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Erik Schanze <eriks@debian.org>: Bug#550978; Package gif2png. (Sun, 13 Dec 2009 15:57:05 GMT)
Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Erik Schanze <eriks@debian.org>. (Sun, 13 Dec 2009 15:57:05 GMT)
Bug no longer marked as fixed in versions gif2png/2.5.2-1 and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 13 Dec 2009 15:57:06 GMT)
Reply sent to Raphael Geissert <geissert@debian.org>: You have taken responsibility. (Sun, 13 Dec 2009 18:27:05 GMT)
Notification sent to Patroklos Argyroudis <argp@census-labs.com>: Bug acknowledged by developer. (Sun, 13 Dec 2009 18:27:05 GMT)
To: 550978-done@bugs.debian.org,
Michael Gilbert <michael.s.gilbert@gmail.com>
Subject: Re: Bug#550978: fixed in gif2png 2.5.2-1
Date: Sun, 13 Dec 2009 12:25:09 -0600
Source-Version: 2.5.2-1
> It is claimed that 2.5.2-1 is still affected by this issue [0].
> Please check. Thank you.
Debian version 2.5.2-1 is not, upstream 2.5.2 is.
Regards,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#550978; Package gif2png. (Sun, 13 Dec 2009 19:36:03 GMT)
Acknowledgement sent to Erik Schanze <eriks@debian.org>: Extra info received and forwarded to list. (Sun, 13 Dec 2009 19:36:03 GMT)
To: Michael Gilbert <michael.s.gilbert@gmail.com>,
550978@bugs.debian.org
Subject: Re: Bug#550978: Incomplete fix?
Date: Sun, 13 Dec 2009 20:32:25 +0100
Hi Michael,
Michael Gilbert <michael.s.gilbert@gmail.com>:
> It is claimed that 2.5.2-1 is still affected by this issue [0].
> Please check. Thank you.
>
Please have a look at the package changelog:
* Added 10_fix_gif2png_c.dpatch, closes: #550978
Because upstream didn't answer my forwarded bug report, I added a fix for this
issue as a dpatch to the package myself.
Afterwards I checked with the suggested exploit:
--------------------8<---------------------------------------8<------------------------
es@neo:~$ gif2png `python -c 'print "A"*2048'`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA: File name too long
--------------------8<---------------------------------------8<------------------------
Kind regards,
Erik
Information forwarded to debian-bugs-dist@lists.debian.org, Erik Schanze <eriks@debian.org>: Bug#550978; Package gif2png. (Sun, 13 Dec 2009 20:36:03 GMT)
Acknowledgement sent to Michael Gilbert <michael.s.gilbert@gmail.com>: Extra info received and forwarded to list. Copy sent to Erik Schanze <eriks@debian.org>. (Sun, 13 Dec 2009 20:36:03 GMT)
From: Michael Gilbert <michael.s.gilbert@gmail.com>
To: 550978@bugs.debian.org
Subject: Re: Bug#550978: Incomplete fix?
Date: Sun, 13 Dec 2009 15:32:49 -0500
On Sun, 13 Dec 2009 20:32:25 +0100 Erik Schanze wrote:
> Hi Michael,
>
> Michael Gilbert <michael.s.gilbert@gmail.com>:
> > It is claimed that 2.5.2-1 is still affected by this issue [0].
> > Please check. Thank you.
> >
>
> Please have a look on package changelog:
> * Added 10_fix_gif2png_c.dpatch, closes: #550978
>
> Because upstream didn't answer my bug forwarding, I added a fix for this
> issue as a dpatch in the package by myself.
>
> Afterwards I checked with the suggested exploit:
> --------------------8<---------------------------------------8<------------------------
> es@neo:~$ gif2png `python -c 'print "A"*2048'`
[...]
> File name too long
> --------------------8<---------------------------------------8<------------------------
OK, I just wanted to see if there was any validity to the full
disclosure claims. They said they tested against 2.5.2-1, but they
very well could have been mistaken. Looks like this can be safely
closed.
mike
Information forwarded to debian-bugs-dist@lists.debian.org, Erik Schanze <eriks@debian.org>: Bug#550978; Package gif2png. (Fri, 01 Jan 2010 16:24:03 GMT)
Acknowledgement sent to Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>: Extra info received and forwarded to list. Copy sent to Erik Schanze <eriks@debian.org>. (Fri, 01 Jan 2010 16:24:03 GMT)
Hi,
I am the Fedora maintainer of gif2png and think that the supplied patch
is incomplete. In main(), the following is done:
| - strcpy(name, argv[i]);
| + strncpy( name, argv[i], sizeof( name ) );
| ...
| strcat(name, ".gif");
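Review bot: strncpy(name, argv[i], sizeof(name)) in this hunk still lets the following strcat(name, ".gif") write past name. When argv[i] is sizeof(name) bytes or longer, strncpy writes no terminating NUL, so strcat scans beyond the array for one before appending; and even when the copy is terminated, any argument longer than sizeof(name) - 5 bytes leaves no room for the four extension bytes plus the NUL. Check strlen(argv[i]) + strlen(".gif") >= sizeof(name) before copying and reject the argument with an error rather than copying it.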
which could still overflow 'name'. I think that
http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?revision=HEAD&root=extras&view=markup
solves the issue better. It omits the changes in processfile() because
main() guarantees that 'fname' is short enough.
FWIW, 2.5.2 *is* affected; the -ENAMETOOLONG comes from the open(2)
call. Applying a modified exploit like
gif2png `perl -e "print '/' x 1024"`/a
still triggers the issue.
Enrico
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#550978; Package gif2png. (Fri, 01 Jan 2010 21:18:06 GMT)
Acknowledgement sent to Erik Schanze <eriks@debian.org>: Extra info received and forwarded to list. (Fri, 01 Jan 2010 21:18:06 GMT)
reopen 550978
thanks
Hi Enrico,
Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>:
> I am the Fedora maintainer of gif2png and think that the supplied patch
> is incomplete. In main(), there is done
>
> | - strcpy(name, argv[i]);
> | + strncpy( name, argv[i], sizeof( name ) );
> | ...
> | strcat(name, ".gif");
>
> which could still overflow 'name'. I think that
>
> http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?revision=HEAD&root=extras&view=markup
>
> solves the issue better.
You're right. Thank you for your attention.
> It omits the changes in processfile() because
> main() guarantees that 'fname' is short enough.
>
But processfile() will remain insecure.
I will adapt my patch with your suggestions.
> FWIW, 2.5.2 *is* affected; the -ENAMETOOLONG comes from the open(2)
> call.
> Applying a modified exploit like
>
> gif2png `perl -e "print '/' x 1024"`/a
>
> still triggers the issue.
>
Not for me:
$ gif2png `perl -e "print '/' x 1024"`/a
/////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////////a: No such file or directory
Kind regards,
Erik
Bug no longer marked as fixed in versions 2.5.2-1 and reopened. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 01 Jan 2010 21:18:11 GMT)
Reply sent to Erik Schanze <eriks@debian.org>: You have taken responsibility. (Fri, 01 Jan 2010 23:51:12 GMT)
Notification sent to Patroklos Argyroudis <argp@census-labs.com>: Bug acknowledged by developer. (Fri, 01 Jan 2010 23:51:12 GMT)
Source: gif2png
Source-Version: 2.5.2-2
We believe that the bug you reported is fixed in the latest version of
gif2png, which is due to be installed in the Debian FTP archive:
gif2png_2.5.2-2.diff.gz
to main/g/gif2png/gif2png_2.5.2-2.diff.gz
gif2png_2.5.2-2.dsc
to main/g/gif2png/gif2png_2.5.2-2.dsc
gif2png_2.5.2-2_i386.deb
to main/g/gif2png/gif2png_2.5.2-2_i386.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 550978@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Erik Schanze <eriks@debian.org> (supplier of updated gif2png package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Fri, 01 Jan 2010 21:29:18 +0100
Source: gif2png
Binary: gif2png
Architecture: source i386
Version: 2.5.2-2
Distribution: unstable
Urgency: low
Maintainer: Erik Schanze <eriks@debian.org>
Changed-By: Erik Schanze <eriks@debian.org>
Description:
gif2png - GIF -> PNG conversions
Closes: 550978
Changes:
gif2png (2.5.2-2) unstable; urgency=low
.
* Adapted 10_fix_gif2png_c.dpatch, closes: #550978
Checksums-Sha1:
8d0e9eca7b0f8b0a592a0870adfc277daf59ad16 1010 gif2png_2.5.2-2.dsc
4edc5056a19435430779f62ab50b15372a5dbe28 13655 gif2png_2.5.2-2.diff.gz
fae9001604d783ca0a7e05525bb93583deb36a0f 38640 gif2png_2.5.2-2_i386.deb
Checksums-Sha256:
af2702290aff36475e33bcb0501722b265d294054ccde11131ed2893b7568453 1010 gif2png_2.5.2-2.dsc
5f3418b8f9a61fbc20326eadb6f0ac467b8c802a72d9a8a576e9fdecb0516342 13655 gif2png_2.5.2-2.diff.gz
93874ba04f9e9f6c2ecd5674196f3aedfcea3950a7531efa2548bc6868c96abf 38640 gif2png_2.5.2-2_i386.deb
Files:
2644d3ec599722e0af93bee188da27f0 1010 graphics optional gif2png_2.5.2-2.dsc
51d2cc3eb4eab1e0d26bd4027d5cd6e0 13655 graphics optional gif2png_2.5.2-2.diff.gz
68e2f726a364aeb3ace679cf4dae745a 38640 graphics optional gif2png_2.5.2-2_i386.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAks+hY8ACgkQwAfeuzCCU0Ww1gCeMgCMVioPAFowQmq7NUdFCwYZ
ZZoAnAv7ZrNylTUbSmwdgg+d+vkfbYw9
=8nkf
-----END PGP SIGNATURE-----
Information forwarded to debian-bugs-dist@lists.debian.org, Erik Schanze <eriks@debian.org>: Bug#550978; Package gif2png. (Sat, 02 Jan 2010 11:33:03 GMT)
Acknowledgement sent to Enrico Scholz <enrico.scholz@informatik.tu-chemnitz.de>: Extra info received and forwarded to list. Copy sent to Erik Schanze <eriks@debian.org>. (Sat, 02 Jan 2010 11:33:03 GMT)
Erik Schanze <schanzi_@gmx.de> writes:
>> http://cvs.fedoraproject.org/viewvc/rpms/gif2png/devel/gif2png-overflow.patch?revision=HEAD&root=extras&view=markup
>>
>> solves the issue better.
>
> You're right. Thank you for your attention.
FWIW, I changed my patch to abort/fail when the filename length exceeds a
certain size. That's better than the current strncpy() stuff, which
might cause a different file to be processed than the one that was given (and
perhaps validated) by the caller.
>> It omits the changes in processfile() because main() guarantees that
>> 'fname' is short enough.
>>
> But processfile() will remain insecure.
Does not matter... it is called from main() only, which does all the
range checking.
> I will adapt my patch with your suggestions.
>
>> FWIW, 2.5.2 *is* affected; the -ENAMETOOLONG comes from the open(2)
>> call.
>> Applying a modified exploit like
>>
>> gif2png `perl -e "print '/' x 1024"`/a
>>
>> still triggers the issue.
>>
> Not for me:
Adjust the '1024'; on Fedora/RHEL it was not the buffer overflow that caused the
crash but the FORTIFY_SOURCE checks.
$ gif2png `perl -e "print '/' x 1024"`/a
*** buffer overflow detected ***: gif2png terminated
======= Backtrace: =========
/lib/libc.so.6(__chk_fail+0x41)[0xb76b31c1]
/lib/libc.so.6(__strcpy_chk+0x43)[0xb76b25e3]
gif2png[0x804aae6]
/lib/libc.so.6(__libc_start_main+0xdc)[0xb75e2e9c]
gif2png[0x8048f21]
======= Memory map: ========
Enrico
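The name-building variants this thread argues about, run side by side as an added example (illustration code written for this page; it is not gif2png's source and not any of the patches discussed): the 2.5.1 strcpy() from the original report, the strncpy()+strcat() sequence Enrico quotes from the 2.5.2-1 dpatch, a strncpy() that silently shortens the name (the behaviour his follow-up warns would make gif2png open a different file than the caller passed), and a length check that rejects overlong arguments the way his patch does. The array size (NAME_SIZE = 64), the backing region, and the helper names build_name() and run() are assumptions; the page does not give the real size of gif2png's name[]. Each variant runs inside a larger backing buffer so that the overflowing calls stay within defined memory while the code measures where they wrote:

```c
/* Added illustration for Bug#550978; this is not gif2png's code.  It runs the name-building
 * variants discussed in this thread side by side: the 2.5.1 strcpy(), the strncpy()+strcat()
 * from the 2.5.2-1 dpatch, a silently truncating strncpy(), and a length check that rejects
 * overlong arguments.  NAME_SIZE is an assumed value; the page does not state the real
 * size of gif2png's name[] array. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_SIZE    64      /* logical size of name[] (assumption) */
#define SCRATCH_SIZE 4096    /* physical backing region; nothing below writes outside it */
#define EXT          ".gif"

enum strategy {
    STRAT_STRCPY,    /* 2.5.1:          strcpy(name, argv[i]);  strcat(name, EXT);             */
    STRAT_STRNCPY,   /* 2.5.2-1 dpatch: strncpy(name, argv[i], sizeof name); strcat(name, EXT); */
    STRAT_TRUNCATE,  /* bounded strncpy() that quietly shortens the name to make room for EXT  */
    STRAT_REJECT     /* length check first: refuse an argument that cannot fit, as Enrico does */
};

struct outcome {
    int    rc;          /* 0 = name built, -1 = rejected, -2 = too long for this demo's backing */
    int    err;         /* ENAMETOOLONG when rc == -1 */
    size_t end;         /* offset one past the terminating NUL of the built string */
    int    overflowed;  /* 1 if the strategy wrote beyond the NAME_SIZE bytes of name[] */
    int    truncated;   /* 1 if the built name is not "<arg>.gif" (a different file would be opened) */
};

/* The first NAME_SIZE bytes of `scratch` stand in for name[].  The rest is pre-filled with
 * 'X' and given one NUL near the end, so a strcat() that runs off name[] (as the real
 * program's does) still stops inside defined memory, and `end` records how far it wrote. */
static struct outcome build_name(enum strategy s, const char *arg)
{
    static char scratch[SCRATCH_SIZE];
    struct outcome o = {0};
    size_t arglen = strlen(arg), extlen = strlen(EXT);

    if (arglen + extlen + 1 > SCRATCH_SIZE) {       /* demo guard only, not part of any fix */
        o.rc = -2;
        return o;
    }
    memset(scratch, 'X', sizeof scratch);
    scratch[SCRATCH_SIZE - 1 - extlen] = '\0';      /* guard NUL: strcat() appends here at the latest */

    switch (s) {
    case STRAT_STRCPY:
        strcpy(scratch, arg);                        /* no bound at all: the original bug */
        strcat(scratch, EXT);
        break;
    case STRAT_STRNCPY:
        strncpy(scratch, arg, NAME_SIZE);            /* arglen >= NAME_SIZE: no terminator written */
        strcat(scratch, EXT);                        /* arglen >= NAME_SIZE - 5: EXT lands past name[] */
        break;
    case STRAT_TRUNCATE:
        strncpy(scratch, arg, NAME_SIZE - extlen - 1);
        scratch[NAME_SIZE - extlen - 1] = '\0';      /* always terminated, but the name may be cut */
        strcat(scratch, EXT);
        break;
    case STRAT_REJECT:
        if (arglen + extlen + 1 > NAME_SIZE) {       /* fail loudly instead of truncating/overflowing */
            o.rc = -1;
            o.err = ENAMETOOLONG;
            return o;
        }
        strcpy(scratch, arg);                        /* safe: the check above proved it fits */
        strcat(scratch, EXT);
        break;
    }
    o.end = strlen(scratch) + 1;
    o.overflowed = o.end > NAME_SIZE;
    o.truncated = !o.overflowed && o.end != arglen + extlen + 1;
    return o;
}

/* Demo helper: an argument of `n` copies of `c`, like the report's python -c 'print "A"*2048'. */
static struct outcome run(enum strategy s, char c, size_t n)
{
    static char arg[SCRATCH_SIZE];
    if (n >= sizeof arg)
        n = sizeof arg - 1;
    memset(arg, c, n);
    arg[n] = '\0';
    return build_name(s, arg);
}

int main(void)
{
    static const char *label[] = {"strcpy (2.5.1)", "strncpy+strcat (2.5.2-1)", "truncating strncpy", "length check"};
    size_t lens[] = {1, NAME_SIZE - 6, NAME_SIZE - 5, NAME_SIZE, 1026, 2048};   /* 1026 = '/' x 1024 + "/a" */
    for (int s = STRAT_STRCPY; s <= STRAT_REJECT; s++)
        for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
            struct outcome o = run((enum strategy)s, 'A', lens[i]);
            printf("%-26s arglen=%4zu rc=%2d end=%4zu %s\n", label[s], lens[i], o.rc, o.end,
                   o.rc == -1 ? "rejected (ENAMETOOLONG)" : o.overflowed ? "OVERFLOW past name[]"
                   : o.truncated ? "truncated: different file" : "fits");
        }
    return 0;
}
```

Compile with `cc -std=c99 -Wall` and run it without arguments. The table shows that the strncpy()+strcat() variant writes past name[] for any argument of NAME_SIZE - 5 bytes or more, and that for arguments of NAME_SIZE bytes or more it only stops at whatever NUL happens to follow the array, so whether the process crashes depends on what lies after name[] in memory; that is consistent with Erik seeing only "No such file or directory" on Debian while Enrico's FORTIFY_SOURCE build aborted. The truncating variant never overflows but builds a name that differs from the one the caller passed, which is the point Enrico makes against strncpy(); only the length check gives a clean ENAMETOOLONG. Building with `-O2 -D_FORTIFY_SOURCE=2` turns the unbounded strcpy() into __strcpy_chk(), which is the __chk_fail backtrace shown in Enrico's Fedora run.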
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 09 Feb 2010 07:35:14 GMT)