Debian Bug report logs - #778261
byzanz: CVE-2015-2785: Buffer overflow in GIF encoder

Package: byzanz; Maintainer for byzanz is Markus Koschany <apo@debian.org>; Source for byzanz is src:byzanz (PTS, buildd, popcon).

Reported by: Moritz Muehlenhoff <jmm@debian.org>

Date: Thu, 12 Feb 2015 22:18:02 UTC

Severity: important

Tags: security, upstream, wontfix

Forwarded to https://bugzilla.gnome.org/show_bug.cgi?id=749674




Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Markus Koschany <apo@gambaru.de>:
Bug#778261; Package byzanz. (Thu, 12 Feb 2015 22:18:06 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Markus Koschany <apo@gambaru.de>. (Thu, 12 Feb 2015 22:18:06 GMT) (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Buffer overflow in GIF encoder
Date: Thu, 12 Feb 2015 23:13:57 +0100
Package: byzanz
Severity: important
Tags: security

Hi,
this was reported by Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=852481

I'm afraid there are no further details, but maybe you can
get in touch with upstream; I suppose Red Hat had contacted
them and it might already be fixed by now?

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#778261; Package byzanz. (Thu, 12 Feb 2015 23:30:13 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. (Thu, 12 Feb 2015 23:30:13 GMT) (full text, mbox, link).


Message #10 received at 778261@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@gambaru.de>
To: Moritz Muehlenhoff <jmm@debian.org>, 778261@bugs.debian.org
Subject: Re: Bug#778261: Buffer overflow in GIF encoder
Date: Fri, 13 Feb 2015 00:28:28 +0100
[Message part 1 (text/plain, inline)]
Control: tags -1 moreinfo

On Thu, 12. Feb 23:13 Moritz Muehlenhoff <jmm@debian.org> wrote:
> Package: byzanz
> Severity: important
> Tags: security
>
> Hi,
> this was reported by Red Hat:
> https://bugzilla.redhat.com/show_bug.cgi?id=852481
>
> I'm afraid there are no further details, but maybe you can
> get in touch with upstream; I suppose Red Hat had contacted
> them and it might already be fixed by now?

Hi Moritz,

I have been trying to find out more about this security issue but so far
without having any luck. Apparently the bug was reported 2.5 years ago
but there are no hints at Red Hat's bug tracker which could help us or
would at least point us to the affected code in question. Why
did they escalate this to seclists.org just now?

http://seclists.org/oss-sec/2015/q1/447

I checked upstream's git repository but I could not find any commits
related to some kind of security issue with the GIF encoder or the
playback tool.

https://git.gnome.org/browse/byzanz/

However I know for sure, if upstream released a fix it would be
included in Debian. The package is up to date and only some minor language
updates from November 2014 are currently missing.

I couldn't find anything useful at Fedora either.

http://pkgs.fedoraproject.org/cgit/byzanz.git/

I will keep an eye on this Red Hat bug report but at the moment I just
do not have enough information to work on something.

Regards,

Markus

[signature.asc (application/pgp-signature, inline)]

Added tag(s) moreinfo. Request was from Markus Koschany <apo@gambaru.de> to 778261-submit@bugs.debian.org. (Thu, 12 Feb 2015 23:30:13 GMT) (full text, mbox, link).


Changed Bug title to 'byzanz: Buffer overflow in GIF encoder' from 'Buffer overflow in GIF encoder' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 13 Feb 2015 18:57:09 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Markus Koschany <apo@gambaru.de>:
Bug#778261; Package byzanz. (Sun, 15 Feb 2015 12:18:05 GMT) (full text, mbox, link).


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Markus Koschany <apo@gambaru.de>. (Sun, 15 Feb 2015 12:18:05 GMT) (full text, mbox, link).


Message #19 received at 778261@bugs.debian.org (full text, mbox, reply):

From: Moritz Mühlenhoff <jmm@inutil.org>
To: Markus Koschany <apo@gambaru.de>, mmcallis@redhat.com
Cc: 778261@bugs.debian.org
Subject: Re: Bug#778261: Buffer overflow in GIF encoder
Date: Sun, 15 Feb 2015 13:15:33 +0100
On Fri, Feb 13, 2015 at 12:28:28AM +0100, Markus Koschany wrote:
> Control: tags -1 moreinfo
> 
> On Thu, 12. Feb 23:13 Moritz Muehlenhoff <jmm@debian.org> wrote:
> > Package: byzanz
> > Severity: important
> > Tags: security
> >
> > Hi,
> > this was reported by Red Hat:
> > https://bugzilla.redhat.com/show_bug.cgi?id=852481
> >
> > I'm afraid there are no further details, but maybe you can
> > get in touch with upstream; I suppose Red Hat had contacted
> > them and it might already be fixed by now?
> 
> Hi Moritz,
> 
> I have been trying to find out more about this security issue but so far
> without having any luck. Apparently the bug was reported 2.5 years ago
> but there are no hints at Red Hat's bug tracker which could help us or
> would at least point us to the affected code in question. Why
> did they escalate this to seclists.org just now?
> 
> http://seclists.org/oss-sec/2015/q1/447

They did some spring cleaning of embargoed issues which fell through the cracks.

> I checked upstream's git repository but I could not find any commits
> related to some kind of security issue with the GIF encoder or the
> playback tool.
> 
> https://git.gnome.org/browse/byzanz/
> 
> However I know for sure, if upstream released a fix it would be
> included in Debian. The package is up to date and only some minor language
> updates from November 2014 are currently missing.
> 
> I couldn't find anything useful at Fedora either.
> 
> http://pkgs.fedoraproject.org/cgit/byzanz.git/
> 
> I will keep an eye on this Red Hat bug report but at the moment I just
> do not have enough information to work on something.

Let's add Murray McAllister (the original reporter) to CC:
Murray, can you provide additional information on the
byzanz issue discovered by you, was it forwarded upstream?

Cheers,
        Moritz


Changed Bug title to 'byzanz: CVE-2015-2785: Buffer overflow in GIF encoder' from 'byzanz: Buffer overflow in GIF encoder' Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Sun, 29 Mar 2015 20:18:15 GMT) (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#778261; Package byzanz. (Thu, 21 May 2015 11:27:05 GMT) (full text, mbox, link).


Acknowledgement sent to Markus Koschany <apo@gambaru.de>:
Extra info received and forwarded to list. (Thu, 21 May 2015 11:27:05 GMT) (full text, mbox, link).


Message #26 received at 778261@bugs.debian.org (full text, mbox, reply):

From: Markus Koschany <apo@gambaru.de>
To: 778261@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#778261: Buffer overflow in GIF encoder
Date: Thu, 21 May 2015 13:24:26 +0200
[Message part 1 (text/plain, inline)]
tags 778261 - moreinfo
forwarded 778261 https://bugzilla.gnome.org/show_bug.cgi?id=749674
thanks

A short summary about what happened so far:

I asked for additional information by sending an e-mail to Red Hat's bug
tracker.

https://bugzilla.redhat.com/show_bug.cgi?id=852481

I was contacted by Stefan Cornelius from the Red Hat security team and
he sent me a reproducer for this vulnerability. This one is not intended
for public use, so interested parties who would like to fix this issue
should contact

	secalert@redhat.com

and ask for it there.

I have reported this issue upstream.

https://bugzilla.gnome.org/show_bug.cgi?id=749674


Red Hat has already closed this bug report again and marked it as
"wontfix". This means they "deem the overall real world risks to
be very low and have no immediate plans to fix the issue."

I think it is quite unlikely that someone is able to exploit this
vulnerability remotely. It might be possible to send someone a specially
crafted .byzanz file and possibly execute arbitrary code. The reproducer
which I have received causes a segmentation fault.

However .byzanz files are only used for debugging purposes and are more
targeted at developers or benchmarks. A user also has to convert the
.byzanz file to a gif file with byzanz-playback, like this:

	byzanz-playback test.byzanz test.gif


I haven't heard anything from upstream so far. I consider the overall
risk being low but this is still a bug that should be fixed. If someone
can come up with a patch, please let me know.

Markus

[signature.asc (application/pgp-signature, attachment)]
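The message above says only that the (non-public) reproducer makes byzanz-playback segfault. The helper below is an added example, not part of this bug log or of byzanz: it runs a reproducer command such as `byzanz-playback test.byzanz test.gif` and classifies the outcome from the exit status, since POSIX shells report a child killed by signal N as 128+N (139 for SIGSEGV). Because neither byzanz-playback nor the Red Hat reproducer is available here, the demonstration at the bottom uses a constructed stand-in, a shell that kills itself with SIGSEGV.

```shell
# Added example (not from the bug report or the byzanz project): a small
# triage helper for a reproducer like the one discussed above. It runs the
# given command, e.g. "byzanz-playback test.byzanz test.gif", and classifies
# the result from the exit status. POSIX shells report a child killed by
# signal N as status 128+N, so a segmentation fault shows up as 139.
crash_class() {
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo ok
    elif [ "$rc" -gt 128 ] && [ "$rc" -lt 256 ]; then
        sig=$((rc - 128))
        case $sig in
            11) echo SIGSEGV ;;   # the segmentation fault the reproducer triggers
            6)  echo SIGABRT ;;   # e.g. glibc heap-check failure or assert()
            7)  echo SIGBUS ;;
            *)  echo "signal $sig" ;;
        esac
    else
        echo "exit $rc"          # ordinary failure, e.g. 127 = command not found
    fi
}

# Stand-in for the crashing conversion (constructed: byzanz-playback and the
# Red Hat reproducer are not available here). A shell that kills itself with
# SIGSEGV looks, as far as the exit status goes, exactly like a crashing encoder.
crash_class sh -c 'kill -s SEGV $$'              # prints SIGSEGV
crash_class sh -c 'exit 3'                       # prints "exit 3"
```

The helper only tells you how the process died, which is enough to confirm a segfault like the one reported but not whether the fault is an exploitable out-of-bounds write or a plain bad dereference; for that, rebuild byzanz with `-fsanitize=address` or run the reproducer under gdb and look at the faulting instruction and address.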

Removed tag(s) moreinfo. Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Thu, 21 May 2015 11:27:17 GMT) (full text, mbox, link).


Set Bug forwarded-to-address to 'https://bugzilla.gnome.org/show_bug.cgi?id=749674'. Request was from Markus Koschany <apo@gambaru.de> to control@bugs.debian.org. (Thu, 21 May 2015 11:27:17 GMT) (full text, mbox, link).


Added tag(s) upstream and wontfix. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 05 Jul 2018 02:00:29 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Feb 19 21:23:34 2025; Machine Name: bembo

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU General Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.