Your message dated Sun, 13 Dec 2009 12:25:09 -0600
with message-id <[email protected]>
and subject line Re: Bug#550978: fixed in gif2png 2.5.2-1
has caused the Debian Bug report #550978,
regarding gif2png: Command line buffer overflow
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
550978: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550978
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gif2png
Version: 2.5.1-3
Severity: normal
gif2png is prone to a command line buffer overflow since there is a
strcpy(3) call that fails to bounds-check user-supplied data before copying
it to a fixed-size buffer. Here is a transcript:
[a...@hegel /tmp]$ gif2png `python -c 'print "A"*2048'`
Segmentation fault (core dumped)
[a...@hegel /tmp]$ gdb -q gif2png -c core
(no debugging symbols found)
warning: Can't read pathname for load map: Input/output error.
Reading symbols from /usr/lib/libpng12.so.0...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libpng12.so.0
Reading symbols from /lib/i686/cmov/libm.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i686/cmov/libm.so.6
Reading symbols from /usr/lib/libz.so.1...(no debugging symbols found)...done.
Loaded symbols for /usr/lib/libz.so.1
Reading symbols from /lib/i686/cmov/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i686/cmov/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
(no debugging symbols found)
Core was generated by `AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'.
Program terminated with signal 11, Segmentation fault.
#0 0xb7e6c6ed in ?? () from /lib/i686/cmov/libc.so.6
gdb $ i r
eax 0x41414141 0x41414141
ecx 0xb7f5960c 0xb7f5960c
edx 0xbfffe960 0xbfffe960
ebx 0xb7f57ff4 0xb7f57ff4
esp 0xbfffe384 0xbfffe384
ebp 0xbfffe3d8 0xbfffe3d8
esi 0xb7f3b1da 0xb7f3b1da
edi 0xb7f3b1e4 0xb7f3b1e4
eip 0xb7e6c6ed 0xb7e6c6ed
eflags 0x10206 [ PF IF RF ]
cs 0x73 0x73
ss 0x7b 0x7b
ds 0x7b 0x7b
es 0x7b 0x7b
fs 0x0 0x0
gs 0x33 0x33
The bug is located at file gif2png.c, line number 901
(strcpy(name, argv[i])) where name is a fixed size char array. This may
have security repercussions if gif2png is configured as a handler for
other applications that can pass user-supplied filenames as command line
input to gif2png (e.g. from a CGI or other).
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-1-686-bigmem (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=el_GR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages gif2png depends on:
ii libc6 2.9-25 GNU C Library: Shared libraries
ii libpng12-0 1.2.39-1 PNG library - runtime
ii zlib1g 1:1.2.3.3.dfsg-15 compression library - runtime
Versions of packages gif2png recommends:
ii python 2.5.4-2 An interactive high-level object-o
gif2png suggests no packages.
-- no debconf information
--- End Message ---
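The pattern the report points at (an unchecked strcpy() of argv[i] into a fixed-size stack array) next to a bounds-checked replacement, as an added example in C. This is not gif2png's code and not part of the bug thread; the buffer size NAME_BUF, the function names and the 2048-byte run of 'A' are assumptions and constructed input for illustration. Only the strcpy(name, argv[i]) shape is taken from the report.

```c
/* Added example, not gif2png's code. NAME_BUF and the function names are
 * hypothetical; gif2png's real buffer size is not stated in the report. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_BUF 256   /* hypothetical fixed size of the "name" array */

/* The vulnerable shape from the report: no length check, so an argv element
 * of NAME_BUF bytes or more runs past the end of "name" on the stack (the
 * 0x41414141 in eax in the gdb transcript is that overrun data being used).
 * Kept only for comparison; never call it with untrusted input. */
void copy_name_unchecked(char *name, const char *arg)
{
    strcpy(name, arg);
}

/* Bounds-checked replacement. It refuses an argument that does not fit,
 * including its terminating NUL, rather than truncating silently: a truncated
 * filename could quietly name a different file. Returns 0 on success and -1
 * when the argument is too long; "name" is left untouched on failure. */
int copy_name_checked(char *name, size_t namesz, const char *arg)
{
    size_t len = 0;
    /* Bounded scan: never looks more than namesz bytes into arg. */
    while (len < namesz && arg[len] != '\0') {
        len++;
    }
    if (len == namesz) {
        return -1;             /* needs len + 1 bytes, only namesz available */
    }
    memcpy(name, arg, len + 1); /* copies the NUL as well */
    return 0;
}

/* Reproduces the report's input in-process (constructed input): the
 * equivalent of gif2png `python -c 'print "A"*2048'`. Returns the result of
 * the checked copy, which is -1 (rejected, no overflow). */
int demo_overlong_argument(void)
{
    char name[NAME_BUF];
    char *arg = malloc(2048 + 1);
    int rc;
    if (arg == NULL) {
        return -2;
    }
    memset(arg, 'A', 2048);
    arg[2048] = '\0';
    rc = copy_name_checked(name, sizeof name, arg);
    free(arg);
    return rc;
}

/* Stand-alone driver mirroring the command line use in the report. */
int main(int argc, char **argv)
{
    char name[NAME_BUF];
    int i;
    for (i = 1; i < argc; i++) {
        if (copy_name_checked(name, sizeof name, argv[i]) != 0) {
            fprintf(stderr, "%s: argument %d longer than %zu bytes, refusing\n",
                    argv[0], i, sizeof name - 1);
            return 2;
        }
        printf("ok: %s\n", name);
    }
    return 0;
}
```

Run with the report's reproducer, ./a.out `python -c 'print "A"*2048'`, and the checked version exits with status 2 and a message instead of a segmentation fault. The choice to reject rather than truncate matters for the CGI-style deployment the reporter describes: a hard error is visible to the calling application, whereas a silently shortened path is another way for attacker-controlled input to change which file gets opened.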
--- Begin Message ---
Source-Version: 2.5.2-1
> It is claimed that 2.5.2-1 is still affected by this issue [0].
> Please check. Thank you.
Debian version 2.5.2-1 is not, upstream 2.5.2 is.
Regards,
--
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
--- End Message ---