Package: libpano13-bin
Version: 2.9.20~rc2+dfsg-3
Severity: normal
X-Debbugs-Cc: kangwoos...@gmail.com

Dear Maintainer,

In libpano13, there is a format string vulnerability that can lead to reading and writing arbitrary memory values.

The vulnerability starts in panoCroppingMain() in PTcommon.c. The program gets 'outputPrefix' using getopt() at line 1829.

    1829         case 'p':
    1830             if (strlen(optarg) < MAX_PATH_LENGTH) {
    1831                 strcpy(outputPrefix, optarg);
    1832             } else {
    1833                 PrintError("Illegal length for output prefix");
    1834                 return -1;
    1835             }
    1836             break;

Then 'outputPrefix' is passed to sprintf() in panoFileOutputNamesCreate() without sanitizing. This causes the format string bug which can crash the program.

    1882     if (panoFileOutputNamesCreate(ptrOutputFiles, filesCount, outputPrefix) == 0) {
    1883         return -1;
    1884     }

    2915         sprintf( outputFilename, outputPrefix, i );    (in file.c)

There is a simple example of this vulnerability using tests/simpleTiff16/060520_3398.TIF.

    > PTcrop -p "%p.%p.%p.%p" -f ./060520_3398.TIF
    PTcrop Version 2.9.20 , by Daniel M German
    Output prefix 1 %p.%p.%p.%p
    Cropping 1 files
    Processing 0 reading ./060520_3398.TIF creating (nil).0x1c.0x78302e296c696e28.tif
    TIFFFetchNormalTag: Warning, Incorrect value for "RichTIFFIPTC"; tag ignored.

Thank you.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.72-microsoft-standard-WSL2 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages libpano13-bin depends on:
ii  libc6        2.31-9
ii  libpano13-3  2.9.20~rc2+dfsg-3

libpano13-bin recommends no packages.

libpano13-bin suggests no packages.

-- no debconf information
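
An added example, not part of the original report and not libpano13's own code: one way to guard a call like `sprintf( outputFilename, outputPrefix, i )` is to accept the user-supplied template only when it holds literal text, `%%`, and at most one `%d`-style conversion, and to bound the write with `snprintf`. The names `prefix_template_ok` and `make_output_name` are hypothetical, and treating the prefix as a numbered template is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: returns 1 only if tmpl is safe to use as a printf
 * format with exactly one int argument, i.e. it contains nothing but
 * literal text, "%%", and at most one "%d" with up to 3 flag/width digits. */
int prefix_template_ok(const char *tmpl)
{
    int conversions = 0;
    for (const char *p = tmpl; *p; p++) {
        if (*p != '%')
            continue;
        p++;                          /* look at the character after '%' */
        if (*p == '%')
            continue;                 /* "%%" is a literal percent sign */
        for (int digits = 0; digits < 3 && isdigit((unsigned char)*p); digits++)
            p++;
        if (*p != 'd' || ++conversions > 1)
            return 0;                 /* %p, %n, %s, "%" at end, second %d */
    }
    return 1;
}

/* Hypothetical wrapper: writes the name for file index i into out.
 * Returns 0 on success, -1 if the template is rejected or would not fit. */
int make_output_name(char *out, size_t outlen, const char *tmpl, int i)
{
    if (!prefix_template_ok(tmpl))
        return -1;
    int n = snprintf(out, outlen, tmpl, i);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    /* Constructed inputs; the second is the prefix used in the report. */
    const char *samples[] = { "pano%04d", "%p.%p.%p.%p", "out%n", "100%%_%d" };
    char name[64];
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        if (make_output_name(name, sizeof name, samples[k], 7) == 0)
            printf("%-14s -> %s\n", samples[k], name);
        else
            printf("%-14s -> rejected\n", samples[k]);
    }
    return 0;
}
```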