Package: xloadimage
Version: 4.1-14
Severity: normal
Tags: security, patch
Good day,
From CAN-2005-0638:
| xloadimage before 4.1-r2, and xli before 1.17, allows attackers to
| execute arbitrary commands via shell metacharacters in filenames for
| compressed images, which are not properly quoted when calling the
| gunzip command.
More info available here:
http://bugs.gentoo.org/show_bug.cgi?id=79762
Attached to this mail is the Gentoo patch that fixed the shell
metacharacters issue but not the buffer overflow issue mentioned
in the bug report. I have mailed Gentoo guy Tavis Ormandy about this
other vulnerability and will open another bug if necessary.
I think woody is also vulnerable.
Regards.
-- System Information:
Debian Release: 3.1
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: powerpc (ppc)
Kernel: Linux 2.6.10-powerpc
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=ISO-8859-15)
Versions of packages xloadimage depends on:
ii libc6 2.3.2.ds1-20 GNU C Library: Shared libraries an
ii libjpeg62 6b-10 The Independent JPEG Group's JPEG
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libtiff4 3.7.1-4 Tag Image File Format (TIFF) libra
ii libx11-6 4.3.0.dfsg.1-12 X Window System protocol client li
ii xlibs 4.3.0.dfsg.1-12 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4 compression library - runtime
-- no debconf information
--- xloadimage.4.1/zio.c 1993-10-28 17:10:02.000000000 +0000
+++ xloadimage.4.1/zio.c 2005-02-28 15:32:05.895470680 +0000
@@ -210,9 +211,30 @@
if ((strlen(name) > strlen(filter->extension)) &&
!strcmp(filter->extension,
name + (strlen(name) - strlen(filter->extension)))) {
- debug(("Filtering image through '%s'\n", filter->filter));
- zf->type= ZPIPE;
- sprintf(buf, "%s %s", filter->filter, name);
+ char *fname, *t, *s;
+
+ /* meta-char protection from xli.
+ *
+ * protect in single quotes, replacing single quotes
+ * with '"'"', so worst-case expansion is 5x
+ */
+
+ s = fname = (char *) lmalloc(1 + (5 * strlen(name)) + 1 + 1);
+ *s++ = '\'';
+ for (t = name; *t; ++t) {
+ if ('\'' == *t) {
+ /* 'foo'bar' -> 'foo'"'"'bar' */
+ strcpy(s, "'\"'\"'");
+ s += strlen(s);
+ } else {
+ *s++ = *t;
+ }
+ }
+ strcpy (s, "'");
+ debug(("Filtering image through '%s'\n", filter->filter));
+ zf->type= ZPIPE;
+ sprintf(buf, "%s %s", filter->filter, fname);
+ lfree (fname);
if (! (zf->stream= popen(buf, "r"))) {
lfree((byte *)zf->filename);
zf->filename= NULL;
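Review bot: the quoted filename is allocated for a worst case of 5 * strlen(name) + 2 characters plus NUL, but it is then written with `sprintf(buf, "%s %s", filter->filter, fname);` into `buf`, whose size is not visible in this hunk, so the buffer overflow the report says is left open is indeed not closed here; use `snprintf(buf, sizeof(buf), "%s %s", filter->filter, fname)` and refuse to popen() on truncation, or allocate `buf` from `strlen(filter->filter) + strlen(fname) + 2`. The single-quote wrapping itself is the right approach: inside single quotes the shell expands nothing, and each embedded `'` is replaced by `'"'"'`, which closes the quote, emits a double-quoted `'`, and reopens it. A short comment on the lmalloc() size expression (opening quote, 5x body, closing quote, NUL) would make the arithmetic easier to verify in review.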