Package: netpbm
Version: 2:10.0-10.1
Severity: grave
Justification: heap corruption, possible user security hole
Tags: security

pnmtopng can be called with a -text <filename> parameter to embed
additional textual information in the created png file. Each line in
<filename> is a key-value pair with the first space or tab character
as separator (folded lines are possible, too; see the manpage for
details).

The read_text routine does not properly deal with empty lines, nor with
end of file when the last character in the file is a newline, which is
the usual case. In such a situation a buffer of one byte length is
allocated and filled with the previous(!) line's value. If that value
is more than 14 bytes long (on i386; the limit might differ on other
architectures), the heap apparently gets corrupted and pnmtopng
segfaults later somewhere deep in libpng's write routines.
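As an added illustration (example code, not netpbm's read_text), here is a reader for the same key/value format that never hands a zero-length line to the storing step, so a blank line or a trailing \n at EOF cannot reach the one-byte allocation described above. It reads from an in-memory buffer instead of a FILE; the names parse_text_chunks, store_line and dup_range are hypothetical, and joining a folded line to the previous value with a single space is an assumption about the format.

```c
#include <stdlib.h>
#include <string.h>
struct text_entry { char *key; char *value; };
static char *dup_range(const char *s, size_t n) {      /* NUL-terminated copy of s[0..n) */
    char *d = malloc(n + 1);
    if (d) { memcpy(d, s, n); d[n] = '\0'; }
    return d;
}
/* Store one complete, non-empty line: a line starting with space/tab is a folded
 * continuation of the previous value (joined with one space; an assumption made
 * here), anything else is "key<space-or-tab>value". Returns the new count or -1. */
static int store_line(const char *line, struct text_entry *out, int n, int max) {
    if (line[0] == ' ' || line[0] == '\t') {
        if (n == 0) return n;                        /* continuation without a key: drop it */
        const char *v = line; while (*v == ' ' || *v == '\t') v++;
        size_t old = strlen(out[n-1].value), add = strlen(v);
        char *nv = malloc(old + add + 2); if (!nv) return -1;
        memcpy(nv, out[n-1].value, old); nv[old] = ' '; memcpy(nv + old + 1, v, add + 1);
        free(out[n-1].value); out[n-1].value = nv;
        return n;
    }
    if (n >= max) return -1;
    size_t klen = strcspn(line, " \t");              /* key ends at the first space or tab */
    const char *v = line + klen; while (*v == ' ' || *v == '\t') v++;
    out[n].key = dup_range(line, klen);
    out[n].value = dup_range(v, strlen(v));
    return (out[n].key && out[n].value) ? n + 1 : -1;
}
/* Parse a whole -text file held in memory; returns the entry count or -1 on failure.
 * Empty lines, including the one a trailing '\n' at EOF would produce, are skipped. */
int parse_text_chunks(const char *text, struct text_entry *out, int max) {
    int n = 0; char *line = NULL; size_t len = 0, cap = 0;
    for (const char *p = text;; p++) {
        char c = *p;
        if (c != '\n' && c != '\0') {                /* accumulate the current line */
            if (len + 2 > cap) {                     /* room for c plus a terminating NUL */
                char *nb = realloc(line, cap = cap ? cap * 2 : 32);
                if (!nb) { free(line); return -1; } line = nb;
            }
            line[len++] = c; continue;
        }
        if (len > 0) {                               /* the fix: never store a zero-length line */
            line[len] = '\0';
            if ((n = store_line(line, out, n, max)) < 0) { free(line); return -1; }
            len = 0;                                 /* reuse the buffer for the next line */
        }
        if (c == '\0') break;
    }
    free(line); return n;
}
```

Feeding it the exact text file from step 2 below (with its trailing newline) yields one entry, where the original reader would have processed a second, empty line.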


How to repeat:
1. Pick an arbitrary pnm file, e.g.
$ wget http://www.debian.org/logos/openlogo-nd-50.png
$ pngtopnm openlogo-nd-50.png >logo.pnm

2. Create a key/value text file with a value more than 14 bytes
long, e.g.
$ echo 'key 0123456789abcdef' >textfile

3. Create a png from the pnm file, embed the text
$ pnmtopng -text textfile logo.pnm >logo.png
pnmtopng: 17 colors found
Segmentation fault (core dumped)
$


Additional information:
- This problem also exists in Debian sarge (aka stable).

- A shorter value avoids the crash:
$ echo 'key 0123456789abcd' >textfile
$ pnmtopng -text textfile logo.pnm >logo.png
pnmtopng: 17 colors found
$

- But: ltrace shows that this was just plain luck:
[ "key 0123456789abcd" has already been processed here ]
(...)
_IO_getc(0x804f170)                              = 'EOF'
overflow_add(0, 1, 16, 255, 20534)               = 0x7ffffffe
malloc(1)                                        = 0x8066400
malloc(1)                                        = 0x8066410  [1]
strcpy(0x8066410, "0123456789abcd")              = 0x8066410  [2]
strlen("0123456789abcd")                         = 14
png_write_info(0x804f2d8, 0x80515c8, 16, 255, 20534) = 0
(...)

[1] one byte buffer allocated
[2] but filled with more than one byte

- No \n at EOF is OK; the following works:
$ echo -n 'key 0123456789abcdef' >textfile


Workaround:
Remove all empty lines and any \n at end of file in the text file.


Solution (slightly tested):
Ignore empty lines; this also covers files whose last character is \n.

--- OLD/pnm/pnmtopng.c  2007-01-20 02:06:49.000000000 +0000
+++ NEW/pnm/pnmtopng.c  2007-01-20 01:57:48.000000000 +0000
@@ -344,6 +344,8 @@
       overflow_add(textpos, 1);
       textline[textpos++] = c;
     } else {
+      if (textpos == 0)
+        continue;
       overflow_add(textpos, 1);
       textline[textpos++] = '\0';
       if ((textline[0] != ' ') && (textline[0] != '\t')) {
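Review bot: the new `continue` at the top of the else branch skips the whole remainder of the end-of-line handling, not just the store, so if the loop's only exit on EOF lives further down in this branch, an empty final line (exactly the trailing-\n case this fix targets) would take the `continue` instead of that exit; please confirm the loop condition itself terminates on EOF, and give the check a one-line comment such as `/* empty line or newline at EOF: nothing to store */` so the next reader knows why textpos == 0 is special. Since the allocation and copy that actually overflow are not in this hunk, a regression input with a blank line between two long values would be worth adding alongside to show the fix covers the interior-empty-line case as well as EOF.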


-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.19.2
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=UTF-8)

Versions of packages netpbm depends on:
ii  libc6                     2.3.6.ds1-8    GNU C Library: Shared libraries
ii  libjpeg62                 6b-13          The Independent JPEG Group's JPEG 
ii  libnetpbm10               2:10.0-10.1    Shared libraries for netpbm
ii  libpng12-0                1.2.15~beta5-1 PNG library - runtime
ii  libtiff4                  3.8.2-7        Tag Image File Format (TIFF) libra
ii  zlib1g                    1:1.2.3-13     compression library - runtime

Versions of packages netpbm recommends:
ii  gs                         8.54.dfsg.1-5 Transitional package
ii  gs-gpl [gs]                8.54.dfsg.1-5 The GPL Ghostscript PostScript int

-- no debconf information
