severity 386896 wishlist
quit
On Mon, Sep 11, 2006 at 01:41:15AM +0200, Tobias Herzke wrote:
> Bill Allombert wrote:
> >>The jpeg comment printed by the tool rdjpgcom differs from the jpeg
> >>comment present in the jpeg file.
> >>
> >>For example, rdjpgcom replaces "unprintable" bytes with a
> >>backslash-sequence (see function process_COM in file rdjpgcom.c).
>
> >>
> >>This is a problem if the comment is in a different encoding than the
> >>system's locale, or if the comment is in a multibyte encoding (e.g. utf-8).
>
> > Actually this is a security feature. As I wrote in bug #116589:
> > For safety reasons, rdjpgcom outputs non-printable characters in jpeg
> > comments as octal sequences, to avoid security problems when reading
> > comments in 'untrusted' jpeg files.
> >
> > You can convert octal sequences to characters with
> >
> > % /bin/echo -e `rdjpgcom orig1.jpg`
> >
> > I am not sure how this can be improved.
>
> This would not help with the line-endings alterations.
>
> I am not really convinced that rdjpgcom needs such a security feature.
> Just imagine /bin/cat were affected that way. It would be useless.
Actually, cat -v implements that.
> What kind of attack do you have in mind that is possible with literal
> output and impossible with the quoted output?
Someone sends you a JPEG file with a comment that contains the VT100
sequence to redefine newline to ";rm -rf $HOME\n". You just need to
do
rdjpgcom trojan.jpg
ls
to get your home dir removed.
> Anyway, I imagine some programs already depend on the current behaviour.
> (the echo -e workaround sure does)
>
> Suggestion: You could introduce a new command line option ("-raw" or
> something) that leaves the comment untouched. Please set severity to
> "wishlist", if you don't mind.
Done. Is there a usage case that is not essentially unsafe? rdjpgcom is
only meant to be used in shell scripts where echo -e is available
anyway.
Cheers,
--
Bill. <[EMAIL PROTECTED]>
Imagine a large red swirl here.
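The escaping behaviour discussed in this thread, as an added illustration (not rdjpgcom's own process_COM code): a function `escape_comment` (name assumed) that renders a JPEG COM payload for terminal display by doubling backslashes, normalising CR/LF/CRLF to one newline and writing every byte outside printable ASCII, including ESC (0x1b) and UTF-8 continuation bytes, as a \ooo octal sequence.

```c
#include <stdio.h>
#include <string.h>

/* Escape a JPEG comment buffer for safe display on a terminal.
   Bytes outside printable ASCII (0x20..0x7e) become \ooo octal sequences,
   so terminal control sequences embedded in an untrusted file can never
   reach the terminal. Backslash is doubled so the output stays reversible
   with echo -e. CR, LF and CRLF are each written as a single '\n'.
   Note that multibyte encodings such as UTF-8 are escaped byte by byte,
   which is exactly the limitation the bug reporter complains about.
   Returns the number of characters written (excluding the NUL), or -1 if
   out is too small. Added example, not code from the rdjpgcom sources. */
int escape_comment(const unsigned char *in, size_t len, char *out, size_t outsz) {
    size_t o = 0;
    unsigned char last = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char ch = in[i];
        char tmp[8];
        int n;
        if (ch == '\r' || ch == '\n') {
            /* CR, LF and CRLF all collapse to one newline */
            if (ch == '\n' && last == '\r') { last = ch; continue; }
            n = snprintf(tmp, sizeof tmp, "\n");
        } else if (ch == '\\') {
            n = snprintf(tmp, sizeof tmp, "\\\\");
        } else if (ch >= 0x20 && ch < 0x7f) {
            n = snprintf(tmp, sizeof tmp, "%c", ch);
        } else {
            /* ESC (0x1b), NUL, DEL and any high bit byte end up here */
            n = snprintf(tmp, sizeof tmp, "\\%03o", ch);
        }
        if (o + (size_t)n >= outsz) return -1;   /* leave room for the NUL */
        memcpy(out + o, tmp, (size_t)n);
        o += (size_t)n;
        last = ch;
    }
    out[o] = '\0';
    return (int)o;
}

int main(void) {
    /* constructed sample comment carrying an ANSI colour escape, not from a real file */
    const unsigned char sample[] = "Hello\x1b[31m\n";
    char out[64];
    if (escape_comment(sample, sizeof sample - 1, out, sizeof out) >= 0)
        fputs(out, stdout);   /* prints: Hello\033[31m */
    return 0;
}
```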