Thanks Andreas, if somebody can please create a patch (this is not something I 
feel confident doing), then we can release a new libpano13. The current release 
candidate doesn't have any issues that would prevent a release.

I should point out that if an attacker has the ability to specify the output 
filename, then they already have plenty of ways to make mischief without this 
bug.

-- 
Bruno


On 15 March 2021 17:16:50 GMT, Andreas Metzler <[email protected]> wrote:
>Hello,
>
>this is a copy of https://bugs.debian.org/985249 submitted by Wooseok
>Kang
>
>----- Forwarded message from Wooseok Kang <[email protected]> -----
>Date: Mon, 15 Mar 2021 12:08:01 +0900
>From: Wooseok Kang <[email protected]>
>
>In libpano13, there is a format string vulnerability
>that can lead to reading and writing arbitrary memory values.
>
>The vulnerability starts in panoCroppingMain() in PTcommon.c.
>The program gets 'outputPrefix' using getopt() at line 1829.
>
>1829 case 'p':
>1830     if (strlen(optarg) < MAX_PATH_LENGTH) {
>1831         strcpy(outputPrefix, optarg);
>1832     } else {
>1833         PrintError("Illegal length for output prefix");
>1834         return -1;
>1835     }
>1836     break;
>
>Then 'outputPrefix' is passed to sprintf() in
>panoFileOutputNamesCreate() without sanitizing.
>This causes the format string bug which can crash the program.
>
>1882 if (panoFileOutputNamesCreate(ptrOutputFiles, filesCount, outputPrefix) == 0) {
>1883     return -1;
>1884 }
>
>2915 sprintf( outputFilename, outputPrefix, i );
>(in file.c)
>
>There is a simple example of this vulnerability using
>tests/simpleTiff16/060520_3398.TIF.
>
>> PTcrop -p "%p.%p.%p.%p" -f ./060520_3398.TIF
>PTcrop Version 2.9.20 , by Daniel M German
>Output prefix 1 %p.%p.%p.%p
>Cropping 1 files
>Processing 0 reading ./060520_3398.TIF creating
>(nil).0x1c.0x78302e296c696e28.tif
>TIFFFetchNormalTag: Warning, Incorrect value for "RichTIFFIPTC"; tag
>ignored.
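
Added example, not part of the thread and not libpano13 code: one way to expand a user-supplied output prefix without ever passing it to a printf-family function as the format string, which is what the reported sprintf() call at line 2915 of file.c does. The function name build_output_name and the accepted subset (literal text, "%%", and one zero-padded "%d" or "%0Nd" for the file index) are assumptions made for this illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not libpano13 code. The reported call
 *     sprintf(outputFilename, outputPrefix, i);
 * lets the -p argument act as the format string. Here the prefix is only
 * ever data: this function interprets a small assumed subset itself
 * (literal text, "%%", one "%d" or "%0Nd" for the index, zero-padded)
 * and rejects everything else. Returns 0 on success, -1 otherwise. */
int build_output_name(char *out, size_t outsz, const char *prefix, int index)
{
    size_t n = 0;
    int used_index = 0;

    if (outsz == 0) return -1;
    for (const char *p = prefix; *p != '\0'; p++) {
        if (*p != '%' || *++p == '%') {       /* literal char, or "%%" */
            if (n + 1 >= outsz) return -1;    /* keep room for the NUL */
            out[n++] = *p;
            continue;
        }
        int width = 0, digits = 0;
        while (isdigit((unsigned char)*p) && digits < 2) {  /* width <= 99 */
            width = width * 10 + (*p++ - '0');
            digits++;
        }
        if (*p != 'd' || used_index) return -1;  /* %p, %n, %s, 2nd %d, lone % */
        used_index = 1;
        int w = snprintf(out + n, outsz - n, "%0*d", width, index);
        if (w < 0 || (size_t)w >= outsz - n) return -1;     /* truncated */
        n += (size_t)w;
    }
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char name[64];
    const char *tests[] = { "crop%04d", "%p.%p.%p.%p", "out%n" };  /* constructed */
    for (size_t i = 0; i < sizeof tests / sizeof tests[0]; i++) {
        if (build_output_name(name, sizeof name, tests[i], 0) == 0)
            printf("%-14s -> %s\n", tests[i], name);
        else
            printf("%-14s -> rejected\n", tests[i]);
    }
    return 0;
}
```

Callers must check the return value: on -1 the buffer contents are unspecified and should not be used as a file name.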
