Bug#993596: futatabi: potential integer overflow vulnerability in util.cpp

2021-09-03 Thread Wooseok Kang
Package: futatabi
Severity: normal
X-Debbugs-Cc: kangwoos...@gmail.com

Dear Maintainer,

I found a potential integer overflow vulnerability in util.cpp.

At lines 14 to 15, the program reads the values of 'width' and 'height' using
fread.
Since there is no bounds checking, a maliciously crafted input file may cause an
integer overflow.
This then leads to a small buffer allocation, which may cause buggy behavior.

14 fread(&width, sizeof(width), 1, flowfp);
15 fread(&height, sizeof(height), 1, flowfp);
16
17 unique_ptr<Vec2[]> flow(new Vec2[width * height]);

Thank you.

-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.16.3-microsoft-standard-WSL2 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages futatabi depends on:
pn  libasound2
pn  libavcodec58
pn  libavformat58
pn  libavutil56
ii  libc6            2.31-17
ii  libepoxy0        1.5.8-1
ii  libgcc-s1        11.2.0-3
ii  libjpeg62-turbo  1:2.0.6-4
pn  libmicrohttpd12
pn  libmovit8
pn  libprotobuf23
ii  libqt5core5a     5.15.2+dfsg-10
ii  libqt5gui5       5.15.2+dfsg-10
ii  libqt5network5   5.15.2+dfsg-10
pn  libqt5opengl5
ii  libqt5widgets5   5.15.2+dfsg-10
ii  libsqlite3-0     3.36.0-2
ii  libstdc++6       11.2.0-3
pn  libswscale5
pn  libva-drm2
pn  libva-x11-2
pn  libva2
ii  libx11-6         2:1.7.2-1

futatabi recommends no packages.

futatabi suggests no packages.
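Added example, not code from the futatabi project or from the report above: the bounds check the report says is missing, written as a standalone C helper that validates width*height before any allocation. The Vec2 struct, the MAX_FLOW_PIXELS policy limit and the function names are assumed stand-ins.

```c
#include <stddef.h>
#include <stdlib.h>

/* Constructed stand-in for futatabi's Vec2; the real type lives in futatabi's sources. */
typedef struct { float x, y; } Vec2;

/* Assumed policy limit on flow-field pixels; the project defines no such constant. */
#define MAX_FLOW_PIXELS (64u * 1024u * 1024u)

/* Return width*height if it is non-zero, did not wrap in size_t and is within
 * MAX_FLOW_PIXELS; return 0 otherwise. The file's width/height fields are treated
 * as untrusted, so the product is never used for an allocation unvalidated. */
static size_t checked_flow_count(unsigned width, unsigned height)
{
    size_t count;
    if (width == 0 || height == 0)
        return 0;                          /* nothing to allocate */
    count = (size_t)width * (size_t)height;
    if (count / width != height)
        return 0;                          /* product wrapped around */
    if (count > MAX_FLOW_PIXELS)
        return 0;                          /* arithmetically fine, but over policy */
    return count;
}

/* Allocate the flow buffer only for validated dimensions; NULL means "reject this file".
 * calloc additionally checks count * sizeof(Vec2) for overflow, which a hand-written
 * malloc(count * sizeof(Vec2)) would not. */
static Vec2 *flow_alloc(unsigned width, unsigned height)
{
    size_t count = checked_flow_count(width, height);
    if (count == 0)
        return NULL;
    return (Vec2 *)calloc(count, sizeof(Vec2));
}
```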



Bug#992413: nickle: potential buffer overflow vulnerability in edit.c

2021-08-18 Thread Wooseok Kang
Package: nickle
Version: 2.90
Severity: normal
X-Debbugs-Cc: kangwoos...@gmail.com

Dear Maintainer,

I found a potential buffer overflow vulnerability in edit.c.

At line 30, the program reads the value of 'editor' from an environment
variable.
Since the size of 'buf' is fixed to 1024, if a malicious attacker puts a large
string in 'editor', it may cause a stack buffer overflow at line 34, which leads
to buggy behavior.


30 if (!(editor = getenv ("EDITOR")))
31   editor = DEFAULT_EDITOR;
32 if (!file_name)
33   file_name = "";
34 (void) sprintf (buf, "%s %s", editor, file_name);


Thank you.

-- System Information:
Debian Release: 11.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.16.3-microsoft-standard-WSL2 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages nickle depends on:
ii  libc6 2.31-13
ii  libreadline8  8.1-1

nickle recommends no packages.

nickle suggests no packages.



Bug#992412: ispell: buffer overflow through sprintf

2021-08-18 Thread Wooseok Kang
Package: ispell
Version: 3.4.02
Severity: normal
X-Debbugs-Cc: kangwoos...@gmail.com

Dear Maintainer,

There are potential buffer overflow vulnerabilities in ispell.

In tree.c:163, the program reads the value of 'h' from an environment variable.
Then at lines 219 and 278, it is used in sprintf with no length check.
Since the size of 'personaldict' is fixed, it may cause a buffer overflow, which
leads to buggy behavior.

--
163 if ((h = getenv (HOME)) == NULL)
...
219 (void) sprintf (personaldict, "%s/%s%s", h == NULL ? "" : h,
220 DEFPDICT, LibDict);
...
278 (void) sprintf (personaldict, "%s/%s", h, p);
--


Similar issues appear in ispell.c

--
295 p = getenv (DICTIONARYVAR);
296 if (p != NULL)
297 {
298   if (last_slash (p) != NULL)
299 (void) strcpy (hashname, p);
300   else
301 (void) sprintf (hashname, "%s/%s", libdir, p);
--
1013 (void) sprintf (logfilename, "%s/%s/%s",
1014 getenv ("HOME") == NULL ? "" : getenv ("HOME"),
1015 DEFLOGDIR, LibDict);
--

Thank you.

-- System Information:
Debian Release: 11.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.16.3-microsoft-standard-WSL2 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages ispell depends on:
ii  libc6  2.31-13
ii  libtinfo6  6.2+20201114-2

Versions of packages ispell recommends:
pn  iamerican | ispell-dictionary  
pn  wamerican | wordlist   

Versions of packages ispell suggests:
pn  spell  



Bug#992407: elvis-tiny: potential buffer overflow in main.c

2021-08-18 Thread Wooseok Kang
Package: elvis-tiny
Severity: normal
X-Debbugs-Cc: kangwoos...@gmail.com

Dear Maintainer,

I found a potential buffer overflow vulnerability in main.c.

--
264 str = getenv("HOME");
265 if (str)
266 {
267 sprintf(tmpblk.c, "%s%c%s", str, SLASH, HMEXRC);
--

At line 264, the program reads the value of 'str' from an environment variable.

Since the size of 'tmpblk.c' is fixed to 1024 and there is no range check,
if a malicious attacker puts in a large string, it may cause a buffer overflow,
which leads to buggy behavior.

Thank you.

-- System Information:
Debian Release: 11.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.16.3-microsoft-standard-WSL2 (SMP w/8 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages elvis-tiny depends on:
ii  libc6  2.31-13
ii  libtinfo6  6.2+20201114-2

elvis-tiny recommends no packages.

elvis-tiny suggests no packages.
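Added example, not code from nickle, ispell or elvis-tiny: one bounded formatting helper that serves all three sprintf reports above (nickle's EDITOR command, ispell's HOME-relative dictionary paths, elvis-tiny's HMEXRC path). Callers pass the getenv() result in; the helper names, the "vi" default and the buffer sizes in the comments are assumptions.

```c
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Format into dst with vsnprintf; return 1 on success, 0 if the result would not fit
 * (dst is then left empty so a caller cannot use a half-built string by mistake). */
static int fmt_bounded(char *dst, size_t dstsz, const char *fmt, ...)
{
    va_list ap;
    int n;
    if (dstsz == 0)
        return 0;
    va_start(ap, fmt);
    n = vsnprintf(dst, dstsz, fmt, ap);
    va_end(ap);
    if (n < 0 || (size_t)n >= dstsz) {
        dst[0] = '\0';              /* truncated: refuse rather than run a mangled command */
        return 0;
    }
    return 1;
}

/* Bounded counterpart of nickle's edit.c: editor is getenv("EDITOR") or NULL. The
 * environment is attacker-influenced input and must not be trusted to fit buf. */
static int build_editor_command(char *buf, size_t bufsz,
                                const char *editor, const char *file_name)
{
    if (!editor)
        editor = "vi";              /* stand-in for nickle's DEFAULT_EDITOR */
    if (!file_name)
        file_name = "";
    return fmt_bounded(buf, bufsz, "%s %s", editor, file_name);
}

/* Bounded counterpart of the HOME-relative paths in ispell's tree.c/ispell.c and
 * elvis-tiny's main.c; home is getenv("HOME") or NULL, leaf the fixed file name. */
static int build_home_path(char *buf, size_t bufsz, const char *home, const char *leaf)
{
    if (!home)
        home = "";
    return fmt_bounded(buf, bufsz, "%s/%s", home, leaf);
}
```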



Bug#985249: libpano13-bin: format string bug in panoFileOutputNamesCreate()

2021-03-14 Thread Wooseok Kang
Package: libpano13-bin
Version: 2.9.20~rc2+dfsg-3
Severity: normal
X-Debbugs-Cc: kangwoos...@gmail.com

Dear Maintainer,

In libpano13, there is a format string vulnerability
that can lead to reading and writing arbitrary memory values.

The vulnerability starts in panoCroppingMain() in PTcommon.c.
The program gets 'outputPrefix' using getopt() at line 1829.

1829 case 'p':
1830 if (strlen(optarg) < MAX_PATH_LENGTH) {
1831 strcpy(outputPrefix, optarg);
1832 } else {
1833 PrintError("Illegal length for output prefix");
1834 return -1;
1835 }
1836 break;

Then 'outputPrefix' is passed to sprintf() in panoFileOutputNamesCreate()
without sanitizing.
This causes a format string bug, which can crash the program.

1882 if (panoFileOutputNamesCreate(ptrOutputFiles, filesCount, outputPrefix) == 0) {
1883 return -1;
1884 }

2915 sprintf( outputFilename, outputPrefix, i );
(in file.c)

There is a simple example of this vulnerability using 
tests/simpleTiff16/060520_3398.TIF.

> PTcrop -p "%p.%p.%p.%p" -f ./060520_3398.TIF
PTcrop Version 2.9.20 , by Daniel M German
Output prefix 1 %p.%p.%p.%p
Cropping 1 files
Processing 0 reading ./060520_3398.TIF creating 
(nil).0x1c.0x78302e296c696e28.tif
TIFFFetchNormalTag: Warning, Incorrect value for "RichTIFFIPTC"; tag ignored.

Thank you.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.72-microsoft-standard-WSL2 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages libpano13-bin depends on:
ii  libc6        2.31-9
ii  libpano13-3  2.9.20~rc2+dfsg-3

libpano13-bin recommends no packages.

libpano13-bin suggests no packages.

-- no debconf information



Bug#985248: gnuplot: format string bug in PS_load_fontfile()

2021-03-14 Thread Wooseok Kang
Package: gnuplot
Version: 5.4.1+dfsg1-1
Severity: normal
X-Debbugs-Cc: kangwoos...@gmail.com

Dear Maintainer,

In gnuplot, there is a format string vulnerability
that can lead to reading and writing arbitrary memory values.

In term/post.trm, the program gets a string from getenv() and passes it to
sprintf() directly at line 1420.
This causes a format string bug, which can crash the program.

1420 envcmd = getenv("GNUPLOT_TTFTOPFA");
1421 if (envcmd != NULL)
1422 sprintf(cmd,envcmd,current_ps_fontfile->fontfile_fullname);

Thank you.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.72-microsoft-standard-WSL2 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages gnuplot depends on:
ii  gnuplot-qt [gnuplot-x11]  5.4.1+dfsg1-1

gnuplot recommends no packages.

Versions of packages gnuplot suggests:
pn  gnuplot-doc  

-- no debconf information
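Added example, not code from libpano13 or gnuplot: a template expander that serves both the PTcrop '-p' output prefix report and the GNUPLOT_TTFTOPFA report above. Instead of handing the user- or environment-controlled string to sprintf() as its format, it interprets only %s, %d and %% itself and rejects every other directive; the helper name and its two-argument interface are assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Expand a user- or environment-supplied template into dst without ever using it as a
 * printf format. Only "%s" (str_arg), "%d" (int_arg) and "%%" are honoured; any other
 * '%' directive (%p, %n, %x, ...) makes the template invalid, which is what closes the
 * arbitrary memory read/write the two reports describe.
 * Returns 1 on success, 0 for an invalid template or a result that would not fit. */
static int expand_template(char *dst, size_t dstsz, const char *tmpl,
                           const char *str_arg, int int_arg)
{
    size_t pos = 0;
    const char *p;
    if (dstsz == 0)
        return 0;
    if (!str_arg)
        str_arg = "";
    for (p = tmpl; *p; p++) {
        if (*p != '%') {                         /* ordinary character */
            if (pos + 1 >= dstsz)
                return 0;
            dst[pos++] = *p;
            continue;
        }
        p++;                                     /* look at the directive character */
        if (*p == '%') {
            if (pos + 1 >= dstsz)
                return 0;
            dst[pos++] = '%';
        } else if (*p == 'd') {
            int n = snprintf(dst + pos, dstsz - pos, "%d", int_arg);
            if (n < 0 || (size_t)n >= dstsz - pos)
                return 0;
            pos += (size_t)n;
        } else if (*p == 's') {
            size_t len = strlen(str_arg);
            if (len >= dstsz - pos)
                return 0;
            memcpy(dst + pos, str_arg, len);
            pos += len;
        } else {
            return 0;                            /* unknown or trailing '%': reject */
        }
    }
    dst[pos] = '\0';
    return 1;
}
```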