Your message dated Mon, 24 Aug 2015 15:43:25 +0200
with message-id <20150824134325.ga5...@jwilk.net>
and subject line Re: Bug#781123: libexiv2-13: buffer overflow in RIFF video parser
has caused the Debian Bug report #781123,
regarding libexiv2-13: buffer overflow in RIFF video parser
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

--
781123: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=781123
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libexiv2-13
Version: 0.24-4.1
Tags: security
Usertags: afl

Exiv2 crashes on the attached file:

$ exiv2 pr crash.riff
*** Error in `exiv2': double free or corruption (!prev): 0x09669910 ***
Aborted

Valgrind says it's a buffer overflow:

==5509== Invalid write of size 4
==5509==    at 0x452BD6C: __GI_mempcpy (mempcpy.S:54)
==5509==    by 0x451E307: _IO_file_xsgetn (fileops.c:1388)
==5509==    by 0x45200B7: _IO_sgetn (genops.c:495)
==5509==    by 0x4513998: fread (iofread.c:42)
==5509==    by 0x40AF816: fread (stdio2.h:295)
==5509==    by 0x40AF816: Exiv2::FileIo::read(unsigned char*, long) (basicio.cpp:941)
==5509==    by 0x415B513: Exiv2::RiffVideo::dateTimeOriginal(long, int) (riffvideo.cpp:695)
==5509==    by 0x4162401: Exiv2::RiffVideo::tagDecoder(Exiv2::DataBuf&, unsigned long) (riffvideo.cpp:611)
==5509==    by 0x41625C8: Exiv2::RiffVideo::decodeBlock() (riffvideo.cpp:574)
==5509==    by 0x41629B0: Exiv2::RiffVideo::readMetadata() (riffvideo.cpp:549)
==5509==    by 0x805F61F: Action::Print::printSummary() (actions.cpp:258)
==5509==    by 0x8061AFC: Action::Print::run(std::string const&) (actions.cpp:236)
==5509==    by 0x804C3D0: main (exiv2.cpp:171)
==5509==  Address 0x46b6081 is 97 bytes inside a block of size 100 alloc'd
==5509==    at 0x4029DFC: operator new[](unsigned int) (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==5509==    by 0x415B4F9: DataBuf (types.hpp:199)
==5509==    by 0x415B4F9: Exiv2::RiffVideo::dateTimeOriginal(long, int) (riffvideo.cpp:694)
==5509==    by 0x4162401: Exiv2::RiffVideo::tagDecoder(Exiv2::DataBuf&, unsigned long) (riffvideo.cpp:611)
==5509==    by 0x41625C8: Exiv2::RiffVideo::decodeBlock() (riffvideo.cpp:574)
==5509==    by 0x41629B0: Exiv2::RiffVideo::readMetadata() (riffvideo.cpp:549)
==5509==    by 0x805F61F: Action::Print::printSummary() (actions.cpp:258)
==5509==    by 0x8061AFC: Action::Print::run(std::string const&) (actions.cpp:236)
==5509==    by 0x804C3D0: main (exiv2.cpp:171)

This bug was found using American fuzzy lop:
http://lcamtuf.coredump.cx/afl/
(available in Debian experimental)

-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (990, 'unstable'), (500, 'experimental')
Architecture: i386 (x86_64)
Foreign Architectures: amd64

Kernel: Linux 3.2.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=C, LC_CTYPE=pl_PL.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: sysvinit (via /sbin/init)

Versions of packages libexiv2-13:i386 depends on:
ii  libc6              2.19-17
ii  libexpat1          2.1.0-6+b3
ii  libgcc1            1:5-20150321-1
ii  libstdc++6         5-20150321-1
ii  multiarch-support  2.19-17
ii  zlib1g             1:1.2.8.dfsg-2+b1

Versions of packages libexiv2-13:i386 suggests:
ii  exiv2  0.24-4.1

--
Jakub Wilk

[Attachment: crash.riff]
Description: video/riff
--- End Message ---
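The trace above shows the defect class behind the report: a chunk size taken from the file is passed to fread() against a fixed 100-byte DataBuf. The C example below is added here and is not exiv2 code; it models the same step for a RIFF chunk (standard FourCC id plus little-endian 32-bit size) and rejects the chunk when the declared size exceeds either the fixed buffer or the bytes actually left in the file. The "IDIT" chunk id and all sample bytes are constructed for the demonstration.

```c
/* Added example, not exiv2 code: bounded handling of a RIFF chunk size field. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_BUF_SIZE 100   /* same fixed capacity as the 100-byte block in the valgrind trace */

/* Parse the chunk header at `off`: FourCC id (NUL-terminated) and LE32 payload size. 0 on success. */
static int riff_chunk_header(const uint8_t *data, size_t len, size_t off, char id[5], uint32_t *size)
{
    if (off > len || len - off < 8) return -1;                 /* header itself is truncated */
    memcpy(id, data + off, 4); id[4] = '\0';
    *size = (uint32_t)data[off + 4] | ((uint32_t)data[off + 5] << 8) |
            ((uint32_t)data[off + 6] << 16) | ((uint32_t)data[off + 7] << 24);
    return 0;
}

/* Copy the chunk payload into a fixed CHUNK_BUF_SIZE buffer. The unsafe form of this
 * step trusts `size` from the file and reads that many bytes into the buffer; here the
 * declared size is checked against the buffer and the remaining file before the copy.
 * Returns the payload length, or -1 if the chunk is rejected. */
static long riff_read_chunk_bounded(const uint8_t *data, size_t len, size_t off, uint8_t out[CHUNK_BUF_SIZE])
{
    char id[5]; uint32_t size;
    if (riff_chunk_header(data, len, off, id, &size) != 0) return -1;
    if (size > CHUNK_BUF_SIZE) return -1;                      /* would overflow the fixed buffer */
    if (size > len - off - 8) return -1;                       /* declared size exceeds the file */
    memcpy(out, data + off + 8, size);
    return (long)size;
}

/* Constructed samples: a well-formed 24-byte "IDIT" chunk, one claiming 200 bytes, one claiming 50 with 4 present. */
static const uint8_t GOOD_CHUNK[] = { 'I','D','I','T', 24,0,0,0,
    'T','h','u',' ','J','a','n',' ','0','1',' ','0','0',':','0','0',':','0','0',' ','1','9','7','0' };
static const uint8_t OVERSIZED_CHUNK[] = { 'I','D','I','T', 200,0,0,0, 'x','x','x','x','x','x','x','x' };
static const uint8_t TRUNCATED_CHUNK[] = { 'I','D','I','T', 50,0,0,0, 'x','x','x','x' };

long demo_good(void)      { uint8_t b[CHUNK_BUF_SIZE]; return riff_read_chunk_bounded(GOOD_CHUNK, sizeof GOOD_CHUNK, 0, b); }
long demo_oversized(void) { uint8_t b[CHUNK_BUF_SIZE]; return riff_read_chunk_bounded(OVERSIZED_CHUNK, sizeof OVERSIZED_CHUNK, 0, b); }
long demo_truncated(void) { uint8_t b[CHUNK_BUF_SIZE]; return riff_read_chunk_bounded(TRUNCATED_CHUNK, sizeof TRUNCATED_CHUNK, 0, b); }

int main(void)
{
    printf("good: %ld, oversized: %ld, truncated: %ld\n", demo_good(), demo_oversized(), demo_truncated());
    return 0;
}
```

Both rejected cases return -1 before any byte is copied; only the well-formed chunk yields its 24-byte payload.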
--- Begin Message ---
Version: 0.25-1

* Jakub Wilk <jw...@debian.org>, 2015-08-10, 13:29:
> I can't reproduce it with exiv2_0.25-2:
>
> $ exiv2 pr crash.riff
> Exiv2 exception in print action for file crash.riff:
> crash.riff: The file contains data of an unknown image type
>
> But that may be only because video support was (accidentally?) disabled. From the build log:
>
> checking whether to compile with video support... no

Upstream says that video support is disabled by default for security reasons, so Debian probably shouldn't re-enable it.

Let's close the bug.

--
Jakub Wilk
--- End Message ---
_______________________________________________
pkg-kde-extras mailing list
pkg-kde-extras@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-kde-extras