Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 16 Apr 2013 02:57:11 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Murray McAllister <mmcallis@...hat.com>
Subject: Re: autotrace: stack-based buffer overflow in bmp
 parser

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/16/2013 01:13 AM, Murray McAllister wrote:
> Good morning,
> 
> There is a stack-based buffer overflow in autotrace 0.31.1 in 
> Fedora[1]. In input-bmp.c, the input_bmp_reader() function creates
> a buffer on the stack:
> 
> 91   unsigned char buffer[64];
> 
> Later on
> 
> 169   else if (Bitmap_File_Head.biSize <= 64) /* Probably OS/2 2.x
> */ 170     { 171       if (!ReadOK (fd, buffer,
> Bitmap_File_Head.biSize - 4))
> 
> We control Bitmap_File_Head.biSize. A value of 0 meets the <=64 
> requirements, and 0 - 4 should result in almost 4294967295 bytes
> being read into the buffer.
> 
> I am told:
> 
> "" The same code is in Gimp, it was introduced in commit 
> d9c6f88141aecf956c5d721168f795de0e3027b8 and accidentally fixed in 
> 57f805a159874107c6c98065f9aa648c3634b8fd:
> 
> https://git.gnome.org/browse/gimp/commit/?h=d9c6f88141aecf956c5d7 
> https://git.gnome.org/browse/gimp/commit/?h=57f805a159874107c6c98
> 
> Similar code can also be found in sam2p. ""
> 
> On Fedora 18, the issue was caught by FORTIFY_SOURCE.
> 
> Murray.
> 
> [1] http://koji.fedoraproject.org/koji/buildinfo?buildID=340458

Please use CVE-2013-1953 for this issue.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRbRJnAAoJEBYNRVNeJnmTyTUQALq73LhHHyNIrOBq4O8ExhGi
k59+nIh2hl4MLY5gTLzLPpJF582BLfcNuEIdsucHj/5heBofhDFe9E6sXqRV1d2o
ymiT7JDzO4NpWnyln/XbBss0aI5TPVflHaax3/SHC44p5hifudLKZae6Rvh8qFGp
8eqY38tH5fIIqAU3g4ZvQnJrVdRFhojHpdMHBLsdNC1fxMPkN/ksywdr2V1u5l38
sl1DEFJZopGQ7VECTT1//5db0urSqMIBtTs2XR9VkBRX5+4QyJczqzk2m88UNi4q
iuaZ3I9pwN/09V3chkD2B1S3EErRvBD/ql26LZIz5WUtRgAQDW4/F7wFPU0ek0T8
bQbaZUmSxgEO7VPYB+FetjPGCe0pa3U51cViRRXYzWcGxhKZIsWAacxIQQUEvhah
75UHuP7UQf61H5aj7u/RygJU2wo8eevEiVlvRFQgEFZWcWUHKPrt4gqAXBJ/OgaG
ugp/eScOqXVwiW31421cKJzFf4+5OpVAZNkX7UC8H4lxd+BIiSgxhigG2zees+pU
yYP81H0I5rkuuG66OddIOdqBQ//X5MDoWDDcGw+pyd4SGcc3TsxV3wcZi8HhbQOd
k0DpNnIT+9RaTf7HZ6Ir3egwv1Q56LmBBeV9+xJmiThHqPEdANRhcGAyAp7zDSYH
F6S18MuKRRaNZ1h0Pdpv
=Ar0e
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ