Package: gif2png
Version: 2.5.8-1+b2
Severity: grave
Tags: security
Justification: user security hole
I happened to notice the entry for 2.5.14 (which I realise is newer than the one in Debian) on http://www.catb.org/~esr/gif2png/NEWS: "Redirect segfault to a graceful exit. Tired of meaningless fuzzer bugs." This is from https://gitlab.com/esr/gif2png/issues/5, where the upstream maintainer says: "Crash confirmed. But this program is not expected to be able to deal with arbitrarily broken input. All I'm going to do about it is add a SIGSEGV handler."

I understand that security vulnerabilities happen and that normally they are patched and life goes on. But this is a different case: here we have an upstream maintainer explicitly saying that an image-processing program is not suitable for use on arbitrary input, and explicitly adding code to defeat fuzzers that might otherwise help to find bugs in it. I'm honestly flabbergasted by this approach to what must surely be undefined behaviour in C code.

I suppose that one might still safely use gif2png to convert one's own website if all it had to deal with was trusted images. However, this is an undocumented limitation, and it's quite easy to believe that unsuspecting people might try to use gif2png as part of a larger system where the input files cannot be trusted, such as an image-upload widget on a website.

At the very least, the limitation that this program cannot safely be used with untrusted input needs to be prominently documented (I'd suggest the package description and the manual page). web2png would be harder to replace this way, but at least people wanting to make straightforward use of gif2png should perhaps be advised to use some other image processing system instead whose maintainers have a more reasonable approach to reports of undefined behaviour in their programs.
-- System Information:
Debian Release: 10.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8), LANGUAGE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages gif2png depends on:
ii  libc6        2.28-10
ii  libpng16-16  1.6.36-6

Versions of packages gif2png recommends:
ii  python  2.7.16-1

gif2png suggests no packages.

-- no debconf information

Thanks,

-- 
Colin Watson [cjwat...@debian.org]