tags 463907 + patch
thanks

Hi,
attached is an NMU that fixes the mentioned security issue. It will also be archived on:
http://people.debian.org/~nion/nmu-diff/netpbm-free-10.0-11_10.0-11.1.patch
I am going to upload this as a 0-day NMU with the maintainer's permission.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - [EMAIL PROTECTED] - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u netpbm-free-10.0/debian/changelog netpbm-free-10.0/debian/changelog --- netpbm-free-10.0/debian/changelog +++ netpbm-free-10.0/debian/changelog @@ -1,3 +1,13 @@ +netpbm-free (2:10.0-11.1) unstable; urgency=high + + * Non-maintainer upload by security team. + * This update addresses the following security issue: + - CVE-2008-0554: The readImageData function in giftopnm.c does not + properly check the upper bound of a fixed size array leading to a + buffer overflow and possibly code execution (Closes: #464056). + + -- Nico Golde <[EMAIL PROTECTED]> Thu, 07 Feb 2008 20:31:46 +0100 + netpbm-free (2:10.0-11) unstable; urgency=high * Fix heap corruption in pnmtopng (no CVE yet), only in patch2: unchanged: --- netpbm-free-10.0.orig/pnm/giftopnm.c +++ netpbm-free-10.0/pnm/giftopnm.c @@ -575,6 +575,10 @@ pm_error("GIF stream ends (or read error) " "right after an image separator; no " "image data follows."); + if(lzwMinCodeSize > MAX_LZW_BITS) + pm_error("Invalid minimum code size value in image data: %u. " + "Maximum allowable code size in GIF is %u", + lzwMinCodeSize, MAX_LZW_BITS); if (lzwReadByte(ifP, TRUE, lzwMinCodeSize) < 0) pm_error("GIF stream ends (or read error) right after the "
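Review bot: In the debian/changelog hunk, the "(Closes: #464056)" bug number does not match the bug this mail is tagging ("tags 463907 + patch"); please confirm which report the NMU is meant to close, since a wrong number leaves the real bug open in the BTS and closes an unrelated one. The CVE-2008-0554 description itself (missing upper-bound check on a fixed-size array in readImageData) is consistent with the giftopnm.c change below.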
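Review bot: In the giftopnm.c hunk, the new bound check `if(lzwMinCodeSize > MAX_LZW_BITS)` rejects only values strictly greater than MAX_LZW_BITS; whether equality must also be rejected depends on how the LZW tables are dimensioned relative to the initial code size (lzwMinCodeSize plus one), which this hunk does not show, so please confirm that `>` rather than `>=` is sufficient to keep every index inside the fixed-size array named in the changelog. Minor style point: the surrounding code writes `if (lzwReadByte(...)` with a space, so `if(lzwMinCodeSize ...` should match it.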