Your message dated Sat, 20 Jan 2007 08:32:09 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#407605: fixed in netpbm-free 2:10.0-11
has caused the attached Bug report to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere. Please contact me immediately.)
Debian bug tracking system administrator
(administrator, Debian Bugs database)
--- Begin Message ---
Package: netpbm
Version: 2:10.0-10.1
Severity: grave
Justification: heap corruption, possible user security hole
Tags: security
pnmtopng can be called with an -text <filename> parameter to embed
additional textual information in the created png file. Each line in
<filename> is a key-value pair with the first space or tab character
as separator (folded lines are possible too; see the manpage for
details).
The read_text routine does not properly deal with empty lines and with
end of file if the last character in the file is the newline character
which is a usual case. In such a situation a buffer of one byte length
is allocated and filled with the previous(!) line's value. If that
value is more than 14 bytes long (on i386, might be different on
other architectures), the heap allocation apparently gets corrupted
and pnmtopng segfaults later somewhere deep in libpng's write
routines.
How to repeat:
1. Pick an arbitrary pnm file e.g.
$ wget http://www.debian.org/logos/openlogo-nd-50.png
$ pngtopnm openlogo-nd-50.png >logo.pnm
2. Create a key/value text file with a value more than 14 bytes
long e.g.
$ echo 'key 0123456789abcdef' >textfile
3. Create a png from the pnm file, embed the text
$ pnmtopng -text textfile logo.pnm >logo.png
pnmtopng: 17 colors found
Segmentation fault (core dumped)
$
Additional information:
- This problem also exists in Debian sarge (aka stable).
- A shorter value avoids the situation
$ echo 'key 0123456789abcd' >textfile
$ pnmtopng -text textfile logo.pnm >logo.png
pnmtopng: 17 colors found
$
- But: ltrace shows that this was just plain luck
[ "key 0123456789abcd" has already been processed here ]
(...)
_IO_getc(0x804f170) = 'EOF'
overflow_add(0, 1, 16, 255, 20534) = 0x7ffffffe
malloc(1) = 0x8066400
malloc(1) = 0x8066410 [1]
strcpy(0x8066410, "0123456789abcd") = 0x8066410 [2]
strlen("0123456789abcd") = 14
png_write_info(0x804f2d8, 0x80515c8, 16, 255, 20534) = 0
(...)
[1] one byte buffer allocated
[2] but filled with more than one byte
- No \n at EOF is OK, the following works:
$ echo -n 'key 0123456789abcdef' >textfile
Workaround:
Remove all empty lines and any \n at end of file in the text file.
Solution (slightly tested):
Ignore empty lines, this includes files with \n as last character.
--- OLD/pnm/pnmtopng.c 2007-01-20 02:06:49.000000000 +0000
+++ NEW/pnm/pnmtopng.c 2007-01-20 01:57:48.000000000 +0000
@@ -344,6 +344,8 @@
overflow_add(textpos, 1);
textline[textpos++] = c;
} else {
+ if (textpos == 0)
+ continue;
overflow_add(textpos, 1);
textline[textpos++] = '\0';
if ((textline[0] != ' ') && (textline[0] != '\t')) {
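Review bot: the `continue` added after `if (textpos == 0)` jumps back to the loop head before the rest of this else branch runs, and the hunk does not show the loop condition, so confirm that a `c` of EOF with textpos == 0 (the trailing-newline case from the report, where the ltrace shows this branch reached right after `_IO_getc` returns EOF) ends the loop instead of re-entering it. Wrapping the remainder of the branch in `if (textpos > 0) { ... }` would express the skip without depending on the loop head and keep the braced style of the surrounding `if ((textline[0] != ' ') ...` code. The copy path below it (the `malloc(1)` followed by a 14-byte `strcpy` in the ltrace) deserves its own check, since this hunk only prevents reaching it with an empty line rather than correcting the buffer size.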
-- System Information:
Debian Release: 4.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.19.2
Locale: [EMAIL PROTECTED], [EMAIL PROTECTED] (charmap=UTF-8)
Versions of packages netpbm depends on:
ii libc6 2.3.6.ds1-8 GNU C Library: Shared libraries
ii libjpeg62 6b-13 The Independent JPEG Group's JPEG
ii libnetpbm10 2:10.0-10.1 Shared libraries for netpbm
ii libpng12-0 1.2.15~beta5-1 PNG library - runtime
ii libtiff4 3.8.2-7 Tag Image File Format (TIFF) libra
ii zlib1g 1:1.2.3-13 compression library - runtime
Versions of packages netpbm recommends:
ii gs 8.54.dfsg.1-5 Transitional package
ii gs-gpl [gs] 8.54.dfsg.1-5 The GPL Ghostscript PostScript int
-- no debconf information
--- End Message ---
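As an added example (not netpbm's code and not the reporter's patch), here is a bounds-checked C reader for the -text key/value format the report describes, applying its fix of ignoring empty lines and the newline that ends the file. The folded-line joining with '\n', the fixed per-line limit, and the names read_text, text_chunk and append_bounded are assumptions.

```c
/* Added example, not netpbm's code: a reader for the "-text" file format.
 * Assumed rules: one "key<space|tab>value" pair per line; a line starting
 * with a space or tab continues the previous value (joined with '\n');
 * empty lines and a trailing newline at EOF produce no entry at all. */
#include <string.h>
#define MAX_LINE 256
struct text_chunk { char key[MAX_LINE]; char value[MAX_LINE]; };

/* Append src to dst, never exceeding MAX_LINE-1 characters (truncates). */
static void append_bounded(char *dst, const char *src)
{
    size_t used = strlen(dst);
    if (used < MAX_LINE - 1)
        strncat(dst, src, MAX_LINE - 1 - used);
}

/* Parse the whole file contents in buf into out[]; return entry count. */
int read_text(const char *buf, struct text_chunk *out, int max)
{
    char line[MAX_LINE];
    int n = 0;
    while (*buf != '\0') {
        size_t pos = 0;
        while (*buf != '\0' && *buf != '\n') {       /* copy one line */
            if (pos < MAX_LINE - 1) line[pos++] = *buf; /* drop excess bytes */
            buf++;
        }
        if (*buf == '\n') buf++;
        line[pos] = '\0';
        if (pos == 0) continue;                      /* empty line or \n at EOF */
        if (line[0] == ' ' || line[0] == '\t') {     /* folded continuation */
            const char *cont = line + strspn(line, " \t");
            if (n == 0 || *cont == '\0') continue;   /* nothing to fold into */
            append_bounded(out[n - 1].value, "\n");
            append_bounded(out[n - 1].value, cont);
            continue;
        }
        if (n >= max) break;
        size_t klen = strcspn(line, " \t");          /* key ends at first blank */
        memcpy(out[n].key, line, klen);
        out[n].key[klen] = '\0';
        out[n].value[0] = '\0';
        append_bounded(out[n].value, line + klen + strspn(line + klen, " \t"));
        n++;
    }
    return n;
}
```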
--- Begin Message ---
Source: netpbm-free
Source-Version: 2:10.0-11
We believe that the bug you reported is fixed in the latest version of
netpbm-free, which is due to be installed in the Debian FTP archive:
libnetpbm10-dev_10.0-11_amd64.deb
to pool/main/n/netpbm-free/libnetpbm10-dev_10.0-11_amd64.deb
libnetpbm10_10.0-11_amd64.deb
to pool/main/n/netpbm-free/libnetpbm10_10.0-11_amd64.deb
libnetpbm9-dev_10.0-11_amd64.deb
to pool/main/n/netpbm-free/libnetpbm9-dev_10.0-11_amd64.deb
libnetpbm9_10.0-11_amd64.deb
to pool/main/n/netpbm-free/libnetpbm9_10.0-11_amd64.deb
netpbm-free_10.0-11.diff.gz
to pool/main/n/netpbm-free/netpbm-free_10.0-11.diff.gz
netpbm-free_10.0-11.dsc
to pool/main/n/netpbm-free/netpbm-free_10.0-11.dsc
netpbm_10.0-11_amd64.deb
to pool/main/n/netpbm-free/netpbm_10.0-11_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Andreas Barth <[EMAIL PROTECTED]> (supplier of updated netpbm-free package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])
Format: 1.7
Date: Sat, 20 Jan 2007 08:15:53 +0000
Source: netpbm-free
Binary: libnetpbm10-dev netpbm libnetpbm9 libnetpbm9-dev libnetpbm10
Architecture: source amd64
Version: 2:10.0-11
Distribution: unstable
Urgency: high
Maintainer: Andreas Barth <[EMAIL PROTECTED]>
Changed-By: Andreas Barth <[EMAIL PROTECTED]>
Description:
libnetpbm10 - Shared libraries for netpbm
libnetpbm10-dev - Development libraries and header files
libnetpbm9 - Shared libraries for netpbm
libnetpbm9-dev - Development libraries and header files
netpbm - Graphics conversion tools
Closes: 352261 362983 407605
Changes:
netpbm-free (2:10.0-11) unstable; urgency=high
.
* Fix heap corruption in pnmtopng (no CVE yet),
thanks to Christoph Biedl for detection and the patch.
Closes: #407605
* Fix xwdtopnm on 64-bit systems. Thanks to Jim Paris for
detection and the patch. Closes: #352261
* Use current location of rgb.txt. Thanks to Roland Stigge.
Closes: #362983
--- End Message ---