Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 226969 - Buffer overflow in netpbm's pbmtomacp
Summary: Buffer overflow in netpbm's pbmtomacp
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: netpbm
Version: rawhide
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Jindrich Novy
QA Contact: Ben Levenson
URL:
Whiteboard: impact=none
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2007-02-02 11:59 UTC by Lubomir Kundrak
Modified: 2013-07-02 23:19 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-09-21 10:53:33 UTC


Attachments (Terms of Use)
No comment... (deleted)
2007-02-02 13:04 UTC, Jindrich Novy
no flags Details | Diff

Description Lubomir Kundrak 2007-02-02 11:59:25 UTC
Description of problem:

pbmtocap uses statically sized buffer to store the file name.
In converter/pbm/pbmtomacp.c it is declared as follows:

 41   char name[100];

And then a command line argument gets copied to it.

 90   { ifp = pm_openr( argv[argn] );
 91     strcpy( name, argv[argn] );

As on line 90 there is a check that the file can be opened, the
file must exist to trigger the bug. When the file name is more than
100 characters (less than filesystem's limit, so it can be succesfully
opened), the call to strcpy() result in stack overflow, that can cause
execution of arbitrary code (when certain circumstances are met).
This gets caught by FORTIFY_SOURCE.

Version-Release number of selected component (if applicable):

At least RHEL-5 and FC-6. The code seems to exists since middle 90's,
so all other releases are likely affected.

How reproducible:

Always.

Steps to Reproduce:

$ FILE=$(perl -e 'print "x" x 200')
$ touch $FILE
$ pbmtomacp $FILE
  
Actual results:

*** buffer overflow detected ***: pbmtomacp terminated

Expected results:

I expected that :)

Additional info:

This has no security implications, as is would need a victim to
voluntarily interact with the attack mechanism and all he would get
would be to execute commands as himself.

Comment 1 Jindrich Novy 2007-02-02 13:04:21 UTC
Created attachment 147217 [details]
No comment...

Comment 2 Lubomir Kundrak 2007-09-21 10:53:33 UTC
No need to fix this anywhere other than rawhide, and seems it's done so. Closing
this.


Note You need to log in before you can comment on or make changes to this bug.