Your message dated Thu, 24 May 2007 06:32:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#421582: fixed in libimager-perl 0.58-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libimager-perl
Version: 0.50-1
Severity: grave
Tags: security patch
Justification: user security hole

I'm the upstream maintainer for the Imager perl module.

The BMP reader in Imager 0.56 and earlier can cause a memory overflow
in a malloc()ed buffer when reading an 8-bit/pixel compressed image
where a literal or RLE run overflows the scan-line boundary.

This typically causes the program to exit with a glibc bug, but it may
also be possible to corrupt the memory arena in such a way as to
execute arbitrary code, though I don't see how.  At the very least
this could be a denial of service.

I've attached a patch that should apply to Imager 0.45 through 0.56
(with some fuzz).

I've released Imager 0.57 to CPAN which fixes this issue.

-- System Information:
Debian Release: 4.0
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-686
Locale: LANG=C, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages libimager-perl depends on:
ii  libc6                     2.3.6.ds1-13   GNU C Library: Shared libraries
ii  libfreetype6              2.2.1-5        FreeType 2 font engine, shared lib
ii  libjpeg62                 6b-13          The Independent JPEG Group's JPEG 
ii  libpng12-0                1.2.15~beta5-1 PNG library - runtime
ii  libt1-5                   5.1.0-2        Type 1 font rasterizer library - r
ii  libtiff4                  3.8.2-7        Tag Image File Format (TIFF) libra
ii  libungif4g                4.1.4-4        shared library for GIF images
ii  perl                      5.8.8-7        Larry Wall's Practical Extraction 
ii  perl-base [perlapi-5.8.8] 5.8.8-7        The Pathologically Eclectic Rubbis
ii  zlib1g                    1:1.2.3-13     compression library - runtime

libimager-perl recommends no packages.

-- no debconf information
Index: bmp.c
===================================================================
--- bmp.c	(revision 1210)
+++ bmp.c	(working copy)
@@ -916,6 +916,13 @@
         }
       }
       else if (packed[0]) {
+	if (x + packed[0] > xsize) {
+	  /* this file is corrupt */
+	  myfree(line);
+	  i_push_error(0, "invalid data during decompression");
+	  i_img_destroy(im);
+	  return NULL;
+	}
         line[0] = packed[1] >> 4;
         line[1] = packed[1] & 0x0F;
         for (i = 0; i < packed[0]; i += 2) {
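Review bot: The five-line error path added under `else if (packed[0])` is repeated line for line at the other three sites in this patch, so a later change to the cleanup has to be made four times. A shared cleanup label, or a small helper that does `myfree(line)`, `i_push_error(...)` and `i_img_destroy(im)` before returning NULL, would keep the exits from drifting apart. The added lines are also tab-indented while the surrounding context uses spaces.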
@@ -958,6 +965,13 @@
 
         default:
           count = packed[1];
+	  if (x + count > xsize) {
+	    /* this file is corrupt */
+	    myfree(line);
+	    i_push_error(0, "invalid data during decompression");
+	    i_img_destroy(im);
+	    return NULL;
+	  }
           size = (count + 1) / 2;
           read_size = (size+1) / 2 * 2;
           if (ig->readcb(ig, packed, read_size) != read_size) {
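Review bot: The new test after `count = packed[1]` bounds the literal run against xsize, but the read that follows still goes into `packed` with a read_size derived from count, and nothing in this hunk shows that `packed` can hold that many bytes. If packed[1] is a single byte, count can reach 255 and read_size 128; please confirm the buffer is sized for that, or add a check on read_size next to the `x + count > xsize` test.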
@@ -1113,6 +1127,13 @@
         }
       }
       if (packed[0]) {
+	if (x + packed[0] > xsize) {
+	  /* this file isn't incomplete, it's corrupt */
+	  myfree(line);
+	  i_push_error(0, "invalid data during decompression");
+	  i_img_destroy(im);
+	  return NULL;
+	}
         memset(line, packed[1], packed[0]);
         i_ppal(im, x, x+packed[0], y, line);
         x += packed[0];
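Review bot: The guard before `memset(line, packed[1], packed[0])` is only sufficient if line is at least xsize bytes long, and the allocation is not visible in this hunk. A short comment next to the check stating how line is sized relative to xsize would make that dependency explicit. The comment wording here ("this file isn't incomplete, it's corrupt") also differs from the 4-bit sites ("this file is corrupt"); one wording for all four would read better.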
@@ -1147,6 +1168,14 @@
 
         default:
           count = packed[1];
+	  if (x + count > xsize) {
+	    /* runs shouldn't cross a line boundary */
+	    /* this file isn't incomplete, it's corrupt */
+	    myfree(line);
+	    i_push_error(0, "invalid data during decompression");
+	    i_img_destroy(im);
+	    return NULL;
+	  }
           read_size = (count+1) / 2 * 2;
           if (ig->readcb(ig, line, read_size) != read_size) {
             myfree(line);
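Review bot: In the `default:` literal case the check admits x + count == xsize, yet `read_size = (count+1) / 2 * 2` rounds an odd count up by one and `ig->readcb(ig, line, read_size)` writes that pad byte into line as well. With x at 0 and an odd count equal to xsize the read is xsize + 1 bytes, so please confirm line is allocated with at least one spare byte beyond xsize, or read the pad byte separately. The two stacked comments could also be merged into one.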

--- End Message ---
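
The overflow described in the report above, as an added example (not code from Imager or from this thread): a stand-alone RLE8 scan-line decoder that applies the same bound as the patch to both encoded and literal runs. The function name, return codes and sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum { RLE_CORRUPT = -1, RLE_TRUNCATED = -2 };

/* Decode one RLE8 scan line from src[0..len) into line[0..xsize).
 * Returns the final x position, or a negative RLE_* code.
 * Hypothetical helper for illustration; not Imager's API. */
int rle8_decode_line(const unsigned char *src, size_t len,
                     unsigned char *line, size_t xsize)
{
    size_t pos = 0, x = 0;              /* invariant: x <= xsize */
    while (len - pos >= 2) {
        unsigned char n = src[pos], v = src[pos + 1];
        pos += 2;
        if (n) {                        /* encoded run: n copies of v */
            if (n > xsize - x) return RLE_CORRUPT;
            memset(line + x, v, n);
            x += n;
        } else if (v == 0 || v == 1) {  /* end of line / end of bitmap */
            return (int)x;
        } else if (v == 2) {            /* delta: dx, dy follow */
            if (len - pos < 2) return RLE_TRUNCATED;
            if (src[pos] > xsize - x) return RLE_CORRUPT;
            x += src[pos];
            if (src[pos + 1]) return (int)x;  /* moved to another line */
            pos += 2;
        } else {                        /* literal run: v raw bytes, even-padded */
            size_t padded = ((size_t)v + 1) / 2 * 2;
            if (v > xsize - x) return RLE_CORRUPT;
            if (padded > len - pos) return RLE_TRUNCATED;
            memcpy(line + x, src + pos, v);   /* pad byte is skipped, not stored */
            pos += padded;
            x += v;
        }
    }
    return RLE_TRUNCATED;               /* ran out of data before end-of-line */
}

/* Constructed samples: a well-formed line, and a run that crosses the boundary. */
static const unsigned char good[] = {3, 0xAA, 0, 3, 1, 2, 3, 0, 0, 0};
static const unsigned char bad_run[] = {5, 0xAA, 0, 0};

int main(void)
{
    unsigned char line[6] = {0};
    printf("good: %d\n", rle8_decode_line(good, sizeof good, line, 6));
    printf("bad:  %d\n", rle8_decode_line(bad_run, sizeof bad_run, line, 4));
    return 0;
}
```

Writing the comparison as `n > xsize - x` keeps the arithmetic from wrapping, and copying only `v` bytes of a literal run keeps the pad byte out of the line buffer.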
--- Begin Message ---
Source: libimager-perl
Source-Version: 0.58-1

We believe that the bug you reported is fixed in the latest version of
libimager-perl, which is due to be installed in the Debian FTP archive:

libimager-perl_0.58-1.diff.gz
  to pool/main/libi/libimager-perl/libimager-perl_0.58-1.diff.gz
libimager-perl_0.58-1.dsc
  to pool/main/libi/libimager-perl/libimager-perl_0.58-1.dsc
libimager-perl_0.58-1_i386.deb
  to pool/main/libi/libimager-perl/libimager-perl_0.58-1_i386.deb
libimager-perl_0.58.orig.tar.gz
  to pool/main/libi/libimager-perl/libimager-perl_0.58.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jay Bonci <[EMAIL PROTECTED]> (supplier of updated libimager-perl package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Thu, 24 May 2007 01:57:26 -0400
Source: libimager-perl
Binary: libimager-perl
Architecture: source i386
Version: 0.58-1
Distribution: unstable
Urgency: low
Maintainer: Jay Bonci <[EMAIL PROTECTED]>
Changed-By: Jay Bonci <[EMAIL PROTECTED]>
Description: 
 libimager-perl - Perl extension for Generating 24 bit Images
Closes: 421582
Changes: 
 libimager-perl (0.58-1) unstable; urgency=low
 .
   * New upstream release
   * Fixes CVE 2007-2413 and CVE 2007-2459 (Closes: #421582)
   * Adds zoso as co-maint
Files: 
 91fff6d741774ab24ef42918e146bb30 787 perl optional libimager-perl_0.58-1.dsc
 c953f53b2680a67dfbef743e77a230b0 849124 perl optional libimager-perl_0.58.orig.tar.gz
 24c17e901ce806c4159a0ba74450b260 5060 perl optional libimager-perl_0.58-1.diff.gz
 6a5af1e68da2eb69e44c70278281ae10 659524 perl optional libimager-perl_0.58-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGVTW7ZNh5D+C4st4RAmCqAJ9tR76LV6TVhsjZVB59uVU6SLwD1gCeL4rk
pCEK6ezNcnIJFUoikYDXf0U=
=Xm/N
-----END PGP SIGNATURE-----


--- End Message ---
