Hello, this is a copy of https://bugs.debian.org/985249 submitted by Wooseok Kang
----- Forwarded message from Wooseok Kang <[email protected]> ----- Date: Mon, 15 Mar 2021 12:08:01 +0900 From: Wooseok Kang <[email protected]> In libpano13, there is a format string vulnerability that can lead to read and write arbitrary memory values. The vulnerability starts in panoCroppingMain() in PTcommon.c. The program get 'outputPrefix' using getopt() at line 1829. 1829 case 'p': 1830 if (strlen(optarg) < MAX_PATH_LENGTH) { 1831 strcpy(outputPrefix, optarg); 1832 } else { 1833 PrintError("Illegal length for output prefix"); 1834 return -1; 1835 } 1836 break; Then 'outputPrefix' is passed to sprintf() in panoFileOutputNamesCreate() without sanitizing. This causes the format string bug which can crash the program. 1882 if (panoFileOutputNamesCreate(ptrOutputFiles, filesCount, outputPrefix) == 0) { 1883 return -1; 1884 } 2915 sprintf( outputFilename, outputPrefix, i ); (in file.c) There is a simple example of this vulnerability using tests/simpleTiff16/060520_3398.TIF. > PTcrop -p "%p.%p.%p.%p" -f ./060520_3398.TIF PTcrop Version 2.9.20 , by Daniel M German Output prefix 1 %p.%p.%p.%p Cropping 1 files Processing 0 reading ./060520_3398.TIF creating (nil).0x1c.0x78302e296c696e28.tif TIFFFetchNormalTag: Warning, Incorrect value for "RichTIFFIPTC"; tag ignored. Thank you. ----------------------------------------------------------------------- cu Andreas -- A list of frequently asked questions is available at: http://wiki.panotools.org/Hugin_FAQ --- You received this message because you are subscribed to the Google Groups "hugin and other free panoramic software" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/hugin-ptx/YE%2BWguG2bQc%2BjKi%2B%40argenau.bebt.de.
