Bug 226969

Summary: Buffer overflow in netpbm's pbmtomacp
Product: Fedora
Component: netpbm
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED RAWHIDE
Severity: low
Priority: low
Reporter: Lubomir Kundrak <lkundrak>
Assignee: Jindrich Novy <jnovy>
QA Contact: Ben Levenson <benl>
CC: pknirsch
Whiteboard: impact=none
Doc Type: Bug Fix
Last Closed: 2007-09-21 10:53:33 UTC
Attachments: "No comment..." (flags: none)

Description Lubomir Kundrak 2007-02-02 11:59:25 UTC
Description of problem:

pbmtomacp uses a statically sized buffer to store the file name.
In converter/pbm/pbmtomacp.c it is declared as follows:

 41   char name[100];

And then a command line argument gets copied to it.

 90   { ifp = pm_openr( argv[argn] );
 91     strcpy( name, argv[argn] );

As on line 90 there is a check that the file can be opened, the
file must exist to trigger the bug. When the file name is more than
100 characters (less than the filesystem's limit, so it can be successfully
opened), the call to strcpy() results in a stack overflow, which can cause
execution of arbitrary code (when certain circumstances are met).
This gets caught by FORTIFY_SOURCE.

Version-Release number of selected component (if applicable):

At least RHEL-5 and FC-6. The code seems to have existed since the mid-90s,
so all other releases are likely affected.

How reproducible:

Always.

Steps to Reproduce:

$ FILE=$(perl -e 'print "x" x 200')
$ touch $FILE
$ pbmtomacp $FILE
  
Actual results:

*** buffer overflow detected ***: pbmtomacp terminated

Expected results:

I expected that :)

Additional info:

This has no security implications, as it would need a victim to
voluntarily interact with the attack mechanism, and all he would get
would be to execute commands as himself.
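
The pattern described in the report, as an added example that is not netpbm's code and not the patch in attachment 147217 (whose contents are not shown here). It models the 100-byte stack buffer from pbmtomacp.c: vulnerable_copy() performs the same unbounded copy strcpy() would, but inside a single array with 8 sentinel bytes standing in for whatever the compiler placed after name[], so the demonstration stays defined behaviour and returns how many of those bytes the over-long argument clobbered. safe_copy() is one possible hardening (a hypothetical helper, not a function in netpbm): it rejects names that do not fit instead of truncating them silently. The 200-character name is constructed inline to match the perl one-liner in the reproduction steps.

```c
/* Added example modelling the pbmtomacp.c bug; not netpbm code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_SZ 100   /* same size as "char name[100]" in pbmtomacp.c */
#define TAIL_SZ 8     /* stand-in for data adjacent to name[] on the stack */

/* One array holding name[] plus its neighbours, so writes past NAME_SZ are
 * observable without corrupting the real stack. */
struct frame {
    char bytes[NAME_SZ + TAIL_SZ];
};

/* Vulnerable pattern (what "strcpy(name, argv[argn])" does): copy the whole
 * argument regardless of the buffer size. Returns the number of sentinel
 * bytes overwritten; 0 means the argument fit, >0 means it overflowed.
 * The cap to sizeof f->bytes exists only to keep the demo in bounds. */
int vulnerable_copy(struct frame *f, const char *arg)
{
    size_t n = strlen(arg) + 1;            /* bytes strcpy() would write */
    if (n > sizeof f->bytes)
        n = sizeof f->bytes;               /* demo guard, not part of the bug */

    memset(f->bytes + NAME_SZ, 0xAA, TAIL_SZ);   /* plant the sentinel */
    memcpy(f->bytes, arg, n);                    /* unbounded copy into name[] */

    int clobbered = 0;
    for (int i = 0; i < TAIL_SZ; i++)
        if ((unsigned char)f->bytes[NAME_SZ + i] != 0xAA)
            clobbered++;
    return clobbered;
}

/* Hypothetical hardened replacement: copy only if the name (plus NUL) fits,
 * otherwise return -1 so the caller can report an error. Rejecting beats
 * silent truncation, which would leave name[] naming a different file. */
int safe_copy(char *dst, size_t dstsz, const char *arg)
{
    size_t len = strlen(arg);
    if (len >= dstsz)
        return -1;                         /* no room for the terminating NUL */
    memcpy(dst, arg, len + 1);
    return 0;
}

/* Constructed input: n copies of 'x' followed by NUL (buf must hold n+1). */
void make_name(char *buf, size_t n)
{
    memset(buf, 'x', n);
    buf[n] = '\0';
}

int main(int argc, char **argv)
{
    /* Use the first argument if given, else the 200-'x' name from the report. */
    char big[201];
    make_name(big, 200);
    const char *arg = argc > 1 ? argv[1] : big;

    struct frame f;
    printf("strcpy-style copy: %d sentinel bytes clobbered\n",
           vulnerable_copy(&f, arg));

    char name[NAME_SZ];
    if (safe_copy(name, sizeof name, arg) != 0) {
        fprintf(stderr, "file name too long (max %d chars)\n", NAME_SZ - 1);
        return EXIT_FAILURE;
    }
    printf("bounded copy ok: %s\n", name);
    return EXIT_SUCCESS;
}
```

Run as `./a.out` to see the 200-character name clobber all 8 sentinel bytes and then be rejected by the bounded copy; `./a.out foo.pbm` passes both. The same length check could sit before pm_openr() in the real program, since the 100-byte buffer is the limit, not the filesystem's.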

Comment 1 Jindrich Novy 2007-02-02 13:04:21 UTC
Created attachment 147217 [details]
No comment...

Comment 2 Lubomir Kundrak 2007-09-21 10:53:33 UTC
No need to fix this anywhere other than rawhide, and it seems that's been done. Closing
this.