Bug 251674 (CVE-2007-2956)

Summary: CVE-2007-2956 Buffer overflow triggerable by crafted .hdr file
Product: Fedora
Reporter: Lubomir Kundrak <lkundrak>
Component: qtpfsgui
Assignee: Douglas E. Warner <silfreed>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: high
Version: 6
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: 1.8.12-1.fc7
Doc Type: Bug Fix
Last Closed: 2007-08-13 17:05:41 UTC

Description Lubomir Kundrak 2007-08-10 11:34:08 UTC
Description of problem:

Stefan Cornelius of Secunia discovered the following flaw:

Credit: Stefan Cornelius, Secunia Research
Upstream contacted: CCed to this email.
Disclosure date: As soon as the vendor releases a patch, or 22-08-2007.
Note that this may be changed if vendors or this list request it. 


-- Background --

Qtpfsgui:
"Qtpfsgui is an open source graphical user interface application that
aims to provide a workflow for HDR imaging."

pfstools:
"pfstools package is a set of command line (and one GUI) programs for
reading, writing, manipulating and viewing high-dynamic range (HDR) images
and video frames."

-- Details --

There is a boundary error in Qtpfsgui and pfstools when reading the
header of a Radiance RGBE (*.hdr) file within the "readRadianceHeader()"
function in src/fileformat/rgbeio.cpp (Qtpfsgui) or 
src/Fileformat/rgbeio.cpp (pfstools). 

---

  // image size
  char xbuf[4], ybuf[4];                                             [1]
  int rez = fscanf(file, "%s %d %s %d\n", ybuf, &height, xbuf, &width); [2]
  if( rez!=4 )                                                       [3]
  {
    throw pfs::Exception( "RGBE: unknown image size" );
  }

---

[1] Allocate space on the stack
[2] Read in data from the file without limiting the size
[3] Check return value of fscanf() and continue execution

Version-Release number of selected component (if applicable):

        Affects: FC7

Additional info:

This went public before the disclosure date proposed by Secunia, as it was
publicly committed into pfstools CVS [1] and Secunia agrees with calling this
public.

[1]
http://pfstools.cvs.sourceforge.net/pfstools/pfstools/src/fileformat/rgbeio.cpp?r1=1.8&r2=1.9
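
Hardened counterpart to the readRadianceHeader() snippet quoted above, written for this report as an illustration and not taken from the pfstools or Qtpfsgui fix: a field width on each %s bounds the write into the 4-byte token buffers, the scanf return value is acted on, and the orientation tokens and dimensions are checked before use. The "-Y <height> +X <width>" line layout, the orientation strings and the RGBE_MAX_DIM cap are assumptions of this example.

```c
#include <stdio.h>
#include <string.h>

/* Assumed upper bound on either dimension, so width*height cannot overflow
 * when the caller sizes its pixel buffer. */
#define RGBE_MAX_DIM 65536

/* Result of parsing the image-size line; ok == 0 means the line was
 * rejected and width/height must not be used. */
struct rgbe_size {
    int width;
    int height;
    int ok;
};

/* Same 4-byte token buffers as the original, but "%3s" tells scanf to
 * store at most 3 characters plus the terminating NUL, whatever the file
 * contains. An overlong token therefore leaves its tail in the input,
 * where the following "%d" fails to match and the line is rejected. */
struct rgbe_size parse_rgbe_size_line(const char *line)
{
    struct rgbe_size r = {0, 0, 0};
    char xbuf[4], ybuf[4];

    int rez = sscanf(line, "%3s %d %3s %d", ybuf, &r.height, xbuf, &r.width);
    if (rez != 4)
        return r;                /* short, malformed or overlong line */

    /* Assumed layout: a Y orientation token followed by an X orientation
     * token; anything else is not an image-size line we understand. */
    if (strcmp(ybuf, "-Y") != 0 && strcmp(ybuf, "+Y") != 0)
        return r;
    if (strcmp(xbuf, "-X") != 0 && strcmp(xbuf, "+X") != 0)
        return r;

    /* Dimensions drive later allocations: insist on sane positive values. */
    if (r.width <= 0 || r.height <= 0 ||
        r.width > RGBE_MAX_DIM || r.height > RGBE_MAX_DIM)
        return r;

    r.ok = 1;
    return r;
}
```

Reading from a FILE* works the same way with fscanf(file, "%3s %d %3s %d", ...); the point is that the width limit, not the buffer declaration, is what keeps the write in bounds.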

Comment 1 Lubomir Kundrak 2007-08-13 09:01:45 UTC
silfreed has submitted a new update for Fedora 7

================================================================================
  qtpfsgui-1.8.12-1.fc7
================================================================================
    Release: Fedora 7
     Status: pending
       Type: security
       Bugs: 251674 - CVE-2007-2956 Buffer overflow triggerable by crafted .hdr file
       CVEs: 2007-2956
  Submitter: silfreed
  Submitted: 2007-08-12 06:07:51

Comment 2 Fedora Update System 2007-08-13 17:05:35 UTC
qtpfsgui-1.8.12-1.fc7 has been pushed to the Fedora 7 stable repository.  If problems still persist, please make note of it in this bug report.