Bug 546580 (CVE-2009-4274)

Summary: CVE-2009-4274 netpbm: Stack-based buffer overflow by processing X PixMap image header fields
Product: [Other] Security Response
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Target Milestone: ---
Target Release: ---
Reporter: Jan Lieskovsky <jlieskov>
Assignee: Red Hat Product Security <security-response-team>
CC: bressers, jnovy, kreilly, psplicha, security-response-team, vdanen
Keywords: Security
Doc Type: Bug Fix
Clones: 567597
Last Closed: 2011-12-13 07:51:56 UTC
Bug Depends On: 563288, 567597, 760848, 760849, 760850
Bug Blocks: 580448
Attachments: Proposed patch (flags: none)

Description Jan Lieskovsky 2009-12-11 09:57:58 UTC
Marc Schoenefeld found a stack-based buffer overflow in
the way the netpbm graphics file format handling library
processed the content of header fields of X PixMap (XPM)
image files. A remote attacker could provide a specially-crafted
XPM image file and trick a local user into processing it,
which would lead to a denial of service (crash of the application
using the netpbm library) or, potentially, to execution of
arbitrary code with the privileges of that application.

Comment 3 Jan Lieskovsky 2009-12-11 10:27:45 UTC
This issue affects the versions of the netpbm package, as shipped with
Red Hat Enterprise Linux 3, 4, and 5.

This issue affects the versions of the netpbm package, as shipped with
Fedora release of 10, 11, and 12.

Comment 5 Jindrich Novy 2009-12-11 18:09:49 UTC
Created attachment 377777 [details]
Proposed patch

I have inspected the code and it looks like the next in the upstream thinko series. The attached patch should fix it.

Comment 6 Josh Bressers 2009-12-17 20:55:02 UTC
Jindrich,

I'd like to send this patch upstream, do you have a contact? I'm not interested in an embargo, but I don't want to make this public until they have a chance to apply the patch.

Thanks.

Comment 8 Vincent Danen 2010-02-09 03:03:05 UTC
This was corrected upstream in 10.47.07 on 20091229:

http://netpbm.svn.sourceforge.net/viewvc/netpbm/stable/converter/ppm/xpmtoppm.c?view=patch&r1=995&r2=1076&pathrev=1076

The upstream changelog contains:

xpmtoppm: fix wild pointer with color index > 127.

so it is unclear whether they were aware of the security implications of this issue.

I have assigned CVE-2009-4274 to this issue.
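
The two bug classes named on this page, a header field copied into a fixed-size stack buffer without a length check (the description in comment 1) and a colour key taken as a signed char and used as a table index, which is the "wild pointer with color index > 127" the upstream changelog describes (comment 8), are easy to see side by side in a small XPM3 header parser. The following is an added illustration written for this page; it is not netpbm's code, not the attached patch and not the upstream fix. The field size NAME_MAX_LEN, the 256-entry colour table (one character per pixel) and all function names are assumptions for the example. The XPM3 syntax it reads is the standard "<width> <height> <ncolors> <chars_per_pixel>" values line and "<key> c <colour>" colour lines.

```c
/* Illustrative XPM3 header parsing, vulnerable pattern beside hardened form.
 * Added example for this page; NOT netpbm's code or its patch. */
#include <errno.h>
#include <limits.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX_LEN 32      /* assumed fixed size of a colour-name field */
#define MAX_COLORS   256     /* one char per pixel -> at most 256 keys     */

struct xpm_header { unsigned long width, height, ncolors, cpp; };

/* Vulnerable pattern 1: unbounded copy of a header field into a fixed
 * stack buffer. A colour name of 32+ bytes runs past 'name' into the
 * saved frame. Shown for comparison only; never call it on attacker input. */
int colour_name_vulnerable(const char *field)
{
    char name[NAME_MAX_LEN];
    strcpy(name, field);                  /* no length check */
    return (int)strlen(name);
}

/* Vulnerable pattern 2: the one-byte colour key read as a signed char and
 * used as a table index. Bytes >= 0x80 become negative, so table[key]
 * points before the table: the "wild pointer with color index > 127"
 * class of bug. 'signed char' is explicit here so the example behaves the
 * same everywhere; plain 'char' is signed on x86 Linux. */
int colour_index_vulnerable(signed char key)
{
    return key;                           /* negative for bytes >= 0x80 */
}

/* Hardened: bounded copy, over-long field is an error, not an overflow. */
int colour_name_hardened(const char *field, char *out, size_t outsz)
{
    size_t n = strlen(field);
    if (n >= outsz) return -1;            /* would not fit with the NUL */
    memcpy(out, field, n + 1);
    return (int)n;
}

/* Hardened: the key is an unsigned byte, so the index is always 0..255. */
int colour_index_hardened(unsigned char key)
{
    return key;
}

/* Parse the values line with overflow and range checks instead of sscanf().
 * Returns 0 on success, -1 if any field is malformed or out of range. */
int parse_values_line(const char *line, struct xpm_header *h)
{
    unsigned long *f[4] = { &h->width, &h->height, &h->ncolors, &h->cpp };
    const char *p = line;
    for (int i = 0; i < 4; i++) {
        char *end;
        while (*p == ' ' || *p == '\t') p++;
        if (*p == '-') return -1;         /* strtoul would silently wrap this */
        errno = 0;
        unsigned long v = strtoul(p, &end, 10);
        if (end == p || errno == ERANGE) return -1;   /* no digits / overflow */
        *f[i] = v;
        p = end;
    }
    /* Reject what the fixed-size structures below cannot hold. */
    if (h->cpp != 1 || h->ncolors == 0 || h->ncolors > MAX_COLORS) return -1;
    if (h->width == 0 || h->height == 0) return -1;
    if (h->width > (unsigned long)INT_MAX / h->height) return -1;  /* w*h overflow */
    return 0;
}

/* Parse one colour line "<key> c <colour>" for chars_per_pixel == 1 into a
 * 256-entry table. Returns the slot used (0..255) or -1 on a bad line. */
int parse_colour_line(const char *line, char table[MAX_COLORS][NAME_MAX_LEN])
{
    if (line[0] == '\0' || line[1] != ' ') return -1;
    int idx = colour_index_hardened((unsigned char)line[0]);
    const char *p = line + 2;
    if (p[0] != 'c' || p[1] != ' ') return -1;   /* only the 'c' visual handled here */
    if (colour_name_hardened(p + 2, table[idx], NAME_MAX_LEN) < 0) return -1;
    return idx;
}
```

With this layout a key byte such as 0xC3 lands in slot 195 of the table, where the signed-char version would have produced index -61 and a read or write 61 entries before the table. The values-line parser rejects a negative or oversized field, and a colour count above what the table holds, before any per-colour data is touched, which is the check a fixed-size parser must make up front.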

Comment 12 Vincent Danen 2010-02-09 18:03:00 UTC
Notified the oss-security mailing list.

Comment 17 errata-xmlrpc 2011-12-12 21:08:30 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:1811 https://rhn.redhat.com/errata/RHSA-2011-1811.html

Comment 18 Vincent Danen 2011-12-13 15:50:49 UTC
Statement:

(none)