Bug 61788

Summary: netpbm contains multiple unsafe input handling errors
Product: [Retired] Red Hat Linux
Reporter: Alan Cox <alan>
Component: netpbm
Assignee: Phil Knirsch <pknirsch>
Status: CLOSED CURRENTRELEASE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: high
Version: 7.3
CC: kmaraas, rvokal, twaugh
Keywords: Security
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2003-04-02 23:19:25 UTC
Bug Blocks: 61901, 67218, 79579

Description Alan Cox 2002-03-24 16:26:01 UTC
NetPBM is pretty much in need of a complete from scratch rewrite to fix the
problems it has. Now (before 7.3) would be a very good time to drop it, since
imlib drops requirements/use of it in the 7.2 imlib errata

Comment 1 Michael Fulbright 2002-03-25 21:55:14 UTC
Is there any other program that can duplicate the commandline functionality of it?

Comment 2 Alan Cox 2002-03-25 22:51:22 UTC
Posting your root password to slashdot is about the equivalent functionality, or
do you mean image processing. On the image handling side ImageMagick does some
of it, and somewhat more safely

Basically netpbm is not supportable, if people install it from Bero's collection
or powertools or similar things fine, but if we had to fix the mess that netpbm
is then it probably represents multiple man weeks of engineering time.

We have it in the tree solely because in our early days package QA was a bit lax.


Comment 3 Alan Cox 2002-03-26 13:18:13 UTC
You honestly think the typical user uses or even knows what netpbm is - I'd
count you as very atypical. You are extremely brave if you use those tools on
anything that didn't come out of an app you personally trust to process those
image formats correctly.

We are not talking complex stuff here, we are talking beginning C programmer
errors. I'm also curious what features you use that imagemagick does not have?


Comment 4 Tim Waugh 2002-08-29 11:06:00 UTC
Er.. perhaps we should take out the 
/usr/share/printconf/mf_rules/mf50-netpbm_filters file then? 
 
# 
# netpbm magicfilter rules 
# 
/p[gbp]m/               pipe/postscript/        /usr/bin/pnmtops -quiet 
/gif/                   pipe/p[gbp]m/           /usr/bin/giftopnm 
/jpeg/                  pipe/p[gbp]m/           /usr/bin/djpeg -pnm 
/png/                   pipe/p[gbp]m/           /usr/bin/pngtopnm 
/TIFF image/            fpipe/p[gbp]m/          /usr/bin/tifftopnm $FILE 
/PC bitmap data/        pipe/p[gbp]m/           /usr/bin/bmptoppm 
/Sun raster image/      pipe/p[gbp]m/           /usr/bin/rasttopnm 
/SGI image data/        pipe/p[gbp]m/           /usr/bin/sgitopnm 
 
(These get run by the print spooler)
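
An added example, not part of the original thread: a small audit of the rules quoted in comment 4, listing which spooled file types are handed to netpbm programs and which remaining rules would be left without a consumer if the package were dropped. The `NETPBM_PROGS` set and the reading of the second column as the type the command emits are assumptions.

```python
import re

# Rules as posted in comment 4 (header comment lines omitted).
RULES = """\
/p[gbp]m/               pipe/postscript/        /usr/bin/pnmtops -quiet
/gif/                   pipe/p[gbp]m/           /usr/bin/giftopnm
/jpeg/                  pipe/p[gbp]m/           /usr/bin/djpeg -pnm
/png/                   pipe/p[gbp]m/           /usr/bin/pngtopnm
/TIFF image/            fpipe/p[gbp]m/          /usr/bin/tifftopnm $FILE
/PC bitmap data/        pipe/p[gbp]m/           /usr/bin/bmptoppm
/Sun raster image/      pipe/p[gbp]m/           /usr/bin/rasttopnm
/SGI image data/        pipe/p[gbp]m/           /usr/bin/sgitopnm
"""

# Assumption: programs shipped by the netpbm package. On a real host, build
# this set from the package manager instead of hard-coding it.
NETPBM_PROGS = {"pnmtops", "giftopnm", "pngtopnm", "tifftopnm",
                "bmptoppm", "rasttopnm", "sgitopnm"}

# Layout: /match/  pipe|fpipe/output-type/  command [args]
RULE_RE = re.compile(r"^/(.+?)/\s+(f?pipe)/(.+?)/\s+(\S+)\s*(.*)$")

def parse_rules(text):
    """Return one dict per rule line; comments and blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised rule: {line!r}")
        match, action, out, cmd, args = m.groups()
        rules.append({"match": match, "action": action, "out": out,
                      "prog": cmd.rsplit("/", 1)[-1], "args": args})
    return rules

def audit(rules, package_progs):
    """Return (rules running a packaged program, kept rules with no consumer)."""
    exposed = [r for r in rules if r["prog"] in package_progs]
    kept = [r for r in rules if r["prog"] not in package_progs]
    consumed = {r["match"] for r in kept}
    dead_ends = [r for r in kept
                 if r["out"] != "postscript" and r["out"] not in consumed]
    return exposed, dead_ends

if __name__ == "__main__":
    exposed, dead_ends = audit(parse_rules(RULES), NETPBM_PROGS)
    print("parsed by netpbm:", [r["match"] for r in exposed])
    print("left without a consumer:", [r["match"] for r in dead_ends])
```

The `/jpeg/` rule runs `djpeg`, which is not in the assumed netpbm set, but its output type is only consumed by the `pnmtops` rule, so it shows up as a dead end once the netpbm rules are removed.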

Comment 5 Kjartan Maraas 2003-04-02 22:57:53 UTC
This was done for 8.0? or 9?

Comment 6 Kjartan Maraas 2003-04-02 23:03:42 UTC
9 it seems. Is it still as horrible as it was? The package seems to have had ten
releases since the 7.2 one at least...