Bug 1629985 - mgetty: Out-of-bound access in putwhitespan() function g3/g32pbm.c
Summary: mgetty: Out-of-bound access in putwhitespan() function g3/g32pbm.c
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1629986
Blocks: 1629987
TreeView+ depends on / blocked
 
Reported: 2018-09-17 17:50 UTC by Pedro Sampaio
Modified: 2019-09-29 14:58 UTC (History)
8 users (show)

Fixed In Version: mgetty 1.2.1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-22 09:49:42 UTC
Embargoed:


Attachments (Terms of Use)
upstream patch (535 bytes, patch)
2018-09-24 08:48 UTC, Riccardo Schirone
no flags Details | Diff

Description Pedro Sampaio 2018-09-17 17:50:29 UTC
When converting pbm files using g3/pbm2g3.c, out of bounds accesses can occur with malformed input files in putwhitespan().

References:

https://www.x41-dsec.de/lab/advisories/x41-2018-007-mgetty

Comment 1 Pedro Sampaio 2018-09-17 17:50:58 UTC
Created mgetty tracking bugs for this issue:

Affects: fedora-all [bug 1629986]

Comment 2 Riccardo Schirone 2018-09-24 08:44:32 UTC
The main function in g3/pbm2g3.c does not check whether `xsize` and `ysize` variables are negative, which result in an out-of-bounds read in putwhitespan() when called from convert_pbm().

Comment 3 Riccardo Schirone 2018-09-24 08:48:34 UTC
Created attachment 1486347 [details]
upstream patch

This patch was extracted from mgetty-1.2.1.

Comment 4 Riccardo Schirone 2018-10-22 09:49:42 UTC
Closing as NOTABUG as it was not deemed to be CVE-worthy.

Comment 5 Fedora Update System 2019-02-27 01:15:33 UTC
mgetty-1.1.37-10.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Fedora Update System 2019-02-27 03:28:23 UTC
mgetty-1.1.37-11.fc29 has been pushed to the Fedora 29 stable repository. If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.