Bug 226969 - Buffer overflow in netpbm's pbmtomacp
Product: Fedora
Classification: Fedora
Component: netpbm
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: Jindrich Novy
QA Contact: Ben Levenson
Reported: 2007-02-02 06:59 EST by Lubomir Kundrak
Modified: 2013-07-02 19:19 EDT (History)

Doc Type: Bug Fix
Last Closed: 2007-09-21 06:53:33 EDT

Attachments
No comment... (574 bytes, patch), 2007-02-02 08:04 EST, Jindrich Novy

Description Lubomir Kundrak 2007-02-02 06:59:25 EST
Description of problem:

pbmtomacp uses a statically sized buffer to store the file name.
In converter/pbm/pbmtomacp.c it is declared as follows:

 41   char name[100];

And then a command line argument gets copied to it.

 90   { ifp = pm_openr( argv[argn] );
 91     strcpy( name, argv[argn] );

As on line 90 there is a check that the file can be opened, the
file must exist to trigger the bug. When the file name is more than
100 characters (less than the filesystem's limit, so it can be successfully
opened), the call to strcpy() results in a stack overflow, which can cause
execution of arbitrary code (when certain circumstances are met).
This gets caught by FORTIFY_SOURCE.

Version-Release number of selected component (if applicable):

At least RHEL-5 and FC-6. The code seems to have existed since the mid-90s,
so all other releases are likely affected.

How reproducible:


Steps to Reproduce:

$ FILE=$(perl -e 'print "x" x 200')
$ touch $FILE
$ pbmtomacp $FILE
Actual results:

*** buffer overflow detected ***: pbmtomacp terminated

Expected results:

I expected that :)

Additional info:

This has no security implications, as it would need a victim to
voluntarily interact with the attack mechanism, and all he would get
would be to execute commands as himself.
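The pattern the report describes, reduced to a stand-alone C program (added example, not netpbm code and not the attached patch): the unchecked strcpy() into a fixed 100-byte buffer, next to two ways of closing it, a length check that rejects names that do not fit, and a heap copy sized to the input. NAME_CAP mirrors the "char name[100]" in the report; make_name() builds the 200-character test name from the reproduction steps; all other function names are illustrative.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors "char name[100]" from converter/pbm/pbmtomacp.c. */
#define NAME_CAP 100

/* Constructed test input: a file name of n 'x' characters, like the
 * perl one-liner in the reproduction steps. Caller frees. */
char *make_name(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return NULL;
    memset(s, 'x', n);
    s[n] = '\0';
    return s;
}

/* Returns 1 if arg plus its terminating NUL fits in a buffer of cap
 * bytes, 0 otherwise. This is the check missing before the strcpy()
 * on line 91 of the reported source. */
int name_fits(const char *arg, size_t cap)
{
    return strlen(arg) < cap;
}

/* The reported pattern: an unchecked strcpy() into a fixed buffer.
 * Any arg with strlen(arg) >= NAME_CAP writes past the end of name[]
 * (a 100-character name overflows by exactly the NUL byte). Kept only
 * to show the bug beside the fixes; never call it on untrusted input. */
void copy_name_unsafe(char name[NAME_CAP], const char *arg)
{
    strcpy(name, arg);
}

/* Fix 1: keep the fixed buffer but refuse input that does not fit.
 * Rejecting is preferable to truncating, since a silently shortened
 * file name would refer to a different file. Returns 0 on success,
 * -1 if rejected (dst is then the empty string). */
int copy_name_checked(char *dst, size_t cap, const char *arg)
{
    if (cap == 0)
        return -1;
    if (!name_fits(arg, cap)) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, arg, strlen(arg) + 1);
    return 0;
}

/* Fix 2: drop the fixed buffer and size the copy to the input
 * (a hand-rolled strdup so the example needs no POSIX declarations).
 * Returns NULL on allocation failure; caller frees. */
char *dup_name(const char *arg)
{
    size_t len = strlen(arg) + 1;
    char *copy = malloc(len);
    if (copy != NULL)
        memcpy(copy, arg, len);
    return copy;
}

int main(int argc, char **argv)
{
    /* Default to the 200-character name from the reproduction steps
     * when no argument is given. */
    char *constructed = make_name(200);
    if (constructed == NULL)
        return 1;
    const char *arg = (argc > 1) ? argv[1] : constructed;
    char name[NAME_CAP];

    if (copy_name_checked(name, sizeof name, arg) == 0)
        printf("accepted: %s\n", name);
    else
        printf("rejected: name is %zu bytes, buffer holds at most %d\n",
               strlen(arg), NAME_CAP - 1);

    char *heap_name = dup_name(arg);
    if (heap_name != NULL) {
        printf("heap copy of %zu bytes needs no fixed limit\n",
               strlen(heap_name));
        free(heap_name);
    }
    free(constructed);
    return 0;
}
```

Run with no arguments to see the 200-character name rejected, or pass a file name to check it against the same 100-byte limit; the heap copy shows that the limit was never inherent to the task, only to the buffer.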
Comment 1 Jindrich Novy 2007-02-02 08:04:21 EST
Created attachment 147217 [details]
No comment...
Comment 2 Lubomir Kundrak 2007-09-21 06:53:33 EDT
No need to fix this anywhere other than rawhide, and it seems that's done. Closing.
