Description of problem:
pbmtomacp uses a statically sized buffer to store the file name. In converter/pbm/pbmtomacp.c it is declared as follows:

    41 char name[100];

And then a command line argument gets copied to it:

    90 { ifp = pm_openr( argv[argn] );
    91 strcpy( name, argv[argn] );

As on line 90 there is a check that the file can be opened, the file must exist to trigger the bug. When the file name is more than 100 characters (less than the filesystem's limit, so it can be successfully opened), the call to strcpy() results in a stack overflow that can cause execution of arbitrary code (when certain circumstances are met). This gets caught by FORTIFY_SOURCE.

Version-Release number of selected component (if applicable):
At least RHEL-5 and FC-6. The code seems to exist since the middle 90's, so all other releases are likely affected.

How reproducible:
Always.

Steps to Reproduce:
$ FILE=$(perl -e 'print "x" x 200')
$ touch $FILE
$ pbmtomacp $FILE

Actual results:
*** buffer overflow detected ***: pbmtomacp terminated

Expected results:
I expected that :)

Additional info:
This has no security implications, as it would need a victim to voluntarily interact with the attack mechanism and all he would get would be to execute commands as himself.
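The defect described above is an unbounded strcpy() of argv[] into a fixed 100-byte stack array. The following is an added example, not code from the netpbm project or from the report, showing the two usual ways to close that hole: a length-checked copy into the same fixed buffer that rejects over-long names, and a heap duplicate that removes the fixed limit altogether. The function names copy_name_checked, dup_name and name_overflows are hypothetical, and the 200-character input is constructed to match the report's reproduction step.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same fixed-size buffer the report describes (char name[100]). */
#define NAME_BUFSZ 100

/* Hypothetical hardened replacement for the unbounded strcpy():
 * refuse any name that, with its NUL terminator, does not fit in dst.
 * Returns 0 on success, -1 if the name is too long (dst is then left
 * as an empty string so a caller cannot use stale contents). */
static int copy_name_checked(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (dstsz == 0)
        return -1;
    if (len >= dstsz) {          /* need room for the NUL as well */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Alternative: drop the fixed buffer and duplicate the argument on the
 * heap, sized from the actual string. Caller frees. NULL on allocation
 * failure. */
static char *dup_name(const char *src)
{
    size_t len = strlen(src);
    char *p = malloc(len + 1);
    if (p == NULL)
        return NULL;
    memcpy(p, src, len + 1);
    return p;
}

/* Returns 1 if a name of the given length would overflow NAME_BUFSZ
 * (the situation the report triggers with a 200-character file name). */
static int name_overflows(size_t namelen)
{
    return namelen + 1 > NAME_BUFSZ;
}

int main(int argc, char **argv)
{
    char name[NAME_BUFSZ];
    char constructed[201];
    const char *arg;

    /* Constructed input standing in for $(perl -e 'print "x" x 200'). */
    memset(constructed, 'x', 200);
    constructed[200] = '\0';
    arg = (argc > 1) ? argv[1] : constructed;

    if (copy_name_checked(name, sizeof name, arg) != 0) {
        fprintf(stderr, "file name too long (%zu chars, limit %d)\n",
                strlen(arg), NAME_BUFSZ - 1);
        return 1;
    }
    printf("using name: %s\n", name);
    return 0;
}
```

Run with no arguments it feeds itself the constructed 200-character name and exits with an error instead of corrupting the stack; with a short argument it prints the name. The bounded copy is the minimal in-place fix; dup_name is what you would reach for if the buffer's size has no real justification, which the report's "100" suggests.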
Created attachment 147217
No comment...
No need to fix this anywhere other than rawhide, and seems it's done so. Closing this.