Bug 226969 - Buffer overflow in netpbm's pbmtomacp
Summary: Buffer overflow in netpbm's pbmtomacp
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: netpbm
Version: rawhide
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Jindrich Novy
QA Contact: Ben Levenson
URL:
Whiteboard: impact=none
Depends On:
Blocks:
 
Reported: 2007-02-02 11:59 UTC by Lubomir Kundrak
Modified: 2013-07-02 23:19 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-09-21 10:53:33 UTC
Type: ---
Embargoed:


Attachments
No comment... (574 bytes, patch), 2007-02-02 13:04 UTC, Jindrich Novy

Description Lubomir Kundrak 2007-02-02 11:59:25 UTC
Description of problem:

pbmtomacp uses a statically sized buffer to store the file name.
In converter/pbm/pbmtomacp.c it is declared as follows:

 41   char name[100];

And then a command line argument gets copied to it.

 90   { ifp = pm_openr( argv[argn] );
 91     strcpy( name, argv[argn] );

As on line 90 there is a check that the file can be opened, the
file must exist to trigger the bug. When the file name is more than
100 characters (less than the filesystem's limit, so it can be successfully
opened), the call to strcpy() results in a stack overflow, which can cause
execution of arbitrary code (when certain circumstances are met).
This gets caught by FORTIFY_SOURCE.

Version-Release number of selected component (if applicable):

At least RHEL-5 and FC-6. The code seems to have existed since the mid-90s,
so all other releases are likely affected.

How reproducible:

Always.

Steps to Reproduce:

$ FILE=$(perl -e 'print "x" x 200')
$ touch $FILE
$ pbmtomacp $FILE
  
Actual results:

*** buffer overflow detected ***: pbmtomacp terminated

Expected results:

I expected that :)

Additional info:

This has no security implications, as it would need a victim to
voluntarily interact with the attack mechanism and all he would get
would be to execute commands as himself.
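The following is an added example written for this page; it is neither netpbm's code nor the attached patch. It reproduces the pattern the report describes (an unconditional strcpy() into a 100-byte stack buffer, so any argument of 100 bytes or more, counting the terminating NUL, overflows) next to a hardened variant that checks the length before copying and rejects oversize names. The function names, the NAME_BUF constant and the generated "x" * N names are assumptions made for the example; the 200-character name mirrors the report's perl reproducer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same size as the `char name[100]` declared in converter/pbm/pbmtomacp.c. */
#define NAME_BUF 100

/* The pattern the report describes: strcpy() with no length check.
 * Any argument of NAME_BUF or more bytes writes past `name` (with
 * FORTIFY_SOURCE this aborts with "buffer overflow detected"). Kept
 * for comparison only; this example never calls it with a long name. */
static size_t copy_name_unchecked(const char *arg)
{
    char name[NAME_BUF];
    strcpy(name, arg);          /* overflow when strlen(arg) >= NAME_BUF */
    return strlen(name);
}

/* Hardened variant (editor's example, not netpbm's fix): verify that the
 * string plus its NUL fits before copying, and refuse it otherwise.
 * Returns 0 on success, -1 when the name was rejected. */
int copy_name_checked(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)             /* n bytes + NUL must fit in dstsz */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* The check a program should perform at argument-parsing time before
 * the name reaches a fixed buffer. 1 = fits, 0 = would overflow. */
int name_fits(const char *arg)
{
    return strlen(arg) < NAME_BUF;
}

/* Constructed input: a name of `len` 'x' characters, like the reproducer's
 * perl -e 'print "x" x 200'. Returns copy_name_checked()'s verdict for it,
 * so the boundary (99 fits, 100 does not) can be checked directly. */
int boundary_check(size_t len)
{
    char src[256];
    char dst[NAME_BUF];

    if (len > sizeof src - 1)
        len = sizeof src - 1;
    memset(src, 'x', len);
    src[len] = '\0';
    return copy_name_checked(dst, sizeof dst, src);
}

int main(void)
{
    size_t lens[] = { 7, 99, 100, 200 };
    size_t i;

    printf("unchecked copy of short name: %zu bytes\n",
           copy_name_unchecked("foo.pbm"));
    for (i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("name of %3zu chars: %s\n", lens[i],
               boundary_check(lens[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Rejecting the argument is preferable to silently truncating it with strncpy() or snprintf(): pm_openr() has already opened the full path, so a truncated copy would refer to a different (or nonexistent) file name than the one actually opened.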

Comment 1 Jindrich Novy 2007-02-02 13:04:21 UTC
Created attachment 147217 [details]
No comment...

Comment 2 Lubomir Kundrak 2007-09-21 10:53:33 UTC
No need to fix this anywhere other than rawhide, and seems it's done so. Closing
this.

