Description of problem:

Stefan Cornelius of Secunia discovered the following flaw:

Credit: Stefan Cornelius, Secunia Research
Upstream contacted: CCed to this email.
Disclosure date: As soon as the vendor releases a patch, or 22-08-2007. Note that this may be changed if vendors or this list request it.

-- Background --

Qtpfsgui: "Qtpfsgui is an open source graphical user interface application that aims to provide a workflow for HDR imaging."

pfstools: "pfstools package is a set of command line (and one GUI) programs for reading, writing, manipulating and viewing high-dynamic range (HDR) images and video frames."

-- Details --

There is a boundary error in Qtpfsgui and pfstools when reading the header of a Radiance RGBE (*.hdr) file within the "readRadianceHeader()" function in src/fileformat/rgbeio.cpp (Qtpfsgui) or src/Fileformat/rgbeio.cpp (pfstools).

---
  // image size
  char xbuf[4], ybuf[4];                                                 [1]
  int rez = fscanf(file, "%s %d %s %d\n", ybuf, &height, xbuf, &width);  [2]
  if( rez!=4 )                                                           [3]
  {
    throw pfs::Exception( "RGBE: unknown image size" );
  }
---

[1] Allocate space on the stack
[2] Read in data from the file without limiting the size
[3] Check return value of fscanf() and continue execution

Version-Release number of selected component (if applicable):
Affects: FC7

Additional info:
This went public before the disclosure date proposed by Secunia, as it was publicly committed into pfstools CVS [1] and Secunia agrees with calling this public.

[1] http://pfstools.cvs.sourceforge.net/pfstools/pfstools/src/fileformat/rgbeio.cpp?r1=1.8&r2=1.9
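The defect in the snippet above is the unbounded "%s" conversion writing into a 4-byte stack array; the return-value check at [3] only verifies that four fields were converted, not that they fitted. The following is an added example written for this report, not the pfstools or Qtpfsgui code and not the upstream CVS r1.9 fix, showing how a bounded header reader for the Radiance resolution line would look. The function names (parse_radiance_size, read_radiance_size and the radiance_width/radiance_height wrappers), the RGBE_MAX_DIM limit and the sample lines are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Upper bound on either dimension; constructed for this example. A real
   reader picks a value that keeps width * height * bytes_per_pixel from
   overflowing the integer type used for its pixel-buffer allocation. */
#define RGBE_MAX_DIM 32768

/* Parse one Radiance resolution line such as "-Y 512 +X 768".
   Returns 0 and fills *width / *height on success, -1 on any malformed input.
   The orientation tokens are two characters, so they are read with "%2s" into
   3-byte arrays: scanf then stores at most 2 characters plus the NUL, and an
   overlong token simply makes the following "%5d" fail instead of overrunning
   the buffer as the unbounded "%s" in the report does. "%5d" likewise caps the
   digit count so the converted value cannot overflow an int. */
int parse_radiance_size(const char *line, int *width, int *height)
{
    char ybuf[3] = {0}, xbuf[3] = {0};
    int h = 0, w = 0;

    if (line == NULL || width == NULL || height == NULL)
        return -1;
    if (sscanf(line, "%2s %5d %2s %5d", ybuf, &h, xbuf, &w) != 4)
        return -1;
    /* Only the standard "-Y <h> +X <w>" orientation is accepted here. */
    if (strcmp(ybuf, "-Y") != 0 || strcmp(xbuf, "+X") != 0)
        return -1;
    /* Reject zero, negative and absurdly large sizes before they reach any
       allocation arithmetic later in the reader. */
    if (h <= 0 || w <= 0 || h > RGBE_MAX_DIM || w > RGBE_MAX_DIM)
        return -1;
    *height = h;
    *width = w;
    return 0;
}

/* Stream variant: read the line into a fixed buffer first, so the parser
   never sees more than sizeof(line) - 1 bytes. A line that did not fit (no
   newline present) is rejected rather than silently truncated. */
int read_radiance_size(FILE *file, int *width, int *height)
{
    char line[64];

    if (file == NULL || fgets(line, sizeof line, file) == NULL)
        return -1;
    if (strchr(line, '\n') == NULL)
        return -1;
    return parse_radiance_size(line, width, height);
}

/* Convenience wrappers: the parsed dimension, or -1 if the line is rejected. */
int radiance_width(const char *line)
{
    int w = 0, h = 0;
    return parse_radiance_size(line, &w, &h) == 0 ? w : -1;
}

int radiance_height(const char *line)
{
    int w = 0, h = 0;
    return parse_radiance_size(line, &w, &h) == 0 ? h : -1;
}

int main(void)
{
    /* Constructed sample header lines: one well-formed, one with an overlong
       orientation token of the kind the unbounded "%s" would copy verbatim. */
    const char *good = "-Y 512 +X 768\n";
    const char *overlong = "-YAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 512 +X 768\n";

    printf("good:     width=%d height=%d\n", radiance_width(good), radiance_height(good));
    printf("overlong: width=%d height=%d\n", radiance_width(overlong), radiance_height(overlong));
    return 0;
}
```

The bounded conversions are what close the overflow; the orientation and range checks are the extra validation a header parser wants anyway, since a hostile size that passes fscanf() unchanged is the next thing that will reach an allocator.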
silfreed has submitted a new update for Fedora 7

================================================================================
 qtpfsgui-1.8.12-1.fc7
================================================================================
   Release: Fedora 7
    Status: pending
      Type: security
      Bugs: 251674 - CVE-2007-2956 Buffer overflow triggerable by crafted .hdr file
      CVEs: 2007-2956
 Submitter: silfreed
 Submitted: 2007-08-12 06:07:51
qtpfsgui-1.8.12-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.