Red Hat Bugzilla – Bug 251674
CVE-2007-2956 Buffer overflow triggerable by crafted .hdr file
Last modified: 2007-11-30 17:12:12 EST
Description of problem:
Stefan Cornelius of Secunia discovered the following flaw:
Credit: Stefan Cornelius, Secunia Research
Upstream contacted: CCed to this email.
Disclosure date: As soon as the vendor releases a patch, or 22-08-2007.
Note that this may be changed if vendors or this list request it.
-- Background --
"Qtpfsgui is an open source graphical user interface application that
aims to provide a workflow for HDR imaging."
"pfstools package is a set of command line (and one GUI) programs for
reading, writing, manipulating and viewing high-dynamic range (HDR) images
and video frames."
-- Details --
There is a boundary error in Qtpfsgui and pfstools when reading the
header of a Radiance RGBE (*.hdr) file within the "readRadianceHeader()"
function in src/fileformat/rgbeio.cpp (Qtpfsgui) or
// image size
char xbuf[4], ybuf[4];   // fixed-size buffers on the stack (4 bytes each, as in upstream)
int rez = fscanf(file, "%s %d %s %d\n", ybuf, &height, xbuf, &width);   // "%s" carries no width limit, so a long token overruns ybuf/xbuf
if( rez!=4 )
  throw pfs::Exception( "RGBE: unknown image size" );
- Allocate space on the stack
- Read in data from the file without limiting the size
- Check return value of fscanf() and continue execution
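The following is an added example, not code from pfstools, Qtpfsgui or the Secunia advisory, showing how the size-line parse above is hardened: the "%s" conversions get an explicit width ("%3s") so they can never write past the 4-byte stack buffers, the line is read with a bounded fgets() instead of an unbounded fscanf(), and the orientation tokens and dimensions are validated before use. The function names parse_radiance_size() and read_radiance_size() are hypothetical helpers, and CRAFTED_SIZE_LINE is a constructed test input (a "-Y" token padded far beyond the buffer), not a real exploit file.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() in the stand-alone demo */
#include <limits.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed crafted size line (not taken from any real exploit): the "-Y"
 * orientation token is padded far past the 4-byte buffer the original code
 * scans it into with an unbounded "%s".
 */
static const char CRAFTED_SIZE_LINE[] =
    "-Y" "YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY"
         "YYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYYY"
    " 768 +X 1024\n";

/*
 * Parse one Radiance size line of the form "<sign>Y <height> <sign>X <width>"
 * (the orientation pfstools assumes).  Returns 1 on success, 0 on a malformed
 * line.  Hypothetical helper, not the project's own function.
 */
int parse_radiance_size(const char *line, int *width, int *height)
{
    char ybuf[4], xbuf[4];      /* same size as the original stack buffers */
    int h = 0, w = 0;

    /* "%3s" stops after 3 bytes, leaving room for the NUL; the original "%s"
     * had no limit and let a long token run off the end of the buffer. */
    int rez = sscanf(line, "%3s %d %3s %d", ybuf, &h, xbuf, &w);
    if (rez != 4)
        return 0;

    /* Each orientation token must be exactly a sign plus the expected axis. */
    if (strlen(ybuf) != 2 || (ybuf[0] != '-' && ybuf[0] != '+') || ybuf[1] != 'Y')
        return 0;
    if (strlen(xbuf) != 2 || (xbuf[0] != '-' && xbuf[0] != '+') || xbuf[1] != 'X')
        return 0;

    /* Reject sizes that are non-positive or whose pixel count would overflow
     * the int arithmetic a caller typically uses to size the pixel buffer. */
    if (h <= 0 || w <= 0 || (long long)h * (long long)w > INT_MAX)
        return 0;

    *width = w;
    *height = h;
    return 1;
}

/*
 * FILE-based wrapper mirroring readRadianceHeader()'s call site: the line is
 * read with a bounded fgets() instead of an unbounded fscanf(), and a line
 * that does not fit (no newline seen) is rejected rather than truncated.
 */
int read_radiance_size(FILE *file, int *width, int *height)
{
    char line[64];
    if (fgets(line, sizeof line, file) == NULL)
        return 0;
    if (strchr(line, '\n') == NULL)
        return 0;
    return parse_radiance_size(line, width, height);
}

int main(void)
{
    const char *inputs[] = { "-Y 768 +X 1024\n", CRAFTED_SIZE_LINE };
    for (size_t i = 0; i < 2; i++) {
        int w = 0, h = 0;
        FILE *f = fmemopen((void *)inputs[i], strlen(inputs[i]), "r");
        int ok = f ? read_radiance_size(f, &w, &h) : 0;
        if (f)
            fclose(f);
        printf("%-12.12s... -> %s (%dx%d)\n", inputs[i],
               ok ? "accepted" : "rejected", w, h);
    }
    return 0;
}
```

With "%3s", the crafted token is cut to "-YY" and the following "%d" fails on the next 'Y', so fscanf/sscanf returns 1 and the caller takes the existing rez != 4 error path instead of continuing with smashed stack memory. The separate fgets() step is a belt-and-braces measure: it bounds how much header data is consulted at all and rejects over-long lines before any conversion runs.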
Version-Release number of selected component (if applicable):
This went public before the disclosure date proposed by Secunia, as it was
publicly committed into pfstools CVS and Secunia agrees with calling this
silfreed has submitted a new update for Fedora 7
Release: Fedora 7
Bugs: 251674 - CVE-2007-2956 Buffer overflow triggerable by crafted .hdr file
Submitted: 2007-08-12 06:07:51
qtpfsgui-1.8.12-1.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.