Marc Schoenefeld found a stack-based buffer overflow in the way the netpbm graphics file format handling library processed the content of header fields of X PixMap (XPM) image files. A remote attacker could provide a specially crafted XPM image file and trick a local user into processing it, which would lead to a denial of service (crash of the application using the netpbm library) or, potentially, to execution of arbitrary code with the privileges of that application.
This issue affects the versions of the netpbm package as shipped with Red Hat Enterprise Linux 3, 4, and 5. This issue affects the versions of the netpbm package as shipped with Fedora releases 10, 11, and 12.
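The description above concerns header-field parsing that writes into fixed-size storage, and the upstream changelog quoted later in this report points at a colour index above 127 being misread. The following C code is an added illustration of the defensive pattern, not netpbm's own code: it parses the XPM "values" line and colour-table lines against caller-declared limits, keeps the colour index unsigned and range-checked, and bounds every copy. The limits `XPM_MAX_COLORS`, `XPM_MAX_CPP` and `XPM_MAX_NAME`, the struct names and the sample lines in `main` are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Limits chosen for this example; they are not netpbm's values. */
#define XPM_MAX_COLORS 256
#define XPM_MAX_CPP    2
#define XPM_MAX_NAME   63

struct xpm_values { unsigned width, height, ncolors, cpp; };

struct xpm_color {
    char chars[XPM_MAX_CPP + 1];  /* the cpp characters naming this colour */
    char name[XPM_MAX_NAME + 1];  /* colour value, e.g. "#FF0000" or "None" */
};

/* Parse "<width> <height> <ncolors> <cpp>". Returns 0 on success, -1 on
 * anything malformed or outside the limits the fixed tables can hold. */
int xpm_parse_values(const char *line, struct xpm_values *v)
{
    unsigned long w, h, n, c;
    if (!line || !v) return -1;
    if (sscanf(line, "%lu %lu %lu %lu", &w, &h, &n, &c) != 4) return -1;
    if (w == 0 || h == 0 || w > 65535 || h > 65535) return -1;
    if (n == 0 || n > XPM_MAX_COLORS) return -1;  /* colour table capacity */
    if (c == 0 || c > XPM_MAX_CPP) return -1;     /* per-pixel key length */
    v->width = (unsigned)w;   v->height = (unsigned)h;
    v->ncolors = (unsigned)n; v->cpp = (unsigned)c;
    return 0;
}

/* Parse one colour-table line "<chars> c <name>" into slot `index` of
 * `table`, which has `ncolors` usable entries. The index is the caller's
 * loop counter, is unsigned, and is range checked before any write; the
 * name is copied with an explicit length bound. Returns 0 or -1. */
int xpm_parse_color(const char *line, unsigned cpp, unsigned index,
                    struct xpm_color *table, unsigned ncolors)
{
    const char *p;
    size_t len;
    if (!line || !table || cpp == 0 || cpp > XPM_MAX_CPP) return -1;
    if (index >= ncolors || index >= XPM_MAX_COLORS) return -1;
    if (strlen(line) < cpp + 3) return -1;        /* "a c x" is the minimum */
    memcpy(table[index].chars, line, cpp);
    table[index].chars[cpp] = '\0';
    p = line + cpp;
    if (p[0] != ' ' || p[1] != 'c' || p[2] != ' ') return -1;
    p += 3;
    len = strcspn(p, " \t\r\n\"");
    if (len == 0 || len > XPM_MAX_NAME) return -1; /* bounded, not strcpy */
    memcpy(table[index].name, p, len);
    table[index].name[len] = '\0';
    return 0;
}

/* Look up a pixel key in the table. Returns the 0-based index as an int, or
 * -1 if absent; entries numbered above 127 are never read as negative. */
int xpm_find_color(const struct xpm_color *table, unsigned ncolors,
                   const char *key, unsigned cpp)
{
    unsigned i;
    if (!table || !key || cpp == 0 || cpp > XPM_MAX_CPP) return -1;
    for (i = 0; i < ncolors && i < XPM_MAX_COLORS; i++)
        if (strncmp(table[i].chars, key, cpp) == 0)
            return (int)i;
    return -1;
}

int main(void)
{
    /* Constructed sample header: 4x2 image, 2 colours, 1 char per pixel. */
    const char *values = "4 2 2 1";
    const char *colors[] = { "a c #FF0000", "b c None" };
    struct xpm_values v;
    struct xpm_color table[XPM_MAX_COLORS];
    unsigned i;

    if (xpm_parse_values(values, &v) != 0) { puts("bad values line"); return 1; }
    for (i = 0; i < v.ncolors; i++)
        if (xpm_parse_color(colors[i], v.cpp, i, table, v.ncolors) != 0) {
            printf("bad colour line %u\n", i); return 1;
        }
    printf("pixel 'b' -> colour index %d (%s)\n",
           xpm_find_color(table, v.ncolors, "b", v.cpp), table[1].name);
    return 0;
}
```

The two checks that matter are that `ncolors` from the file is validated against the table's real capacity before any colour line is stored, and that the slot index and lookup result are kept in types that cannot wrap or sign-extend, so a file declaring several hundred colours is either rejected or handled with every index in range.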
Created attachment 377777
Proposed patch

I have inspected the code and it looks like the next in the upstream thinko series. The attached patch should fix it.
Jindrich, I'd like to send this patch upstream, do you have a contact? I'm not interested in an embargo, but I don't want to make this public until they have a chance to apply the patch. Thanks.
This was corrected upstream in 10.47.07 on 20091229:
http://netpbm.svn.sourceforge.net/viewvc/netpbm/stable/converter/ppm/xpmtoppm.c?view=patch&r1=995&r2=1076&pathrev=1076

The upstream changelog contains:

    xpmtoppm: fix wild pointer with color index > 127.

so it is unclear whether they were aware of the security implications of this issue. I have assigned CVE-2009-4274 to this issue.
Notified the oss-security mailing list.
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2011:1811 https://rhn.redhat.com/errata/RHSA-2011-1811.html