Bug 61788 - netpbm contains multiple unsafe input handling errors
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: netpbm
Version: 7.3
Hardware: i386
OS: Linux
Assignee: Phil Knirsch
QA Contact: Ben Levenson
Keywords: Security
Blocks: 61901 67218 79579
Reported: 2002-03-24 16:26 UTC by Alan Cox
Modified: 2015-03-05 01:10 UTC (History)

Doc Type: Bug Fix
Last Closed: 2003-04-02 23:19:25 UTC

Description Alan Cox 2002-03-24 16:26:01 UTC
NetPBM is pretty much in need of a complete from-scratch rewrite to fix the
problems it has. Now (before 7.3) would be a very good time to drop it, since
imlib drops requirements/use of it in the 7.2 imlib errata.

Comment 1 Michael Fulbright 2002-03-25 21:55:14 UTC
Is there any other program that can duplicate the commandline functionality of it?

Comment 2 Alan Cox 2002-03-25 22:51:22 UTC
Posting your root password to Slashdot is about the equivalent functionality, or
do you mean image processing? On the image handling side ImageMagick does some
of it, and somewhat more safely.

Basically netpbm is not supportable. If people install it from Bero's collection
or powertools or similar things, fine, but if we had to fix the mess that netpbm
is then it probably represents multiple man weeks of engineering time.

We have it in the tree solely because in our early days package QA was a bit lax.

Comment 3 Alan Cox 2002-03-26 13:18:13 UTC
You honestly think the typical user uses or even knows what netpbm is - I'd
count you as very atypical. You are extremely brave if you use those tools on
anything that didn't come out of an app you personally trust to process those
image formats correctly.

We are not talking complex stuff here, we are talking beginning C programmer
errors. I'm also curious what features you use that ImageMagick does not have?

Comment 4 Tim Waugh 2002-08-29 11:06:00 UTC
Er.. perhaps we should take out the /usr/share/printconf/mf_rules/mf50-netpbm_filters file then?
# netpbm magicfilter rules 
/p[gbp]m/               pipe/postscript/        /usr/bin/pnmtops -quiet 
/gif/                   pipe/p[gbp]m/           /usr/bin/giftopnm 
/jpeg/                  pipe/p[gbp]m/           /usr/bin/djpeg -pnm 
/png/                   pipe/p[gbp]m/           /usr/bin/pngtopnm 
/TIFF image/            fpipe/p[gbp]m/          /usr/bin/tifftopnm $FILE 
/PC bitmap data/        pipe/p[gbp]m/           /usr/bin/bmptoppm 
/Sun raster image/      pipe/p[gbp]m/           /usr/bin/rasttopnm 
/SGI image data/        pipe/p[gbp]m/           /usr/bin/sgitopnm 
(These get run by the print spooler)

Comment 5 Kjartan Maraas 2003-04-02 22:57:53 UTC
This was done for 8.0? or 9?

Comment 6 Kjartan Maraas 2003-04-02 23:03:42 UTC
9 it seems. Is it still as horrible as it was? The package seems to have had ten
releases since the 7.2 one at least...
