Bug 61788 - netpbm contains multiple unsafe input handling errors
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: netpbm
Version: 7.3
Hardware: i386 Linux
Priority: high
Severity: medium
Assigned To: Phil Knirsch
QA Contact: Ben Levenson
Keywords: Security
Blocks: 61901 67218 79579
Reported: 2002-03-24 11:26 EST by Alan Cox
Modified: 2015-03-04 20:10 EST
Doc Type: Bug Fix
Last Closed: 2003-04-02 18:19:25 EST

Description Alan Cox 2002-03-24 11:26:01 EST
NetPBM is pretty much in need of a complete from scratch rewrite to fix the
problems it has. Now (before 7.3) would be a very good time to drop it, since
imlib drops requirements/use of it in the 7.2 imlib errata
Comment 1 Michael Fulbright 2002-03-25 16:55:14 EST
Is there any other program that can duplicate the commandline functionality of it?
Comment 2 Alan Cox 2002-03-25 17:51:22 EST
Posting your root password to slashdot is about the equivalent functionality, or
do you mean image processing. On the image handling side ImageMagick does some
of it, and somewhat more safely

Basically netpbm is not supportable, if people install it from Bero's collection
or powertools or similar things fine, but if we had to fix the mess that netpbm
is then it probably represents multiple man weeks of engineering time.

We have it in the tree solely because in our early days package QA was a bit lax.
Comment 3 Alan Cox 2002-03-26 08:18:13 EST
You honestly think the typical user uses or even knows what netpbm is - I'd
count you as very atypical. You are extremely brave if you use those tools on
anything that didn't come out of an app you personally trust to process those
image formats correctly.

We are not talking complex stuff here, we are talking beginning C programmer
errors. I'm also curious what features you use that imagemagick does not have?
Comment 4 Tim Waugh 2002-08-29 07:06:00 EDT
Er.. perhaps we should take out the 
/usr/share/printconf/mf_rules/mf50-netpbm_filters file then? 
 
# 
# netpbm magicfilter rules 
# 
/p[gbp]m/               pipe/postscript/        /usr/bin/pnmtops -quiet 
/gif/                   pipe/p[gbp]m/           /usr/bin/giftopnm 
/jpeg/                  pipe/p[gbp]m/           /usr/bin/djpeg -pnm 
/png/                   pipe/p[gbp]m/           /usr/bin/pngtopnm 
/TIFF image/            fpipe/p[gbp]m/          /usr/bin/tifftopnm $FILE 
/PC bitmap data/        pipe/p[gbp]m/           /usr/bin/bmptoppm 
/Sun raster image/      pipe/p[gbp]m/           /usr/bin/rasttopnm 
/SGI image data/        pipe/p[gbp]m/           /usr/bin/sgitopnm 
 
(These get run by the print spooler)
Comment 5 Kjartan Maraas 2003-04-02 17:57:53 EST
This was done for 8.0? or 9?
Comment 6 Kjartan Maraas 2003-04-02 18:03:42 EST
9 it seems. Is it still as horrible as it was? The package seems to have had ten
releases since the 7.2 one at least...
