A buffer overflow flaw was reported in autotrace's input_bmp_reader() function. When autotrace is compiled with FORTIFY_SOURCE, this is caught and turned into a simple denial of service.

As reported:

In input-bmp.c, the input_bmp_reader() function creates a buffer on the stack:

    91 unsigned char buffer[64];

Later on:

    169 else if (Bitmap_File_Head.biSize <= 64) /* Probably OS/2 2.x */
    170 {
    171 if (!ReadOK (fd, buffer, Bitmap_File_Head.biSize - 4))

We control Bitmap_File_Head.biSize. A value of 0 meets the <=64 requirement, and 0 - 4 should result in almost 4294967295 bytes being read into the buffer.
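The following is an added illustration, not code from the report or from autotrace: it models the unsigned wrap-around the report describes and places a hardened length check beside it, with a small simulated reader over constructed in-memory input. The names vulnerable_read_len, safe_read_len, read_info_header and the sample arrays are hypothetical; only the 64-byte buffer, the <= 64 comparison and the biSize - 4 subtraction come from the report.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Stack buffer the header body is read into, sized as in the report. */
#define HEADER_BUF_SIZE 64

/* Vulnerable length computation as the report describes it: the check only
 * bounds biSize from above, so any biSize < 4 wraps in unsigned arithmetic
 * and yields a read length far larger than the 64-byte buffer. */
uint32_t vulnerable_read_len(uint32_t biSize)
{
    if (biSize <= HEADER_BUF_SIZE)
        return biSize - 4;      /* biSize == 0 -> 4294967292 */
    return 0;                   /* other header branches not modelled */
}

/* Hardened variant: reject biSize below the 4 bytes already consumed by the
 * size field itself, and above the buffer size, before subtracting.
 * Returns the number of bytes to read, or -1 when the header is rejected. */
long safe_read_len(uint32_t biSize)
{
    if (biSize < 4 || biSize > HEADER_BUF_SIZE)
        return -1;
    return (long)(biSize - 4);
}

/* Simulated reader over an in-memory file: parses a little-endian biSize,
 * then copies the remaining header bytes into the 64-byte buffer only if the
 * hardened check passes and enough input is present (a ReadOK-style short
 * read also fails). Returns bytes copied, or -1 on rejection. */
long read_info_header(const unsigned char *file, size_t file_len)
{
    unsigned char buffer[HEADER_BUF_SIZE];
    uint32_t biSize;
    long len;

    if (file_len < 4)
        return -1;
    biSize = (uint32_t)file[0] | ((uint32_t)file[1] << 8) |
             ((uint32_t)file[2] << 16) | ((uint32_t)file[3] << 24);
    len = safe_read_len(biSize);
    if (len < 0 || file_len - 4 < (size_t)len)
        return -1;
    memcpy(buffer, file + 4, (size_t)len);
    return len;
}

/* Constructed sample inputs (not real BMP files): a well-formed 40-byte
 * info header, and one whose biSize field is 0 as in the report. */
static const unsigned char sample_ok[40] = { 40, 0, 0, 0 };
static const unsigned char sample_zero[8] = { 0, 0, 0, 0, 1, 2, 3, 4 };
```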
Acknowledgements: This issue was discovered by Murray McAllister of Red Hat Security Response Team.
The CVE identifier of CVE-2013-1953 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2013/04/16/3
Created autotrace tracking bugs for this issue:
Affects: fedora-all [bug 952668]
Created attachment 766451: Proposed fix sent upstream
autotrace-0.31.1-34.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
autotrace-0.31.1-34.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.