Bug 951257 (CVE-2013-1953) - CVE-2013-1953 autotrace: buffer overflow when parsing BMP files
Summary: CVE-2013-1953 autotrace: buffer overflow when parsing BMP files
Alias: CVE-2013-1953
Product: Security Response
Classification: Other
Component: vulnerability   
Version: unspecified
Hardware: All
OS: Linux
Assignee: Red Hat Product Security
Whiteboard: impact=low,public=20130416,reported=2...
Keywords: Security
Depends On: 952668 979244
Blocks: 951258
Reported: 2013-04-11 20:46 UTC by Vincent Danen
Modified: 2015-08-22 07:00 UTC

Doc Type: Bug Fix
Last Closed: 2015-08-22 07:00:12 UTC

Attachments
Proposed fix sent upstream (603 bytes, patch), attached 2013-06-28 08:26 UTC by Jaroslav Škarvada

Description Vincent Danen 2013-04-11 20:46:39 UTC
A buffer overflow flaw was reported in autotrace's input_bmp_reader() function.  When autotrace is compiled with FORTIFY_SOURCE, this is caught and turned into a simple denial of service.  As reported:

In input-bmp.c, the input_bmp_reader() function creates a buffer on the 

91 unsigned char buffer[64];

Later on

169 else if (Bitmap_File_Head.biSize <= 64) /* Probably OS/2 2.x */
170 {
171 if (!ReadOK (fd, buffer, Bitmap_File_Head.biSize - 4))

We control Bitmap_File_Head.biSize. A value of 0 meets the <=64 
requirements, and 0 - 4 should result in almost 4294967295 bytes being 
read into the buffer.

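The following is an added example and is not code from this bug report, from autotrace, or from the proposed patch (attachment 766451 is not reproduced on this page). It models the two statements quoted above in plain C: the 64-byte stack buffer and the `biSize <= 64` / `biSize - 4` length computation come from the report; the `le32()` helper, the two constructed sample headers, and the `info_read_len_checked()` guard are my own constructions. In particular, rejecting `biSize < 4` is one reasonable hardening, not a description of what the upstream fix does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Size of the stack buffer input_bmp_reader() reads the info header into
 * (from the report: "unsigned char buffer[64]"). */
#define INFO_BUF_LEN 64

/* BMP stores biSize little-endian; autotrace's ToL() does the same job.
 * This helper is a stand-in written for the example. */
static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable length computation, mirroring "biSize <= 64" followed by
 * "biSize - 4": the 4 bytes of biSize itself were already consumed, so the
 * remainder of the header is read into the 64-byte buffer. For biSize < 4
 * the unsigned subtraction wraps and the read length becomes ~4 GiB.
 * Returns the byte count that would be handed to the read routine. */
size_t info_read_len_vulnerable(uint32_t biSize)
{
    if (biSize <= INFO_BUF_LEN)
        return (size_t)(biSize - 4u);   /* wraps for biSize in 0..3 */
    return 0;                           /* other header sizes: not this path */
}

/* Hardened form (my own check, not a claim about the upstream patch): the
 * header must be at least as long as the biSize field it starts with and no
 * longer than the buffer. Returns 1 and sets *len on success, 0 to reject. */
int info_read_len_checked(uint32_t biSize, size_t *len)
{
    if (biSize < 4 || biSize > INFO_BUF_LEN)
        return 0;
    *len = (size_t)biSize - 4;
    return 1;
}

/* Read an info header from an in-memory "file" positioned at the start of
 * the info header (after the 14-byte BITMAPFILEHEADER). Copies the remainder
 * into a 64-byte stack buffer only when the checked length allows it.
 * Returns bytes copied, or -1 if the header is rejected or the input is short. */
long read_info_header(const unsigned char *data, size_t data_len)
{
    unsigned char buffer[INFO_BUF_LEN];
    size_t len;

    if (data_len < 4)
        return -1;
    if (!info_read_len_checked(le32(data), &len))
        return -1;
    if (data_len - 4 < len)              /* truncated file: short read */
        return -1;
    memcpy(buffer, data + 4, len);
    return (long)len;
}

/* Constructed sample: an OS/2 2.x style header, biSize = 64, 60 bytes follow. */
long parse_sample_os2_header(void)
{
    unsigned char hdr[64] = { 64, 0, 0, 0 };   /* remaining fields zero-filled */
    return read_info_header(hdr, sizeof hdr);
}

/* Constructed sample: the reported trigger, biSize = 0, with a few bytes after it. */
long parse_sample_zero_bisize(void)
{
    unsigned char hdr[16] = { 0, 0, 0, 0, 0x41, 0x42, 0x43, 0x44 };
    return read_info_header(hdr, sizeof hdr);
}

int main(void)
{
    printf("biSize=0  -> vulnerable read length %zu bytes into a %d-byte buffer\n",
           info_read_len_vulnerable(0), INFO_BUF_LEN);
    printf("biSize=64 -> checked parse copies %ld bytes\n", parse_sample_os2_header());
    printf("biSize=0  -> checked parse returns %ld (rejected)\n", parse_sample_zero_bisize());
    return 0;
}
```

The point the two functions make side by side: the original `<= 64` test only bounds the upper end, so any `biSize` below 4 passes it and then wraps in the subtraction. FORTIFY_SOURCE turns the resulting oversized read into an abort (the denial of service the description mentions); a build without it would write past the 64-byte stack buffer.
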
Comment 1 Vincent Danen 2013-04-12 05:05:00 UTC

This issue was discovered by Murray McAllister of Red Hat Security Response Team.

Comment 2 Jan Lieskovsky 2013-04-16 12:00:52 UTC
The CVE identifier of CVE-2013-1953 has been assigned to this issue.

Comment 3 Jan Lieskovsky 2013-04-16 12:03:15 UTC
Created autotrace tracking bugs for this issue

Affects: fedora-all [bug 952668]

Comment 5 Jaroslav Škarvada 2013-06-28 08:26:45 UTC
Created attachment 766451 [details]
Proposed fix sent upstream

Comment 6 Fedora Update System 2013-07-09 01:40:38 UTC
autotrace-0.31.1-34.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2013-07-09 01:41:14 UTC
autotrace-0.31.1-34.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
