NetPBM, multiple vulnerabilities

From: Alan Cox (alan@lxorguk.ukuu.org.uk)
Date: 02/28/03

    From: Alan Cox <alan@lxorguk.ukuu.org.uk>
    To: bugtraq@securityfocus.com
    Date: 28 Feb 2003 15:10:14 +0000
    

    NetPBM contains large numbers of maths overflow errors, some of which
    are deeply theoretical as they involve passing 2Gb file names, others
    of which are straightforward x * y * depth type overflows, of the
    kind which have shown up in numerous other imaging libraries. Finally
    there are a couple of signed value overflows which appear safe but
    since signed maths overflow is not defined for C may not be.

    An initial set of patches was sent to vendors and to the NetPBM
    maintainers. Today Martin Schulze found two minor errors in the changes
    released so far. These don't appear to leave open holes, just cause
    correctness problems.

    While netpbm is not setuid it is used by some applications for print
    formatting and also for converting untrusted images received from third
    parties. Although the patches appear to address the main problems, as
    patch author I believe the right path is probably to recognize that
    netpbm is very old code, written in times with a different threat model
    and use something else instead.

    Al Viro found the original bug. Alan Cox did the initial fixes.
    Martin Schulze and Sebastian Kramer provided additional fixes to the
    patches. www.MachinaeSupremacy.com provided the music to keep me sane
    through the initial tedious process.

    The patches are over 100K so please ask your vendor or check the
    main netpbm site.

    Alan

    --
    'On the other hand, you sometimes wish the world, like nethack, had some
    	sort of "Genocide All Stupid People" key sequence.' 
     			- Alec Muffett
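The "x * y * depth" overflow the post refers to, as an added illustration that is not part of Alan Cox's message, his patches, or the netpbm source: the function names (unchecked_image_bytes, checked_image_bytes, alloc_image) and the hostile header values are assumptions made for this example. The unchecked form computes the buffer size the way old image code typically did, so attacker-controlled dimensions wrap the product modulo 2^32 and later pixel writes overrun a too-small buffer; the checked form multiplies one factor at a time in size_t and rejects the image before the product can wrap, using unsigned arithmetic only so no signed-overflow undefined behaviour is involved.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Added example (not netpbm code): allocation-size computation for an
 * image of width x height pixels with `depth` bytes per pixel. */

/* Unchecked: the product is computed in a 32-bit unsigned type and
 * wraps silently. 65536 x 65536 x 1 yields 0 bytes, and 65537 x 65537 x 1
 * yields a small positive number; either way the buffer is far smaller
 * than the pixel data later written into it. (Had the old code used
 * plain int, the wrap would additionally be undefined behaviour in C.) */
uint32_t unchecked_image_bytes(uint32_t width, uint32_t height, uint32_t depth)
{
    return width * height * depth;
}

/* Checked: multiply one factor at a time, testing each step against
 * SIZE_MAX before performing it. Returns 1 and stores the byte count on
 * success, 0 if any dimension is zero or the product would overflow. */
int checked_image_bytes(unsigned width, unsigned height, unsigned depth,
                        size_t *out)
{
    size_t bytes;

    if (width == 0 || height == 0 || depth == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / height)   /* width * height overflows? */
        return 0;
    bytes = (size_t)width * height;
    if (bytes > SIZE_MAX / depth)            /* * depth overflows? */
        return 0;
    *out = bytes * depth;
    return 1;
}

/* Convenience wrapper returning the byte count, or 0 when the image
 * must be rejected (a legitimate image never has 0 bytes). */
size_t checked_bytes_or_zero(unsigned width, unsigned height, unsigned depth)
{
    size_t bytes;
    return checked_image_bytes(width, height, depth, &bytes) ? bytes : 0;
}

/* Allocate the pixel buffer only if the size computation was sound. */
unsigned char *alloc_image(unsigned width, unsigned height, unsigned depth)
{
    size_t bytes;
    if (!checked_image_bytes(width, height, depth, &bytes))
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    /* Constructed hostile header values, as an attacker might place in a PNM header. */
    unsigned w = 65536, h = 65536, d = 1;
    size_t bytes;

    printf("unchecked size for %ux%ux%u: %u bytes (wrapped)\n",
           w, h, d, (unsigned)unchecked_image_bytes(w, h, d));
    if (checked_image_bytes(w, h, d, &bytes))
        printf("checked size: %zu bytes\n", bytes);
    else
        printf("checked: image rejected, size overflows size_t\n");

    /* An image that overflows even a 64-bit size_t is always rejected. */
    if (alloc_image(0xFFFFFFFFu, 0xFFFFFFFFu, 4) == NULL)
        printf("alloc_image refused 4294967295x4294967295x4\n");
    return 0;
}
```

Whether the 65536 x 65536 case is rejected or accepted depends on the host's size_t width (on a 64-bit host it is a valid, if enormous, 4 GiB request); the 4294967295 x 4294967295 x 4 case overflows on any host and is the one to keep in a regression test.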