l i n u x - u s e r s - g r o u p - o f - d a v i s
Next Meeting:
July 7: Social gathering
Next Installfest:
Latest News:
Jun. 14: June LUGOD meeting cancelled
Page last updated:
2003 Feb 28 08:20

The following is an archive of a post made to our 'vox mailing list' by one of its subscribers.

Report this post as spam:

(Enter your email address)
[Fwd: NetPBM, multiple vulnerabilities]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Fwd: NetPBM, multiple vulnerabilities]

This is not an urgent or serious threat, more an fyi for you people with
multiple users and netpbm and/o we people who use netpbm incgi to
dynmically modify images served to web users that get to supply images to
the process.


---------------------------- Original Message ----------------------------
Subject: NetPBM, multiple vulnerabilities
From:    "Alan Cox" <alan@lxorguk.ukuu.org.uk>
Date:    Thu, February 27, 2003 11:10 pm
To:      bugtraq@securityfocus.com
NetPBM contains large numbers of maths overflow errors, some of which are
deeply theoretical as they involve passing 2Gb file names, others of which
are straight forward x * y * depth type overflows, of the kind which have
shown up in numerous other imaging libraries. Finally there are a couple
of signed value overflows which appear safe but since signed maths
overflow is not defined for C may not be.

An initial set of patches were sent to vendors and to the NetPBM
maintainers. Today Martin Schulze found two minor errors in the changes
released so far. These don't appear to leave open holes, just cause
correctness problems.

While netpbm is not setuid it is used by some applications for print
formatting and also for converting untrusted images received from third
parties. Although the patches appear to address the main problems as patch
author I believe the right path is probably to recognize that netpbm is
very old code, written in times with a different threat model and use
something else instead.

Al Viro found the original bug. Alan Cox did the initial fixes.
Martin Schulze and Sebastian Kramer provided additional fixes to the
patches. www.MachinaeSupremacy.com provided the music to keep me sane
through the initial tedious process.

The patches are over 100K so please ask your vendor or check the
main netpbm site.

'On the other hand, you sometimes wish the world, like nethack, had some
	sort of "Genocide All Stupid People" key sequence.'
 			- Alec Muffett

LUGOD Group on LinkedIn
Sign up for LUGOD event announcements
Your email address:
LUGOD Group on Facebook
'Like' LUGOD on Facebook:

Hosting provided by:
Sunset Systems
Sunset Systems offers preconfigured Linux systems, remote system administration and custom software development.

LUGOD: Linux Users' Group of Davis
PO Box 2082, Davis, CA 95617
Contact Us

LUGOD is a 501(c)7 non-profit organization
based in Davis, California
and serving the Sacramento area.
"Linux" is a trademark of Linus Torvalds.

Sponsored in part by:
EDGE Tech Corp.
For donating some give-aways for our meetings.