[Pkg-shotwell-maint] Bug#786788: Bug#786783: ufraw: CVE-2015-3885: input sanitization flaw leading to buffer overflow
Hubert Chathi
uhoreg at debian.org
Tue May 26 01:28:15 UTC 2015
[Cc:ing other related bugs, to get other maintainers' opinions]
On Mon, 25 May 2015 16:40:00 +0200, Salvatore Bonaccorso <carnil at debian.org> said:
> CVE-2015-3885[0]: Integer overflow in the ljpeg_start function in
> dcraw 7.00 and earlier allows remote attackers to cause a denial of
> service (crash) via a crafted image, which triggers a buffer
> overflow, related to the len variable.
The patch from rawstudio and libraw is easy enough to port over, being a
one-line change, but I'd like a second opinion. The patch just changes
the type of len from int to ushort. However, len is only ever set to
len = (data[2] << 8 | data[3]) - 2
and so will always be less than 0x10000, so I don't see how len can
overflow with >= 32-bit ints. I can see how it could cause problems
with a signed 16-bit int, but unless I'm missing something, it shouldn't
affect Debian in any way, since all our archs are >= 32 bits.
Is that correct, or is my assessment wrong?
--
Hubert Chathi <uhoreg at debian.org> -- Jabber: hubert at uhoreg.ca
PGP/GnuPG key: 1024D/124B61FA http://www.uhoreg.ca/
Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA
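The question above comes down to the range of values the expression `(data[2] << 8 | data[3]) - 2` can take when stored in an `int` versus a `ushort`. The following is an added worked check, not code from the message, from dcraw, rawstudio or libraw: it evaluates that one expression for every possible two-byte length field under both declarations and reports the resulting range. The helper names (`len_as_int`, `len_as_ushort`, `scan_all_lengths`, `as_size_t`) are hypothetical, and the final helper assumes, as a labelled assumption, that `len` is later handed to a parameter of type `size_t`; it only shows what a negative `int` becomes under that conversion.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef unsigned short ushort;

/* Hypothetical helper: the len expression from the message, with len
   declared as int (the type before the rawstudio/libraw patch). */
int len_as_int(unsigned char hi, unsigned char lo) {
    int len = (hi << 8 | lo) - 2;
    return len;
}

/* Same expression with len declared as ushort (the patched type). The int
   result is reduced modulo 65536 on assignment, so negative results wrap. */
ushort len_as_ushort(unsigned char hi, unsigned char lo) {
    ushort len = (hi << 8 | lo) - 2;
    return len;
}

struct len_range {
    long min_int, max_int;          /* range when len is an int    */
    unsigned min_ushort, max_ushort; /* range when len is a ushort  */
};

/* Enumerate all 65536 possible (data[2], data[3]) length fields and record
   the minimum and maximum len under each declaration. */
struct len_range scan_all_lengths(void) {
    struct len_range r = { LONG_MAX, LONG_MIN, UINT_MAX, 0 };
    for (unsigned v = 0; v < 0x10000; v++) {
        unsigned char hi = (unsigned char)(v >> 8);
        unsigned char lo = (unsigned char)(v & 0xff);
        int li = len_as_int(hi, lo);
        ushort lu = len_as_ushort(hi, lo);
        if (li < r.min_int) r.min_int = li;
        if (li > r.max_int) r.max_int = li;
        if (lu < r.min_ushort) r.min_ushort = lu;
        if (lu > r.max_ushort) r.max_ushort = lu;
    }
    return r;
}

/* Assumption for illustration only: if an int len is later passed where a
   size_t length is expected, this is the value the callee sees. */
size_t as_size_t(int len) {
    return (size_t)len;
}

int main(void) {
    struct len_range r = scan_all_lengths();
    printf("len as int:    [%ld, %ld]\n", r.min_int, r.max_int);
    printf("len as ushort: [%u, %u]\n", r.min_ushort, r.max_ushort);
    /* The two declarations differ only for length fields 0 and 1. */
    printf("field 0x0000: int %d, ushort %u\n", len_as_int(0, 0), len_as_ushort(0, 0));
    printf("field 0x0001: int %d, ushort %u\n", len_as_int(0, 1), len_as_ushort(0, 1));
    printf("int -2 as size_t: %zu (SIZE_MAX - 1)\n", as_size_t(-2));
    return 0;
}
```

The scan confirms that with a 32-bit `int` the expression never exceeds 0xfffd, so it cannot overflow upward; the only values on which the two declarations disagree are the length fields 0x0000 and 0x0001, which give `len` of -2 and -1 as an `int` but 0xfffe and 0xffff as a `ushort`. Whether that difference matters depends on how `len` is consumed afterwards, which is the part of ljpeg_start a reviewer would want to read before accepting or rejecting the one-line type change.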