[Pkg-shotwell-maint] Bug#786788: Bug#786783: ufraw: CVE-2015-3885: input sanitization flaw leading to buffer overflow

Hubert Chathi uhoreg at debian.org
Tue May 26 01:28:15 UTC 2015


[Cc:ing other related bugs, to get other maintainers' opinions]

On Mon, 25 May 2015 16:40:00 +0200, Salvatore Bonaccorso <carnil at debian.org> said:

> CVE-2015-3885[0]: | Integer overflow in the ljpeg_start function in
> dcraw 7.00 and earlier | allows remote attackers to cause a denial of
> service (crash) via a | crafted image, which triggers a buffer
> overflow, related to the len | variable.

The patch from rawstudio and libraw is easy enough to port over, being a
one-line change, but I'd like a second opinion.  The patch just changes
the type of len from int to ushort.  However, len is only ever set to

    len = (data[2] << 8 | data[3]) - 2

and so will always be less than 0x10000, so I don't see how len can
overflow with >= 32-bit ints.  I can see how it could cause problems
with a signed 16-bit int, but unless I'm missing something, it shouldn't
affect Debian in any way, since all our arches are >= 32-bit.

Is that correct, or is my assessment wrong?

-- 
Hubert Chathi <uhoreg at debian.org> -- Jabber: hubert at uhoreg.ca
PGP/GnuPG key: 1024D/124B61FA         http://www.uhoreg.ca/
Fingerprint: 96C5 012F 5F74 A5F7 1FF7  5291 AF29 C719 124B 61FA
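The mail compares how `len` behaves as a 32-bit int, a signed 16-bit int and a ushort. The following is an added example, not code from the thread or from ufraw/dcraw: it evaluates the quoted expression `(data[2] << 8 | data[3]) - 2` under each width for a few constructed byte pairs, including the boundary where both length bytes are zero, and shows what each result becomes once converted to a `size_t` count. The 0x10000-byte buffer and the assumption that `len` ends up as a `size_t` length argument (as it would in a `fread` call) are assumptions about how the value is consumed, not something the mail states.

```c
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

/* Assumed buffer size that len must stay within (assumption, not from the mail). */
#define DATA_BUF_SIZE 0x10000

/* len as a 32-bit int, the type the mail says the patch replaces. */
long len_as_int(unsigned char hi, unsigned char lo) {
    int len = (hi << 8 | lo) - 2;   /* operands promote to int, so 0x0000 - 2 == -2 */
    return len;
}

/* len as a signed 16-bit int, the case the mail expects to be problematic. */
long len_as_int16(unsigned char hi, unsigned char lo) {
    /* out-of-range conversion to a signed type is implementation-defined;
       on two's-complement compilers 0xFFFD becomes -3 */
    int16_t len = (int16_t)((hi << 8 | lo) - 2);
    return len;
}

/* len as unsigned short, the type the patch switches to: -2 wraps to 0xFFFE. */
long len_as_ushort(unsigned char hi, unsigned char lo) {
    unsigned short len = (unsigned short)((hi << 8 | lo) - 2);
    return len;
}

/* A negative value handed to a size_t parameter converts modulo 2^N
   and becomes enormous; this is the conversion a length argument undergoes. */
size_t as_size_t(long len) {
    return (size_t)len;
}

/* 1 if the value, once used as a size_t count, stays within the assumed buffer. */
int fits_buffer(long len) {
    return as_size_t(len) <= DATA_BUF_SIZE;
}

int main(void) {
    /* Constructed length-byte pairs: zero, one, and the maximum. */
    const unsigned char pairs[][2] = { {0x00, 0x00}, {0x00, 0x01}, {0xFF, 0xFF} };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++) {
        unsigned char hi = pairs[i][0], lo = pairs[i][1];
        printf("bytes %02X %02X: int=%ld (as size_t %zu, fits=%d) "
               "int16=%ld ushort=%ld (fits=%d)\n",
               hi, lo,
               len_as_int(hi, lo), as_size_t(len_as_int(hi, lo)),
               fits_buffer(len_as_int(hi, lo)),
               len_as_int16(hi, lo),
               len_as_ushort(hi, lo), fits_buffer(len_as_ushort(hi, lo)));
    }
    return 0;
}
```

The point the table makes is that "always less than 0x10000" holds for the int case, but the value is not always non-negative: length bytes of 00 00 or 00 01 give -2 and -1, and a negative int used as a `size_t` count is not small. The ushort version keeps every result in 0..0xFFFE, which is why a one-line type change is a complete bound against the assumed buffer size.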


