[Pkg-shotwell-maint] Bug#786788: Bug#786783: ufraw: CVE-2015-3885: input sanitization flaw leading to buffer overflow
Raphael Hertzog
hertzog at debian.org
Tue May 26 15:48:49 UTC 2015
On Mon, 25 May 2015, Hubert Chathi wrote:
> the type of len from int to ushort. However, len is only ever set to
>
> len = (data[2] << 8 | data[3]) - 2
>
> and so will always be less than 0x10000, so I don't see how len can
> overflow with >= 32-bit ints. I can see how it could cause problems
> with a signed 16-bit int, but unless I'm missing something, it shouldn't
> affect Debian in any way, since all our arch's are >= 32-bits.
>
> Is that correct, or is my assessment wrong?
It appears to be wrong. See the analysis here:
https://bugzilla.redhat.com/show_bug.cgi?id=1221249#c10
The problem is that you can trigger a negative "len" which will result
in a very big number once implicitly converted to a size_t in the
fread() call.
BTW, RedHat uses a more comprehensive fix that bails out if the
length ends up negative:
https://bugzilla.redhat.com/attachment.cgi?id=1027072&action=diff
Cheers,
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
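The sign-conversion problem Raphael points to, as an added C illustration that is not code from ufraw, dcraw, the Debian package or the Red Hat patch. It assumes a header of a 2-byte tag followed by a 2-byte big-endian length (only the `len` arithmetic is taken from the quoted message), a fixed destination buffer of 0x10000 bytes, and the function names below; all of these are assumptions made for the demonstration. It also shows why the two fixes discussed in the thread (a bail-out on negative `len`, and storing `len` in a `ushort`) both prevent the huge `fread()` request, and the `main()` at the end is only a stand-alone driver.

```c
/* Added illustration of the int -> size_t conversion issue discussed in the
 * thread. NOT dcraw/ufraw code: the header layout (2-byte tag, 2-byte
 * big-endian length), the fixed 0x10000-byte destination buffer and every
 * function name here are assumptions made for the demonstration. */
#include <stdio.h>
#include <stdint.h>
#include <stddef.h>

#define DATA_SIZE 0x10000   /* assumed size of the fixed destination buffer */

/* len computed exactly as quoted in the thread. The length field ranges
 * 0..0xFFFF, so after "- 2" the only negative results are -1 and -2. */
int header_len(const unsigned char *data)
{
    return (data[2] << 8 | data[3]) - 2;
}

/* The value fread(buf, 1, len, fp) actually receives: the int is converted
 * to size_t, so -1 becomes SIZE_MAX and -2 becomes SIZE_MAX - 1. */
size_t as_fread_count(int len)
{
    return (size_t)len;
}

/* 1 if the original int-len pattern would ask fread() for more bytes than
 * the (assumed) destination buffer holds. */
int unsafe_request(int len)
{
    return as_fread_count(len) > DATA_SIZE;
}

/* Hardened variant in the spirit of the bail-out fix referenced in the
 * thread: reject a negative length before it can reach fread().
 * Returns -1 on rejection, otherwise the length. */
int checked_len(const unsigned char *data)
{
    int len = header_len(data);
    if (len < 0)
        return -1;
    return len;
}

/* The ushort variant mentioned in the quoted message: the same arithmetic
 * stored in an unsigned 16-bit variable wraps to 0xFFFE / 0xFFFF instead of
 * going negative, so the request never exceeds 0xFFFF bytes, which is below
 * the assumed DATA_SIZE. */
unsigned short ushort_len(const unsigned char *data)
{
    unsigned short len = (unsigned short)((data[2] << 8 | data[3]) - 2);
    return len;
}

/* Constructed sample headers (assumed layout: tag, then length field). */
static const unsigned char bad_hdr[4]  = { 0xFF, 0xC4, 0x00, 0x01 }; /* len = -1 */
static const unsigned char zero_hdr[4] = { 0xFF, 0xC4, 0x00, 0x00 }; /* len = -2 */
static const unsigned char good_hdr[4] = { 0xFF, 0xC4, 0x00, 0x10 }; /* len = 14 */

int main(void)
{
    const unsigned char *hdrs[3] = { bad_hdr, zero_hdr, good_hdr };
    for (int i = 0; i < 3; i++) {
        int len = header_len(hdrs[i]);
        printf("int len=%d -> fread count %zu, unsafe=%d, checked=%d, ushort=%u\n",
               len, as_fread_count(len), unsafe_request(len),
               checked_len(hdrs[i]), ushort_len(hdrs[i]));
    }
    return 0;
}
```

The point Hubert's reasoning missed is visible in `as_fread_count`: width of `int` does not matter, because a negative `int` of any width converts to a value near `SIZE_MAX` when it is passed as the `size_t` count argument. Whether a real overflow follows depends on the surrounding code and buffer, which this example only assumes.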