[Pkg-shotwell-maint] Bug#786788: Bug#786783: ufraw: CVE-2015-3885: input sanitization flaw leading to buffer overflow
Hubert Chathi
uhoreg at debian.org
Tue May 26 18:30:34 UTC 2015
On Tue, 26 May 2015 17:48:49 +0200, Raphael Hertzog <hertzog at debian.org> said:
> On Mon, 25 May 2015, Hubert Chathi wrote:
>> the type of len from int to ushort. However, len is only ever set to
>>
>> len = (data[2] << 8 | data[3]) - 2
>>
>> and so will always be less than 0x10000, so I don't see how len can
>> overflow with >= 32-bit ints. I can see how it could cause problems
>> with a signed 16-bit int, but unless I'm missing something, it
>> shouldn't affect Debian in any way, since all our arches are >=
>> 32-bits.
>>
>> Is that correct, or is my assessment wrong?
> It appears to be wrong. See the analysis here:
> https://bugzilla.redhat.com/show_bug.cgi?id=1221249#c10
Ah, underflow, of course. I was only thinking overflow. Thanks.
> The problem is that you can trigger a negative "len" which will result
> in a very big number once implicitly converted to a size_t in the
> fread() call.
> BTW, RedHat uses a more comprehensive fix that bails out if the length
> ends up negative:
> https://bugzilla.redhat.com/attachment.cgi?id=1027072&action=diff
Thanks. I'll apply this patch.
--
Hubert Chathi <uhoreg at debian.org> -- Jabber: hubert at uhoreg.ca
PGP/GnuPG key: 1024D/124B61FA http://www.uhoreg.ca/
Fingerprint: 96C5 012F 5F74 A5F7 1FF7 5291 AF29 C719 124B 61FA
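The underflow discussed in this thread, shown as an added example (not ufraw's code and not the Red Hat patch itself): the length is computed from two header bytes as a signed int, a stored value below 2 drives it negative, and that negative int turns into a huge count once converted to the size_t that fread() takes. The header layout (2-byte marker, then a big-endian 16-bit length at data[2]/data[3]) and the in-memory read_segment() helper are constructed assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Length computed the way the thread's snippet does, as a signed int. */
int segment_len_unchecked(const unsigned char *data)
{
    return (data[2] << 8 | data[3]) - 2;
}

/* What fread() actually receives: the int implicitly converted to size_t,
 * so a negative len becomes a huge count (the underflow in the thread). */
size_t as_fread_count(int len)
{
    return (size_t)len;
}

/* Hardened variant in the spirit of the fix the thread refers to:
 * bail out (return -1) when the stored length would go negative. */
int segment_len_checked(const unsigned char *data)
{
    int len = (data[2] << 8 | data[3]) - 2;
    return len < 0 ? -1 : len;
}

/* Hypothetical simulated read of one segment from an in-memory "file" into
 * a fixed buffer. Returns bytes copied, or -1 if the header is rejected. */
int read_segment(const unsigned char *file, size_t file_len,
                 unsigned char *out, size_t out_len)
{
    if (file_len < 4)
        return -1;
    int len = segment_len_checked(file);
    if (len < 0 || (size_t)len > out_len || (size_t)len > file_len - 4)
        return -1;
    memcpy(out, file + 4, (size_t)len);
    return len;
}

int main(void)
{
    /* Constructed headers: 2-byte marker, then a 16-bit big-endian length. */
    const unsigned char bad[4]  = {0xFF, 0xE1, 0x00, 0x01}; /* 1 - 2 = -1 */
    const unsigned char good[8] = {0xFF, 0xE1, 0x00, 0x06, 'a', 'b', 'c', 'd'};
    unsigned char buf[16];
    int n = segment_len_unchecked(bad);
    printf("unchecked len %d -> fread count %zu\n", n, as_fread_count(n));
    printf("checked: bad=%d good=%d\n", read_segment(bad, 4, buf, 16),
           read_segment(good, 8, buf, 16));
    return 0;
}
```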