Date: Mon, 01 Sep 2008 09:00:47 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request (gpicview)


Hi Nico,

On Sun, 2008-08-31 at 01:46 +0200, Nico Golde wrote:
> Same piece of code main-win.c doesn't look too trustworthy 
> to me either:
> 
>     int error = jpegtran (filename, "/tmp/rot.jpg" , code);
>     if(error)
>         return error;
> 
>     //now copy /tmp/rot.jpg back to the original file
>     char command[strlen(filename)+50]; //this should not generate buffer owerflow
>     // MS: didn't know, how to make it better, maybe an own copy routine
>     sprintf(command,"cp /tmp/rot.jpg \"%s\"",filename);
>     system(command);

CVE-2008-3791 was allocated to handle the security issue related
to this part of the code. This is, at least, how we have reported
https://bugzilla.redhat.com/show_bug.cgi?id=460180 (CVE-2008-3791).

Kind regards
Jan iankko Lieskovsky
RH Security Response Team

> 
> Anyone played with crafted file names?
> Cheers
> Nico
> 
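An added example, not part of the original thread or of gpicview's code: one way to write the rotated image back without the fixed `/tmp/rot.jpg` name or the `system("cp ...")` call quoted above. `replace_file`, `transform_fn` and `demo_transform` are hypothetical names, and `demo_transform` is a constructed stand-in for the `jpegtran()` call so the block runs without libjpeg.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Stand-in signature for the jpegtran() call quoted above (assumption:
 * its real prototype is not shown on this page). */
typedef int (*transform_fn)(const char *in_path, const char *out_path);

/* Constructed stand-in transform: copies the input and appends a marker. */
int demo_transform(const char *in_path, const char *out_path)
{
    FILE *in = fopen(in_path, "rb"), *out = fopen(out_path, "wb");
    int c, rc = -1;
    if (in && out) {
        while ((c = fgetc(in)) != EOF)
            fputc(c, out);
        rc = (fputs("+rotated", out) == EOF || ferror(in)) ? -1 : 0;
    }
    if (in) fclose(in);
    if (out && fclose(out) == EOF) rc = -1;
    return rc;
}

/* Rewrite `filename` in place with no fixed /tmp name and no shell.
 * Returns 0 on success, -1 on failure (the original file is left untouched). */
int replace_file(const char *filename, transform_fn transform)
{
    char tmp[4096];
    int n = snprintf(tmp, sizeof tmp, "%s.XXXXXX", filename);
    if (n < 0 || (size_t)n >= sizeof tmp)
        return -1;              /* name too long: refuse rather than truncate */

    int fd = mkstemp(tmp);      /* O_CREAT|O_EXCL, mode 0600, random suffix */
    if (fd < 0)
        return -1;
    close(fd);                  /* the transform reopens the path just created */

    /* rename() swaps the result in atomically; the file name is only ever a
     * plain argument, so quotes or $() in it are never parsed by /bin/sh. */
    if (transform(filename, tmp) != 0 || rename(tmp, filename) != 0) {
        unlink(tmp);
        return -1;
    }
    return 0;
}
```

The replacement file carries mkstemp's 0600 mode, so apply the original's mode with `fchmod()` before closing the descriptor if it must be preserved. Unlike `cp`, this approach needs write access to the directory that holds the image.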
