libpano13-bin: format string bug in panoFileOutputNamesCreate()


Andreas Metzler

Mar 15, 2021, 1:16:58 PM
to hugi...@googlegroups.com
Hello,

this is a copy of https://bugs.debian.org/985249 submitted by Wooseok Kang

----- Forwarded message from Wooseok Kang <kangw...@gmail.com> -----
Date: Mon, 15 Mar 2021 12:08:01 +0900
From: Wooseok Kang <kangw...@gmail.com>

In libpano13, there is a format string vulnerability
that can lead to arbitrary memory reads and writes.

The vulnerability starts in panoCroppingMain() in PTcommon.c.
The program gets 'outputPrefix' using getopt() at line 1829.

1829     case 'p':
1830         if (strlen(optarg) < MAX_PATH_LENGTH) {
1831             strcpy(outputPrefix, optarg);
1832         } else {
1833             PrintError("Illegal length for output prefix");
1834             return -1;
1835         }
1836         break;

Then 'outputPrefix' is passed to sprintf() in panoFileOutputNamesCreate() without sanitization.
This causes a format string bug, which can crash the program.

1882     if (panoFileOutputNamesCreate(ptrOutputFiles, filesCount, outputPrefix) == 0) {
1883         return -1;
1884     }

2915     sprintf( outputFilename, outputPrefix, i );
(in file.c)

There is a simple example of this vulnerability using tests/simpleTiff16/060520_3398.TIF.

> PTcrop -p "%p.%p.%p.%p" -f ./060520_3398.TIF
PTcrop Version 2.9.20 , by Daniel M German
Output prefix 1 %p.%p.%p.%p
Cropping 1 files
Processing 0 reading ./060520_3398.TIF creating (nil).0x1c.0x78302e296c696e28.tif
TIFFFetchNormalTag: Warning, Incorrect value for "RichTIFFIPTC"; tag ignored.

Thank you.
-----------------------------------------------------------------------

cu Andreas
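As an added illustration of the fix the report calls for (this is not libpano13's code and not the workaround later committed to the project): assuming, as the sprintf( outputFilename, outputPrefix, i ) call suggests, that the prefix is meant to carry one integer conversion for the file index, the validator below accepts only "%%" and a single "%[0][width]d", and the builder expands the prefix by hand so user input never reaches a printf-family format argument. The names prefix_is_safe and output_name_create and the ".tif" suffix are assumptions made here.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Accept a prefix only if every '%' is "%%" or a single "%[0][width]d" for
 * the file index; %p, %n, %s, %x, a second %d or a trailing '%' are rejected. */
int prefix_is_safe(const char *prefix)
{
    int conversions = 0;
    for (const char *p = prefix; *p; p++) {
        if (*p != '%') continue;
        if (*++p == '%') continue;        /* "%%": literal percent sign */
        if (*p == '0') p++;               /* optional zero-padding flag */
        while (isdigit((unsigned char)*p)) p++;  /* optional field width */
        if (*p != 'd' || ++conversions > 1) return 0;
    }
    return 1;
}

/* Expand prefix and append ".tif" by hand, so prefix never reaches printf.
 * Returns 1 on success, 0 if the prefix is unsafe or out is too small. */
int output_name_create(char *out, size_t outsz, const char *prefix, int index)
{
    size_t used = 0;
    if (outsz == 0 || !prefix_is_safe(prefix)) return 0;
    for (const char *p = prefix; *p; p++) {
        if (*p == '%' && p[1] != '%') {   /* the validated %[0][width]d */
            int zero = 0, width = 0, n;
            if (*++p == '0') { zero = 1; p++; }
            while (isdigit((unsigned char)*p)) width = width * 10 + (*p++ - '0');
            n = zero ? snprintf(out + used, outsz - used, "%0*d", width, index)
                     : snprintf(out + used, outsz - used, "%*d", width, index);
            if (n < 0 || (size_t)n >= outsz - used) return 0;
            used += (size_t)n;
            continue;                     /* loop's p++ steps past the 'd' */
        }
        if (*p == '%') p++;               /* "%%" collapses to one '%' */
        if (used + 1 >= outsz) return 0;
        out[used++] = *p;
    }
    if (outsz - used < sizeof ".tif") return 0;
    memcpy(out + used, ".tif", sizeof ".tif"); /* copies the NUL as well */
    return 1;
}
```

A prefix such as the "%p.%p.%p.%p" shown in the report is refused before any formatting happens, while a numbering prefix like "cropped%04d" still expands to cropped0007.tif.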

Bruno Postle

Mar 15, 2021, 5:20:36 PM
to hugi...@googlegroups.com
Thanks Andreas. If somebody can please create a patch (this is not something I feel confident doing), then we can release a new libpano13. The current release candidate doesn't have any issues that would prevent a release.

I should point out that if an attacker has the ability to specify the output filename, then they already have plenty of ways to make mischief without this bug.

--
Bruno

T. Modes

Mar 16, 2021, 12:25:59 PM
to hugin and other free panoramic software
Hi Bruno,

bruno...@gmail.com wrote on Monday, 15 March 2021 at 22:20:36 UTC+1:
> Thanks Andreas, if somebody can please create a patch (this is not something I feel confident doing), then we can release a new libpano13. The current release candidate doesn't have any issues that would prevent a release.

I committed a workaround and left a comment in the source. If someone comes up with a better solution, it can be improved.

Thomas

Bruno Postle

Mar 16, 2021, 4:59:51 PM
to Hugin ptx
Thanks, I did a release candidate; libpano13 is long overdue for a release.

--
Bruno