Full Disclosure mailing list archives
[gif2png] long filename Buffer Overrun
From: Razuel Akaharnath <razuel () gmail com>
Date: Sat, 12 Dec 2009 22:59:28 +0200
DESCRIPTION: "The gif2png program converts files from the obsolescent Graphic Interchange Format to Portable Network Graphics <http://www.libpng.org/pub/png/>. The conversion preserves all graphic information, including transparency, perfectly. The gif2png program can even recover data from corrupted GIFs." homepage: http://catb.org/~esr/gif2png/ <http://catb.org/%7Eesr/gif2png/> VULNERABILITY: gif2png does not perform proper bounds checking on the size of input filename. The buffer (1025 in size) is easily overrun with a strcpy function. AFFECTED VERSION: latest: 2.5.2 POC: $> ./gif2png $(perl -e 'print "A" x 1053') #Razuel
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [gif2png] long filename Buffer Overrun Razuel Akaharnath (Dec 12)
- Re: [gif2png] long filename Buffer Overrun Patroklos Argyroudis (Dec 13)
- Re: [gif2png] long filename Buffer Overrun Razuel Akaharnath (Dec 13)
- Re: [gif2png] long filename Buffer Overrun Nico Golde (Dec 13)
- Re: [gif2png] long filename Buffer Overrun Raphael Geissert (Dec 14)
- Re: [gif2png] long filename Buffer Overrun Razuel Akaharnath (Dec 13)
- <Possible follow-ups>
- Re: [gif2png] long filename Buffer Overrun Razuel Akaharnath (Dec 13)
- Re: [gif2png] long filename Buffer Overrun Jubei Trippataka (Dec 14)
- Message not available
- Re: [gif2png] long filename Buffer Overrun Razuel Akaharnath (Dec 15)
- Re: [gif2png] long filename Buffer Overrun Jubei Trippataka (Dec 14)
- Re: [gif2png] long filename Buffer Overrun Patroklos Argyroudis (Dec 13)