oss-sec mailing list archives

Re: CVE Request (gpicview)


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Mon, 01 Sep 2008 09:00:47 +0200


Hi Nico!

On Sun, 2008-08-31 at 01:46 +0200, Nico Golde wrote:
> Same piece of code main-win.c doesn't look too trustworthy
> to me either:
>
>     int error = jpegtran (filename, "/tmp/rot.jpg" , code);
>     if(error)
>         return error;
>
>     //now copy /tmp/rot.jpg back to the original file
>     char command[strlen(filename)+50]; //this should not generate buffer owerflow
>     // MS: didn't know, how to make it better, maybe an own copy routine
>     sprintf(command,"cp /tmp/rot.jpg \"%s\"",filename);
>     system(command);

CVE-2008-3791 was allocated to handle the security issue related
to this part of the code. This is, at least, how we have reported
https://bugzilla.redhat.com/show_bug.cgi?id=460180 (CVE-2008-3791).

Kind regards
Jan iankko Lieskovsky
RH Security Response Team


> Anyone played with crafted file names?
> Cheers
> Nico
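
An added example, not code from gpicview or from either poster: the quoted snippet writes to the fixed path /tmp/rot.jpg and hands the file name to a shell through system(), and its own comment suggests "an own copy routine". One way to write such a routine in C, with mkstemp() for the scratch file and read()/write() for the copy; the function names and the rot-XXXXXX template are assumptions.

```c
/* Added example, not gpicview code; names and the rot-XXXXXX template are assumptions. */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Create a private scratch file with an unpredictable name. mkstemp() opens with
 * O_CREAT|O_EXCL, so a file or symlink planted beforehand is never reused. */
int open_scratch(char *path, size_t len)
{
    const char *dir = getenv("TMPDIR");
    int n = snprintf(path, len, "%s/rot-XXXXXX", dir ? dir : "/tmp");
    if (n < 0 || (size_t)n >= len)
        return -1;              /* template did not fit in the caller's buffer */
    return mkstemp(path);       /* fd on success, -1 on error */
}

/* Copy the scratch file's bytes over dst with plain read()/write().
 * dst is only ever an argument to open(), never part of a shell command. */
int copy_back(int src_fd, const char *dst)
{
    char buf[4096];
    ssize_t n = -1;
    int out = open(dst, O_WRONLY | O_TRUNC);
    if (out < 0 || lseek(src_fd, 0, SEEK_SET) < 0)
        goto done;
    while ((n = read(src_fd, buf, sizeof buf)) > 0) {
        for (ssize_t off = 0, w; off < n; off += w) {   /* handle short writes */
            w = write(out, buf + off, (size_t)(n - off));
            if (w < 0) { n = -1; goto done; }
        }
    }
done:
    if (out >= 0 && close(out) < 0)
        n = -1;
    return n < 0 ? -1 : 0;
}

int main(void)
{
    char scratch[256], target[256];  /* constructed stand-ins: transform output, image */
    int fd = open_scratch(scratch, sizeof scratch);
    int tfd = open_scratch(target, sizeof target);
    if (fd < 0 || tfd < 0 || write(fd, "rotated", 7) != 7)
        return 1;
    int rc = copy_back(fd, target);
    close(fd); close(tfd); unlink(scratch); unlink(target);
    return rc ? 1 : 0;
}
```

Like the `cp` it replaces, copy_back() truncates the destination in place, so a failure part-way through leaves a partial file.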


