oss-sec mailing list archives

Re: [oCERT-2015-006] dcraw input sanitization errors


From: Stefan Cornelius <scorneli () redhat com>
Date: Tue, 19 May 2015 11:25:02 +0200

On Mon, 11 May 2015 15:59:55 +0200
Andrea Barisani <lcars () ocert org> wrote:


#2015-006 dcraw input sanitization errors

Description:

The dcraw photo decoder is an open source project for raw image
parsing.

The dcraw tool, as well as several other projects re-using its code,
suffers from an integer overflow condition which leads to a buffer
overflow. The vulnerability concerns the 'len' variable, parsed
without validation from opened images, used in the ljpeg_start()
function.

A maliciously crafted raw image file can be used to trigger the
vulnerability, causing a Denial of Service condition.


Just as a heads-up: This should affect netpbm, too.
https://sourceforge.net/p/netpbm/code/HEAD/tree/advanced/converter/other/cameratopam/ljpeg.c

Although there's a check for "len" in line #37, it shouldn't trigger, as
"len" will be negative at that point.

-- 
Stefan Cornelius / Red Hat Product Security

Come talk to Red Hat Product Security at the Summit!
Red Hat Summit 2015 - https://www.redhat.com/summit/
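
An added illustration of the point made in the reply above, not code from the post, dcraw or netpbm: a length check that only tests the upper bound of a signed `len` lets a negative value through, which then becomes a huge count once converted to `size_t`. The `field - 2` decoding, the 64 KiB buffer size, the sample bytes and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SEG_BUF_SIZE 0x10000 /* assumed size of the destination buffer */

/* Constructed sample headers: 2-byte tag, then 2-byte big-endian length. */
static const uint8_t SEG_OK[]  = {0xff, 0xc4, 0x00, 0x06, 1, 2, 3, 4};
static const uint8_t SEG_BAD[] = {0xff, 0xc4, 0x00, 0x00};

/* Assumed decoding: the length field counts itself, so payload = field - 2.
 * A field of 0 or 1 therefore yields a negative int. */
static int payload_len(const uint8_t *hdr) {
    return (hdr[2] << 8 | hdr[3]) - 2;
}

/* Upper-bound-only test on a signed value: negative lengths pass. */
static int weak_check_accepts(int len) { return !(len > SEG_BUF_SIZE); }

/* Both bounds tested while the value is still signed. */
static int strict_check_accepts(int len) {
    return len >= 0 && len <= SEG_BUF_SIZE;
}

/* Byte count a size_t-taking read routine would receive for this len. */
static size_t as_read_count(int len) { return (size_t)len; }

/* Bounded read from an in-memory image; returns bytes copied or -1. */
static long read_segment(const uint8_t *img, size_t n, uint8_t *dst, size_t cap) {
    if (n < 4) return -1;
    int len = payload_len(img);
    if (len < 0 || (size_t)len > cap || (size_t)len > n - 4) return -1;
    memcpy(dst, img + 4, (size_t)len);
    return len;
}

int main(void) {
    uint8_t dst[16];
    int len = payload_len(SEG_BAD);
    printf("len=%d weak=%d strict=%d count=%zu\n", len,
           weak_check_accepts(len), strict_check_accepts(len), as_read_count(len));
    printf("ok=%ld bad=%ld\n", read_segment(SEG_OK, sizeof SEG_OK, dst, sizeof dst),
           read_segment(SEG_BAD, sizeof SEG_BAD, dst, sizeof dst));
    return 0;
}
```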

