Bug #26811 for Imager: BMP reader security issue

RT for rt.cpan.org

This queue is for tickets about the Imager CPAN distribution.

Report information

The Basics

Id:	26811
Status:	resolved
Priority:	0/
Queue:	Imager

People

Owner:	TONYC [...] cpan.org
Requestors:	tony [...] develop-help.com
Cc:
AdminCc:

Bug Information

Severity:	Critical
Broken in:	0.21 0.27 0.28 0.29 0.31 0.32 0.35 0.36 0.37 0.38 0.39 0.40 0.41 0.42 0.43 0.43_03 0.44 0.44_01 0.45 0.45_02 0.46 0.47 0.48 0.49 0.49_01 0.50 0.51 0.51_01 0.51_02 0.51_03 0.52 0.53 0.55 0.56
Fixed in:	(no value)

History Show all quoted text

Mon Apr 30 04:06:23 2007 tony [...] develop-help.com - Ticket created

Subject:	placeholder for security issue
Date:	Mon, 30 Apr 2007 18:06:01 +1000
To:	bug-Imager [...] rt.cpan.org
From:	Tony Cook <tony [...] develop-help.com>

placeholder

Mon Apr 30 05:00:33 2007 TONYC [...] cpan.org - Subject changed from 'placeholder for security issue' to 'BMP reader security issue'

Mon Apr 30 05:00:33 2007 TONYC [...] cpan.org - Status changed from 'new' to 'open'

Mon Apr 30 05:00:36 2007 TONYC [...] cpan.org - Severity Critical added

Mon Apr 30 05:00:36 2007 TONYC [...] cpan.org - Broken in 0.21 added

Mon Apr 30 05:00:36 2007 TONYC [...] cpan.org - Broken in 0.27 added

Mon Apr 30 05:00:37 2007 TONYC [...] cpan.org - Broken in 0.28 added

Mon Apr 30 05:00:37 2007 TONYC [...] cpan.org - Broken in 0.29 added

Mon Apr 30 05:00:37 2007 TONYC [...] cpan.org - Broken in 0.31 added

Mon Apr 30 05:00:37 2007 TONYC [...] cpan.org - Broken in 0.32 added

Mon Apr 30 05:00:37 2007 TONYC [...] cpan.org - Broken in 0.35 added

Mon Apr 30 05:00:37 2007 TONYC [...] cpan.org - Broken in 0.36 added

Mon Apr 30 05:00:37 2007 TONYC [...] cpan.org - Broken in 0.37 added

Mon Apr 30 05:00:37 2007 TONYC [...] cpan.org - Broken in 0.38 added

Mon Apr 30 05:00:37 2007 TONYC [...] cpan.org - Broken in 0.39 added

Mon Apr 30 05:00:38 2007 TONYC [...] cpan.org - Broken in 0.40 added

Mon Apr 30 05:00:38 2007 TONYC [...] cpan.org - Broken in 0.41 added

Mon Apr 30 05:00:38 2007 TONYC [...] cpan.org - Broken in 0.42 added

Mon Apr 30 05:00:38 2007 TONYC [...] cpan.org - Broken in 0.43 added

Mon Apr 30 05:00:38 2007 TONYC [...] cpan.org - Broken in 0.43_03 added

Mon Apr 30 05:00:38 2007 TONYC [...] cpan.org - Broken in 0.44 added

Mon Apr 30 05:00:38 2007 TONYC [...] cpan.org - Broken in 0.44_01 added

Mon Apr 30 05:00:40 2007 TONYC [...] cpan.org - Broken in 0.45 added

Mon Apr 30 05:00:40 2007 TONYC [...] cpan.org - Broken in 0.45_02 added

Mon Apr 30 05:00:40 2007 TONYC [...] cpan.org - Broken in 0.46 added

Mon Apr 30 05:00:41 2007 TONYC [...] cpan.org - Broken in 0.47 added

Mon Apr 30 05:00:41 2007 TONYC [...] cpan.org - Broken in 0.48 added

Mon Apr 30 05:00:41 2007 TONYC [...] cpan.org - Broken in 0.49 added

Mon Apr 30 05:00:41 2007 TONYC [...] cpan.org - Broken in 0.49_01 added

Mon Apr 30 05:00:41 2007 TONYC [...] cpan.org - Broken in 0.50 added

Mon Apr 30 05:00:41 2007 TONYC [...] cpan.org - Broken in 0.51 added

Mon Apr 30 05:00:41 2007 TONYC [...] cpan.org - Broken in 0.51_01 added

Mon Apr 30 05:00:43 2007 TONYC [...] cpan.org - Broken in 0.51_02 added

Mon Apr 30 05:00:45 2007 TONYC [...] cpan.org - Broken in 0.51_03 added

Mon Apr 30 05:00:46 2007 TONYC [...] cpan.org - Broken in 0.52 added

Mon Apr 30 05:00:46 2007 TONYC [...] cpan.org - Broken in 0.53 added

Mon Apr 30 05:00:46 2007 TONYC [...] cpan.org - Broken in 0.55 added

Mon Apr 30 05:00:46 2007 TONYC [...] cpan.org - Broken in 0.56 added

Mon Apr 30 05:01:09 2007 TONYC [...] cpan.org - Taken

Mon Apr 30 05:07:36 2007 TONYC [...] cpan.org - Correspondence added

Imager 0.56 and all earlier versions with BMP support have security issue when reading compressed 8-bit per pixel BMP files where either a compressed run of data or a literal run of data overflows the scan-line. Such an overflow causes a buffer overflow in a malloc() allocated memory buffer, possibly corrupting the memory arena headers. The effect depends on your system memory allocator, with glibc this typically results in an abort, but with other memory allocators it may be possible to cause local code execution. Imager 0.57 has been released to fix this problem. The PPD archive at http://ppd.develop-help.com has been updated with a 0.57 ppd build of Imager that fixes this issue.

Sat May 05 01:07:19 2007 TONYC [...] cpan.org - Correspondence added

I posted a patch for this to the Debian bug tracking system that patches both read_8bit_bmp and read_4bit_bmp, but the buffer overflow can only occur in read_8bit_bmp, read_4bit_bmp uses a different mechanism to fill out literal and RLE data.

Fri May 11 04:55:24 2007 TONYC [...] cpan.org - Correspondence added

Fixed in 0.57.

Fri May 11 04:55:28 2007 TONYC [...] cpan.org - Status changed from 'open' to 'resolved'