Full Disclosure: Re: [gif2png] long filename Buffer Overrun

Re: [gif2png] long filename Buffer Overrun

From: Patroklos Argyroudis <argp () census-labs com>
Date: Sun, 13 Dec 2009 01:29:49 +0200

On Sat, Dec 12, 2009 at 10:59:28PM +0200, Razuel Akaharnath wrote:

DESCRIPTION:
"The gif2png program converts files from the obsolescent Graphic Interchange
Format to Portable Network Graphics <http://www.libpng.org/pub/png/>. The
conversion preserves all graphic information, including transparency,
perfectly. The gif2png program can even recover data from corrupted GIFs."

homepage: http://catb.org/~esr/gif2png/ <http://catb.org/%7Eesr/gif2png/>

VULNERABILITY:
gif2png does not perform proper bounds checking on the size of input
filename. The buffer (1025 in size) is easily overrun with a strcpy
function.

AFFECTED VERSION:
latest: 2.5.2


I have reported this to Debian about two months ago:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550978

-- 
Patroklos Argyroudis
http://www.census-labs.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

By Date By Thread

Current thread:

[gif2png] long filename Buffer Overrun Razuel Akaharnath (Dec 12)
- Re: [gif2png] long filename Buffer Overrun Patroklos Argyroudis (Dec 13)
  - Re: [gif2png] long filename Buffer Overrun Razuel Akaharnath (Dec 13)
    - Re: [gif2png] long filename Buffer Overrun Nico Golde (Dec 13)
    - Re: [gif2png] long filename Buffer Overrun Raphael Geissert (Dec 14)
- <Possible follow-ups>
- Re: [gif2png] long filename Buffer Overrun Razuel Akaharnath (Dec 13)
  - Re: [gif2png] long filename Buffer Overrun Jubei Trippataka (Dec 14)
    - Message not available
    - Re: [gif2png] long filename Buffer Overrun Razuel Akaharnath (Dec 15)