Camlimages integer overflows with PNG images

Can the maintainer(s) of camlimages contact me as soon as possible
(pref on IRC #ocaml on FreeNode), because of:

http://www.ocert.org/advisories/ocert-2009-009.html

Rich.

--
Richard Jones
Red Hat

_______________________________________________
Caml-list mailing list. Subscription management:
http://yquem.inria.fr/cgi-bin/mailman/listinfo/caml-list
Archives: http://caml.inria.fr
Beginner's list: http://groups.yahoo.com/group/ocaml_beginners
Bug reports: http://caml.inria.fr/bin/caml-bugs
Re: Camlimages integer overflows with PNG images

On 3 Jul 2009, at 18:28, Richard Jones wrote:

> On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote:
>> Do you have a patch for this at all? I need to stick it into OpenBSD
>> fairly urgently as we're in release lock.
>
> Yes, I worked up a patch here:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11
>
> Not entirely sure if it is correct and complete though, so if you have
> any suggested changes, please share them.

Should width and height be clamped further to 31-/63- bits in addition
to the multiplication check? It's stored in an OCaml int later on, and
it's pretty unlikely anyone would be working with images that size.

-anil
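The two checks discussed in the exchange above (the width * height multiplication check from the Bugzilla patch, and Anil's suggestion to also bound the values by the OCaml int range), shown as an added illustration in C. This is not the camlimages patch linked in the thread, which is not reproduced on this page; the function names, the max_bytes and ocaml_max_int parameters, and the dimensions used in main() are all constructed for the example. The naive version is included only to show why the hardened one is needed: a native-width product silently wraps, so the buffer it sizes is smaller than the pixel data that later fills it.

```c
#include <stdint.h>
#include <stdio.h>

/* PNG restricts width and height to 31-bit values (2^31 - 1). */
#define PNG_MAX_DIM 0x7FFFFFFFu

/* OCaml's int is one bit narrower than the machine word:
 * 2^62 - 1 on 64-bit platforms, 2^30 - 1 on 32-bit ones. */
#define OCAML_MAX_INT_64 (((uint64_t)1 << 62) - 1)
#define OCAML_MAX_INT_32 (((uint64_t)1 << 30) - 1)

/* The bug class under discussion: sizing a buffer with a native-width
 * multiplication.  In 32-bit arithmetic 65536 * 65536 * 1 wraps to 0,
 * so the allocation is far smaller than the image data copied into it. */
uint32_t naive_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;   /* unsigned wrap-around, no diagnostic */
}

/* Hypothetical hardened version (an assumption of this example, not the
 * camlimages patch).  max_bytes is the largest allocation the platform can
 * express (UINT32_MAX or UINT64_MAX); ocaml_max_int is the OCaml int limit
 * for that platform, because the pixel count ends up in an OCaml int.
 * Returns the byte count, or 0 if the dimensions are rejected. */
uint64_t png_buffer_size(uint32_t width, uint32_t height, uint32_t bpp,
                         uint64_t max_bytes, uint64_t ocaml_max_int)
{
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if (width > PNG_MAX_DIM || height > PNG_MAX_DIM)
        return 0;                   /* malformed header: not a legal PNG size */

    /* both factors are < 2^31, so the product is < 2^62 and fits uint64_t */
    uint64_t pixels = (uint64_t)width * (uint64_t)height;

    /* pixels >= width and pixels >= height, so this single test also bounds
     * each dimension by the OCaml int range (the 31-/63-bit clamp) */
    if (pixels > ocaml_max_int)
        return 0;

    /* guard the second multiplication with a division instead of trusting it */
    if (pixels > max_bytes / bpp)
        return 0;

    return pixels * bpp;
}

int main(void)
{
    /* constructed dimensions, not taken from any real image */
    printf("naive 65536x65536x1        -> %u bytes\n",
           (unsigned)naive_buffer_size(65536u, 65536u, 1u));
    printf("checked, 32-bit limits     -> %llu\n",
           (unsigned long long)png_buffer_size(65536u, 65536u, 1u,
                                               UINT32_MAX, OCAML_MAX_INT_32));
    printf("checked, 64-bit limits     -> %llu\n",
           (unsigned long long)png_buffer_size(65536u, 65536u, 1u,
                                               UINT64_MAX, OCAML_MAX_INT_64));
    printf("640x480x4, 64-bit limits   -> %llu\n",
           (unsigned long long)png_buffer_size(640u, 480u, 4u,
                                               UINT64_MAX, OCAML_MAX_INT_64));
    return 0;
}
```

Passing the platform limits as parameters rather than reading SIZE_MAX keeps the function testable for both word sizes on one machine; in a real decoder the caller would supply the native values once. Note that on a 32-bit OCaml a width of 2^31 - 1 is a legal PNG dimension but already exceeds the OCaml int range, which is exactly the case the extra clamp catches.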
Re: Camlimages integer overflows with PNG images

On Fri, Jul 03, 2009 at 06:36:32PM +0100, Anil Madhavapeddy wrote:

> On 3 Jul 2009, at 18:28, Richard Jones wrote:
>
>> On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote:
>>> Do you have a patch for this at all? I need to stick it into OpenBSD
>>> fairly urgently as we're in release lock.
>>
>> Yes, I worked up a patch here:
>>
>> https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11
>>
>> Not entirely sure if it is correct and complete though, so if you have
>> any suggested changes, please share them.
>
> Should width and height be clamped further to 31-/63- bits in addition
> to the multiplication check? It's stored in an OCaml int later on,
> and it's pretty unlikely anyone would be working with images that size.

I don't know, but it sounds like it might be a good idea. I'm open to
patches or exploit/testing code for this issue. But at the moment my
primary concern is to get the upstream developers to take a look at
the issue and deliver a proper, comprehensive patch.

And to fix up the immediate security hole for the major distros. At
the time of writing, Fedora is going with the patch in comment 11.

Rich.

--
Richard Jones
Red Hat
Re: Camlimages integer overflows with PNG images

Coincidentally I am working on png reading code of camlimages again this week.
I will check the patch and incorporate it to the CVS version soon.

= j

On Sat, Jul 4, 2009 at 3:35 AM, Richard Jones<rich@...> wrote:

> On Fri, Jul 03, 2009 at 06:36:32PM +0100, Anil Madhavapeddy wrote:
>> On 3 Jul 2009, at 18:28, Richard Jones wrote:
>>
>>> On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote:
>>>> Do you have a patch for this at all? I need to stick it into OpenBSD
>>>> fairly urgently as we're in release lock.
>>>
>>> Yes, I worked up a patch here:
>>>
>>> https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11
>>>
>>> Not entirely sure if it is correct and complete though, so if you have
>>> any suggested changes, please share them.
>>
>> Should width and height be clamped further to 31-/63- bits in addition
>> to the multiplication check? It's stored in an OCaml int later on,
>> and it's pretty unlikely anyone would be working with images that size.
>
> I don't know, but it sounds like it might be a good idea. I'm open to
> patches or exploit/testing code for this issue. But at the moment my
> primary concern is to get the upstream developers to take a look at
> the issue and deliver a proper, comprehensive patch.
>
> And to fix up the immediate security hole for the major distros. At
> the time of writing, Fedora is going with the patch in comment 11.
>
> Rich.
>
> --
> Richard Jones
> Red Hat
Re: Camlimages integer overflows with PNG images

On Sat, Jul 04, 2009 at 10:56:50AM +0900, Jun Furuse wrote:

> Coincidentally I am working on png reading code of camlimages again this week.
> I will check the patch and incorporate it to the CVS version soon.

I'm not sure if we can get to the CVS version of camlimages?

Anyhow, after a series of problems I'm intending to drop camlimages
from Fedora ... unless you can assure me that an upstream release which
comprehensively fixes the problems is going to appear soon.

Rich.

--
Richard Jones
Red Hat