Your message dated Wed, 22 Sep 2021 00:48:24 +0000 with message-id <E1mSqQy-0001I6-Uf@fasolo.debian.org> and subject line Bug#959141: fixed in apngopt 1.2-3 has caused the Debian Bug report #959141, regarding apngopt 1.2-2 stack buffer overflow to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
959141: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959141
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: apngopt 1.2-2 stack buffer overflow
- From: David Petek <david.petek@gmail.com>
- Date: Wed, 29 Apr 2020 22:29:20 +0200
- Message-id: <CAB5crE0WZtE6-_+ioE+i9Kzc9riq8SCqYxHH3-tjNZ0cw319HA@mail.gmail.com>
Package: apngopt
Version: 1.2-2
apngopt crashes with a stack buffer overflow when called with a command-line argument longer than 247 bytes.
Steps to replicate:
```
wget http://deb.debian.org/debian/pool/main/a/apngopt/apngopt_1.2.orig.tar.gz
tar -xf apngopt_1.2.orig.tar.gz
cd apngopt-1.2.orig
make
./apngopt `python -c "print('a'*256)"`
```
Output:
```
APNG Optimizer 1.2
*** buffer overflow detected ***: ./apngopt terminated
[1] 5965 abort ./apngopt `python -c "print('a'*256)"`
```
The bug is caused by copying the command-line argument into a 256-byte buffer using strcpy on line 2372:
```
2363 szIn = argv[1];
2364
2365 if (argc > 2)
2366 {
2367 strncpy(szOut, argv[2], 255);
2368 szOut[255] = '\0';
2369 }
2370 else
2371 {
2372 strcpy(szOut, szIn);
2373 if ((szExt = strrchr(szOut, '.')) != NULL) *szExt = 0;
2374 strcat(szOut, ".opt.png");
2375 }
```
Suggested fix: use strncpy or verify szIn length before copying.
Proposed patch:
```
2372c2372
< strcpy(szOut, szIn);
---
> strncpy(szOut, szIn, 247);
```
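Review bot: strncpy(szOut, szIn, 247) on line 2372 does not write a terminating NUL when szIn is 247 bytes or longer, so the strrchr and strcat on lines 2373-2374 only stay inside the 256-byte buffer if szOut was zeroed beforehand, which the quoted lines do not show. Set szOut[247] = '\0' right after the copy, the same way lines 2367-2368 terminate the argv[2] copy, and derive the bound from the buffer size minus the length of ".opt.png" and its terminator instead of the literal 247. Returning an error for an over-long input name would also avoid silently writing the result to a truncated output path.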
Best regards,
--David Petek
--- End Message ---
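The overflow reported above comes from building the output file name in a fixed 256-byte buffer. As an added example (not code from apngopt or from the Debian patch), the hypothetical helper `derive_out_name` below computes the required length first and rejects input that cannot fit; unlike the quoted lines, it strips an extension only from the final path component.

```c
#include <stdio.h>
#include <string.h>

#define OUT_SUFFIX ".opt.png"

/* Hypothetical helper (not from apngopt): build "<input minus extension>.opt.png"
 * in out[outsz]. Returns 0 on success, -1 if the result would not fit, so the
 * caller can refuse the input instead of overflowing or silently truncating. */
int derive_out_name(const char *in, char *out, size_t outsz)
{
    size_t stem_len = strlen(in);
    const char *dot = strrchr(in, '.');
    const char *slash = strrchr(in, '/');

    /* Treat the last '.' as an extension only if it is in the final path component. */
    if (dot != NULL && (slash == NULL || dot > slash))
        stem_len = (size_t)(dot - in);

    /* Need room for stem + suffix + terminating NUL (sizeof counts the NUL). */
    if (outsz < sizeof(OUT_SUFFIX) || stem_len > outsz - sizeof(OUT_SUFFIX))
        return -1;

    memcpy(out, in, stem_len);
    memcpy(out + stem_len, OUT_SUFFIX, sizeof(OUT_SUFFIX)); /* copies the NUL too */
    return 0;
}

int main(void)
{
    char szOut[256];
    char longarg[257];   /* constructed input: 256 'a' characters, as in the report */
    memset(longarg, 'a', 256);
    longarg[256] = '\0';

    const char *samples[] = { "anim.png", "dir.v2/anim", longarg };
    for (size_t i = 0; i < 3; i++) {
        if (derive_out_name(samples[i], szOut, sizeof szOut) == 0)
            printf("%.20s... -> %s\n", samples[i], szOut);
        else
            printf("input %zu rejected: output name would exceed %zu bytes\n",
                   i, sizeof szOut);
    }
    return 0;
}
```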
--- Begin Message ---
- To: 959141-close@bugs.debian.org
- Subject: Bug#959141: fixed in apngopt 1.2-3
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Wed, 22 Sep 2021 00:48:24 +0000
- Message-id: <E1mSqQy-0001I6-Uf@fasolo.debian.org>
- Reply-to: Boyuan Yang <byang@debian.org>
Source: apngopt
Source-Version: 1.2-3
Done: Boyuan Yang <byang@debian.org>

We believe that the bug you reported is fixed in the latest version of apngopt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is attached.

Thank you for reporting the bug, which will now be closed. If you have further comments please address them to 959141@bugs.debian.org, and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Boyuan Yang <byang@debian.org> (supplier of updated apngopt package)

(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing ftpmaster@ftp-master.debian.org)

```
Format: 1.8
Date: Tue, 21 Sep 2021 20:04:05 -0400
Source: apngopt
Architecture: source
Version: 1.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Boyuan Yang <byang@debian.org>
Closes: 959141 966843
Changes:
 apngopt (1.2-3) unstable; urgency=medium
 .
   * QA upload.
   * debian/patches/0001-use-autotools.patch: Use autotools as package
     buildsystem.
     + Fixes FTCBFS. (Closes: #966843)
   * Refresh packaging:
     + Bump Standards-Version to 4.6.0.
     + Bump debhelper compat to v13.
     + Update Vcs-* fields with git packaging repo on Salsa GitLab.
   * debian/rules: Refresh instruction.
   * debian/patches/0002-strcpy-avoid-stack-buffer-overflow.patch:
     Add patch to avoid stack buffer overflow with long filename.
     (Closes: #959141)
```
--- End Message ---