
Bug#959141: marked as done (apngopt 1.2-2 stack buffer overflow)



Your message dated Wed, 22 Sep 2021 00:48:24 +0000
with message-id <E1mSqQy-0001I6-Uf@fasolo.debian.org>
and subject line Bug#959141: fixed in apngopt 1.2-3
has caused the Debian Bug report #959141,
regarding apngopt 1.2-2 stack buffer overflow
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
959141: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=959141
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: apngopt
Version: 1.2-2

apngopt crashes with a stack buffer overflow when called with a command line argument longer than 247 bytes.

Steps to replicate:
```
wget http://deb.debian.org/debian/pool/main/a/apngopt/apngopt_1.2.orig.tar.gz
tar -xf apngopt_1.2.orig.tar.gz
cd apngopt-1.2.orig
make
./apngopt `python -c "print('a'*256)"`
```

Output:
```
APNG Optimizer 1.2

*** buffer overflow detected ***: ./apngopt terminated
[1]    5965 abort      ./apngopt `python -c "print('a'*256)"`
```

The bug is caused by copying the command line argument into a 256-byte buffer using strcpy on line 2372:
```
2363  szIn = argv[1];
2364
2365  if (argc > 2)
2366  {
2367    strncpy(szOut, argv[2], 255);
2368    szOut[255] = '\0';
2369  }
2370  else
2371  {
2372    strcpy(szOut, szIn);
2373    if ((szExt = strrchr(szOut, '.')) != NULL) *szExt = 0;
2374    strcat(szOut, ".opt.png");
2375  }
```

Suggested fix: use strncpy or verify szIn length before copying.

Proposed patch:
```
2372c2372
<     strcpy(szOut, szIn);
---
>     strncpy(szOut, szIn, 247);
```
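
Review bot: strncpy(szOut, szIn, 247) on line 2372 writes no terminating NUL when szIn is 247 bytes or longer, so the strrchr and strcat on lines 2373-2374 would then run on a string that is only terminated if szOut happened to hold a zero byte past the copied data. Add szOut[247] = '\0'; directly after the copy, the same way lines 2367-2368 pair strncpy(szOut, argv[2], 255) with szOut[255] = '\0'. The bound itself fits the 256-byte buffer (247 bytes plus the 8-byte ".opt.png" plus the NUL is exactly 256), but a comment or an expression derived from the buffer size would make that visible instead of leaving 247 as a magic number.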

Best regards,

--
David Petek

--- End Message ---
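
The other option named in the report's suggested fix, verifying the length of szIn before copying, as an added example that is not part of the original report or of apngopt's code. `derive_output_name` and `OUT_SIZE` are hypothetical names; the 256-byte size comes from the report, and the helper keeps the extension handling of lines 2372-2374 but rejects an over-long name instead of truncating it.

```c
#include <stdio.h>
#include <string.h>

#define OUT_SIZE 256          /* szOut size as stated in the report */
#define SUFFIX   ".opt.png"

/* Hypothetical helper, not apngopt code: writes "<in without its last
 * extension>.opt.png" to out. Returns 0 on success, -1 if it cannot fit. */
int derive_output_name(char *out, size_t out_size, const char *in)
{
    /* Same rule as lines 2373-2374: cut at the last '.', if any. */
    const char *dot = strrchr(in, '.');
    size_t stem_len = dot ? (size_t)(dot - in) : strlen(in);

    /* sizeof(SUFFIX) counts the terminating NUL, so this is the full size. */
    if (stem_len + sizeof(SUFFIX) > out_size)
        return -1;

    memcpy(out, in, stem_len);
    memcpy(out + stem_len, SUFFIX, sizeof(SUFFIX));  /* copies the NUL too */
    return 0;
}

int main(void)
{
    char out[OUT_SIZE];
    char arg[300];                       /* constructed sample inputs */
    size_t lens[] = { 8, 247, 248, 256 };

    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        memset(arg, 'a', lens[i]);
        arg[lens[i]] = '\0';
        if (derive_output_name(out, sizeof out, arg) == 0)
            printf("%3zu bytes -> ok, output is %zu bytes\n", lens[i], strlen(out));
        else
            printf("%3zu bytes -> rejected, would overflow szOut\n", lens[i]);
    }
    return 0;
}
```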
--- Begin Message ---
Source: apngopt
Source-Version: 1.2-3
Done: Boyuan Yang <byang@debian.org>

We believe that the bug you reported is fixed in the latest version of
apngopt, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 959141@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Boyuan Yang <byang@debian.org> (supplier of updated apngopt package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Tue, 21 Sep 2021 20:04:05 -0400
Source: apngopt
Architecture: source
Version: 1.2-3
Distribution: unstable
Urgency: medium
Maintainer: Debian QA Group <packages@qa.debian.org>
Changed-By: Boyuan Yang <byang@debian.org>
Closes: 959141 966843
Changes:
 apngopt (1.2-3) unstable; urgency=medium
 .
   * QA upload.
   * debian/patches/0001-use-autotools.patch: Use autotools as
     package buildsystem.
     + Fixes FTCBFS. (Closes: #966843)
   * Refresh packaging:
     + Bump Standards-Version to 4.6.0.
     + Bump debhelper compat to v13.
     + Update Vcs-* fields with git packaging repo on Salsa GitLab.
   * debian/rules: Refresh instruction.
   * debian/patches/0002-strcpy-avoid-stack-buffer-overflow.patch:
     Add patch to avoid stack buffer overflow with long filename.
     (Closes: #959141)

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

--- End Message ---
