Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 308025 (CVE-2009-4274) - <media-libs/netpbm-10.49.00: code execution (CVE-2009-4274)
Summary: <media-libs/netpbm-10.49.00: code execution (CVE-2009-4274)
Status: RESOLVED FIXED
Alias: CVE-2009-4274
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-03-06 14:53 UTC by Stefan Behte (RETIRED)
Modified: 2013-11-13 11:39 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 14:53:55 UTC
CVE-2009-4274 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4274):
  Stack-based buffer overflow in converter/ppm/xpmtoppm.c in netpbm
  before 10.47.07 allows context-dependent attackers to cause a denial
  of service (application crash) or possibly execute arbitrary code via
  an XPM image file that contains a crafted header field associated
  with a large color index value.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 14:55:24 UTC
The newest ebuild in tree is still vulnerable, CVE versioning is wrong:

http://netpbm.svn.sourceforge.net/viewvc/netpbm/stable/converter/ppm/xpmtoppm.c?view=patch&r1=995&r2=1076&pathrev=1076

Please provide an patched ebuild or bump to a newer version.
Comment 2 SpanKY gentoo-dev 2010-03-06 22:18:34 UTC
netpbm-10.49.00 now in the tree
Comment 3 Naohiro Aota gentoo-dev 2010-03-17 15:06:41 UTC
Cannot build netpbm-10.49.00 on Gentoo/FreeBSD because of using undefined signal SIGPWR.

Upstream trunk already fix this problem. Here is a patch. 
http://netpbm.svn.sourceforge.net/viewvc/netpbm/trunk/lib/libsystem.c?r1=1129&r2=1149&view=patch

I've confirmed that appling this patch make it possible to emerge netpbm-10.49.00 on Gentoo/FreeBSD.
Comment 4 SpanKY gentoo-dev 2010-03-17 23:12:20 UTC
new issues -> new bugs
Comment 5 SpanKY gentoo-dev 2010-09-18 13:42:24 UTC
10.49.00 is stable now ...
Comment 6 Stefan Behte (RETIRED) gentoo-dev Security 2010-11-21 17:47:54 UTC
GLSA request filed.
Comment 7 Toralf Förster gentoo-dev 2011-01-19 16:23:05 UTC
From Bryan Henderson <bryanh@giraffe-data.com> I got an update related to version 10.49 (segault in libc) :

Thanks for the report.  There was a bug with that symptom fixed in
Release 10.50 (March 2010), and I can't reproduce the problem in current
code.

v 10.51-r1 emerged here at an almost stable 32bit x86 Gentoo w/o problems.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2013-11-13 11:39:20 UTC
This issue was resolved and addressed in
 GLSA 201311-08 at http://security.gentoo.org/glsa/glsa-201311-08.xml
by GLSA coordinator Sean Amoss (ackle).