Thomas Biege from suse reports:
--------------------------------------------------------------------
tiff2pdf.c:3660:
char buffer[5];
...
sprintf(buffer, "\\%.3o", pdfstr[i]);
pdfstr[i] is signed char, therefore would write \37777777741
-------------------------------------------------------------------
Questionable whether that's exploitable, but definitely a bug.
nerdboy, this issue is confidential, please comment on this bug and attach a patch to this bug if appropriate, please do not commit anything to portage yet. (I guess sprintf => snprintf will do it)
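Added illustration of the report and the suggested fix above (not libtiff's own code): the buggy form reproduces the sign-extension that turns byte 0xE1 into the 12-character "\37777777741" the report quotes, and the hardened form converts through unsigned char and bounds the write with snprintf. Function names and the sample bytes are constructed for this example.

```c
#include <stdio.h>

#define ESC_BUF 5   /* buffer size from the report: "\ooo" plus NUL */

/* Characters (excluding NUL) the reported sprintf line emits for one
 * byte.  The signed char is promoted to int, so bytes >= 0x80 become
 * negative and %o prints all 32 sign-extended bits, e.g. 0xE1 -> -31
 * -> "\37777777741".  The cast only makes that reading well-defined. */
int escape_len_buggy(signed char c)
{
    char tmp[16];
    return snprintf(tmp, sizeof tmp, "\\%.3o", (unsigned)(int)c);
}

/* Would the buggy output fit in the 5-byte buffer? */
int buggy_fits(signed char c)
{
    return escape_len_buggy(c) + 1 <= ESC_BUF;
}

/* Hardened form: go through unsigned char so the value is 0..255 (at
 * most three octal digits) and bound the write with snprintf.
 * Returns the length written, or -1 if it did not fit. */
int escape_byte_fixed(char c, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "\\%.3o", (unsigned char)c);
    return (n < 0 || (size_t)n >= buflen) ? -1 : n;
}

/* Helper: run the fixed routine into a scratch buffer of buflen bytes. */
int fixed_len(unsigned char b, size_t buflen)
{
    char buf[16];
    if (buflen > sizeof buf) return -1;
    return escape_byte_fixed((char)b, buf, buflen);
}

int main(void)
{
    const unsigned char bytes[] = { 'A', 0x7f, 0x80, 0xe1 };  /* constructed */
    char buf[ESC_BUF];
    for (size_t i = 0; i < sizeof bytes; i++) {
        signed char sc = (signed char)bytes[i];
        int n = escape_byte_fixed((char)bytes[i], buf, sizeof buf);
        printf("0x%02x: sprintf would need %2d bytes (%s); fixed: %s (%d)\n",
               bytes[i], escape_len_buggy(sc) + 1,
               buggy_fits(sc) ? "fits" : "OVERFLOW", buf, n);
    }
    return 0;
}
```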
Created attachment 88391: patch for tiff2pdf buffer overflow
Here's a patch for the cited sprintf condition; it works on 3.7.4 and 3.8.2 (and I'd still like to stabilize everyone on 3.8.2 or better).
Comment on attachment 88391: patch for tiff2pdf buffer overflow
This is fixed upstream, but the patch I have is about 50k uncompressed. Let me know if you want it attached.
I'd also like to commit both fixes, along with a JBIG update for Hylafax...
This is public now so please go ahead and commit the fixed ebuild.
Let's handle the rest on bug #135881 instead of having two bugs for the same package.
*** This bug has been marked as a duplicate of 135881 ***