From ${URL} : There is a stack-based buffer overflow in autotrace 0.31.1 in Fedora[1].

In input-bmp.c, the input_bmp_reader() function creates a buffer on the stack:

91 unsigned char buffer[64];

Later on

169 else if (Bitmap_File_Head.biSize <= 64) /* Probably OS/2 2.x */
170 {
171 if (!ReadOK (fd, buffer, Bitmap_File_Head.biSize - 4))

We control Bitmap_File_Head.biSize. A value of 0 meets the <=64 requirements, and 0 - 4 should result in almost 4294967295 bytes being read into the buffer.

I am told:

""
The same code is in Gimp, it was introduced in commit d9c6f88141aecf956c5d721168f795de0e3027b8 and accidentally fixed in 57f805a159874107c6c98065f9aa648c3634b8fd:
https://git.gnome.org/browse/gimp/commit/?h=d9c6f88141aecf956c5d7
https://git.gnome.org/browse/gimp/commit/?h=57f805a159874107c6c98
Similar code can also be found in sam2p.
""

On Fedora 18, the issue was caught by FORTIFY_SOURCE.

Murray.

[1] http://koji.fedoraproject.org/koji/buildinfo?buildID=340458

@maintainer(s): after the bump, please say explicitly if the package is ready for the stabilization or not
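An added illustration of the arithmetic in the report and of the kind of guard that closes it. This is example code, not code from the bug report, from autotrace, or from the upstream patch; the header struct, the in-memory stand-in for ReadOK(), the 64-byte destination and the constructed sample bytes are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the BMP header struct; only biSize matters here. */
struct bmp_file_head {
    uint32_t biSize;
};

#define HEADER_BUF_LEN 64   /* size of the on-stack buffer named in the report */

/* The length as the unchecked code computes it: unsigned 32-bit subtraction,
 * so any biSize below 4 wraps to a value just under 4 GiB. */
uint32_t unchecked_read_len(uint32_t biSize)
{
    return biSize - 4u;
}

/* Hardened length computation (an added guard, not the upstream patch text):
 * reject a biSize that would underflow and one larger than the destination. */
int checked_read_len(uint32_t biSize, size_t buflen)
{
    if (biSize < 4u)
        return -1;          /* biSize - 4 would wrap */
    if (biSize > buflen)
        return -1;          /* the existing <= 64 style check, tied to the real size */
    return (int)(biSize - 4u);
}

/* Simulated OS/2 header read from an in-memory file, standing in for
 * ReadOK(fd, buffer, len). Returns bytes copied, or -1 when rejected. */
int read_os2_header(const unsigned char *file, size_t filelen,
                    const struct bmp_file_head *head,
                    unsigned char *buffer, size_t buflen)
{
    int n = checked_read_len(head->biSize, buflen);
    if (n < 0)
        return -1;
    if ((size_t)n > filelen)
        return -1;          /* truncated input: ReadOK would report a short read */
    memcpy(buffer, file, (size_t)n);
    return n;
}

/* Self-contained check of the biSize = 0 case from the report:
 * returns 1 when the hardened reader rejects it. */
int rejects_zero_bisize(void)
{
    unsigned char buffer[HEADER_BUF_LEN];
    unsigned char file[HEADER_BUF_LEN] = { 0 };   /* constructed dummy header bytes */
    struct bmp_file_head head = { 0 };
    return read_os2_header(file, sizeof file, &head, buffer, sizeof buffer) == -1;
}

int main(void)
{
    unsigned char buffer[HEADER_BUF_LEN];
    unsigned char file[HEADER_BUF_LEN] = { 0 };   /* constructed dummy header bytes */
    struct bmp_file_head bad = { 0 };    /* biSize = 0, the value the report describes */
    struct bmp_file_head ok  = { 40 };   /* an in-range header size */

    printf("unchecked length for biSize=0: %u\n", unchecked_read_len(bad.biSize));
    printf("hardened read, biSize=0:  %d\n",
           read_os2_header(file, sizeof file, &bad, buffer, sizeof buffer));
    printf("hardened read, biSize=40: %d\n",
           read_os2_header(file, sizeof file, &ok, buffer, sizeof buffer));
    return 0;
}
```

The first guard is the one the report's arithmetic calls for; the second keeps the length bound tied to the actual destination size rather than a bare constant, which is what FORTIFY_SOURCE was enforcing at run time on Fedora 18.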
CVE-2013-1953 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1953): Integer underflow in the input_bmp_reader function in input-bmp.c in AutoTrace 0.31.1 allows context-dependent attackers to have an unspecified impact via a small value in the biSize field in the header of a BMP file, which triggers a buffer overflow.
Upstream Patch: https://github.com/PhantomX/slackbuilds/blob/master/autotrace/patches/autotrace-0.31.1-CVE-2013-1953.patch and Redhat's: https://bugzilla.redhat.com/attachment.cgi?id=766451 . Please patch and request stabilization in this bug when ready.
test comment.
Patch added and package revbumped: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6d1c95e6a0a3ea6ae4d8b397845120e23e0f67b Minor patch so calling for stabilization: @arches, please stabilize: =media-gfx/autotrace-0.31.1-r7
amd64 stable
x86 stable
Stable for HPPA.
Stable for PPC64.
Stable on alpha.
ppc stable
sparc stable
ia64 stable. Maintainer(s), please cleanup. Security, please add it to the existing request, or file a new one.
(In reply to Agostino Sarubbo from comment #12)
> Maintainer(s), please cleanup.
> Security, please add it to the existing request, or file a new one.

done.
No PoC on ACE or privilege escalation. Lowering severity. Tree is clean. GLSA Vote: No