caml-list - the Caml user's mailing list
* Camlimages integer overflows with PNG images
@ 2009-07-03 11:38 Richard Jones
       [not found] ` <0D39970B-7727-4503-A218-C8CDD3B64F4D@recoil.org>
  0 siblings, 1 reply; 6+ messages in thread
From: Richard Jones @ 2009-07-03 11:38 UTC (permalink / raw)
  To: caml-list

Can the maintainer(s) of camlimages contact me as soon as possible
(pref on IRC #ocaml on FreeNode), because of:

  http://www.ocert.org/advisories/ocert-2009-009.html

Rich.

-- 
Richard Jones
Red Hat



* Re: [Caml-list] Camlimages integer overflows with PNG images
       [not found] ` <0D39970B-7727-4503-A218-C8CDD3B64F4D@recoil.org>
@ 2009-07-03 17:28   ` Richard Jones
  2009-07-03 17:36     ` Anil Madhavapeddy
  0 siblings, 1 reply; 6+ messages in thread
From: Richard Jones @ 2009-07-03 17:28 UTC (permalink / raw)
  To: Anil Madhavapeddy; +Cc: caml-list

On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote:
> Do you have a patch for this at all?  I need to stick it into OpenBSD  
> fairly urgently as we're in release lock.

Yes, I worked up a patch here:

  https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11

Not entirely sure if it is correct and complete though, so if you have
any suggested changes, please share them.

Rich.

-- 
Richard Jones
Red Hat



* Re: [Caml-list] Camlimages integer overflows with PNG images
  2009-07-03 17:28   ` [Caml-list] " Richard Jones
@ 2009-07-03 17:36     ` Anil Madhavapeddy
  2009-07-03 18:35       ` Richard Jones
  0 siblings, 1 reply; 6+ messages in thread
From: Anil Madhavapeddy @ 2009-07-03 17:36 UTC (permalink / raw)
  To: Richard Jones; +Cc: caml-list

On 3 Jul 2009, at 18:28, Richard Jones wrote:

> On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote:
>> Do you have a patch for this at all?  I need to stick it into OpenBSD
>> fairly urgently as we're in release lock.
>
> Yes, I worked up a patch here:
>
>  https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11
>
> Not entirely sure if it is correct and complete though, so if you have
> any suggested changes, please share them.

Should width and height be clamped further to 31-/63- bits in addition  
to the multiplication check?  It's stored in an OCaml int later on,  
and it's pretty unlikely anyone would be working with images that size.

-anil
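The two checks Anil asks about above, a per-dimension clamp to what an OCaml int can hold (31 bits on 32-bit hosts, 63 on 64-bit) on top of the width*height multiplication check, as an added C example; this is not camlimages code or the patch from the bugzilla entry, and the limit constants and the image_bytes_checked name are my own.

```c
#include <stdbool.h>
#include <stdint.h>

/* OCaml ints are 63-bit on 64-bit hosts and 31-bit on 32-bit hosts
   (one bit is reserved for the runtime's tag bit), so the largest
   positive int is 2^62-1 or 2^30-1 respectively. */
#define OCAML_INT_MAX_31 ((int64_t)((1ULL << 30) - 1))
#define OCAML_INT_MAX_63 ((int64_t)((1ULL << 62) - 1))
#define OCAML_INT_MAX_NATIVE \
    (sizeof(void *) >= 8 ? OCAML_INT_MAX_63 : OCAML_INT_MAX_31)

/* Byte size of a width x height image with bpp bytes per pixel, refusing
   any value that would not fit in an OCaml int of the given range.
   Returns true and stores the size in *out only if every intermediate
   product fits; the caller must not allocate when it returns false. */
bool image_bytes_checked(uint32_t width, uint32_t height, uint32_t bpp,
                         int64_t ocaml_int_max, uint64_t *out)
{
    uint64_t limit = (uint64_t)ocaml_int_max;

    if (width == 0 || height == 0 || bpp == 0)
        return false;                   /* degenerate image, nothing to read */

    /* Clamp each dimension on its own: a 32-bit PNG dimension can already
       exceed a 31-bit OCaml int before any multiplication happens. */
    if (width > limit || height > limit)
        return false;

    /* Multiplication check, done by division so the test itself cannot
       overflow: width * height <= limit  <=>  width <= limit / height. */
    if (width > limit / height)
        return false;
    uint64_t pixels = (uint64_t)width * height;

    /* Same check again for the byte count (pixels * bpp). */
    if (pixels > limit / bpp)
        return false;

    *out = pixels * bpp;                /* guaranteed <= limit */
    return true;
}

/* Convenience wrapper using the int range of the host OCaml runtime. */
bool image_bytes_native(uint32_t width, uint32_t height, uint32_t bpp,
                        uint64_t *out)
{
    return image_bytes_checked(width, height, bpp, OCAML_INT_MAX_NATIVE, out);
}
```

A caller converts the checked value to size_t for the allocation and passes the same width and height on to the OCaml side, which is why the clamp uses the OCaml int range rather than SIZE_MAX.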



* Re: [Caml-list] Camlimages integer overflows with PNG images
  2009-07-03 17:36     ` Anil Madhavapeddy
@ 2009-07-03 18:35       ` Richard Jones
  2009-07-04  1:56         ` Jun Furuse
  0 siblings, 1 reply; 6+ messages in thread
From: Richard Jones @ 2009-07-03 18:35 UTC (permalink / raw)
  To: Anil Madhavapeddy; +Cc: caml-list

On Fri, Jul 03, 2009 at 06:36:32PM +0100, Anil Madhavapeddy wrote:
> On 3 Jul 2009, at 18:28, Richard Jones wrote:
> 
> >On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote:
> >>Do you have a patch for this at all?  I need to stick it into OpenBSD
> >>fairly urgently as we're in release lock.
> >
> >Yes, I worked up a patch here:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11
> >
> >Not entirely sure if it is correct and complete though, so if you have
> >any suggested changes, please share them.
> 
> Should width and height be clamped further to 31-/63- bits in addition  
> to the multiplication check?  It's stored in an OCaml int later on,  
> and it's pretty unlikely anyone would be working with images that size.

I don't know, but it sounds like it might be a good idea.  I'm open to
patches or exploit/testing code for this issue.  But at the moment my
primary concern is to get the upstream developers to take a look at
the issue and deliver a proper, comprehensive patch.

And to fix up the immediate security hole for the major distros.  At
the time of writing, Fedora is going with the patch in comment 11.

Rich.

-- 
Richard Jones
Red Hat



* Re: [Caml-list] Camlimages integer overflows with PNG images
  2009-07-03 18:35       ` Richard Jones
@ 2009-07-04  1:56         ` Jun Furuse
  2009-10-16 16:01           ` Richard Jones
  0 siblings, 1 reply; 6+ messages in thread
From: Jun Furuse @ 2009-07-04  1:56 UTC (permalink / raw)
  To: Richard Jones; +Cc: Anil Madhavapeddy, caml-list

Coincidentally I am working on png reading code of camlimages again this week.
I will check the patch and incorporate it to the CVS version soon.

=
j




* Re: [Caml-list] Camlimages integer overflows with PNG images
  2009-07-04  1:56         ` Jun Furuse
@ 2009-10-16 16:01           ` Richard Jones
  0 siblings, 0 replies; 6+ messages in thread
From: Richard Jones @ 2009-10-16 16:01 UTC (permalink / raw)
  To: Jun Furuse; +Cc: caml-list, Anil Madhavapeddy

On Sat, Jul 04, 2009 at 10:56:50AM +0900, Jun Furuse wrote:
> Coincidentally I am working on png reading code of camlimages again this week.
> I will check the patch and incorporate it to the CVS version soon.

I'm not sure if we can get to the CVS version of camlimages?

Anyhow, after a series of problems I'm intending to drop camlimages
from Fedora ... unless you can assure me that an upstream release
which comprehensively fixes the problems is going to appear soon.

Rich.

-- 
Richard Jones
Red Hat

