* Camlimages integer overflows with PNG images
From: Richard Jones @ 2009-07-03 11:38 UTC
To: caml-list

Can the maintainer(s) of camlimages contact me as soon as possible (pref on IRC #ocaml on FreeNode), because of:

http://www.ocert.org/advisories/ocert-2009-009.html

Rich.

--
Richard Jones
Red Hat
* Re: [Caml-list] Camlimages integer overflows with PNG images
From: Richard Jones @ 2009-07-03 17:28 UTC
To: Anil Madhavapeddy; +Cc: caml-list

On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote:
> Do you have a patch for this at all? I need to stick it into OpenBSD
> fairly urgently as we're in release lock.

Yes, I worked up a patch here:

https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11

Not entirely sure if it is correct and complete though, so if you have any suggested changes, please share them.

Rich.

--
Richard Jones
Red Hat
* Re: [Caml-list] Camlimages integer overflows with PNG images
From: Anil Madhavapeddy @ 2009-07-03 17:36 UTC
To: Richard Jones; +Cc: caml-list

On 3 Jul 2009, at 18:28, Richard Jones wrote:
> On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote:
>> Do you have a patch for this at all? I need to stick it into OpenBSD
>> fairly urgently as we're in release lock.
>
> Yes, I worked up a patch here:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11
>
> Not entirely sure if it is correct and complete though, so if you have
> any suggested changes, please share them.

Should width and height be clamped further to 31-/63- bits in addition to the multiplication check? It's stored in an OCaml int later on, and it's pretty unlikely anyone would be working with images that size.

-anil
* Re: [Caml-list] Camlimages integer overflows with PNG images
From: Richard Jones @ 2009-07-03 18:35 UTC
To: Anil Madhavapeddy; +Cc: caml-list

On Fri, Jul 03, 2009 at 06:36:32PM +0100, Anil Madhavapeddy wrote:
> On 3 Jul 2009, at 18:28, Richard Jones wrote:
>
> >On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote:
> >>Do you have a patch for this at all? I need to stick it into OpenBSD
> >>fairly urgently as we're in release lock.
> >
> >Yes, I worked up a patch here:
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11
> >
> >Not entirely sure if it is correct and complete though, so if you have
> >any suggested changes, please share them.
>
> Should width and height be clamped further to 31-/63- bits in addition
> to the multiplication check? It's stored in an OCaml int later on,
> and it's pretty unlikely anyone would be working with images that size.

I don't know, but it sounds like it might be a good idea. I'm open to patches or exploit/testing code for this issue. But at the moment my primary concern is to get the upstream developers to take a look at the issue and deliver a proper, comprehensive patch.

And to fix up the immediate security hole for the major distros. At the time of writing, Fedora is going with the patch in comment 11.

Rich.

--
Richard Jones
Red Hat
* Re: [Caml-list] Camlimages integer overflows with PNG images
From: Jun Furuse @ 2009-07-04 1:56 UTC
To: Richard Jones; +Cc: Anil Madhavapeddy, caml-list

Coincidentally I am working on png reading code of camlimages again this week. I will check the patch and incorporate it into the CVS version soon.

= j

On Sat, Jul 4, 2009 at 3:35 AM, Richard Jones<rich@annexia.org> wrote:
> On Fri, Jul 03, 2009 at 06:36:32PM +0100, Anil Madhavapeddy wrote:
>> On 3 Jul 2009, at 18:28, Richard Jones wrote:
>>
>> >On Fri, Jul 03, 2009 at 06:19:49PM +0100, Anil Madhavapeddy wrote:
>> >>Do you have a patch for this at all? I need to stick it into OpenBSD
>> >>fairly urgently as we're in release lock.
>> >
>> >Yes, I worked up a patch here:
>> >
>> > https://bugzilla.redhat.com/show_bug.cgi?id=509531#c11
>> >
>> >Not entirely sure if it is correct and complete though, so if you have
>> >any suggested changes, please share them.
>>
>> Should width and height be clamped further to 31-/63- bits in addition
>> to the multiplication check? It's stored in an OCaml int later on,
>> and it's pretty unlikely anyone would be working with images that size.
>
> I don't know, but it sounds like it might be a good idea. I'm open to
> patches or exploit/testing code for this issue. But at the moment my
> primary concern is to get the upstream developers to take a look at
> the issue and deliver a proper, comprehensive patch.
>
> And to fix up the immediate security hole for the major distros. At
> the time of writing, Fedora is going with the patch in comment 11.
>
> Rich.
>
> --
> Richard Jones
> Red Hat
* Re: [Caml-list] Camlimages integer overflows with PNG images
From: Richard Jones @ 2009-10-16 16:01 UTC
To: Jun Furuse; +Cc: caml-list, Anil Madhavapeddy

On Sat, Jul 04, 2009 at 10:56:50AM +0900, Jun Furuse wrote:
> Coincidentally I am working on png reading code of camlimages again this week.
> I will check the patch and incorporate it into the CVS version soon.

I'm not sure if we can get to the CVS version of camlimages?

Anyhow, after a series of problems I'm intending to drop camlimages from Fedora ... unless you can assure me that an upstream release which comprehensively fixes the problems is going to appear soon.

Rich.

--
Richard Jones
Red Hat