
Bug#533361: Xcftools 1.0.5 fixes #533361 and other bugs



Jan Hauke Rahm wrote:

> Now, if you would like to do me a big favour, you could send me a patch
> (as small as possible) for the security bug found in 1.0.4.

Here is an absolutely minimal patch that fixes only the security issue.

-- 
Henning Makholm       "It was intended to compile from some approximation to
                 the M-notation, but the M-notation was never fully defined,
                because representing LISP functions by LISP lists became the
 dominant programming language when the interpreter later became available."
diff -ur xcftools-1.0.4-orig/flatspec.c xcftools-1.0.4/flatspec.c
--- xcftools-1.0.4-orig/flatspec.c	2006-02-22 01:38:49.000000000 +0100
+++ xcftools-1.0.4/flatspec.c	2009-07-03 22:32:55.000000000 +0200
@@ -210,7 +210,15 @@
     }
   }
   computeDimensions(&spec->dim);
-  
+
+  /* We can't handle negative coordinates properly, so abort rather than
+   * crash chaotically. See CVE-2009-217; Debian bug #533361.
+   */
+  if( spec->dim.c.t < 0 || spec->dim.c.l < 0 ) {
+    FatalUnsupportedXCF("This version cannot extract pixels above or to the "
+                        "left of the canvas");
+  }
+
   /* Turn off layers that we don't hit at all */
   for( i=0; i<spec->numLayers; i++ )
     if( spec->layers[i].isVisible &&
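
Review bot: The CVE reference in the added comment ("See CVE-2009-217") looks truncated, since CVE identifiers carry at least four digits after the year; please check it and write it out in full so the fix stays traceable from the source. Also, the new guard tests only spec->dim.c.t and spec->dim.c.l, and only after computeDimensions(&spec->dim) has already run on the unchecked values. It is worth confirming that nothing in that call, or in the other fields of spec->dim, can still go out of range for the code that follows, or saying in the comment that negative top/left offsets are the only unsupported case.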
