
camlimages: arbitrary code execution

Package(s): camlimages
CVE #(s): CVE-2009-2660
Created: August 10, 2009
Updated: June 1, 2010
Description:

From the Debian advisory:

Tielei Wang discovered that CamlImages, an open source image processing library, suffers from several integer overflows which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. This advisory addresses issues with the reading of JPEG and GIF Images, while DSA 1832-1 addressed the issue with PNG images.

Alerts:
Gentoo 201006-02 camlimages 2010-06-01
Debian DSA-1912-1 camlimages 2009-10-16
Debian DSA-1857-1 camlimages 2009-08-10
Debian DSA-1912-2 advi 2009-10-23
Mandriva MDVSA-2009:286 ocaml-camlimages 2009-10-21


camlimages: arbitrary code execution

Posted Aug 13, 2009 5:53 UTC (Thu) by thedevil (guest, #32913) [Link] (2 responses)

Wow. So here we have a documented security event (is it the first
such?) where ocaml's optimization choice to not automatically convert
overflows into exceptions, a la Standard ML, backfired. I wonder if
Xavier Leroy (whom I respect greatly) noticed.

No, it's a traditional C error.

Posted Aug 13, 2009 8:02 UTC (Thu) by xoddam (subscriber, #2322) [Link]

'camlimages' is mostly Caml, but alas the relevant bug (or at least the patch to fix it) is in C language interface code. I'm sure it's possible to write the whole thing in caml but that's not how it was done.

Here's Gentoo's version of the patch, from their bugzilla:

https://bugs.gentoo.org/attachment.cgi?id=199108

camlimages: arbitrary code execution

Posted Aug 13, 2009 19:27 UTC (Thu) by rwmj (subscriber, #5474) [Link]

Yes, the error is in C.

On the other hand, upstream for this project is dead which is making maintenance that much harder.

