Image latest fixes a buffer overflow

[robrwo]

See https://metacpan.org/release/TONYC/Imager-1.025/source/Changes

[stigtsp]

Can we verify if this has a security impact somehow? If so, it should have a CVE

[n1vux]

The delightfully complete bug-report indicates that this was over-running a buffer in Malloc heap, not a C buffer on the main stackframes, so any RCE exploitation will be harder than a classic C buffer overrun. (And stomping the malloc block headers gets detected because in the versions repored it wasn't totally optimistically optimi[zs]ed. Mac perl even had a checksum, nice!)

I suppose there might be a FastCGI or similar web-server process somewhere using this module that could be DDOS'd by uploading this image repeatedly, crashing each worker. But that hypothetical DDOS isn't a great basis for a CVE without a demonstration or actual impact?

On Sun, Nov 17, 2024, 12:23 Stig @.***> wrote:

Can we verify if this has a security impact somehow? If so, it should have a CVE

— Reply to this email directly, view it on GitHub https://github.com/briandfoy/cpan-security-advisory/issues/167#issuecomment-2481391730, or unsubscribe https://github.com/notifications/unsubscribe-auth/AABVF6CVV6KASCFRICYNYFT2BDGKFAVCNFSM6AAAAABR6BKDR6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDIOBRGM4TCNZTGA . You are receiving this because you are subscribed to this thread.Message ID: @.***>

[robrwo]

I don't think it's a hypothetical security impact. An image file causes it to crash, hence the bug report. Potential for Denial of Service, even if RCEs are difficult. So I think it's better to issue an advisory. I would rather err on the safe side.

[briandfoy]

Added report in fa9491e88cd704179e93aa1adc14efd3e569f3b5 . For the CVE, you'll have to talk to the CPAN Security Group.