[Pkg-phototools-devel] Bug#985249: libpano13-bin: format string bug in panoFileOutputNamesCreate()

Wooseok Kang kangwoosuk1 at gmail.com
Mon Mar 15 03:08:01 GMT 2021


Package: libpano13-bin
Version: 2.9.20~rc2+dfsg-3
Severity: normal
X-Debbugs-Cc: kangwoosuk1 at gmail.com

Dear Maintainer,

In libpano13, there is a format string vulnerability
that can lead to reading and writing arbitrary memory values.

The vulnerability starts in panoCroppingMain() in PTcommon.c.
The program gets 'outputPrefix' using getopt() at line 1829.

1829 case 'p':
1830     if (strlen(optarg) < MAX_PATH_LENGTH) {
1831         strcpy(outputPrefix, optarg);
1832     } else {
1833         PrintError("Illegal length for output prefix");
1834         return -1;
1835     }
1836     break;

Then 'outputPrefix' is passed to sprintf() in panoFileOutputNamesCreate() without sanitizing.
This causes the format string bug which can crash the program.

1882 if (panoFileOutputNamesCreate(ptrOutputFiles, filesCount, outputPrefix) == 0) {
1883     return -1;
1884 }

2915 sprintf( outputFilename, outputPrefix, i );
(in file.c)

There is a simple example of this vulnerability using tests/simpleTiff16/060520_3398.TIF.

> PTcrop -p "%p.%p.%p.%p" -f ./060520_3398.TIF
PTcrop Version 2.9.20 , by Daniel M German
Output prefix 1 %p.%p.%p.%p
Cropping 1 files
Processing 0 reading ./060520_3398.TIF creating (nil).0x1c.0x78302e296c696e28.tif
TIFFFetchNormalTag: Warning, Incorrect value for "RichTIFFIPTC"; tag ignored.

Thank you.

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 5.4.72-microsoft-standard-WSL2 (SMP w/16 CPU threads)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: unable to detect

Versions of packages libpano13-bin depends on:
ii  libc6        2.31-9
ii  libpano13-3  2.9.20~rc2+dfsg-3

libpano13-bin recommends no packages.

libpano13-bin suggests no packages.

-- no debconf information
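
One way to close the hole at the sprintf() call quoted in the report, added here as an example and not taken from libpano13 or from any patch for it: accept the prefix as a format only if it contains exactly one integer conversion, and otherwise pass it as data. The names prefix_format_is_safe, make_output_name and NAME_LEN, the "%04d" default numbering and the ".tif" suffix handling are assumptions made for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#define NAME_LEN 512 /* assumed size; stands in for MAX_PATH_LENGTH */
/* Allow-list check: 1 only if fmt holds exactly one conversion of the form
 * %[digits]d, plus any number of literal "%%". All else is rejected. */
static int prefix_format_is_safe(const char *fmt)
{
    int conversions = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')
            continue;                 /* literal percent sign */
        while (isdigit((unsigned char)*p))
            p++;                      /* optional zero flag and width */
        if (*p != 'd')
            return 0;                 /* other conversion, or dangling '%' */
        conversions++;
    }
    return conversions == 1;
}

/* Writes the output name for file `index`; 0 on success, -1 if the prefix
 * is rejected or the result does not fit. */
static int make_output_name(char *out, size_t outlen, const char *prefix, int index)
{
    char fmt[NAME_LEN];
    int n;
    if (strchr(prefix, '%') == NULL)  /* plain text: passed as data only */
        n = snprintf(out, outlen, "%s%04d.tif", prefix, index);
    else if (prefix_format_is_safe(prefix) &&
             (size_t)snprintf(fmt, sizeof fmt, "%s.tif", prefix) < sizeof fmt)
        n = snprintf(out, outlen, fmt, index); /* vetted: one int conversion */
    else
        return -1;
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char name[NAME_LEN];
    /* Constructed sample prefixes; the third is the one from the report. */
    const char *constructed[] = { "crop", "crop_%03d", "%p.%p.%p.%p", "%s%d" };
    for (size_t i = 0; i < 4; i++)
        printf("%s -> %s\n", constructed[i],
               make_output_name(name, sizeof name, constructed[i], 7) ? "rejected" : name);
    return 0;
}
```

Building with -Wformat=2 (which enables -Wformat-nonliteral) flags calls like the original sprintf() at compile time.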


