top | item 35208162


hewtronic | 3 years ago

For a hint at how the bug works, see this https://issuetracker.google.com/issues/180526528 (more details coming soon™)

From https://twitter.com/David3141593/status/1636979466860744704

Also: you [can] do a basic check with tools like exiftool - it will report "Warning: [minor] Trailer data after PNG IEND chunk" on vulnerable images.

From: https://twitter.com/David3141593/status/1636981307891671041
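The exiftool warning quoted above is simply a report that bytes exist past the PNG `IEND` chunk, which a well-formed PNG never has. The following Python is an added example, not code from the comment, the linked tracker or any project: it walks the chunk stream of a PNG, verifies each chunk's CRC, and returns how many bytes trail `IEND`, so a defender can scan images for the same symptom. The tiny 1x1 PNG it builds is constructed in the block for a self-contained demonstration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Encode one PNG chunk: 4-byte length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_minimal_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed minimal 8-bit RGBA PNG (sample input, not a real screenshot)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)
    raw = b""
    for _ in range(height):
        # Each scanline: filter byte 0 followed by opaque black pixels.
        raw += b"\x00" + b"\x00\x00\x00\xff" * width
    return (PNG_SIGNATURE
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw))
            + _chunk(b"IEND", b""))


def trailing_bytes_after_iend(data: bytes) -> int:
    """Return the number of bytes found after the IEND chunk (0 for a clean file).

    Raises ValueError on a non-PNG, a truncated chunk, a CRC mismatch, or a
    stream with no IEND at all. A positive result is the condition exiftool
    reports as "Trailer data after PNG IEND chunk".
    """
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG file")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body_start = pos + 8
        body_end = body_start + length
        chunk_end = body_end + 4  # 4-byte CRC follows the data
        if chunk_end > len(data):
            raise ValueError("truncated %r chunk" % ctype)
        expected_crc = zlib.crc32(data[pos + 4:body_end]) & 0xFFFFFFFF
        (stored_crc,) = struct.unpack(">I", data[body_end:chunk_end])
        if stored_crc != expected_crc:
            raise ValueError("CRC mismatch in %r chunk" % ctype)
        if ctype == b"IEND":
            return len(data) - chunk_end
        pos = chunk_end
    raise ValueError("no IEND chunk found")


def is_suspicious(data: bytes) -> bool:
    """Convenience wrapper: True when any data trails IEND."""
    return trailing_bytes_after_iend(data) > 0


if __name__ == "__main__":
    clean = build_minimal_png()
    padded = clean + b"\x00" * 100  # constructed: 100 junk bytes after IEND
    print("clean:", trailing_bytes_after_iend(clean))   # 0
    print("padded:", trailing_bytes_after_iend(padded)) # 100
```

Run it over a directory of exported screenshots and flag any file where the result is non-zero; the count itself tells you how much of the pre-crop file is still on disk.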

wffurr | 3 years ago

I still can’t believe they changed the meaning of the “w” flag. I had never heard of the “wt” file mode. Does that exist on other POSIX systems?

acdha | 3 years ago

That part is amazing: it calls into question the entire Android code review process that nobody thought breaking compatibility wasn’t a problem, much less doing so in a way which looks like one of the most familiar interfaces in the world. It seems unlikely that this isn’t just the first, most visible bug.

hedora | 3 years ago

As bad (but on the PNG side, not the fs library side), if the app crashes mid-crop, then this misuse of the POSIX API means the original image will be corrupted.

They should be doing a “mktemp; write; sync; rename”, which atomically and durably replaces the file in most Linux file systems.

There might also be an exploitable race where you overwrite the file in place while it is being parsed, leading to undefined behavior in applications attempting to read the file.
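The two patterns contrasted in this comment, as an added Python example (not code from the comment or from Android): `overwrite_in_place` reproduces the defect the thread describes, opening the existing file without truncation and writing from offset 0, so a shorter output leaves the old tail on disk; `atomic_replace` does the “mktemp; write; sync; rename” sequence with `os.replace`, so readers only ever see the complete old file or the complete new one. File names and sizes in `demo` are constructed for the demonstration and assume a POSIX filesystem.

```python
import os
import tempfile


def overwrite_in_place(path: str, data: bytes) -> None:
    """Defective pattern: open without truncation, write at offset 0.

    If `data` is shorter than the existing file, the bytes beyond
    len(data) survive untouched, which is exactly the trailer-after-IEND
    symptom discussed in the thread.
    """
    with open(path, "r+b") as f:
        f.write(data)


def atomic_replace(path: str, data: bytes) -> None:
    """mktemp; write; fsync; rename.

    The temp file lives in the target's directory so the rename stays on
    one filesystem and is therefore atomic. A crash before os.replace
    leaves the original intact; a crash after it leaves the new file.
    """
    directory = os.path.dirname(os.path.abspath(path)) or "."
    fd, tmp_path = tempfile.mkstemp(prefix=".tmp-", dir=directory)
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())  # data durable before the rename is visible
        os.replace(tmp_path, path)  # atomic on POSIX, replaces the directory entry
    except BaseException:
        try:
            os.unlink(tmp_path)
        except FileNotFoundError:
            pass
        raise
    # Make the rename itself durable by syncing the directory entry.
    dir_fd = os.open(directory, os.O_RDONLY)
    try:
        os.fsync(dir_fd)
    finally:
        os.close(dir_fd)


def demo(directory: str = None) -> tuple:
    """Write a 100-byte 'original', shrink it to 40 bytes both ways,
    and return (size after in-place overwrite, size after atomic replace)."""
    if directory is None:
        directory = tempfile.mkdtemp(prefix="atomic-demo-")  # constructed scratch dir
    path = os.path.join(directory, "screenshot.png")  # constructed file name
    with open(path, "wb") as f:
        f.write(b"A" * 100)  # stands in for the uncropped image

    overwrite_in_place(path, b"B" * 40)
    size_in_place = os.path.getsize(path)  # 100: 60 old bytes remain

    atomic_replace(path, b"C" * 40)
    size_atomic = os.path.getsize(path)  # 40: old content fully gone
    with open(path, "rb") as f:
        assert f.read() == b"C" * 40
    return size_in_place, size_atomic


if __name__ == "__main__":
    print(demo())  # (100, 40)
```

Because the rename swaps the directory entry rather than rewriting bytes under an open descriptor, a concurrent parser that already opened the old file keeps reading the old inode to its end, which also removes the partial-read race the comment raises.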

progval | 3 years ago

Python already uses the "t" character with a very different meaning: opening in text mode.