Bug#: 208464
Status: ASSIGNED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Raphael Marichez <falco@gentoo.org>

Attachment: tkImgGIF.patch (patch with testcase), type: patch, creator: Raphael Marichez, created: 2008-02-01 18:00 0000, size: 2.52 KB

Bug 208464 depends on: 210326



Description:   Opened: 2008-02-01 17:58 0000
Hi,

A similar problem to bug 207933 (CVE-2006-4484) has been found in Tk, but it's
not public yet. (It should be public today, but I've seen no public advisory
yet.)

Maintainers, please do not commit anything yet, but you might want to test this
patch now, since it'll probably be public in a matter of hours.

--- generic/tkImgGIF.c  11 Sep 2007 18:01:45 -0000      1.24.2.5
+++ generic/tkImgGIF.c  25 Jan 2008 19:23:01 -0000
@@ -826,6 +826,12 @@
                Tcl_PosixError(interp), (char *) NULL);
        return TCL_ERROR;                              
     }
+
+    if (initialCodeSize > MAX_LWZ_BITS) {
+       Tcl_SetResult(interp, "malformed image", TCL_STATIC);
+       return TCL_ERROR;
+    }
+
     if (transparent != -1) {
        cmap[transparent][CM_RED] = 0;
        cmap[transparent][CM_GREEN] = 0;
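
Review bot: The added check `if (initialCodeSize > MAX_LWZ_BITS)` bounds the value only from above, and the declaration of `initialCodeSize` is not part of this hunk: if it is a signed type, a negative value passes the test, so either confirm it is unsigned or add a lower bound. It is also worth confirming that a value equal to `MAX_LWZ_BITS` is acceptable to the code that consumes it (`>` versus `>=`), and adding a one-line comment above the check that says what it protects. The new branch returns `TCL_ERROR` directly, like the error branch in the context lines above it; confirm that nothing acquired earlier in the function needs releasing on this path.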

------- Comment #1 From Raphael Marichez 2008-02-01 18:00:07 0000 -------
Created an attachment (id=142420)
patch with testcase

------- Comment #2 From MATSUU Takuto 2008-02-04 16:32:10 0000 -------
dev-lang/tk-8.4.15-r2
dev-lang/tk-8.4.17
dev-lang/tk-8.5.0-r2
in cvs.
plz mark stable tk-8.4.15-r2

------- Comment #3 From Raphael Marichez 2008-02-07 17:51:15 0000 -------
Public now, it's SA28784 and CVE-2008-0553

If you know about other packages actually using a vulnerable embedded code,
please let us know.

------- Comment #4 From Steve Arnold 2008-02-10 22:40:06 0000 -------
Sourcenav patched (both versions).

------- Comment #5 From Raphael Marichez 2008-02-11 20:39:35 0000 -------
Hi,

The patch is official in tk 8.5.1, you (maintainers) can include it in your
ebuilds so that I can call arches one time for all these packages, and we can
avoid splitting this bug into several bugs and several glsas.

------- Comment #6 From Robert Buchholz 2008-02-11 23:50:54 0000 -------
A copy of the code is also shipped by:
* sci-astronomy/ds9
* sci-visualization/paraview
* games-util/umodpack
* media-sound/rat
* sys-devel/gcc-nios2
* sys-devel/binutils-nios2

I did not check whether the code is actually used yet, hopefully someone else
can.

------- Comment #7 From Raphael Marichez 2008-02-14 15:55:22 0000 -------
Thanks rbu, I performed further checks. Since there are numerous affected
ebuilds, if maintainers don't manifest in a reasonable time (1 week), I'll add
the patch to the ebuilds myself.

dev-lang/tk compiles the vulnerable code.

dev-util/sourcenav compiles it

dev-util/insight compiles it

dev-perl/perl-tk compiles it


* sci-astronomy/ds9 compiles it

* sci-visualization/paraview only in 2.x. Not in 3.x. Latest version
unaffected --> not a problem, just remove 2.x or patch 2.x

* games-util/umodpack uses it as a dependency but does not ship it

* media-sound/rat only in the latest version (3.x). No stable ebuild affected.
Not sure it actually uses the code. We'll suppose so. 3.x has to be patched.

* sys-devel/gcc-nios2 didn't try to compile, but code is here

* sys-devel/binutils-nios2 didn't try to compile, but code is here
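
The check for embedded copies described in comments #6 and #7 can be automated. The following is an added example, not part of the original thread or of any Gentoo tooling: it walks an unpacked source tree, finds files that contain the GIF decoder by content (the identifiers `MAX_LWZ_BITS` and `initialCodeSize` from the patch above, so renamed copies are also found) and reports whether the patch's guard is present. The sample tree and its file names are constructed, and a "patched" result only means the guard text is present, not that the file is compiled or reachable.

```python
import re
import tempfile
from pathlib import Path

# Identifiers taken from the patch in this bug report.
DECODER_MARKERS = ("MAX_LWZ_BITS", "initialCodeSize")
GUARD_RE = re.compile(r"if\s*\(\s*initialCodeSize\s*>\s*MAX_LWZ_BITS\s*\)")
SOURCE_SUFFIXES = {".c", ".h"}


def classify(text):
    """Return 'patched', 'unpatched', or None if the decoder is absent."""
    if not all(marker in text for marker in DECODER_MARKERS):
        return None
    return "patched" if GUARD_RE.search(text) else "unpatched"


def scan_tree(root):
    """Map relative path -> status for each source file with the decoder."""
    results = {}
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        status = classify(path.read_text(errors="replace"))
        if status:
            results[path.relative_to(root).as_posix()] = status
    return results


def build_sample_tree(root):
    """Constructed sample: tiny stand-in files, not real package sources."""
    decoder = "#define MAX_LWZ_BITS 12\nunsigned char initialCodeSize;\n"
    guard = "if (initialCodeSize > MAX_LWZ_BITS) {\n    return TCL_ERROR;\n}\n"
    files = {
        "tk/generic/tkImgGIF.c": decoder + guard,
        "bundled/tk/imgGIF_copy.c": decoder,  # renamed copy without the guard
        "src/main.c": "int main(void) { return 0; }\n",
    }
    for rel, body in files.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(body)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for rel, status in scan_tree(tmp).items():
            print(f"{status:10} {rel}")
```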

------- Comment #8 From Raphael Marichez 2008-02-14 16:13:59 0000 -------
I would also like to know whether an attacker can control the GIF images that
would be opened by the Tk component of the applications. If the attacker cannot
entice a user to open a specially crafted GIF image with the Tk library, there
is no vulnerability in your package. I don't know the mentioned package enough
to say, so I need maintainers' help.

------- Comment #9 From Sébastien Fabbro 2008-02-14 23:33:59 0000 -------
> * sci-astronomy/ds9 compiles it

fixed.

------- Comment #10 From Markus Dittrich 2008-02-15 11:16:05 0000 -------
> * sci-visualization/paraview only in 2.x

Fixed in portage cvs via patch.

Thanks,
Markus

------- Comment #11 From Sune Kloppenborg Jeppesen 2008-02-26 20:46:50 0000 -------
Any news on this one?

------- Comment #12 From Olivier Crete 2008-03-08 16:31:20 0000 -------
very very late...
dev-util/insight-6.7.1-r1 has the patch

------- Comment #13 From Pierre-Yves Rofes 2008-05-07 22:55:54 0000 -------
falco, any news here?
