Bug 278186 (CVE-2009-3050) - <app-text/htmldoc-1.8.27-r1 Multiple insecure calls to sscanf() (CVE-2009-3050)
Summary: <app-text/htmldoc-1.8.27-r1 Multiple insecure calls to sscanf() (CVE-2009-3050)
Status: RESOLVED FIXED
Alias: CVE-2009-3050
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://www.htmldoc.org/str.php?L214
Whiteboard: B2 [glsa]
Reported: 2009-07-17 17:50 UTC by Alex Legler (RETIRED)
Modified: 2009-09-12 16:31 UTC (History)
CC List: 2 users
Runtime testing required: ---


Attachments
htmldoc-set_page_size.patch (425 bytes, patch) - 2009-07-17 18:19 UTC, Alex Legler (RETIRED)
Updated patch (htmldoc-sscanf-overflows.patch, 1.29 KB, patch) - 2009-08-01 20:38 UTC, Alex Legler (RETIRED)

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-17 17:50:43 UTC
Original PoC (http://en.securitylab.ru/poc/extra/382563.php)
# [*] Autore: ANTHRAX666 <anthrax.the.666@gmail.com>
# [+] StackBased OverFlow In set_page_size()
# [/] EIPregister Is Raped By Us So Not Just Krash

On milw0rm ($URL)
# htmldoc 1.8.27.1 (.html) Universal Stack Overflow Exploit
# By ksa04
# j-7[at]hotmail[dot]com
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-17 17:54:35 UTC
In util.cxx:

420 set_page_size(const char *size) /* I - Page size string */
..
424   char  units[255];             /* Units string */
..
487   else if (sscanf(size, "%fx%f%s", &width, &length, units) >= 2)
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-17 18:19:54 UTC
Created attachment 198347: htmldoc-set_page_size.patch

Quick patch that should fix this issue. Comments?
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-17 19:09:06 UTC
From Secunia (http://secunia.com/advisories/35780/):

Description:
ANTHRAX666 has discovered a vulnerability in HTMLDOC, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an unsafe call to "sscanf()" in the "set_page_size()" function in htmldoc/util.cxx. This can be exploited to cause a stack-based buffer overflow when an HTML document containing e.g. a specially crafted "MEDIA SIZE" comment is being processed.

The vulnerability is confirmed in version 1.8.27. Other versions may also be affected.
Comment 4 Vladimir Lettiev 2009-07-18 13:22:43 UTC
2 symbols are enough. units may contain values: "mm", "cm", "in" (any other value == "px")

-  else if (sscanf(size, "%fx%f%s", &width, &length, units) >= 2)
+  else if (sscanf(size, "%fx%f%2s", &width, &length, units) >= 2)
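Review bot: the "%2s" width is bounded (two characters plus the NUL fit in units[255]), but it ties the limit to an assumption about the input rather than to the buffer, and any longer suffix is silently cut to its first two characters, so for example "inch" would now parse as "in" where before it fell into the "any other value == px" case. A width of 254 (one less than the declared units[255]) stops the overflow without changing what any input means; if two-character units are a real constraint, that check belongs in the code that interprets the string, not in the format width.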
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-20 20:38:14 UTC
Mh, true. I have included this question in the upstream bug report.

Filed upstream as: http://www.htmldoc.org/str.php?L214
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-26 07:26:48 UTC
nion of Debian found two more insecure calls:

htmllib.cxx:
2142   if (sscanf(line, "%*s%*s%*s%*s%f%*s%*s%s", &width, glyph) != 2)

ps-pdf.cxx:
12515  if (sscanf(line, "%*s%*s%*s%*s%d%*s%*s%s", &width, glyph) != 2)

I tried to reproduce it and was able to cause a buffer overflow by supplying a crafted AFM font file with an overly long glyph name.
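As an added illustration (not HTMLDOC's code and not the attached patch), here are the two sscanf() call sites discussed in this bug with a field width on each "%s", plus checks that an oversized token is capped at the buffer instead of overflowing it; GLYPH_LEN and the sample inputs are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Added example, not HTMLDOC's code: the two sscanf() patterns from this bug
 * with a field width on "%s". The width is one less than the buffer size, so
 * the longest token copied still leaves room for the NUL terminator.
 * GLYPH_LEN is an assumed size; HTMLDOC's glyph buffer is not shown in the bug. */
#define UNITS_LEN 255   /* util.cxx declares char units[255] */
#define GLYPH_LEN 64    /* assumption for the AFM glyph-name buffer */
/* "MEDIA SIZE"-style string <width>x<length>[units]; returns sscanf()'s count.
 * Vulnerable original: "%fx%f%s" (no bound on units). */
int parse_page_size(const char *s, float *w, float *l, char units[UNITS_LEN])
{
    units[0] = '\0';
    return sscanf(s, "%fx%f%254s", w, l, units);
}

/* AFM "C <code> ; WX <width> ; N <glyph> ;" line; returns the match count.
 * Vulnerable original: "%*s%*s%*s%*s%d%*s%*s%s" (no bound on glyph). */
int parse_afm_char(const char *line, int *w, char glyph[GLYPH_LEN])
{
    glyph[0] = '\0';
    return sscanf(line, "%*s%*s%*s%*s%d%*s%*s%63s", w, glyph);
}

/* Well-formed inputs parse exactly as before: returns 1 if both do. */
int well_formed_inputs_parse(void)
{
    char units[UNITS_LEN], glyph[GLYPH_LEN]; float w, l; int iw;
    if (parse_page_size("8.5x11cm", &w, &l, units) != 3) return 0;
    if (w != 8.5f || l != 11.0f || strcmp(units, "cm") != 0) return 0;
    if (parse_afm_char("C 32 ; WX 600 ; N space ; B 0 0 0 0 ;", &iw, glyph) != 2)
        return 0;
    return iw == 600 && strcmp(glyph, "space") == 0;
}
/* Oversized tokens (the overflow case) are capped at the buffer's capacity
 * instead of spilling past it: returns 1 if both parsers stay bounded. */
int oversized_tokens_are_bounded(void)
{
    char in[600], units[UNITS_LEN], glyph[GLYPH_LEN]; float w, l; int iw;
    /* constructed input: "8.5x11" followed by a 500-character units token */
    memcpy(in, "8.5x11", 6); memset(in + 6, 'A', 500); in[506] = '\0';
    if (parse_page_size(in, &w, &l, units) < 2) return 0;
    if (strlen(units) != UNITS_LEN - 1) return 0;
    /* constructed input: AFM line with a 500-character glyph name */
    memcpy(in, "C 32 ; WX 600 ; N ", 18); memset(in + 18, 'B', 500);
    memcpy(in + 518, " ;", 3);
    if (parse_afm_char(in, &iw, glyph) != 2) return 0;
    return iw == 600 && strlen(glyph) == GLYPH_LEN - 1;
}
```

The same bound can be applied to the upstream code by giving every unsuffixed "%s" a width of sizeof(buffer) - 1, which is what the updated patch attached to this bug does for the three call sites.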
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-01 20:38:12 UTC
Created attachment 199846: Updated patch
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-14 08:42:28 UTC
Upstream won't include the fix until 1.9 is released, so Carlo, please apply the patch.
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-16 18:22:24 UTC
Arches, please test and mark stable:
=app-text/htmldoc-1.8.27-r1
Target keywords : "alpha amd64 ia64 ppc sparc x86"
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-17 17:41:25 UTC
x86 stable
Comment 11 nixnut (RETIRED) gentoo-dev 2009-08-23 09:31:10 UTC
ppc stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2009-08-25 13:49:06 UTC
alpha/ia64/sparc stable
Comment 13 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-26 23:44:37 UTC
23 Aug 2009; Alex Legler <a3li@gentoo.org> htmldoc-1.8.27-r1.ebuild:
amd64 stable, security bug 278186.

GLSA draft filed.
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-06 09:43:54 UTC
CVE-2009-3050 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3050):
  Buffer overflow in the set_page_size function in util.cxx in HTMLDOC
  1.8.27 and earlier allows context-dependent attackers to execute
  arbitrary code via a long MEDIA SIZE comment.  NOTE: it was later
  reported that there were additional vectors in htmllib.cxx and
  ps-pdf.cxx using an AFM font file with a long glyph name, but these
  vectors do not cross privilege boundaries.

Comment 15 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-12 16:31:54 UTC
GLSA 200909-12