208464 CVE-2008-0553 2008-02-01 17:58 0000 dev-lang/tk, dev-util/sourcenav, dev-util/insight, dev-perl/perl-tk (...): malformed GIF buffer overflow (CVE-2008-0553) 2009-09-28 19:42:50 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux ASSIGNED http://secunia.com/advisories/28784/ B2 [ebuild] P2 normal --- 210326 271789 1 falco@gentoo.org security@gentoo.org dev-tools@gentoo.org matsuu@gentoo.org mcummings@gentoo.org nerdboy@gentoo.org sci@gentoo.org tcltk@gentoo.org tester@gentoo.org toolchain@gentoo.org falco@gentoo.org 2008-02-01 17:58:47 0000 Hi, a similar problem to bug 207933 (CVE-2006-4484) has been found in Tk, but it's not public yet. (it should be public today, but i've seen no public advisory yet). Maintainers, please do not commit anything yet, but you might want to test this patch now, since it'll probably be public in a matter of hours. --- generic/tkImgGIF.c 11 Sep 2007 18:01:45 -0000 1.24.2.5 +++ generic/tkImgGIF.c 25 Jan 2008 19:23:01 -0000 @@ -826,6 +826,12 @@ Tcl_PosixError(interp), (char *) NULL); return TCL_ERROR; } + + if (initialCodeSize > MAX_LWZ_BITS) { + Tcl_SetResult(interp, "malformed image", TCL_STATIC); + return TCL_ERROR; + } + if (transparent != -1) { cmap[transparent][CM_RED] = 0; cmap[transparent][CM_GREEN] = 0; falco@gentoo.org 2008-02-01 18:00:07 0000 Created an attachment (id=142420) patch with testcase matsuu@gentoo.org 2008-02-04 16:32:10 0000 dev-lang/tk-8.4.15-r2 dev-lang/tk-8.4.17 dev-lang/tk-8.5.0-r2 in cvs. plz mark stable tk-8.4.15-r2 falco@gentoo.org 2008-02-07 17:51:15 0000 Public now, it's SA28784 and CVE-2008-0553 If you know about other packages actually using a vulnerable embedded code, please let us know. nerdboy@gentoo.org 2008-02-10 22:40:06 0000 Sourcenav patched (both versions). falco@gentoo.org 2008-02-11 20:39:35 0000 Hi, the patch is official in tk 8.5.1, you (maintainers) can include it in your ebuilds so that i can call arches one time for all these packages, and we can avoid splitting this bug into several bugs and several glsas. rbu@gentoo.org 2008-02-11 23:50:54 0000 A copy of the code is also shipped by: * sci-astronomy/ds9 * sci-visualization/paraview * games-util/umodpack * media-sound/rat * sys-devel/gcc-nios2 * sys-devel/binutils-nios2 I did not check whether the code is actually used yet, hopefully someone else can. falco@gentoo.org 2008-02-14 15:55:22 0000 Thanks rbu, i performed further checks. Since there are numerous affected ebuilds, if maintainers don't manifest in a reasonable time (1 week), i'll add the patch to the ebuilds myself. dev-lang/tk compiles the vulnerable code. dev-util/sourcenav compiles it dev-util/insight compiles it dev-perl/perl-tk compiles it * sci-astronomy/ds9 compiles it * sci-visualization/paraview only in 2.x . Not in 3.x. Latest version unaffected --> not a problem, just remove 2.x or patch 2.x * games-util/umodpack uses it as a dependency but does not ship it * media-sound/rat only in the latest version (3.x). No stable ebuild affected. Not sure it actually uses the code. We'll suppose so. 3.x has to be patched. * sys-devel/gcc-nios2 didn't try to compile, but code is here * sys-devel/binutils-nios2 didn't try to compile, but code is here falco@gentoo.org 2008-02-14 16:13:59 0000 I would also like to know whether an attacker can control the GIF images that would be opened by the Tk component of the applications. If the attacker cannot entice a user to open a specially crafted GIF image with the Tk library, there is no vulnerability in your package. I don't know the mentioned package enough to say, so i need maintainers' help. bicatali@gentoo.org 2008-02-14 23:33:59 0000 > * sci-astronomy/ds9 compiles it fixed. markusle@gentoo.org 2008-02-15 11:16:05 0000 > * sci-visualization/paraview only in 2.x Fixed in portage cvs via patch. Thanks, Markus jaervosz@gentoo.org 2008-02-26 20:46:50 0000 Any news on this one? tester@gentoo.org 2008-03-08 16:31:20 0000 very very late... dev-util/insight-6.7.1-r1 has the patch py@gentoo.org 2008-05-07 22:55:54 0000 falco, any news here? r.klonowski@10g.pl 2009-02-14 23:16:55 0000 Is it fixed yet? ssuominen@gentoo.org 2009-05-12 06:07:52 0000 + 12 May 2009; Samuli Suominen <ssuominen@gentoo.org> package.mask: + Mask media-sound/rat for removal wrt security #208464, CVE-2008-0553. a3li@gentoo.org 2009-05-29 17:10:32 0000 +*perl-tk-804.028-r2 (29 May 2009) + + 29 May 2009; Alex Legler <a3li@gentoo.org> +perl-tk-804.028-r2.ebuild, + +files/perl-tk-CVE-2008-0553.patch: + Non-maintainer commit: Revbump to fix the CVE-2008-0553 security issue, + bug 208464. Asked for stabilization in bug 271789 a3li@gentoo.org 2009-06-11 18:22:40 0000 perl-tk done, vulnerable ebuild removed. 142420 2008-02-01 18:00 0000 patch with testcase tkImgGIF.patch text/plain SW5kZXg6IGdlbmVyaWMvdGtJbWdHSUYuYwo9PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09ClJDUyBmaWxlOiAvY3Zzcm9vdC90 a3Rvb2xraXQvdGsvZ2VuZXJpYy90a0ltZ0dJRi5jLHYKcmV0cmlldmluZyByZXZpc2lvbiAxLjI0 LjIuNQpkaWZmIC11IC1yMS4yNC4yLjUgdGtJbWdHSUYuYwotLS0gZ2VuZXJpYy90a0ltZ0dJRi5j CTExIFNlcCAyMDA3IDE4OjAxOjQ1IC0wMDAwCTEuMjQuMi41CisrKyBnZW5lcmljL3RrSW1nR0lG LmMJMjUgSmFuIDIwMDggMTk6MjM6MDEgLTAwMDAKQEAgLTgyNiw2ICs4MjYsMTIgQEAKIAkJVGNs X1Bvc2l4RXJyb3IoaW50ZXJwKSwgKGNoYXIgKikgTlVMTCk7CiAJcmV0dXJuIFRDTF9FUlJPUjsK ICAgICB9CisKKyAgICBpZiAoaW5pdGlhbENvZGVTaXplID4gTUFYX0xXWl9CSVRTKSB7CisJVGNs X1NldFJlc3VsdChpbnRlcnAsICJtYWxmb3JtZWQgaW1hZ2UiLCBUQ0xfU1RBVElDKTsKKwlyZXR1 cm4gVENMX0VSUk9SOworICAgIH0KKwogICAgIGlmICh0cmFuc3BhcmVudCAhPSAtMSkgewogCWNt YXBbdHJhbnNwYXJlbnRdW0NNX1JFRF0gPSAwOwogCWNtYXBbdHJhbnNwYXJlbnRdW0NNX0dSRUVO XSA9IDA7CkluZGV4OiB0ZXN0cy9pbWdQaG90by50ZXN0Cj09PT09PT09PT09PT09PT09PT09PT09 PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT09PT0KUkNTIGZpbGU6IC9j dnNyb290L3RrdG9vbGtpdC90ay90ZXN0cy9pbWdQaG90by50ZXN0LHYKcmV0cmlldmluZyByZXZp c2lvbiAxLjE1LjIuNQpkaWZmIC11IC1yMS4xNS4yLjUgaW1nUGhvdG8udGVzdAotLS0gdGVzdHMv aW1nUGhvdG8udGVzdAkxMSBTZXAgMjAwNyAxODowMTo0NiAtMDAwMAkxLjE1LjIuNQorKysgdGVz dHMvaW1nUGhvdG8udGVzdAkyNSBKYW4gMjAwOCAxOToyMzowMSAtMDAwMApAQCAtNjgxLDYgKzY4 MSwzNSBAQAogICAgIGltYWdlIGRlbGV0ZSAkaQogfQogCit0ZXN0IGltZ1Bob3RvLTE0LjQge0dJ RiBidWZmZXIgb3ZlcmZsb3d9IC1zZXR1cCB7CisgICAgc2V0IGkgW2ltYWdlIGNyZWF0ZSBwaG90 b10KK30gLWJvZHkgeworICAgICMgVGhpcyBjcmFzaGVzIFRrIHVwIHRvIDguNC4xNyBhbmQgOC41 LjAKKyAgICAkaSBjb25maWd1cmUgLWRhdGEgeworCVIwbEdPRGxoQ2dBS0FQY0FBQUFBQUlBQUFB Q0FBSUNBQUFBQWdJQUFnQUNBZ0lDQWdNREF3UDhBQUFELworCUFQLy9BQUFBLy84QS93RC8vLy8v L3dBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQorCUFBQUFBQUFBQUFBQUFB QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQQorCUFBQUFNd0FB WmdBQW1RQUF6QUFBL3dBekFBQXpNd0F6WmdBem1RQXp6QUF6L3dCbUFBQm1Nd0JtWmdCbQorCW1R Qm16QUJtL3dDWkFBQ1pNd0NaWmdDWm1RQ1p6QUNaL3dETUFBRE1Nd0RNWmdETW1RRE16QURNL3dE LworCUFBRC9Nd0QvWmdEL21RRC96QUQvL3pNQUFETUFNek1BWmpNQW1UTUF6RE1BL3pNekFETXpN ek16WmpNegorCW1UTXp6RE16L3pObUFETm1Nek5tWmpObW1UTm16RE5tL3pPWkFET1pNek9aWmpP Wm1UT1p6RE9aL3pQTQorCUFEUE1NelBNWmpQTW1UUE16RFBNL3pQL0FEUC9NelAvWmpQL21UUC96 RFAvLzJZQUFHWUFNMllBWm1ZQQorCW1XWUF6R1lBLzJZekFHWXpNMll6Wm1Zem1XWXp6R1l6LzJa bUFHWm1NMlptWm1abW1XWm16R1ptLzJhWgorCUFHYVpNMmFaWm1hWm1XYVp6R2FaLzJiTUFHYk1N MmJNWm1iTW1XYk16R2JNLzJiL0FHYi9NMmIvWm1iLworCW1XYi96R2IvLzVrQUFKa0FNNWtBWnBr QW1aa0F6SmtBLzVrekFKa3pNNWt6WnBrem1aa3p6Smt6LzVsbQorCUFKbG1NNWxtWnBsbW1abG16 SmxtLzVtWkFKbVpNNW1aWnBtWm1abVp6Sm1aLzVuTUFKbk1NNW5NWnBuTQorCW1abk16Sm5NLzVu L0FKbi9NNW4vWnBuL21abi96Sm4vLzh3QUFNd0FNOHdBWnN3QW1jd0F6TXdBLzh3egorCUFNd3pN OHd6WnN3em1jd3p6TXd6Lzh4bUFNeG1NOHhtWnN4bW1jeG16TXhtLzh5WkFNeVpNOHlaWnN5Wgor CW1jeVp6TXlaLzh6TUFNek1NOHpNWnN6TW1jek16TXpNLzh6L0FNei9NOHovWnN6L21jei96TXov Ly84QQorCUFQOEFNLzhBWnY4QW1mOEF6UDhBLy84ekFQOHpNLzh6WnY4em1mOHp6UDh6Ly85bUFQ OW1NLzltWnY5bQorCW1mOW16UDltLy8rWkFQK1pNLytaWnYrWm1mK1p6UCtaLy8vTUFQL01NLy9N WnYvTW1mL016UC9NLy8vLworCUFQLy9NLy8vWnYvL21mLy96UC8vL3lINUJBRUFBQkFBTEFBQUFB QUtBQW9BQUJVU0FBRC9IRWl3b01HRAorCUNCTXFYTWl3WWNLQUFEcz0KKyAgICB9IAorfSAtY2xl YW51cCB7CisgICAgaW1hZ2UgZGVsZXRlICRpCit9IC1yZXR1cm5Db2RlcyBlcnJvciAtcmVzdWx0 IHttYWxmb3JtZWQgaW1hZ2V9CisKIHRlc3QgaW1nUGhvdG8tMTUuMSB7cGhvdG8gaW1hZ2VzIGNh biBmYWlsIHRvIGFsbG9jYXRlIG1lbW9yeSBncmFjZWZ1bGx5fSBcCiAJe25vblBvcnRhYmxlfSB7 CiAgICAgIyBUaGlzIGlzIG5vdCBwb3J0YWJsZSB0byB2ZXJ5IGxhcmdlIG1hY2hpbmVzIHdpdGgg bW9yZSBhcm91bmQK