62487 2004-09-01 03:01 0000 media-libs/imlib-1.9.14: BMP Decoding Buffer Overflow May Let Remote Users Execute Arbitrary Code 2004-10-16 23:08:16 0000 1 1 1 Unclassified Gentoo Linux Security unspecified All All RESOLVED FIXED http://securitytracker.com/id?1011104 A2 [glsa] P2 major --- 1 vorlon@gentoo.org security@gentoo.org gnome@gentoo.org vorlon@gentoo.org 2004-09-01 03:01:38 0000 Bug at http://bugzilla.gnome.org/show_bug.cgi?id=151034 From http://securitytracker.com/id?1011104 imlib BMP Decoding Buffer Overflow May Let Remote Users Execute Arbitrary Code SecurityTracker Alert ID: 1011104 SecurityTracker URL: http://securitytracker.com/id?1011104 CVE Reference: CAN-2004-0817 (Links to External Site) Date: Aug 31 2004 Impact: Denial of service via network, Execution of arbitrary code via network, User access via network Fix Available: Yes Exploit Included: Yes Vendor Confirmed: Yes Version(s): 1.9.14 Description: A vulnerability was reported in imlib in the processing of BMP images. A remote user can cause imlib to crash or potentially execute arbitrary code. The vendor reported that a remote user can create a specially crafted BMP image file containing runlength-encoded images that, when decoded by the target user, will cause imblib to crash. Marcus Meissner discovered this vulnerability. A demonstration exploit image from Chris Evans is available at: http://bugzilla.gnome.org/attachment.cgi?id=30933&action=view Impact: A remote user can create a BMP file that, when decoded by the target user, will cause imlib to crash. It may also be possible to cause arbitrary code to be executed. The specific impact depends on the application using imlib. Solution: A patch is available at: http://bugzilla.gnome.org/attachment.cgi?id=30934&action=view __________________ Note: There was also a vulnerability in imlib2 http://securitytracker.com/id?1011105 This has been fixed by bumping the ebuild today: *imlib2-1.1.2 (31 Aug 2004) 31 Aug 2004; Mike Frysinger <vapier@gentoo.org> -files/1.1.0-gcc-3.4.patch, -imlib2-1.1.0.ebuild, -imlib2-1.1.1.ebuild, +imlib2-1.1.2.ebuild: Version bump + stable for security. koon@gentoo.org 2004-09-01 08:55:32 0000 We've two affected packages : media-libs/imlib and media-libs/imlib2. media-libs/imlib is still at unpatched 1.9.14 level, we need an ebuild bump. media-libs/imlib2 is ready for GLSA with version 1.1.2. No maintainer. vapier, you bumped imlib2, could you do the same for imlib ? vapier@gentoo.org 2004-09-01 10:15:14 0000 gnome maintains imlib-1.x koon@gentoo.org 2004-09-06 06:44:56 0000 *bump* Gnome team, please apply fix to imlib... foser@gentoo.org 2004-09-06 06:52:48 0000 there's no metadata, gnome does not maintain this, it just happens to be somewhere in our chain of (gnome1) deps & we're very short on time. The patch looks fine to me, apply & test & go ahead afa the gnome team ic. vorlon@gentoo.org 2004-09-06 07:26:54 0000 Created an attachment (id=39049) Patch from meissner@suse.de Patch taken from http://bugzilla.gnome.org/attachment.cgi?id=30934&action=view (Bug: http://bugzilla.gnome.org/show_bug.cgi?id=151034) There is also a second patch available there by Dimitry V. Levin, but he states: "Here is a patch I'm going to use for updates. While I'm not sure that result image will be correct, this patch addresses all potential heap corruption problems found in loader_bmp() so far, and allows to load as much bmp data as possible." vorlon@gentoo.org 2004-09-06 07:30:13 0000 Created an attachment (id=39050) simple patch to the ebuild to include the bmp patch seems to apply and compile cleanly chriswhite@gentoo.org 2004-09-06 09:47:25 0000 Something seems wrong here. I tried with xzgv ( which depends on imlib ) and tried the exploit, which gave the correct effect ( xzgv took the big one ). However, after applying the patch, re-emerging imlib, and even re-emerging xzgv, it still bites the big one while loading the exploit file. I did an strace to make sure, and sure enough it bites the big one shortly after accessing imlib. I think we should probably upstream this, and I'll attach the relevant strace output for upstream to look at. chriswhite@gentoo.org 2004-09-06 09:48:50 0000 Created an attachment (id=39067) imlib strace output jaervosz@gentoo.org 2004-09-06 10:21:20 0000 Reported upstream, resetting status whiteboard. chriswhite@gentoo.org 2004-09-06 11:26:29 0000 Version to use is imlib-1.9.14-r2 ppc sparc amd64: Mark stable alpha hppa ia64 mips ppc64: Mark stable for benifit of the GLSA x86 was marked by me. Test Case: The problem was with imlib based programs crashing when opening an exploitable BMP file. This was the steps taken to test for this exploit: 1) A program that utilized imlib was established (xzgv) 2) I opened this bmp: http://dev.gentoo.org/~chriswhite/example.bmp which crashed the program as expected. 3) Re-emerged imlib-1.9.14-r2, compiled fine 4) opened the example.bmp file again with xzgv and no crash occured. 5) Opened this bmp: http://dev.gentoo.org/~chriswhite/Dexter3.bmp and the image loaded fine. 6) Also tested on some .jpg's and .png's as well. The only problem being that xzgv is only x86 marked. The 2 options would be: a) march xzgv on your arch and use that b) use any other imlib based program you feel comfortable with (not imlib2 though). Good luck and let us know of any conflicts that may occur. gustavoz@gentoo.org 2004-09-06 12:01:33 0000 sparc stable. vapier@gentoo.org 2004-09-07 17:18:05 0000 marked stable for ppc/hppa/amd64/ia64 kloeri@gentoo.org 2004-09-07 18:41:44 0000 Stable on alpha. koon@gentoo.org 2004-09-08 02:11:30 0000 GLSA 200409-12 mips, ppc64 : mark stable to benefit from GLSA tgall@gentoo.org 2004-10-09 12:33:07 0000 Thanks, stable on ppc64 hardave@gentoo.org 2004-10-16 23:08:16 0000 Stable on mips. 39049 2004-09-06 07:26 0000 Patch from meissner@suse.de imlib-CAN-2004-0817.patch text/plain LS0tIGltbGliLTEuOS4xNC9nZGtfaW1saWIvaW8tYm1wLmMuZml4CTIwMDQtMDgtMjUgMTU6MzM6 MDguMDAwMDAwMDAwICswMjAwCisrKyBpbWxpYi0xLjkuMTQvZ2RrX2ltbGliL2lvLWJtcC5jCTIw MDQtMDgtMjUgMTU6MzQ6MjAuMDE5MzMzOTI3ICswMjAwCkBAIC00MiwxMiArNDIsMTIgQEAKICAg ZnJlYWQoZGJ1ZiwgNCwgMiwgZmlsZSk7CiAgICp3ID0gKGludClkYnVmWzBdOwogICAqaCA9IChp bnQpZGJ1ZlsxXTsKLSAgaWYgKCp3ID4gMzI3NjcpCisgIGlmICgoKncgPCAwKSB8fCAoKncgPiAz Mjc2NykpCiAgICAgewogICAgICAgZnByaW50ZihzdGRlcnIsICJJTUxJQiBFUlJPUjogSW1hZ2Ug d2lkdGggPiAzMjc2NyBwaXhlbHMgZm9yIGZpbGVcbiIpOwogICAgICAgcmV0dXJuIE5VTEw7CiAg ICAgfQotICBpZiAoKmggPiAzMjc2NykKKyAgaWYgKCgqaCA+IDMyNzY3KSB8fCAoKmggPCAwKSkK ICAgICB7CiAgICAgICBmcHJpbnRmKHN0ZGVyciwgIklNTElCIEVSUk9SOiBJbWFnZSBoZWlnaHQg PiAzMjc2NyBwaXhlbHMgZm9yIGZpbGVcbiIpOwogICAgICAgcmV0dXJuIE5VTEw7CkBAIC03Miw2 ICs3MiwxMCBAQAogICBuY29sb3JzID0gKGludClkYnVmWzBdOwogICBpZiAobmNvbG9ycyA9PSAw KQogICAgIG5jb2xvcnMgPSAxIDw8IGJwcDsKKworICBpZiAoKG5jb2xvcnMgPiAoMSA8PCBicHAp KSB8fCAobmNvbG9ycyA8IDApKQorICAgIG5jb2xvcnMgPSAxIDw8IGJwcDsKKwogICAvKiBzb21l IG1vcmUgc2FuaXR5IGNoZWNrcyAqLwogICBpZiAoKChjb21wID09IEJJX1JMRTQpICYmIChicHAg IT0gNCkpIHx8ICgoY29tcCA9PSBCSV9STEU4KSAmJiAoYnBwICE9IDgpKSB8fCAoKGNvbXAgPT0g QklfQklURklFTERTKSAmJiAoYnBwICE9IDE2ICYmIGJwcCAhPSAzMikpKQogICAgIHsK 39050 2004-09-06 07:30 0000 simple patch to the ebuild to include the bmp patch imlib.diff text/plain LS0tIC91c3IvcG9ydGFnZS9tZWRpYS1saWJzL2ltbGliL2ltbGliLTEuOS4xNC1yMS5lYnVpbGQJ MjAwNC0wOC0yNiAxNTo0MTowMC4wMDAwMDAwMDAgKzAyMDAKKysrIC91c3IvbG9jYWwvcG9ydGFn ZS9tZWRpYS1saWJzL2ltbGliL2ltbGliLTEuOS4xNC1yMi5lYnVpbGQJMjAwNC0wOS0wNiAxNjox MTo0OS41NTMwMzIyMTYgKzAyMDAKQEAgLTIsNyArMiw3IEBACiAjIERpc3RyaWJ1dGVkIHVuZGVy IHRoZSB0ZXJtcyBvZiB0aGUgR05VIEdlbmVyYWwgUHVibGljIExpY2Vuc2UgdjIKICMgJEhlYWRl cjogL3Zhci9jdnNyb290L2dlbnRvby14ODYvbWVkaWEtbGlicy9pbWxpYi9pbWxpYi0xLjkuMTQt cjEuZWJ1aWxkLHYgMS4yOSAyMDA0LzA4LzI2IDEzOjIwOjA1IGhhbm5vIEV4cCAkCiAKLWluaGVy aXQgZ25vbWUub3JnIGxpYnRvb2wKK2luaGVyaXQgZXV0aWxzIGdub21lLm9yZyBsaWJ0b29sCiAK IERFU0NSSVBUSU9OPSJnZW5lcmFsIGltYWdlIGxvYWRpbmcgYW5kIHJlbmRlcmluZyBsaWJyYXJ5 IgogSE9NRVBBR0U9Imh0dHA6Ly9kZXZlbG9wZXIuZ25vbWUub3JnL2FyY2gvaW1hZ2luZy9pbWxp Yi5odG1sIgpAQCAtMjAsNiArMjAsNyBAQAogCiBzcmNfdW5wYWNrKCkgewogCXVucGFjayAke0F9 CisJZXBhdGNoICR7RklMRVNESVJ9L2ltbGliLUNBTi0yMDA0LTA4MTcucGF0Y2gKIAkjIGZpeCBj b25maWcgc2NyaXB0ICAgYnVnIDM0MjUKIAljZCAke1N9CiAJbXYgaW1saWItY29uZmlnLmluIGlt bGliLWNvbmZpZy5pbi5iYWQK 39067 2004-09-06 09:48 0000 imlib strace output imlib.out text/plain cG9sbChbe2ZkPTMsIGV2ZW50cz1QT0xMSU59LCB7ZmQ9NCwgZXZlbnRzPVBPTExJTn1dLCAyLCAw KSA9IDAKZ2V0dGltZW9mZGF5KHsxMDk0NDczMjk4LCA5NjE2MDJ9LCBOVUxMKSA9IDAKd3JpdGUo MywgIkZcMlw1XDBiXDBcMzQwXDJcMjRcMFwzNDBcMlwwXDBcMFwwXDE2XDBcMjE3XDBCXDBcN1ww YiIuLi4sIDI2NCkgPSAyNjQKaW9jdGwoMywgRklPTlJFQUQsIFswXSkgICAgICAgICAgICAgICAg ID0gMApwb2xsKFt7ZmQ9MywgZXZlbnRzPVBPTExJTiwgcmV2ZW50cz1QT0xMSU59LCB7ZmQ9NCwg ZXZlbnRzPVBPTExJTn1dLCAyLCAtMSkgPSAxCmdldHRpbWVvZmRheSh7MTA5NDQ3MzI5OSwgOTIw MzgxfSwgTlVMTCkgPSAwCmlvY3RsKDMsIEZJT05SRUFELCBbMzJdKSAgICAgICAgICAgICAgICA9 IDAKcmVhZCgzLCAiXDRcMVwzNDJcMjNcMzE1YlwyMDRcMjR9XDBcMFwwJlwwXDM0MFwyXDBcMFww XDBcMjA3XDBcMzY2Ii4uLiwgMzIpID0gMzIKd3JpdGUoMywgIlwzMlwwXDZcMCZcMFwzNDBcMlwy MTBcMVwxXDFcMFwwXDBcMFwwXDBcMFwwXDMxNWJcMjA0XDI0Ii4uLiwgMjQpID0gMjQKcmVhZCgz LCAiXDFcMFwzNDNcMjNcMFwwXDBcMChcMjRcMFwwXDMwM1wxNzdcMTZcMTBcMjEwflwyMDZcMTBc MzAiLi4uLCAzMikgPSAzMgpnZXR0aW1lb2ZkYXkoezEwOTQ0NzMzMDAsIDc2ODE0fSwgTlVMTCkg PSAwCndyaXRlKDMsICJDXDBcN1wwJlwwXDM0MFwyLFwwXDM0MFwyXDBcMFxcXDM2MFwyNjBcMD1c MFwwXDBcMjIyXDIiLi4uLCAyOCkgPSAyOAppb2N0bCgzLCBGSU9OUkVBRCwgWzBdKSAgICAgICAg ICAgICAgICAgPSAwCnBvbGwoW3tmZD0zLCBldmVudHM9UE9MTElOLCByZXZlbnRzPVBPTExJTn0s IHtmZD00LCBldmVudHM9UE9MTElOfV0sIDIsIC0xKSA9IDEKZ2V0dGltZW9mZGF5KHsxMDk0NDcz MzAwLCAxMTc3MDd9LCBOVUxMKSA9IDAKaW9jdGwoMywgRklPTlJFQUQsIFszMl0pICAgICAgICAg ICAgICAgID0gMApyZWFkKDMsICJcNVwxXDM0M1wyM21jXDIwNFwyNH1cMFwwXDAmXDBcMzQwXDJc MFwwXDBcMFwyMDdcMFwzNjYiLi4uLCAzMikgPSAzMgpvcGVuKCJleGFtcGxlLmJtcCIsIE9fUkRP TkxZKSAgICAgICAgICAgPSA2CmNsb3NlKDYpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAg ICA9IDAKZ2V0dGltZW9mZGF5KHsxMDk0NDczMzAwLCAxMjgzNzV9LCBOVUxMKSA9IDAKd3JpdGUo MywgIlwzM1wwXDJcMFwwXDBcMFwwRlwwXDVcMCZcMFwzNDBcMlxyXDBcMzQwXDJcMFwwXDIyMVwy XDI2MSIuLi4sIDI0NCkgPSAyNDQKaW9jdGwoMywgRklPTlJFQUQsIFswXSkgICAgICAgICAgICAg ICAgID0gMApnZXR0aW1lb2ZkYXkoezEwOTQ0NzMzMDAsIDEzOTQ3Nn0sIE5VTEwpID0gMAppb2N0 bCgzLCBGSU9OUkVBRCwgWzBdKSAgICAgICAgICAgICAgICAgPSAwCnBvbGwoW3tmZD0zLCBldmVu dHM9UE9MTElOfSwge2ZkPTQsIGV2ZW50cz1QT0xMSU59XSwgMiwgMCkgPSAwCmdldHRpbWVvZmRh eSh7MTA5NDQ3MzMwMCwgMTQ5NTI1fSwgTlVMTCkgPSAwCmlvY3RsKDMsIEZJT05SRUFELCBbMF0p ICAgICAgICAgICAgICAgICA9IDAKcG9sbChbe2ZkPTMsIGV2ZW50cz1QT0xMSU59LCB7ZmQ9NCwg ZXZlbnRzPVBPTExJTn1dLCAyLCAwKSA9IDAKb3BlbigiZXhhbXBsZS5ibXAiLCBPX1JET05MWSkg ICAgICAgICAgID0gNgpmc3RhdDY0KDYsIHtzdF9tb2RlPVNfSUZSRUd8MDY0NCwgc3Rfc2l6ZT0z MTI2LCAuLi59KSA9IDAKb2xkX21tYXAoTlVMTCwgNDA5NiwgUFJPVF9SRUFEfFBST1RfV1JJVEUs IE1BUF9QUklWQVRFfE1BUF9BTk9OWU1PVVMsIC0xLCAwKSA9IDB4NDA5NGEwMDAKcmVhZCg2LCAi Qk02XGZcMFwwXDBcMFwwXDA6XDBcMFwwKFwwXDBcMFwxXDBcMFwwXDFcMFwwXDBcMVwwXDEwIi4u LiwgNDA5NikgPSAzMTI2CmNsb3NlKDYpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9 IDAKbXVubWFwKDB4NDA5NGEwMDAsIDQwOTYpICAgICAgICAgICAgICAgID0gMApvcGVuKCJleGFt cGxlLmJtcCIsIE9fUkRPTkxZKSAgICAgICAgICAgPSA2CmZzdGF0NjQoNiwge3N0X21vZGU9U19J RlJFR3wwNjQ0LCBzdF9zaXplPTMxMjYsIC4uLn0pID0gMApvbGRfbW1hcChOVUxMLCA0MDk2LCBQ Uk9UX1JFQUR8UFJPVF9XUklURSwgTUFQX1BSSVZBVEV8TUFQX0FOT05ZTU9VUywgLTEsIDApID0g MHg0MDk0YTAwMApyZWFkKDYsICJCTTZcZlwwXDBcMFwwXDBcMDpcMFwwXDAoXDBcMFwwXDFcMFww XDBcMVwwXDBcMFwxXDBcMTAiLi4uLCA0MDk2KSA9IDMxMjYKX2xsc2Vlayg2LCAwLCBbMF0sIFNF RUtfU0VUKSAgICAgICAgICAgID0gMApyZWFkKDYsICJCTTZcZlwwXDBcMFwwXDBcMDpcMFwwXDAo XDBcMFwwXDFcMFwwXDBcMVwwXDBcMFwxXDBcMTAiLi4uLCA0MDk2KSA9IDMxMjYKX2xsc2Vlayg2 LCAzMTI2LCBbMzEyNl0sIFNFRUtfU0VUKSAgICAgID0gMApfbGxzZWVrKDYsIDMxMjYsIFszMTI2 XSwgU0VFS19TRVQpICAgICAgPSAwCl9sbHNlZWsoNiwgMzEyNiwgWzMxMjZdLCBTRUVLX1NFVCkg ICAgICA9IDAKX2xsc2Vlayg2LCAzMTI2LCBbMzEyNl0sIFNFRUtfU0VUKSAgICAgID0gMApfbGxz ZWVrKDYsIDMxMjYsIFszMTI2XSwgU0VFS19TRVQpICAgICAgPSAwCl9sbHNlZWsoNiwgMzEyNiwg WzMxMjZdLCBTRUVLX1NFVCkgICAgICA9IDAKX2xsc2Vlayg2LCAzMTI2LCBbMzEyNl0sIFNFRUtf U0VUKSAgICAgID0gMApvcGVuKCIvdXNyL2xpYi9saWJpbWxpYi1ibXAuc28iLCBPX1JET05MWSkg PSA3CnJlYWQoNywgIlwxNzdFTEZcMVwxXDFcMFwwXDBcMFwwXDBcMFwwXDBcM1wwXDNcMFwxXDBc MFwwXDI0MFw3XDAiLi4uLCA1MTIpID0gNTEyCmZzdGF0NjQoNywge3N0X21vZGU9U19JRlJFR3ww NzU1LCBzdF9zaXplPTExNTg0LCAuLi59KSA9IDAKb2xkX21tYXAoTlVMTCwgMTEwNDAsIFBST1Rf UkVBRHxQUk9UX0VYRUMsIE1BUF9QUklWQVRFfE1BUF9ERU5ZV1JJVEUsIDcsIDApID0gMHg0MDk0 YjAwMApvbGRfbW1hcCgweDQwOTRkMDAwLCA0MDk2LCBQUk9UX1JFQUR8UFJPVF9XUklURSwgTUFQ X1BSSVZBVEV8TUFQX0ZJWEVEfE1BUF9ERU5ZV1JJVEUsIDcsIDB4MTAwMCkgPSAweDQwOTRkMDAw CmNsb3NlKDcpICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICA9IDAKX2xsc2Vlayg2LCAz MTI2LCBbMzEyNl0sIFNFRUtfU0VUKSAgICAgID0gMAotLS0gU0lHU0VHViAoU2VnbWVudGF0aW9u IGZhdWx0KSBAIDAgKDApIC0tLQorKysga2lsbGVkIGJ5IFNJR1NFR1YgKysrCg==