78118 2005-01-15 11:08 0000 x11-libs/xview CAN-2005-0076: Potentional arbitrary code execution 2005-06-28 02:27:50 0000 1 Unclassified Gentoo Security Vulnerabilities unspecified All All RESOLVED FIXED B? [noglsa] jaervosz P2 trivial --- 1 jaervosz@gentoo.org security@gentoo.org humpback@gentoo.org jaervosz@gentoo.org 2005-01-15 11:08:43 0000 Erik Sj jaervosz@gentoo.org 2005-01-15 11:08:43 0000 Erik Sjölund discovered that programs linked against xview are vulnerable to a number of buffer overflows in the XView library. When the overflow is triggered in a program which is installed setuser root a malicious user could perhaps execute arbitrary code as privileged user. These commands will create a segmentation fault: $ ln -s /usr/X11R6/bin/xvmount /tmp/`perl -e 'print "A" x 200'` $ /tmp/`perl -e 'print "A" x 200'` -Wt The overflowed variable seems to be sufficiently far away from the stack frame, but I'm not totally sure that it is impossible to overwrite it as well. I'm attaching a proposed patch. Please let me know if you need coordination for this bug. This package is probably part of most other distributions as well. jaervosz@gentoo.org 2005-01-15 11:10:31 0000 Created an attachment (id=48564) CAN-2005-0076.patch solar@gentoo.org 2005-01-15 11:33:01 0000 My system lacks the /usr/X11R6/bin/xvmount but does have xview so I'm not sure if we are effected or not. Do you have the util? solar@gentoo.org 2005-01-15 11:48:27 0000 n/m found it but it fails to even compile for me in the first place so can't test. pkg does not seem to be owned by any official herd or have a clear maintainer listed in a metadata.xml. The last ebuild seems to be initially provided by genstef. adding to CC: genstef please test but do not put this patch into CVS until a disclosure date is reached genstef@gentoo.org 2005-01-15 12:14:44 0000 I think we will just update the debin patch here as soon as they commit it, I suppose they also know about it? I think I am not the best man for testing it, I do not even use xview, so i remove myself from CC: I tagree that we should not disclose the details of this bug for now. koon@gentoo.org 2005-01-16 11:34:00 0000 Not sure we should accept this one. If we don't have xvmount, or any other SUID root linked to xview, then we should drop this as INVALID. koon@gentoo.org 2005-01-17 05:38:29 0000 We don't have xvmount (or I can't find it). Depending on xview we just have : media-sound/workman app-editors/jove (if USE=X) None of this is SUID root or SUID whatever. Closing this bug as INVALID, even if it should still be fixed when the Debian patch will be updated. Please reopen if you disagree. lewk@gentoo.org 2005-02-10 08:11:38 0000 *** Bug 81505 has been marked as a duplicate of this bug. *** vorlon@gentoo.org 2005-02-14 01:15:16 0000 (re)opening since debian issued http://www.debian.org/security/2005/dsa-672 so a new patchset is available now Guess we should apply that, eventhough we are not directly affected humpback@gentoo.org 2005-02-16 15:16:53 0000 I actualy use xview all the time, i would not like to see this dead. I've been watching the debian patch and the it seems that most of it is about Alpha compatibility, so if i'm to try and solve this do you guys think we should use the debian patch or just the one here? humpback@gentoo.org 2005-02-16 15:39:09 0000 Created an attachment (id=51380) xview-3.2-r1.ebuild.patch Well after looking at the ebuild it seems we already use the debian patches :) So here goes a patch to our ebuild, it simply changes the patchset. It builds ok and works on x86. koon@gentoo.org 2005-02-17 01:21:12 0000 Humpback: please commit your fix incvs, as it seems you're the only one to use xview anyway :) humpback@gentoo.org 2005-02-17 08:36:07 0000 -r3 is in portage marked x86, there was a problem with -r2 that it would not build with recent versions of xorg. Credits must go to seemant for finding the new home for the package. koon@gentoo.org 2005-02-17 08:46:38 0000 alpha, hppa: please test and mark stable. Will be closed without a GLSA since we don't ship SUID xview-powered apps. kloeri@gentoo.org 2005-02-19 10:28:04 0000 Alpha needs som PIC love before it can be marked stable. Here's the part of emerge log with the errors, just in case anybody else wants to take a poke at this bug :) a - wmgr_menu.o a - wmgr_decor.o make[4]: Leaving directory `/var/tmp/portage/xview-3.2-r3/work/xview-3.2p1.4-18c/lib/libxview/wmgr' rm -f libxview.so.3.2.4~ (cd ./xshared; alpha-unknown-linux-gnu-gcc -shared -Wl,-soname -Wl,`basename libxview.so.3.2.4 | sed 's/\(\.[0-9]\).*$/\1/'` -o libxview.so.3.2.4~ ?*.o -L/usr/X11R6/lib -lXext -lX11 -lutil -L../../libolgx -lolgx -lc) /usr/lib/gcc-lib/alpha-unknown-linux-gnu/3.3.2/../../../../alpha-unknown-linux-gnu/bin/ld: csr_change.o: gp-relative relocation against dynamic symbol ttysw_gray17_pr /usr/lib/gcc-lib/alpha-unknown-linux-gnu/3.3.2/../../../../alpha-unknown-linux-gnu/bin/ld: csr_change.o: gp-relative relocation against dynamic symbol ttysw_gray17_pr collect2: ld returned 1 exit status make[3]: *** [libxview.so.3.2.4] Error 1 make[3]: Leaving directory `/var/tmp/portage/xview-3.2-r3/work/xview-3.2p1.4-18c/lib/libxview' make[2]: *** [all] Error 1 make[2]: Leaving directory `/var/tmp/portage/xview-3.2-r3/work/xview-3.2p1.4-18c/lib' make[1]: *** [all] Error 1 make[1]: Leaving directory `/var/tmp/portage/xview-3.2-r3/work/xview-3.2p1.4-18c' make: *** [World] Error 2 vorlon@gentoo.org 2005-02-23 12:20:55 0000 any progress on alpha yet? koon@gentoo.org 2005-03-02 07:06:40 0000 Contacted kloeri -- he will try to get this one done soon. jaervosz@gentoo.org 2005-03-10 02:34:45 0000 kloeri any news on this one yet? kloeri@gentoo.org 2005-04-01 06:33:12 0000 Finally gave in and -alpha'ed the xview ebuilds. koon@gentoo.org 2005-04-01 07:47:21 0000 yeepee. hansmi@gentoo.org 2005-06-27 14:16:06 0000 GMsoft and KillerFox haven't been able to get xview working on hppa. I propose that we'll remove the hppa keyword from all ebuilds until it works again. koon@gentoo.org 2005-06-28 01:08:37 0000 No problem for me. hansmi@gentoo.org 2005-06-28 02:27:50 0000 Removed from hppa. 48564 2005-01-15 11:10 0000 CAN-2005-0076.patch CAN-2005-0076.patch text/plain LS0tIGxpYi9saWJ4dmlldy9iYXNlL3h2X3BhcnNlLmN+CTIwMDUtMDEtMTUgMTc6MTE6NTQuMDAw MDAwMDAwICswMTAwCisrKyBsaWIvbGlieHZpZXcvYmFzZS94dl9wYXJzZS5jCTIwMDUtMDEtMTUg MTc6MjA6MjMuMDAwMDAwMDAwICswMTAwCkBAIC0zMTIsNyArMzEyLDcgQEAgeHZfcGFyc2Vfb25l KGFwcF9uYW1lLCBhcmdjLCBhcmd2KQogICAgIGlmIChhcmdjIDw9IHNsb3QtPm51bV9hcmdzKSB7 CiAJY2hhciAgICAgICAgICAgIGR1bW15WzEyOF07CiAKLQkodm9pZCkgc3ByaW50ZihkdW1teSwg CisJKHZvaWQpIHNucHJpbnRmKGR1bW15LCBzaXplb2YoZHVtbXkpLAogCQkJWFZfTVNHKCIlczog bWlzc2luZyBhcmd1bWVudCBhZnRlciAlcyIpLCAKIAkJCWFwcF9uYW1lLAogCQkgICAgICAgYXJn dlswXSk7CkBAIC0zOTIsNyArMzkyLDcgQEAgeHZfcGFyc2Vfb25lKGFwcF9uYW1lLCBhcmdjLCBh cmd2KQogCWlmIChkZWZhdWx0c19sb29rdXAoYXJndlsxXSwga25vd25fc2NhbGVzKSA9PSAtMSkg ewogCQljaGFyIGR1bW15WzEwMjRdOwogCQkKLQkJKHZvaWQpIHNwcmludGYoZHVtbXksIAorCQko dm9pZCkgc25wcmludGYoZHVtbXksIHNpemVvZihkdW1teSksCiAJCQlYVl9NU0coIiVzOiB1bmtu b3duIHNjYWxlIFwiJXNcIiB1c2VkIHdpdGggJXMgb3B0aW9uIiksCiAJCQkgICAgICAgYXBwX25h bWUsIGFyZ3ZbMV0sIGFyZ3ZbMF0pOwogCQl4dl9lcnJvcihYVl9OVUxMLApAQCAtNjExLDcgKzYx MSw3IEBAIE5lZ0FyZzoKICAgICB7CiAJY2hhciAgICAgICAgICAgIGR1bW15WzEyOF07CiAKLQko dm9pZCkgc3ByaW50ZihkdW1teSwgCisJKHZvaWQpIHNucHJpbnRmKGR1bW15LCBzaXplb2YoZHVt bXkpLAogCQlYVl9NU0coIiVzOiBjYW4ndCBoYXZlIG5lZ2F0aXZlIGFyZ3VtZW50ICVzIGFmdGVy ICVzIiksCiAJCSAgICAgICBhcHBfbmFtZSwgYXJndltiYWRfYXJnXSwgYXJndlswXSk7CiAJeHZf ZXJyb3IoWFZfTlVMTCwK 51380 2005-02-16 15:39 0000 xview-3.2-r1.ebuild.patch patch text/plain LS0tIHh2aWV3LTMuMi1yMi5lYnVpbGQJMjAwNS0wMi0xNiAyMzoyNjowOC40NTgxMTIyMjQgKzAw MDAKKysrIC91c3IvcG9ydGFnZS94MTEtbGlicy94dmlldy94dmlldy0zLjItcjEuZWJ1aWxkCTIw MDUtMDEtMTYgMTU6NDQ6NTkuMDAwMDAwMDAwICswMDAwCkBAIC0xMyw3ICsxMyw3IEBACiAjICAq IHh2aWV3IGlzIGEgY29udHJpYnV0aW9uIG1hZGUgdG8gU3VuIE1pY3Jvc3lzdGVtcyAoPykgdG8g dGhlIFggY29tbXVuaXR5LCBidXQKICMgICAgZml4ZXMgZm9yIGl0IGRvbid0IGFwcGVhciB0byBi ZSBhcm91bmQgb3RoZXIgdGhhbiBpbiB0aGUgb3RoZXIgZnJlZSBkaXN0cmlidXRpb25zLgogIyAg KiBJdCBkb2VzIGxpdHRsZSBoYXJtLCBvbmx5IHNvbWUgZGVmYXVsdHMgYXJlIGNoYW5nZWQgd2hp Y2ggd2UgY2FuIHJlZGVmaW5lIGFueXdheQotU1JDX1BBVENIPSIke01ZX1BOLy0vX30tMTZ3b29k eTIuZGlmZiIKK1NSQ19QQVRDSD0iJHtNWV9QTi8tL199LTE4LmRpZmYiCiAKICMgV2UgdXNlIHRo ZSB4dmlldyB0YXJiYWxsIGF2YWlsYWJsZSBmcm9tIHRoZSBYIG9yZ2FuaXphdGlvbiwgYnV0IHhm cmVlODYgYXBwZWFycwogIyB0byBiZSB1cCBhbmQgYXZhaWxhYmxlIG1vcmUgb2Z0ZW4gc28gd2Ug dXNlIHRoYXQgKGl0J3MgdGhlaXIgcHJpbWFyeSBtaXJyb3IpLgo=