| Summary: | media-gfx/xloadimage, media-gfx/xli: buffer overflow (CVE-2001-0775) |
|---|---|
| Product: | Gentoo Security |
| Component: | Vulnerabilities |
| Status: | RESOLVED FIXED |
| Severity: | normal |
| Priority: | High |
| Version: | unspecified |
| Hardware: | All |
| OS: | Linux |
| Whiteboard: | C2 [glsa] |
| Reporter: | Thierry Carrez (RETIRED) <koon> |
| Assignee: | Gentoo Security <security> |
| CC: | desktop-misc |
| Package list: | |
| Runtime testing required: | --- |
| Attachments: | xli.patch, security-sprintf.patch, xli-gentoo.patch, xloadimage-gentoo.patch |
Description
Thierry Carrez (RETIRED)
2005-10-07 02:58:16 UTC
> zoom.c, zoom() writes an arbitrarily large buffer into an 8192-byte buffer buf[].

Confirmed, just needs s/sprintf/snprintf/

> reduce.c, reduce() writes an arbitrarily large buffer into an 8192-byte buffer buf[].

Confirmed, same again.

> rotate.c, rotate() writes an arbitrarily large buffer into an 8192-byte buffer buf[].

Yup.

Note that these attacks require the user to process (i.e. zoom, reduce) the image with xloadimage; just viewing it is not enough.

desktop-misc: please patch

This is CAN-2005-3178

According to DSA 859-1, media-gfx/xli is affected, too. xli does not support NIFF images, however the same code is in there and is exploitable via XPM images. The fix is the same: -sprintf +snprintf

Patchers/desktop: please apply patch.

Created attachment 70925
xli.patch

Patch for xli from solar. Patches additional problems: a format string bug in the debug macro, unchecked pathname length in path.c, and an unchecked strcat in zoom.c (forgotten in the Debian patch?).
Created attachment 70928
security-sprintf.patch

Patch for xloadimage from Debian. This patch is sufficient to patch what this vulnerability is about. However, there are some other things:

- path overflow in config.c (same as xli's path.c)
- format string in debug macro in rle.c (same as xli's rlelib.c)

Setting to Auditing, as some more work is definitely needed on those packages.

Created attachment 71064
xli-gentoo.patch

Fixes prototype in xli.h with FindImage(). Package built with -fbounds-checking and passes local regression testing.

OK, patch for xli is ready; some more work needed on the xloadimage patch.

Created attachment 71196
xloadimage-gentoo.patch

Here's my patch for xloadimage (= patch from Debian + adaptation of solar's patch). Compiles OK and seems to work.
desktop-misc: please patch.

xli-1.17.0-r2 in portage, thx to Taviso. nelchael said he will handle xloadimage; let's wait for that before calling the arch testers.

xloadimage-4.1-r4 in CVS. Thx Nelchael, arch testers please test and mark stable...

Target KEYWORDS:
xli-1.17.0-r2 "alpha amd64 arm hppa ia64 ~mips ppc ppc-macos ppc64 sparc x86"
xloadimage-4.1-r4 "alpha amd64 arm hppa ia64 mips ppc ppc64 ppc-macos sparc x86"

xli-1.17.0-r2 and xloadimage-4.1-r4 stable on ppc-macos

Stable on alpha.

sparc stable.

Marked both stable. Thanks.

amd64 happy

x86 done

Stable on ppc and hppa.

Stable on ia64.

GLSA 200510-26

mips: don't forget to mark stable to benefit from the GLSA.

Stable on mips.

CVE-2001-0775 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2001-0775): Buffer overflow in xloadimage 4.1 (aka xli 1.16 and 1.17) in Linux allows remote attacker to execute arbitrary code via a FACES format image containing a long (1) Firstname or (2) Lastname field.
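As an added illustration of the fix this thread settles on (s/sprintf/snprintf/ for the 8192-byte buf[], plus a bounded replacement for the unchecked strcat that solar's xli patch addresses), here is C example code that is not part of xloadimage, xli or any patch attached to this bug. The "%s (zoomed)" format string, the function names and the oversized sample title are hypothetical stand-ins for the real code.

```c
#include <stdio.h>
#include <string.h>

#define BUFSIZE 8192   /* same fixed size as buf[] in zoom.c, reduce.c and rotate.c */

/* Vulnerable pattern described in the thread (not compiled here): the image title
 * is unbounded input, buf[] is fixed at 8192 bytes.
 *     sprintf(buf, "%s (zoomed)", image_title);   -- writes past buf on a long title
 * Hardened form: snprintf() writes at most dstlen bytes and returns the length the
 * full string needed, so truncation is detectable.  The format string is a
 * hypothetical stand-in for the real one. */
size_t build_title(char *dst, size_t dstlen, const char *image_title)
{
    int n = snprintf(dst, dstlen, "%s (zoomed)", image_title);
    if (n < 0) {                       /* encoding error: leave an empty string */
        if (dstlen) dst[0] = '\0';
        return 0;
    }
    return (size_t)n;                  /* >= dstlen means the output was truncated */
}

/* Bounded replacement for the unchecked strcat() the xli patch fixes in zoom.c:
 * copies only what fits, always NUL-terminates, returns 1 if src fit entirely. */
int bounded_cat(char *dst, size_t dstlen, const char *src)
{
    const char *end = memchr(dst, '\0', dstlen);
    if (end == NULL)                   /* dst is not a terminated string: refuse */
        return 0;
    size_t used = (size_t)(end - dst);
    size_t room = dstlen - used - 1;
    size_t need = strlen(src);
    size_t copy = need < room ? need : room;
    memcpy(dst + used, src, copy);
    dst[used + copy] = '\0';
    return need <= room;
}

int main(void)
{
    char buf[BUFSIZE], title[BUFSIZE * 2];
    memset(title, 'A', sizeof title - 1);   /* constructed oversized title */
    title[sizeof title - 1] = '\0';
    size_t need = build_title(buf, sizeof buf, title);
    printf("needed %zu bytes, kept %zu, truncated=%d\n",
           need, strlen(buf), need >= sizeof buf);
    if (!bounded_cat(buf, sizeof buf, " (reduced)"))
        puts("strcat would have overflowed; append was truncated instead");
    return 0;
}
```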