Bug 208464 - dev-lang/tk, dev-util/sourcenav, dev-util/insight, dev-perl/perl-tk (...): malformed GIF buffer overflow (CVE-2008-0553)
Bug#: 208464 (CVE-2008-0553)
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: ASSIGNED
Severity: normal
Priority: P2
Assigned To: security@gentoo.org
Reported By: falco@gentoo.org
Component: Vulnerabilities
URL: http://secunia.com/advisories/28784/
Status Whiteboard: B2 [ebuild]
Opened: 2008-02-01 17:58 0000

Hi,
A similar problem to bug 207933 (CVE-2006-4484) has been found in Tk, but it's
not public yet. (It should be public today, but I've seen no public advisory
yet.)
Maintainers, please do not commit anything yet, but you might want to test this
patch now, since it'll probably be public in a matter of hours.
--- generic/tkImgGIF.c 11 Sep 2007 18:01:45 -0000 1.24.2.5
+++ generic/tkImgGIF.c 25 Jan 2008 19:23:01 -0000
@@ -826,6 +826,12 @@
Tcl_PosixError(interp), (char *) NULL);
return TCL_ERROR;
}
+
+ if (initialCodeSize > MAX_LWZ_BITS) {
+ Tcl_SetResult(interp, "malformed image", TCL_STATIC);
+ return TCL_ERROR;
+ }
+
if (transparent != -1) {
cmap[transparent][CM_RED] = 0;
cmap[transparent][CM_GREEN] = 0;
dev-lang/tk-8.4.15-r2
dev-lang/tk-8.4.17
dev-lang/tk-8.5.0-r2
in cvs.
plz mark stable tk-8.4.15-r2
Public now, it's SA28784 and CVE-2008-0553
If you know about other packages actually using a vulnerable embedded code,
please let us know.
Sourcenav patched (both versions).
Hi,
The patch is official in tk 8.5.1, you (maintainers) can include it in your
ebuilds so that I can call arches one time for all these packages, and we can
avoid splitting this bug into several bugs and several glsas.
A copy of the code is also shipped by:
* sci-astronomy/ds9
* sci-visualization/paraview
* games-util/umodpack
* media-sound/rat
* sys-devel/gcc-nios2
* sys-devel/binutils-nios2
I did not check whether the code is actually used yet, hopefully someone else
can.
Thanks rbu, I performed further checks. Since there are numerous affected
ebuilds, if maintainers don't manifest in a reasonable time (1 week), I'll add
the patch to the ebuilds myself.
dev-lang/tk compiles the vulnerable code.
dev-util/sourcenav compiles it
dev-util/insight compiles it
dev-perl/perl-tk compiles it
* sci-astronomy/ds9 compiles it
* sci-visualization/paraview only in 2.x. Not in 3.x. Latest version
unaffected --> not a problem, just remove 2.x or patch 2.x
* games-util/umodpack uses it as a dependency but does not ship it
* media-sound/rat only in the latest version (3.x). No stable ebuild affected.
Not sure it actually uses the code. We'll suppose so. 3.x has to be patched.
* sys-devel/gcc-nios2 didn't try to compile, but code is here
* sys-devel/binutils-nios2 didn't try to compile, but code is here
I would also like to know whether an attacker can control the GIF images that
would be opened by the Tk component of the applications. If the attacker cannot
entice a user to open a specially crafted GIF image with the Tk library, there
is no vulnerability in your package. I don't know the mentioned package enough
to say, so I need maintainers' help.
> * sci-astronomy/ds9 compiles it
fixed.
> * sci-visualization/paraview only in 2.x
Fixed in portage cvs via patch.
Thanks,
Markus
very very late...
dev-util/insight-6.7.1-r1 has the patch
+ 12 May 2009; Samuli Suominen <ssuominen@gentoo.org> package.mask:
+ Mask media-sound/rat for removal wrt security #208464, CVE-2008-0553.
+*perl-tk-804.028-r2 (29 May 2009)
+
+ 29 May 2009; Alex Legler <a3li@gentoo.org> +perl-tk-804.028-r2.ebuild,
+ +files/perl-tk-CVE-2008-0553.patch:
+ Non-maintainer commit: Revbump to fix the CVE-2008-0553 security issue,
+ bug 208464.
Asked for stabilization in bug 271789
perl-tk done, vulnerable ebuild removed.