Bug#: 154645
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo TreeCleaner Project <treecleaner@gentoo.org>
Reporter: Lubomir Rintel <lkundrak@v3.sk>
Description:   Opened: 2006-11-10 01:58 0000
+++ This bug was initially created as a clone of Bug #154573 +++

The package mgv 3.1.5 also seems to contain the vulnerable code, although I
didn't have a closer look at it.

==========

GNU gv Stack Overflow Vulnerability


//----- Advisory


Program          : GNU gv
Homepage         : http://www.gnu.org/software/gv/
Tested version   : 3.6.2
Found by         : r.lifchitz at sysdream dot com
This advisory    : r.lifchitz at sysdream dot com
Discovery date   : 2006/11/06
Vendor notified  : 2006/11/09


//----- Application description


gv is a comfortable viewer of PostScript and PDF files for the X
Window System. It uses the ghostscript PostScript interpreter
and is based on the classic X front-end for gs, ghostview, which
it has replaced now.


//----- Description of vulnerability


The 'gv' viewer is prone to a remote stack overflow
vulnerability. This issue exists because the application fails
to perform proper boundary checks before copying user-supplied
data into process buffers. A remote attacker may execute arbitrary
code in the context of a user running the application. As a result,
the attacker can gain unauthorized access to the vulnerable computer.

This issue presents itself in the 'ps_gettext()' function residing
in the 'ps.c' file.

Long comments in some specific headers (such as '%%DocumentMedia:')
of PS files are unconditionally copied into 'text', a 257 character
buffer on the stack.

This issue is reported to affect gv 3.6.2, but earlier versions are
likely prone to this vulnerability as well. Applications using embedded
gv code may also be vulnerable.


//----- Proof Of Concept

[...]

//----- Solution


No known solution. You have to wait for a vendor upgrade and
be careful with unknown PS files.


//----- Impact


Successful exploitation leads to remote code execution.


//----- Credits


Renaud Lifchitz
r.lifchitz at sysdream dot com
http://www.sysdream.com/
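
The unbounded copy the advisory describes, modelled as an added example. This is not gv's or mgv's code: gv's real ps_gettext() is a PostScript tokenizer and is not reproduced here. dsc_arg_length(), unbounded_copy_overflows(), dsc_arg_copy_bounded(), the demo_* helpers and the constructed header lines are all hypothetical names and data chosen for this illustration. The example shows why a %%DocumentMedia: argument longer than 256 bytes no longer fits a 257-byte stack buffer (256 characters plus the terminating NUL), and the bounded copy a fix would use in its place:

```c
/* Added example, not gv/mgv code: a hardened model of copying a DSC
 * comment argument into a 257-byte buffer, beside a check that models
 * the unbounded copy the advisory describes. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define TEXT_BUF 257   /* buffer size named in the advisory: 256 chars + NUL */

/* Length of the argument after "keyword" and any leading blanks, up to the
 * end of the line. Returns -1 if the line does not start with keyword. */
static long dsc_arg_length(const char *line, const char *keyword)
{
    size_t klen = strlen(keyword);
    if (strncmp(line, keyword, klen) != 0)
        return -1;
    const char *p = line + klen;
    while (*p == ' ' || *p == '\t')
        p++;
    const char *end = p;
    while (*end != '\0' && *end != '\n' && *end != '\r')
        end++;
    return (long)(end - p);
}

/* Model of the vulnerable pattern: an unconditional copy of the argument
 * (plus NUL) into a TEXT_BUF-byte stack buffer overflows when this is 1.
 * The copy itself is deliberately not performed. */
static int unbounded_copy_overflows(const char *line, const char *keyword)
{
    long n = dsc_arg_length(line, keyword);
    return n >= 0 && (size_t)n + 1 > TEXT_BUF;
}

/* Hardened copy: at most TEXT_BUF-1 bytes, always NUL-terminated.
 * Returns the number of bytes dropped by truncation, or -1 on keyword
 * mismatch (out is then the empty string). */
static long dsc_arg_copy_bounded(const char *line, const char *keyword,
                                 char out[TEXT_BUF])
{
    long n = dsc_arg_length(line, keyword);
    if (n < 0) {
        out[0] = '\0';
        return -1;
    }
    const char *p = line + strlen(keyword);
    while (*p == ' ' || *p == '\t')
        p++;
    size_t copy = (size_t)n;
    if (copy > TEXT_BUF - 1)
        copy = TEXT_BUF - 1;
    memcpy(out, p, copy);
    out[copy] = '\0';
    return n - (long)copy;
}

/* Constructed sample header (well-formed, short argument). */
static const char SAMPLE_OK[] = "%%DocumentMedia: Plain 612 792 0 () ()\n";

/* Build a constructed header whose argument is arglen bytes of 'A'.
 * Caller guarantees bufsize >= strlen(kw) + arglen + 2. */
static void build_long_header(char *buf, size_t arglen)
{
    const char *kw = "%%DocumentMedia: ";
    size_t klen = strlen(kw);
    memcpy(buf, kw, klen);
    memset(buf + klen, 'A', arglen);
    buf[klen + arglen] = '\n';
    buf[klen + arglen + 1] = '\0';
}

/* Demo helpers over a constructed header of arglen bytes (arglen <= 2000). */
static int demo_overflow_for_arglen(size_t arglen)
{
    char hdr[2048];
    build_long_header(hdr, arglen);
    return unbounded_copy_overflows(hdr, "%%DocumentMedia:");
}

static long demo_dropped_for_arglen(size_t arglen)
{
    char hdr[2048], text[TEXT_BUF];
    build_long_header(hdr, arglen);
    return dsc_arg_copy_bounded(hdr, "%%DocumentMedia:", text);
}

/* 1 if the short sample copies through unchanged. */
static int demo_short_header_text_matches(void)
{
    char text[TEXT_BUF];
    long dropped = dsc_arg_copy_bounded(SAMPLE_OK, "%%DocumentMedia:", text);
    return dropped == 0 && strcmp(text, "Plain 612 792 0 () ()") == 0;
}

int main(void)
{
    size_t lens[] = {21, 256, 257, 1000};
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("arglen=%4zu overflow=%d dropped=%ld\n", lens[i],
               demo_overflow_for_arglen(lens[i]),
               demo_dropped_for_arglen(lens[i]));
    return 0;
}
```

Build with a C99 compiler and run: arguments of 256 bytes or fewer fit, a 257-byte argument is the first that no longer fits the unbounded copy, and the bounded copy truncates to 256 bytes and always NUL-terminates. A real fix would also have to decide whether a truncated DSC argument is acceptable or the file should be rejected outright.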

------- Comment #1 From Stefan Schweizer 2006-11-18 02:18:26 0000 -------
This can be treecleaned. Upstream is dead, no release in 8 years.

------- Comment #2 From Sune Kloppenborg Jeppesen 2006-11-20 22:06:15 0000 -------
Security let's start by masking it and let treecleaners do their job. Any
comments?

------- Comment #3 From Sune Kloppenborg Jeppesen 2006-11-27 00:22:52 0000 -------
No objections, would somebody with the magick powers please do the trick?

------- Comment #4 From Stefan Cornelius (RETIRED) 2007-03-07 13:59:01 0000 -------
masked. do we really need a maskglsa here?

------- Comment #5 From Raphael Marichez 2007-03-09 22:29:21 0000 -------
The policy says "yes"... i would say "yes" too... (it's about an overflow so
it's rather severe)

------- Comment #6 From Matt Drew 2007-03-14 01:58:15 0000 -------
I agree with both masking and GLSA'ing - if there's anyone still using it, they
need to know.

------- Comment #7 From Sune Kloppenborg Jeppesen 2007-03-14 07:32:38 0000 -------
Though this bug is rather old, I've called for a maskglsa now with 2 YES votes.

------- Comment #8 From Raúl Porcel 2007-03-26 11:46:28 0000 -------
Okay, our turn.

Treecleaners, please vote.

++

------- Comment #9 From Jakub Moc (RETIRED) 2007-04-09 17:52:51 0000 -------
++

------- Comment #10 From Christian Heim (RETIRED) 2007-04-09 17:54:00 0000 -------
Upstream is dead, wasn't able to find another source for this package. Voting
yes for that.

------- Comment #11 From Raphael Marichez 2007-04-09 18:58:45 0000 -------
Just FYI it was (masking) GLSA 200703-24

------- Comment #12 From Raúl Porcel 2007-04-09 20:08:34 0000 -------
# Raúl Porcel <armin76@gentoo.org> (09 Apr 2007)
# Pending removal 09 Jun 2007, for treecleaners
# app-admin/cpu -> bug 173064
# app-admin/quickswitch -> bug 134335
# app-misc/jive -> bug 142838
# app-text/mgv -> bug 154645
# net-misc/dhcp-agent -> bug 168565
# x11-plugins/wmmail -> bug 73987
app-admin/cpu
app-admin/quickswitch
app-misc/jive
app-text/mgv
net-misc/dhcp-agent
x11-plugins/wmmail

------- Comment #13 From Raúl Porcel 2007-06-07 21:32:41 0000 -------
Removed
