Bug#: 278186
Status: RESOLVED
Resolution: FIXED
Assigned To: Gentoo Security <security@gentoo.org>
Reporter: Alex Legler <a3li@gentoo.org>

Filename Description Type Creator Created Size
htmldoc-set_page_size.patch htmldoc-set_page_size.patch patch Alex Legler 2009-07-17 18:19 0000 425 bytes
htmldoc-sscanf-overflows.patch Updated patch patch Alex Legler 2009-08-01 20:38 0000 1.29 KB

Description:   Opened: 2009-07-17 17:50 0000
Original PoC (http://en.securitylab.ru/poc/extra/382563.php)
# [*] Autore: ANTHRAX666 <anthrax.the.666@gmail.com>
# [+] StackBased OverFlow In set_page_size()
# [/] EIPregister Is Raped By Us So Not Just Krash

On milw0rm ($URL)
# htmldoc 1.8.27.1 (.html) Universal Stack Overflow Exploit
# By ksa04
# j-7[at]hotmail[dot]com

------- Comment #1 From Alex Legler 2009-07-17 17:54:35 0000 -------
In util.cxx:

420 set_page_size(const char *size) /* I - Page size string */
..
424   char  units[255];             /* Units string */
..
487   else if (sscanf(size, "%fx%f%s", &width, &length, units) >= 2)

------- Comment #2 From Alex Legler 2009-07-17 18:19:54 0000 -------
Created an attachment (id=198347) [details]
htmldoc-set_page_size.patch

Quick patch that should fix this issue. Comments?

------- Comment #3 From Alex Legler 2009-07-17 19:09:06 0000 -------
From Secunia (http://secunia.com/advisories/35780/):

Description:
ANTHRAX666 has discovered a vulnerability in HTMLDOC, which can be exploited by
malicious people to compromise a vulnerable system.

The vulnerability is caused due to an unsafe call to "sscanf()" in the
"set_page_size()" function in htmldoc/util.cxx. This can be exploited to cause
a stack-based buffer overflow when an HTML document containing e.g. a specially
crafted "MEDIA SIZE" comment is being processed.

The vulnerability is confirmed in version 1.8.27. Other versions may also be
affected.

------- Comment #4 From Vladimir Lettiev 2009-07-18 13:22:43 0000 -------
2 symbols are enough. units may contain values: "mm", "cm", "in" (any other
value == "px")

-  else if (sscanf(size, "%fx%f%s", &width, &length, units) >= 2)
+  else if (sscanf(size, "%fx%f%2s", &width, &length, units) >= 2)
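Review bot: "%2s" bounds the copy at two characters plus the terminating NUL, which fits units[255] and the documented values "mm", "cm" and "in", but a field width truncates rather than rejects: an input such as "8.5x11inches" would parse as "in" and the remainder is silently dropped, because the call only checks for >= 2 conversions. If that is acceptable the change is safe; otherwise add a check that the string was fully consumed (for example a trailing %n), or use a width of sizeof(units) - 1 and validate the units value afterwards.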

------- Comment #5 From Alex Legler 2009-07-20 20:38:14 0000 -------
Mh, true. I have included this question in the upstream bug report.

Filed upstream as: http://www.htmldoc.org/str.php?L214

------- Comment #6 From Alex Legler 2009-07-26 07:26:48 0000 -------
nion of Debian found two more insecure calls:

htmllib.cxx:
2142   if (sscanf(line, "%*s%*s%*s%*s%f%*s%*s%s", &width, glyph) != 2)

ps-pdf.cxx:
12515  if (sscanf(line, "%*s%*s%*s%*s%d%*s%*s%s", &width, glyph) != 2)

I tried to reproduce it and was able to cause a buffer overflow by supplying a
crafted AFM font file with an overly long glyph name.
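
As an added example (not HTMLDOC's code and not either patch attached here), a bounded form of the three sscanf() calls discussed in comments #1, #4 and #6, with a check that the field width did not silently truncate the token; the units cap follows comment #4, while the glyph-name cap and the function names are assumptions:

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Added example, not HTMLDOC's code: bounded replacements for the three
 * sscanf() calls named in this bug. Only the format strings come from the
 * report; buffer sizes and function names are assumptions. */
#define UNITS_LEN 2    /* "mm", "cm", "in" per comment #4; anything else is px */
#define GLYPH_LEN 63   /* assumed cap for an AFM glyph name */
#define STR_(x) #x
#define STR(x) STR_(x) /* splices a numeric macro into a format string */

/* set_page_size() branch, e.g. "8.5x11in". Returns 1 only if the whole
 * string was consumed. The field width makes "%s" stop after UNITS_LEN
 * bytes instead of overrunning units[]; because a width truncates silently,
 * %n is used to reject leftovers such as the "ches" of "8.5x11inches". */
static int parse_page_size(const char *size, float *width, float *length,
                           char units[UNITS_LEN + 1])
{
    int consumed = -1;

    units[0] = '\0';
    if (sscanf(size, "%fx%f%" STR(UNITS_LEN) "s%n",
               width, length, units, &consumed) < 2)
        return 0;
    /* %n is only reached when the units token matched; with no units
     * (consumed == -1) the numeric pair alone is acceptable */
    return consumed < 0 || size[consumed] == '\0';
}

/* AFM char metric line, "C 32 ; WX 600 ; N space ;", as parsed in
 * htmllib.cxx (ps-pdf.cxx reads the width with %d). A name longer than
 * GLYPH_LEN is reported as malformed rather than truncated and accepted. */
static int parse_afm_char(const char *line, float *width,
                          char glyph[GLYPH_LEN + 1])
{
    int consumed = -1;

    glyph[0] = '\0';
    if (sscanf(line, "%*s%*s%*s%*s%f%*s%*s%" STR(GLYPH_LEN) "s%n",
               width, glyph, &consumed) != 2)
        return 0;
    /* a complete name is followed by whitespace or end of line; any other
     * character means the width cut the token short */
    return consumed >= 0 &&
           (line[consumed] == '\0' || isspace((unsigned char)line[consumed]));
}
```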

------- Comment #7 From Alex Legler 2009-08-01 20:38:12 0000 -------
Created an attachment (id=199846) [details]
Updated patch

------- Comment #8 From Alex Legler 2009-08-14 08:42:28 0000 -------
Upstream won't include the fix until 1.9 is released, so Carlo, please apply
the patch.

------- Comment #9 From Alex Legler 2009-08-16 18:22:24 0000 -------
Arches, please test and mark stable:
=app-text/htmldoc-1.8.27-r1
Target keywords : "alpha amd64 ia64 ppc sparc x86"

------- Comment #10 From Christian Faulhammer 2009-08-17 17:41:25 0000 -------
x86 stable

------- Comment #11 From nixnut 2009-08-23 09:31:10 0000 -------
ppc stable

------- Comment #12 From Raúl Porcel 2009-08-25 13:49:06 0000 -------
alpha/ia64/sparc stable

------- Comment #13 From Alex Legler 2009-08-26 23:44:37 0000 -------
23 Aug 2009; Alex Legler <a3li@gentoo.org> htmldoc-1.8.27-r1.ebuild:
amd64 stable, security bug 278186.

GLSA draft filed.

------- Comment #14 From Alex Legler 2009-09-06 09:43:54 0000 -------
CVE-2009-3050 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3050):
  Buffer overflow in the set_page_size function in util.cxx in HTMLDOC
  1.8.27 and earlier allows context-dependent attackers to execute
  arbitrary code via a long MEDIA SIZE comment.  NOTE: it was later
  reported that there were additional vectors in htmllib.cxx and
  ps-pdf.cxx using an AFM font file with a long glyph name, but these
  vectors do not cross privilege boundaries.

------- Comment #15 From Alex Legler 2009-09-12 16:31:54 0000 -------
GLSA 200909-12
