Bugzilla Bug 74694

The following advisory from securesoftware@list.cr.yp.to is for vilistextum
2.6.6, but I could get app-text/vilistextum-2.6.2 to SegFault with an adapted
exploit (the buffer is 300000 chars in 2.6.2, not 32768 as in 2.6.6), so it's
probably also vulnerable.

Date: 15 Dec 2004 08:16:58 -0000
From: "D. J. Bernstein" <djb@cr.yp.to>
Subject: [remote] [control] vilistextum 2.6.6 get_attr overflows temp buffer
To: securesoftware@list.cr.yp.to, bhaak@gmx.net
X-HELOcheck: OK: FQDN
Mailing-List: contact securesoftware-help@list.cr.yp.to; run by ezmlm
Mail-Followup-To: securesoftware@list.cr.yp.to, bhaak@gmx.net
Automatic-Legal-Notices: See http://cr.yp.to/mailcopyright.html.

[-- Attachment #1 [details] --]
[-- Type: text/plain, Encoding: 7bit, Size: 1.4K --]

Ariel Berkman, a student in my Fall 2004 UNIX Security Holes course, has
discovered a remotely exploitable security hole in vilistextum, an
HTML-to-text converter. I'm publishing this notice, but all the
discovery credits should be assigned to Berkman.

You are at risk if you take a web page (or any other source that could
be controlled by an attacker) and feed it through vilistextum. (The
vilistextum documentation does not tell users to avoid taking input from
the network.) Whoever provides that web page then has complete control
over your account: he can read and modify your files, watch the programs
you're running, etc.

Proof of concept: On an x86 computer running FreeBSD 4.10, type

   wget
http://umn.dl.sourceforge.net/sourceforge/vilistextum/vilistextum-2.6.6.tar.gz
   gunzip < vilistextum-2.6.6.tar.gz | tar -xf -
   cd vilistextum-2.6.6
   ./configure
   gmake

to download and compile the vilistextum program, version 2.6.6
(current). Then save the file 12.html attached to this message, and type

   src/vilistextum 12.html 12.txt

with the unauthorized result that a file named x is removed from the
current directory. (I tested this with a 540-byte environment, as
reported by printenv | wc -c.)

Here's the bug: In html.c, get_attr() reads any amount of data into a
32768-byte temp[] array.

---D. J. Bernstein, Associate Professor, Department of Mathematics,
Statistics, and Computer Science, University of Illinois at Chicago

Created an attachment (id=46170) [details]
Original file 12.html from advisory

Created an attachment (id=46171) [details]
Modified exploit that works with 2.6.2

shell-tools pls verify/advise

__

http://securitytracker.com/alerts/2004/Dec/1012558.html

Well, unless I am doing something wrong (pretty hard when there's directions),
I cannot reproduce this with either 2.6.2 nor 2.6.6 with the respective
attached HTML.

I was, however, able to get 2.6.2 to segfault, but of course after recompiling
with debugging flags, it doesn't segfault *sigh*.

I even tried reducing my env size to 540 with the same results.

vilistextum 2.6.7 is out :
http://bhaak.dyndns.org/vilistextum/changes.html

shell-tools, please bump ebuild to that version.

I was actually working on getting a working 2.6.6 ebuild last night, but found
out some interesting stuff.  As of 2.6.4 (iirc), multibyte support *requires*
libiconv which is pmask'd since some time in '03.

why does it require libiconv ?  iconv is part of glibc now

iirc libiconv was a fork from glibc's iconv.  As to why it requires it, I
haven't a clue.  The README explicitly states it as a requirement, and
configure fails w/o it.  

I tried to see if it would build w/o it but it failed on a missing header,
localcharset.h which is needed for locale_charset().

Forgot to add, I also noticed that gettext provides a localcharset.h with that
same function.  I tried to get it work last night, but I know nothing about
gettext. I was able to get it to build using it w/o any warnings/errors but it
fails every time with "setlocale failed with: yes"...  I didnt think it would
work because gettext != iconv, but its the only thing that provides
localcharset.h on my box.

======================================================
Candidate: CAN-2004-1299
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1299
Reference: MISC:http://tigger.uic.edu/~jlongs2/holes/vilistextum.txt

Buffer overflow in the get_attr function in html.c for vilistextum
2.6.6 allows remote attackers to execute arbitrary code via a crafted
web page.
======================================================

Created an attachment (id=46682) [details]
Patch against 2.6.7 which enables use of glibc iconv

Hi, i'm the author of vilistextum.

I've attached a patch that removes the requirement for libiconv and a few off-by-one errors.

I choose to *require* libiconv because it is the most portable iconv implementation. Although iconv(),iconv_open and iconv_close are standard, there are no canonical *names* for the encoding. And on Solaris, last time I looked, it couldn't convert from utf-8 to utf-8, because of the brain damaged way it implemented iconv.

Now I have looked at glibc iconv and it seems to at least have a reasonable way of defining encodings and aliases. The patch changes to configure.in to fall back to standard iconv when it can't find libiconv. The need for localcharset.h has been completely removed.

Aaron, I think you've made a mistake when running configure.
When vilistextum fails with "setlocale failed with: yes" that means you must have run it with "--with-unicode-locale=yes". You shouldn't use this option unless "configure --enable-multibyte" fails to automatically detect an utf-8 encoding and tells you to use it. 

For example "configure --enable-multibyte --with-unicode-locale=de_DE.utf8".

I'm sorry I have no gentoo installation so I can't supply the ebuild myself.

> I've attached a patch that removes the requirement for libiconv and a few off-by-one errors.

Patric, I cannot fit enough "thank you"'s in this text box.  Getting 2.6.7 in
the tree is my top priority this morning.

> When vilistextum fails with "setlocale failed with: yes" that means you must have run it with "--with-unicode-locale=yes".

doh ;p

> I'm sorry I have no gentoo installation so I can't supply the ebuild myself.

Don't be.  I already have the one I wrote for 2.6.6 (that of course didn't
build ;p), that also includes support for kaptain (via USE=kde).

Once again, thanks.

Ok, well this one has me quite confused...

FEATURES=maketest emerge vilistextum

causes two of the tests to fail because of vilistextum segfaulting.

#0  0xb7f12ee0 in _IO_sputbackwc (fp=0x814ef10, c=32) at wgenops.c:608
#1  0xb7f11ade in ungetwc (c=32, fp=0x814ef10) at ioungetwc.c:44
#2  0x080509ea in putback_char ()
#3  0x0804e445 in html_tag ()
#4  0x0804932b in html ()
#5  0x08050ce8 in main ()

both core's show the same stack trace.

When doing it manually (exactly as the ebuild would) it passes all 4 tests every time.  I also tried merging it w/o FEATURES=maketest and then editing the test scripts to run the one just installed; this also passed all tests.

anyone got any ideas?

Strange, no clue.

I've just committed 2.6.7 to the tree; it is currently package.mask'd until we
can figure out why it is failing half its tests because of segfaults (when it
works fine when run manually).

x86, sparc: please test and see if you reproduce the Aaron's problem... If you
do, any hint ? If not, please mark stable.

Created an attachment (id=47351) [details]
enables use of glibc iconv and --disable-multibyte

On a fresh installation of gentoo on AMD Athlon I can't reproduce the two
segfaults. It compiles without an error.

But 
USE="-unicode -kde" emerge vilistextum
fails because the configure script doesn't understand --disable-multibyte.

The patch fixes this, but you'll have to change the ebuild to apply the patch
unconditionally.

Patric,

Ok, changed ebuild to apply patch regardless of USE flags.

That patch works with USE=-unicode but no longer the other way around.  USE=unicode produces the same original error I had with localcharset.h missing... Looking at the patch it looks like some stuff was reverted that the other patch fixed.

Also when testing, you did test with FEATURES=maketest, no?  I've patched vilistextum to only run the tests when that is set (removed it from the all target). Just wanted to be sure as you didnt explicitlu say so.

Created an attachment (id=47389) [details]
enables use of glibc iconv and --disable-multibyte again

I made a mistake, I forgot to add the recursive option to the diff command.

The changes in the src directory weren't recorded. This patch has been better
tested.

Ok, I've updated the patch in portage and now apply it regarless of whether
unicode USE flag is enabled.  Still get the segfaults during the tests though,
but I realized it only happens when USE=unicode.  All 4 tests complete
successfully when USE=-unicode.

Meant to also ask, can some other folks test it and see if they get segfaults
with:

USE=unicode FEATURES=maketest emerge =app-text/vilistextum-2.6.7 (assuming
you've unmasked it)

If noone else can reproduce it, then I'll unmask it.

Tests pass on sparc with unicode & -unicode.
However USE="kde" doesn't work since kde-misc/kaptain-0.71 doesn't build.
From what i've seen it doesn't like our current stable qt-3.3.3.
Revbumping to kaptain-0.72 solved that problem, but is yet to be included in portage (basically copy over the 0.71 ebuild and exclude the assert patch which was fixed upstream).
KDE team: i think we'll need kde-misc/kaptain-0.72 included quickly.

Would it be possible to just disable the kde support to be able to mark it
stable now? There is no stable version of kaptain on any arch. Apart fromt hat,
I haven't tested the kde stuff since I dont even have qt here... but the rest
seems to work ok.

Ok, well it looks like I'm the only one getting those segfaults, so I won't
worry about that.

I'm with Oliver on disabling kde support until a version of kaptain is stable. 
I didn't even realize there wasn't a stable version available, or I would've
left it out in the first place.

I'll get on this ASAP so we can finally close this bug.

Stable on x86 and unmasked.  No other archs were previously stable.

Ready for GLSA

Eek! Careful grasshoper! sparc WAS stable before you retired the old ones...

Now it's sparc stable, and ready for GLSA.
Please *PLEASE* next time double check before retiring or going happy about it.
To get this out quick i had to break other stuff i was testing on sparc FYI, which are GLSA-related too (and one of those really long compile ones).

I apologize but for what its worth I did cvs up and check.

GLSA 200501-10