Bug 154573 - app-text/gv: Stack Overflow Vulnerability (CVE-2006-5864)
Summary: app-text/gv: Stack Overflow Vulnerability (CVE-2006-5864)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa] jaervosz
Keywords:
Depends on:
Blocks:
 
Reported: 2006-11-09 08:09 UTC by Matthias Geerdsen (RETIRED)
Modified: 2007-03-25 10:58 UTC
CC List: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
gv-overflow.patch (gv-overflow.patch,661 bytes, patch)
2006-11-13 02:08 UTC, Sune Kloppenborg Jeppesen (RETIRED)
no flags
gv-CVE-2006-5864-better.patch (gv-CVE-2006-5864-better.patch,699 bytes, patch)
2006-12-01 01:41 UTC, Sune Kloppenborg Jeppesen (RETIRED)
no flags

Description Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-09 08:09:08 UTC
GNU gv Stack Overflow Vulnerability


//----- Advisory


Program          : GNU gv
Homepage         : http://www.gnu.org/software/gv/
Tested version   : 3.6.2
Found by         : r.lifchitz at sysdream dot com
This advisory    : r.lifchitz at sysdream dot com
Discovery date   : 2006/11/06
Vendor notified  : 2006/11/09


//----- Application description


gv is a comfortable viewer of PostScript and PDF files for the X
Window System. It uses the ghostscript PostScript interpreter
and is based on the classic X front-end for gs, ghostview, which
it has replaced now.


//----- Description of vulnerability


The 'gv' viewer is prone to a remote stack overflow
vulnerability. This issue exists because the application fails
to perform proper boundary checks before copying user-supplied
data into process buffers. A remote attacker may execute arbitrary
code in the context of a user running the application. As a result,
the attacker can gain unauthorized access to the vulnerable computer.

This issue presents itself in the 'ps_gettext()' function residing
in the 'ps.c' file.

Long comments in some specific headers (such as '%%DocumentMedia:')
of PS files are unconditionally copied into 'text', a 257 character
buffer on the stack.

This issue is reported to affect gv 3.6.2, but earlier versions are
likely prone to this vulnerability as well. Applications using embedded
gv code may also be vulnerable.


//----- Proof Of Concept

[...]

//----- Solution


No known solution. You have to wait for a vendor upgrade and
be careful with unknown PS files.


//----- Impact


Successful exploitation leads to remote code execution.


//----- Credits


Renaud Lifchitz
r.lifchitz at sysdream dot com
http://www.sysdream.com/
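Added illustration, not part of this bug report, of the advisory, or of gv's own source: the bug class the advisory describes (an unchecked copy of a DSC header comment into a 257-byte stack buffer), a bounded replacement that reports truncation, and a triage scan that flags PostScript files whose "%%" header comments carry more than 256 characters, which is what "be careful with unknown PS files" amounts to on an unpatched viewer. The function names copy_comment_unbounded, copy_comment_bounded, scan_dsc_comments and build_sample_doc are mine, the 257-byte size is taken from the advisory, the unbounded copy is a reconstruction of the pattern and not gv's real ps_gettext(), and the PostScript header is constructed in the code rather than taken from a real file.

```c
#include <stdio.h>
#include <string.h>

/* Stack buffer size named in the advisory: 256 characters plus the NUL. */
#define PS_TEXT_BUF 257

/* Reconstruction of the bug class, an assumption and not gv's real
 * ps_gettext(): a DSC comment's argument is copied into a fixed-size stack
 * buffer with no length check, so >256 chars write past 'text'. */
static void copy_comment_unbounded(const char *comment, char *text)
{
    strcpy(text, comment);          /* only ever fed short input below */
}

/* Bounded replacement: copies at most cap-1 bytes, always NUL-terminates,
 * returns 1 if the comment was truncated so the caller can reject the file
 * rather than silently continue. */
static int copy_comment_bounded(const char *comment, char *text, size_t cap)
{
    size_t n = strlen(comment);
    int truncated = 0;
    if (cap == 0)
        return 1;
    if (n >= cap) {
        n = cap - 1;
        truncated = 1;
    }
    memcpy(text, comment, n);
    text[n] = '\0';
    return truncated;
}

/* Triage check for untrusted PostScript: walk the DSC comments (lines that
 * start with "%%"), measure the text after "keyword:" and count those that
 * would not fit a PS_TEXT_BUF buffer (a conservative bound on what a viewer
 * copies). Returns the count; *longest, if non-NULL, gets the longest seen. */
static size_t scan_dsc_comments(const char *doc, size_t *longest)
{
    size_t overlong = 0, max_len = 0;
    const char *line = doc;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len >= 2 && line[0] == '%' && line[1] == '%') {
            const char *colon = memchr(line, ':', len);
            size_t arg_len = colon ? len - (size_t)(colon + 1 - line) : 0;
            if (arg_len > max_len)
                max_len = arg_len;
            if (arg_len > PS_TEXT_BUF - 1)
                overlong++;
        }
        if (!eol)
            break;
        line = eol + 1;
    }
    if (longest)
        *longest = max_len;
    return overlong;
}

/* Writes a constructed (not captured) PostScript header whose
 * %%DocumentMedia: comment carries media_len bytes of argument into 'out'.
 * Returns bytes written, or 0 if 'cap' is too small. */
static size_t build_sample_doc(char *out, size_t cap, size_t media_len)
{
    const char *head = "%!PS-Adobe-3.0\n%%DocumentMedia:";
    const char *tail = "\n%%EndComments\n";
    size_t hl = strlen(head), tl = strlen(tail);
    if (hl + media_len + tl + 1 > cap)
        return 0;
    memcpy(out, head, hl);
    memset(out + hl, 'A', media_len);
    memcpy(out + hl + media_len, tail, tl + 1);
    return hl + media_len + tl;
}

int main(void)
{
    char doc[1024], arg[301], text[PS_TEXT_BUF];
    size_t longest, n;
    int truncated;

    build_sample_doc(doc, sizeof doc, 40);
    printf("benign header: %zu overlong\n", scan_dsc_comments(doc, NULL));
    build_sample_doc(doc, sizeof doc, 300);       /* the advisory's scenario */
    n = scan_dsc_comments(doc, &longest);
    printf("hostile header: %zu overlong, longest %zu\n", n, longest);
    memset(arg, 'A', 300);
    arg[300] = '\0';
    truncated = copy_comment_bounded(arg, text, sizeof text);
    printf("bounded copy: truncated=%d, stored %zu\n", truncated, strlen(text));
    copy_comment_unbounded("a4", text);           /* short input only */
    printf("unbounded copy of a short argument: %s\n", text);
    return 0;
}
```

The scanner measures the whole argument after the keyword, so it over-reports relative to whatever subset a real parser copies; for triage that is the right direction to err. The threshold is 256 because a 257-byte buffer holds 256 characters plus the terminator, so a 256-character argument fits and a 257-character one does not.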
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-11-10 05:04:56 UTC
SA22787
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-13 02:08:23 UTC
Created attachment 101813
gv-overflow.patch

Patch from Werner Fink.
Comment 3 Stefan Schweizer (RETIRED) gentoo-dev 2006-11-18 02:20:49 UTC
fixed in 3.6.2-r1
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-18 04:46:40 UTC
Thx Stefan.

Arches please test and mark stable. Target keywords are:

gv-3.6.2-r1.ebuild:KEYWORDS="alpha amd64 ~mips ppc ~ppc-macos ppc64 sparc x86"
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2006-11-18 10:30:48 UTC
x86 is the safest arch in the whole wide world.
Comment 6 Tobias Scherbaum (RETIRED) gentoo-dev 2006-11-18 13:36:35 UTC
ppc stable
Comment 7 Jason Wever (RETIRED) gentoo-dev 2006-11-19 13:47:37 UTC
SPARC stable
Comment 8 Brent Baude (RETIRED) gentoo-dev 2006-11-19 18:25:14 UTC
marked ppc64 stable
Comment 9 postmodern 2006-11-19 18:43:05 UTC
Works fine so far on amd64, worthy of the amd64 keyword.

Gentoo Base System version 1.12.6
Portage 2.1.1-r2 (default-linux/amd64/2006.1, gcc-4.1.1, glibc-2.4-r4, 2.6.17-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.17-gentoo-r8 x86_64 AMD Athlon(tm) 64 Processor 3400+
Last Sync: Sun, 19 Nov 2006 23:30:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: [Not Present]
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.60
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-pipe -O3 -march=k8"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-pipe -O3 -march=k8"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks metadata-transfer sandbox sfperms strict"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage-etest"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 X berkdb bitmap-fonts cli cracklib crypt cups debug dlloader dri elibc_glibc fortran gdbm gpm iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog kernel_linux libg++ ncurses nls nptl nptlonly pam pcre perl ppds pppd python readline reflection session spl ssl tcpd truetype-fonts type1-fonts udev unicode userland_GNU video_cards_nvidia video_cards_vesa vorbis xorg zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, MAKEOPTS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 10 Simon Stelling (RETIRED) gentoo-dev 2006-11-20 13:43:54 UTC
amd64 stable
Comment 11 Bryan Østergaard (RETIRED) gentoo-dev 2006-11-24 12:14:59 UTC
Stable on Alpha.
Comment 12 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-24 12:18:32 UTC
Thx Kloeri.

This one is ready for GLSA.
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-24 12:29:01 UTC
GLSA 200611-20
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-01 01:39:47 UTC
Seems like some distros are experiencing problems with the patch on x86_64 systems. I'll attach a better one.
Comment 15 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-01 01:41:05 UTC
Created attachment 103114
gv-CVE-2006-5864-better.patch

Proposed patch from SUSE.
Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-12-11 08:21:44 UTC
Printing please check the new patch and report back.
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-25 10:58:11 UTC
No comments -> no problems? Closing for now. Feel free to reopen if you disagree.