oCERT #2009-008 Dillo integer overflow

Dillo, an open source graphical web browser, suffers from an integer overflow which may lead to a potentially exploitable heap overflow and result in arbitrary code execution. The vulnerability is triggered by HTML pages with embedded PNG images: the Png_datainfo_callback function does not properly validate the width and height of the image. Specific PNG images with large width and height can be crafted to trigger the vulnerability.

Affected version: Dillo <= 2.1
Fixed version: Dillo >= 2.1.1
Credit: vulnerability report and PoC code received from Tielei Wang <wangtielei [at] icst [dot] pku [dot] edu [dot] cn>, ICST-ERCIS.
CVE: CVE-2009-2294
I've committed 2.1.1. Does this vulnerability apply to dillo-0.8.6? Because that's a completely different codebase (gtk1 as opposed to fltk2). If it does, I'd be happy to get rid of it. :-)
From dillo's homepage:

03-Jul-2009 Dillo-2.1.1 has been released to provide a security fix for malicious images. A few small improvements in CSS, key bindings, etc., found their way in as well. Thanks go to oCERT for bringing the matter to our attention.

Also: http://hg.dillo.org/dillo/file/tip/ChangeLog

I sent a mail and asked. There is no
Jorge's answer:

0.8.6 is abandoned, and frankly I believe it to have a few*10 more security issues! :) We had to rewrite a lot of the code and fixed lots of bugs along the way. Distros should be packing the last dillo version. I say it in the same spirit as the kernel developers. Note: yes the bug is there, but patching it and releasing a security fix would be a false sense of protection.

--------------------

Ben, please remove the older versions.
Arches, please test and mark stable:
=www-client/dillo-2.1.1
Target keywords: "alpha amd64 arm hppa ppc ppc64 sparc x86"
As dillo-2 depends on fltk:2, I have added a stable request for fltk:2 as a dependency to this bug. I also pinged MIPS team to keyword fltk:2/dillo-2 (bug 253083). I will mask <=dillo-2.1 now and remove those versions once 2.1.1 is stable.
CVE-2009-2294 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2294): Integer overflow in the Png_datainfo_callback function in Dillo 2.1 and earlier allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a PNG image with crafted (1) width or (2) height values.
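The size arithmetic behind the overflow described in the advisory and the CVE entry, as an added example in C that is not Dillo's own code: a 32-bit width*height*bpp product that wraps for large dimensions, beside a checked computation that rejects such dimensions before any buffer is allocated. The IMG_MAX_DIM cap, the function names and the sample dimensions are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Largest dimension the decoder is willing to handle (assumed policy value,
   not a Dillo constant). */
#define IMG_MAX_DIM 16384u

/* The kind of size computation the advisory describes: the product is formed
   in 32-bit unsigned arithmetic, so a large width/height pair wraps to a
   small value and a malloc() of that size is far too short for the rows
   the decoder later writes. */
uint32_t unsafe_size32(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;   /* wraps silently */
}

/* Checked version: byte size of a width x height image with bpp bytes per
   pixel, or 0 when a dimension is zero, exceeds the cap, or any intermediate
   product would wrap a size_t. */
size_t image_buffer_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t rowbytes;

    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if (width > IMG_MAX_DIM || height > IMG_MAX_DIM)
        return 0;
    if ((size_t)width > SIZE_MAX / bpp)      /* width * bpp would wrap */
        return 0;
    rowbytes = (size_t)width * bpp;
    if (rowbytes > SIZE_MAX / height)        /* rowbytes * height would wrap */
        return 0;
    return rowbytes * height;
}

/* Allocate the decode buffer only after the size has been validated;
   NULL signals rejection or allocation failure. */
unsigned char *alloc_image(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n = image_buffer_size(width, height, bpp);
    return n == 0 ? NULL : calloc(n, 1);
}

int main(void)
{
    /* constructed dimensions: 65536 x 65536 x 3 wraps to 0 in 32-bit math */
    uint32_t w = 65536u, h = 65536u;
    printf("unsafe: %u  checked: %zu\n", unsafe_size32(w, h, 3), image_buffer_size(w, h, 3));
    return 0;
}
```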
removing arches until bug 276695 is resolved.
Masking dillo breaks the stable tree which is never allowed. I commented out the line in package.mask for now. Please fix up the keywords before uncommenting the mask.
As Mr. Bones pointed out, no need to mask stable. Removing it after we have a new stable is sufficient and appreciated. Arches, =www-client/dillo-2.1.1 should be good now.
Sparc stable. I'm curious, though, why dillo-2* requires that fltk be built with USE=-cairo.
(In reply to comment #10)
> I'm curious, though, why dillo-2* requires that fltk be built
> with USE=-cairo.

Because upstream says so.
x86 stable
amd64 stable
Stable on alpha.
Stable for HPPA.
arm stable
Marked stable on ppc: =x11-libs/fltk-2.0_pre6786 =www-client/dillo-2.1.1
Stable on all arches now (apart from ppc64 which hasn't actually keyworded dillo-2.x at all). So security can proceed with GLSA.
Is the ppc64 team in agreement with dropping the stable keywords on their architecture?
~ppc64 done
GLSA 200908-10