** Please note that this issue is confidential and no information should be disclosed until it is made public, see "Whiteboard" for a date **

A heap-based buffer overflow was found in the way newt used to process content to be rendered in a text dialog box. A local attacker could issue a specially-crafted text dialog box rendering request (directly or via a custom application), leading to a denial of service (application crash) or, potentially, to execution of arbitrary code with the privileges of the user running the application.

Description of problem:
------------------------
The function doReflow in textbox.c allocates a buffer that might not be large enough to hold the reflowed text:

    static void doReflow(const char * text, char ** resultPtr, int width,
                         int * badness, int * heightPtr) {
    ...
        if (resultPtr) {
            /* XXX I think this will work */
            result = malloc(strlen(text) + (strlen(text) / width) + 2);
            *result = '\0';
        }

The problem is that the length calculation assumes that when long lines are split they will be width long, but they are actually width - 1 long. The fix is to use the following length calculation:

- result = malloc(strlen(text) + (strlen(text) / width) + 2);
+ result = malloc(strlen(text) + (strlen(text) / (width - 1)) + 2);

Affected versions:
------------------
The issue was tested and confirmed in newt-0.51.5, newt-0.51.6, newt-0.52.2 and newt-0.52.10.

CVE identifier:
----------------
CVE-2009-2905 has been assigned to this issue.

Credit:
-------
Miroslav Lichvar <mlichvar () redhat ! com>

Coordinated release date:
-------------------------
Thursday, 2009-09-24 12:00 UTC

Please let us know if this doesn't correspond to your needs for some reason.
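Review bot: the new divisor in `+ result = malloc(strlen(text) + (strlen(text) / (width - 1)) + 2);` is zero when width is 1, so this hunk trades an undersized buffer for a division-by-zero crash on that input; guard the allocation with a check that width is at least 2 (or clamp the divisor to 1) before dividing by (width - 1).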
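As an added example, not newt's code and not part of the original report, here is a simplified model of the reflow arithmetic described above: a run of text without spaces is cut into lines of width - 1 characters, each followed by a newline, and the resulting size is compared with the old and the fixed allocation formulas quoted in the report. The reflow model, the sample text and the function names are assumptions made for this demonstration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample input: 30 characters, no spaces or newlines. */
static const char SAMPLE_TEXT[] = "0123456789abcdefghijklmnopqrst";

/* Lines are width - 1 characters long (width >= 2 is assumed). */
static size_t line_len(int width) {
    return width < 2 ? 1 : (size_t)width - 1;
}

/* Simplified model of doReflow's output (an assumption, not newt's code):
 * text with no spaces or newlines is cut into chunks of line_len(width)
 * characters, each followed by '\n', plus the terminating NUL. */
static size_t reflow_bytes_needed(const char *text, int width) {
    size_t remaining = strlen(text), out = 0, line = line_len(width);
    while (remaining > 0) {
        size_t take = remaining < line ? remaining : line;
        out += take + 1;          /* chunk plus '\n' */
        remaining -= take;
    }
    return out + 1;               /* terminating NUL */
}

/* Allocation formula in the vulnerable doReflow (newt <= 0.52.10). */
static size_t old_alloc_size(const char *text, int width) {
    return strlen(text) + (strlen(text) / (size_t)width) + 2;
}

/* Allocation formula after the CVE-2009-2905 fix. */
static size_t fixed_alloc_size(const char *text, int width) {
    return strlen(text) + (strlen(text) / line_len(width)) + 2;
}

/* Bytes by which the old allocation falls short of the model (0 = fits). */
static size_t old_alloc_shortfall(const char *text, int width) {
    size_t need = reflow_bytes_needed(text, width);
    size_t have = old_alloc_size(text, width);
    return need > have ? need - have : 0;
}

int main(void) {
    for (int width = 2; width <= 6; width++)
        printf("width %d: need %zu, old %zu (short %zu), fixed %zu\n", width,
               reflow_bytes_needed(SAMPLE_TEXT, width),
               old_alloc_size(SAMPLE_TEXT, width),
               old_alloc_shortfall(SAMPLE_TEXT, width),
               fixed_alloc_size(SAMPLE_TEXT, width));
    return 0;
}
```

For the 30-character sample at width 4 the model needs 41 bytes while the old formula allocates 39, so the last line plus its terminator would be written past the buffer; the fixed formula allocates 42.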
Created attachment 204853: newt-CVE-2009-2905.patch (upstream patch)
Due to the limited exploitability of the issue and the short timeframe, I suggest not participating in coordinated disclosure. Let's fix this in the tree on Sept. 24 and wait until then.
This is now public (cf. https://bugzilla.redhat.com/show_bug.cgi?id=523955)
CVE-2009-2905 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2905): Heap-based buffer overflow in textbox.c in newt 0.51.5, 0.51.6, and 0.52.2 allows local users to cause a denial of service (application crash) or possibly execute arbitrary code via a request to display a crafted text dialog box.
Arches, please test and mark stable: =dev-libs/newt-0.52.10-r1
Target keywords: "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
*** Bug 281402 has been marked as a duplicate of this bug. ***
amd64/arm/x86 stable
Stable on alpha.
Stable for HPPA.
ia64/sparc stable
ppc64 done
ppc stable Bug ready to be fixed by security team.
Request filed.
Please remove vulnerable ebuilds. I still see newt-0.52.2.ebuild and newt-0.52.10.ebuild. GLSA draft filed.
GLSA 201006-14