Bug 395553 (CVE-2011-4620) - <media-libs/plib-1.8.5-r1: "ulSetError()" Buffer Overflow Vulnerability (CVE-2011-4620)
Status: RESOLVED FIXED
Alias: CVE-2011-4620
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://secunia.com/advisories/47297/
Whiteboard: B2 [glsa cve]
Keywords:
Duplicates: 576016
Depends on:
Blocks:
 
Reported: 2011-12-21 16:09 UTC by Agostino Sarubbo
Modified: 2016-06-27 00:01 UTC
CC List: 2 users

See Also:
Package list:
Runtime testing required: ---


Attachments
Patch from debian (plib-1.8.5-CVE-2011-4620.patch, 489 bytes, patch)
2016-01-23 17:11 UTC, Felix Janda

Description Agostino Sarubbo gentoo-dev 2011-12-21 16:09:30 UTC
From the Secunia security advisory at $URL:

Description:
The vulnerability is caused due to a boundary error within the "ulSetError()" function (src/util/ulError.cxx) when creating the error message, which can be exploited to overflow a static buffer.

Successful exploitation allows the execution of arbitrary code but requires that the attacker can e.g. control the content of an overly long error message passed to the "ulSetError()" function.

The vulnerability is confirmed in version 1.8.5. Other versions may also be affected.


Solution:
unpatched
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2012-02-21 01:23:37 UTC
CVE-2011-4620 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4620):
  Buffer overflow in the ulSetError function in util/ulError.cxx in PLIB
  1.8.5, as used in TORCS 1.3.1 and other products, allows user-assisted
  remote attackers to execute arbitrary code via vectors involving a long
  error message, as demonstrated by a crafted acc file for TORCS. NOTE: some
  of these details are obtained from third party information.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-16 17:51:23 UTC
@games: openSUSE has a patch [1] for this and bug 440762 we may be able to use since upstream has not updated.

[1] https://build.opensuse.org/request/show/144547
Comment 3 Mr. Bones. (RETIRED) gentoo-dev 2012-12-16 23:21:25 UTC
That patch looks terrible. vsnprintf null-terminates.
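The bug shape the advisory (Comment 0) and the CVE text (Comment 1) describe, an unbounded format into a fixed static buffer reached by a string taken from a crafted input file, beside the bounded form that the Debian patch takes, and Comment 3's point that vsnprintf already NUL-terminates so no extra terminator write is needed. This is an added example, not plib's ulError.cxx: the 1024-byte buffer size, the function names, the "unrecognized token" message and the loader callback are assumptions chosen for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the static error buffer; plib's real value is not on this page. */
#define ERROR_BUFFER_SIZE 1024
static char error_buffer[ERROR_BUFFER_SIZE];

/* Vulnerable shape (kept for comparison only; never call it with
 * attacker-influenced input): vsprintf has no length bound, so a formatted
 * message of ERROR_BUFFER_SIZE bytes or more writes past the end of the
 * static buffer, which is the overflow CVE-2011-4620 describes. */
void set_error_unbounded(const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    vsprintf(error_buffer, fmt, ap);
    va_end(ap);
}

/* Hardened shape: vsnprintf writes at most ERROR_BUFFER_SIZE - 1 bytes and
 * always NUL-terminates the result, so an explicit
 * error_buffer[ERROR_BUFFER_SIZE - 1] = '\0' afterwards is redundant.
 * Returns the length the full message would have had; a value of
 * ERROR_BUFFER_SIZE or more means the stored message was truncated. */
int set_error_bounded(const char *fmt, ...)
{
    va_list ap;
    int needed;
    va_start(ap, fmt);
    needed = vsnprintf(error_buffer, sizeof error_buffer, fmt, ap);
    va_end(ap);
    return needed;
}

const char *get_error(void) { return error_buffer; }

int error_was_truncated(int needed) { return needed >= (int)sizeof error_buffer; }

/* Hypothetical loader callback: a model-file parser reporting an unknown
 * token. The token is copied straight from the file, which is how a crafted
 * file (the CVE mentions an acc file for TORCS) reaches the error path. */
int report_bad_token(int lineno, const char *token)
{
    return set_error_bounded("line %d: unrecognized token '%s'", lineno, token);
}

int main(void)
{
    /* Constructed input: a 2999-byte token, far longer than the buffer. */
    char token[3000];
    memset(token, 'A', sizeof token - 1);
    token[sizeof token - 1] = '\0';

    int needed = report_bad_token(7, token);
    printf("needed=%d stored=%zu truncated=%d\n",
           needed, strlen(get_error()), error_was_truncated(needed));
    return 0;
}
```

With the bounded variant the oversized token yields a 1023-byte, NUL-terminated message and a return value that signals truncation; the same call through set_error_unbounded would write roughly two kilobytes past the end of error_buffer.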
Comment 4 Felix Janda 2016-01-23 17:11:28 UTC
Created attachment 423696 [details, diff]
Patch from debian

Extracted from the patch at https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=654785
Comment 5 Aaron Bauman (RETIRED) gentoo-dev 2016-03-02 10:18:35 UTC
Package revbumped per [0].

Arch teams, please test and mark stable:
=media-libs/plib-1.8.5-r1

Targeted stable KEYWORDS : alpha amd64 hppa ppc sparc x86


[0]: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2c3350ada353ca2c523210909a4fea07fcc5a10
Comment 6 Agostino Sarubbo gentoo-dev 2016-03-02 14:23:12 UTC
amd64 stable
Comment 7 Aaron Bauman (RETIRED) gentoo-dev 2016-03-05 02:55:45 UTC
@arches, still pending stabilization on: alpha, hppa, ppc, sparc, and x86.

@games, once stable please remove vulnerable version 1.8.5.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-09 04:23:48 UTC
*** Bug 576016 has been marked as a duplicate of this bug. ***
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2016-03-09 04:26:16 UTC
Stable for HPPA.
Comment 10 Tobias Klausmann (RETIRED) gentoo-dev 2016-03-14 18:43:25 UTC
Stable on alpha.
Comment 11 Agostino Sarubbo gentoo-dev 2016-03-15 16:40:23 UTC
x86 stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-03-16 12:04:16 UTC
ppc stable
Comment 13 Agostino Sarubbo gentoo-dev 2016-03-19 11:36:45 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2016-03-19 12:47:21 UTC
New GLSA opened.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2016-06-27 00:01:34 UTC
This issue was resolved and addressed in
 GLSA 201606-16 at https://security.gentoo.org/glsa/201606-16
by GLSA coordinator Aaron Bauman (b-man).