Bug 88742 - media-gfx/xv: new jumbo patches include security fixes
Summary: media-gfx/xv: new jumbo patches include security fixes
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High normal
Assignee: Gentoo Security
URL: http://www.sonic.net/~roelofs/greg_xv...
Whiteboard: B2 [glsa]
Keywords:
Duplicates: 86894
Depends on:
Blocks:
 
Reported: 2005-04-11 09:13 UTC by Thierry Carrez (RETIRED)
Modified: 2020-04-06 20:47 UTC
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
quick patch for some issues (xv-various-sec.diff,12.69 KB, patch)
2005-04-11 15:37 UTC, Tavis Ormandy (RETIRED)
patch cleaned up by werner fink of suse. (xv-3.10a-yaos.diff,15.08 KB, patch)
2005-04-13 06:32 UTC, Tavis Ormandy (RETIRED)

Description Thierry Carrez (RETIRED) gentoo-dev 2005-04-11 09:13:54 UTC
A new XV Jumbo-patches version has been released that fixes security issues:

20050410:
 - fix for YCbCr oversaturated-green bug(s) in TIFF decoder (GRR)
 - provisional fix for contiguous tiled TIFFs with bottom-* orientation (GRR)
 - fixes for gcc 3.3 -Wall warnings (GRR)
 - fix for incorrect 16/24-bit display of xwd dumps (SJT)
 - *SECURITY* fix for multiple input-validation bugs (OpenBSD/SuSE, Gentoo, GRR)
   (this also completes the partial mktemp() security fix listed above)
 - fix for (probable) 24-bit endianness bug in fixpix code (GRR)

We should include those fixes in our XV patches...
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-04-11 09:15:01 UTC
*** Bug 86894 has been marked as a duplicate of this bug. ***
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2005-04-11 09:15:39 UTC
Good luck, Tavis :)
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-04-11 15:30:11 UTC
...
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2005-04-11 15:36:36 UTC
Additional issues discovered while merging Greg's patches:

xvpds.c: at least a few dozen obviously exploitable overflows in the processing
    and manipulation of pds comments (starting around line ~400, you can't
    miss them, sscanf(), strcat() (line ~452, a few more starting ~650), etc)
xvpds.c: format string issues, via SetISTR() (around line ~665)
xvtiff.c: format string issue parsing errors returned from tiff
xvps.c: insufficient shell metacharacter protection from malformed filenames
    (if invoking xv via mailcap, pluggerrc, etc).
xv.c: ditto
xvdir.c: uses system ("rm -rf %s") without quoting.

My confidence in the code is fairly low, these issues were easy to spot, and spending lots of time fixing proprietary software for free isn't much fun (no matter how much I'm fond of the package).

There's probably more, a patch is attached for the things I could see, should we consider masking it? 
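The three bug classes listed in the comment above, shown as an added example that is not code from xv, from the attached patches, or from the bug's participants: an unbounded sscanf()/strcat() on comment text next to a bounded version, a SetISTR()-style printf wrapper called with untrusted text as its format next to the "%s" call, and the system("rm -rf %s") string built from an unquoted filename next to a removal that never goes through a shell. All function, buffer and path names here are hypothetical, and the inputs are constructed.

```c
/*
 * Added example, not xv code. Function and buffer names are hypothetical.
 * Each unsafe pattern is shown next to the shape its fix takes.
 */
#define _POSIX_C_SOURCE 200809L
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

#define COMMENT_MAX 256

/* --- 1. sscanf()/strcat() on comment text --------------------------------- */

/* Unsafe: "%s" has no width, so a 300-byte keyword in an image header
 * overruns the 256-byte destination. Kept only for comparison; never called. */
void keyword_unbounded(const char *line, char out[COMMENT_MAX]) {
    sscanf(line, "%s", out);
}

/* Safe: the field width caps what sscanf() stores at COMMENT_MAX-1 bytes + NUL.
 * Returns 1 when a token was stored, 0 or EOF otherwise. */
int keyword_bounded(const char *line, char out[COMMENT_MAX]) {
    out[0] = '\0';
    return sscanf(line, "%255s", out);
}

/* strcat()-style accumulation with an explicit remaining-space check.
 * dst must already be NUL-terminated within dstsz. Returns -1 instead of
 * overflowing when the piece does not fit. */
int append_comment(char *dst, size_t dstsz, const char *piece) {
    size_t used = strlen(dst), need = strlen(piece);
    if (need >= dstsz - used) return -1;
    memcpy(dst + used, piece, need + 1);
    return 0;
}

/* --- 2. printf-style status function ------------------------------------ */

static char status_line[128];

/* Shaped like SetISTR(): a format plus varargs. Called as set_status(untrusted),
 * a "%n" inside a comment becomes a memory write; the correct call is
 * set_status("%s", untrusted), which show_comment() below uses. */
void set_status(const char *fmt, ...) {
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(status_line, sizeof status_line, fmt, ap);
    va_end(ap);
}

const char *show_comment(const char *untrusted) {
    set_status("%s", untrusted);    /* untrusted text is data, not a format */
    return status_line;
}

/* --- 3. system("rm -rf %s") without quoting ----------------------------- */

/* Unsafe: the result is parsed by /bin/sh, so ';', '$(' or '`' in a filename
 * delivered through mailcap turn into commands. Only builds the string here
 * so the caller can inspect what the shell would have seen. */
int build_rm_command(const char *name, char *out, size_t outsz) {
    return snprintf(out, outsz, "rm -rf %s", name);
}

/* Characters the Bourne shell treats specially. */
int filename_has_shell_meta(const char *name) {
    for (; *name; name++)
        if (strchr("|&;<>()$`\\\"' \t\n*?[#~", *name)) return 1;
    return 0;
}

/* Safe: no shell at all. argv reaches rm verbatim and "--" ends option
 * parsing, so a name such as "x; reboot" or "-rf" is just a name.
 * Returns rm's exit status (0 on success), 127 if rm could not be run. */
int remove_without_shell(const char *name) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp("rm", "rm", "-rf", "--", name, (char *)NULL);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The shell-metacharacter check is useful for logging or refusing a name, but it is not the fix: the fix is remove_without_shell(), which never hands the name to a shell, so no character list needs to be complete.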
Comment 5 Tavis Ormandy (RETIRED) gentoo-dev 2005-04-11 15:37:30 UTC
Created attachment 56036
quick patch for some issues
Comment 6 Tavis Ormandy (RETIRED) gentoo-dev 2005-04-13 06:32:24 UTC
Created attachment 56161
patch cleaned up by werner fink of suse.
Comment 7 Tavis Ormandy (RETIRED) gentoo-dev 2005-04-15 04:51:32 UTC
xv-3.10a-r11 has been committed.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-04-15 05:13:20 UTC
Arches, please test and mark stable (if stable)
Comment 9 Jan Brinkmann (RETIRED) gentoo-dev 2005-04-15 06:26:35 UTC
stable on amd64
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2005-04-15 06:58:26 UTC
sparc done.
Comment 11 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-04-15 13:12:35 UTC
Stable on ppc.
Comment 12 Markus Rothe (RETIRED) gentoo-dev 2005-04-16 00:35:14 UTC
stable on ppc64
Comment 13 Greg Roelofs 2005-04-17 10:01:10 UTC
Er...judging by the massive spike in bandwidth on my site on 2005-04-15 
(virtually all of which was via the same version of wget (1.9.1) and with
no referrer), I'm guessing y'all might be "emerging" directly off of the
bzip2 archive there.  That's OK--it probably should have occurred to me
that this might happen--but insofar as it's about to start costing me
actual money, it will break as soon as freshmeat updates their links.
The new location is on SourceForge, and the links are already updated
on the URL listed above, so feel free to change yours accordingly at
any time.

(And if it wasn't you, then somebody else is going to be in for a surprise
this fine Sunday morning. ;-) )

Thanks, 
  Greg

P.S.  http://pobox.com/~newt/greg_xv.html is a safer long-term URL.
Comment 14 Tavis Ormandy (RETIRED) gentoo-dev 2005-04-17 10:27:33 UTC
Greg: Apologies. Fetching from the upstream distribution site is only supposed to be a last resort; we have a mirroring system that should automatically fetch the tarball and prevent that from happening. Apparently there was a lag before that kicked in, and it caused a bandwidth spike for you.

I've manually moved it onto our mirror system, so that should stop very soon, very sorry about that :)
Comment 15 Greg Roelofs 2005-04-17 11:39:28 UTC
Not a problem, Tavis, but thanks for the quick response anyway!
Comment 16 Bryan Østergaard (RETIRED) gentoo-dev 2005-04-18 14:39:14 UTC
Stable on alpha.
Comment 17 Bryan Østergaard (RETIRED) gentoo-dev 2005-04-18 17:17:15 UTC
Stable on ia64.
Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-04-18 22:14:00 UTC
GLSA 200504-17

hppa, mips, ppc-macos please remember to mark stable to benefit from GLSA.
Comment 19 Lina Pezzella (RETIRED) gentoo-dev 2005-04-19 07:48:04 UTC
ppc-macos would love to mark it stable, but that would be assuming it works first, which it does not.
We're working on it.
Comment 20 Lina Pezzella (RETIRED) gentoo-dev 2005-05-28 09:21:29 UTC
Marked stable. Sorry about the delay - our strategic lead had indicated that he would take care of this.
Comment 21 René Nussbaumer (RETIRED) gentoo-dev 2005-05-31 13:16:48 UTC
Stable on hppa
Comment 22 Fabian Groffen gentoo-dev 2006-05-23 11:18:37 UTC
marked xv-3.10a-r12 ppc-macos stable