
Bug 110557

Summary: app-doc/{chmlib|kchmviewer} exploitable buffer overflow
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: carlo, ruza, svyatogor
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0536.html
Whiteboard: B2 [glsa] DerCorny
Package list:
Runtime testing required: ---
Attachments:
  Ebuild for =app-doc/chmlib-0.36 (flags: none)
  chmlib-0.37.4.ebuild (flags: none)

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-26 09:00:07 UTC
Advisory: chmlib exploitable buffer overflow

Product: chmlib
Affected Version: <=0.36
Immune Version: >0.36
OS: Tested on linux 2.4, probably other OS affected as well
Date: 26.10.2005
Author: Sven Tantau - http://www.sven-tantau.de/
Vendor-URL: http://morte.jedrea.com/%7Ejedwin/projects/chmlib/
Vendor-Status: informed, vendor released a fixed version
Advisory-URL:
http://www.sven-tantau.de/public_files/chmlib/chmlib_20051126.txt
  
Product
=======
>> From chmlib/README

chmlib is a small library designed for accessing MS ITSS files. The ITSS file
format is used for Microsoft Html Help files (.chm), which have been the
predominant medium for software documentation from Microsoft during the past
several years, having superseded the previously used .hlp file format.

...

You can download the source code releases from

  http://morte.jedrea.com/%7Ejedwin/projects/chmlib/
  
Details
=======

0. chm_lib.c: _chm_decompress_block(struct chmFile *h, UInt64 block,
   UChar **ubuffer)
1. see cmpLen and cbuffer declaration
2. call to _chm_get_cmpblock_bounds(h, block, &cmpStart, &cmpLen) to
   set cmpLen
3. cmpLen is used to offset write operations in cbuffer
   (_chm_fetch_bytes(h, cbuffer, cmpStart, cmpLen))
4. if cmpLen > h->reset_table.block_len + 6144 the buffer overflows
5. as we can supply the fd data, exploitation is possible and an
   attacker can execute arbitrary code.
   (I am not going to release an exploit for this vulnerability to the public.)
  
/* decompress the block. must have lzx_mutex. */
static Int64 _chm_decompress_block(struct chmFile *h,
                                   UInt64 block,
                                   UChar **ubuffer)
{
...
    UChar cbuffer[h->reset_table.block_len + 6144]; /* compressed buffer */
    Int64 cmpLen;                                   /* compressed len */

...

    if (! _chm_get_cmpblock_bounds(h, block, &cmpStart, &cmpLen) ||
        _chm_fetch_bytes(h, cbuffer, cmpStart, cmpLen) != cmpLen ||
        LZXdecompress(h->lzx_state, cbuffer, lbuffer, (int)cmpLen,
                      (int)h->reset_table.block_len) != DECR_OK)
    {
...
  
-----------------------------  
  
/* get the bounds of a compressed block. return 0 on failure */
static int _chm_get_cmpblock_bounds(struct chmFile *h,
                                    UInt64 block,
                                    UInt64 *start,
                                    Int64 *len)
{
    UChar buffer[8], *dummy;
    unsigned int remain;

    /* for all but the last block, use the reset table */
    if (block < h->reset_table.block_count-1)
    {
        ...

        /* unpack the end address */
        dummy = buffer;
        remain = 8;
        if (_chm_fetch_bytes(h, buffer,
                             (UInt64)h->data_offset
                                 + (UInt64)h->rt_unit.start
                                 + (UInt64)h->reset_table.table_offset
                                 + (UInt64)block*8 + 8,
                             remain) != remain ||
            !_unmarshal_int64(&dummy, &remain, len))
            return 0;
    }

    /* for the last block, use the span in addition to the reset table */
    else
    {
        ...
    }

    /* compute the length and absolute start address */
    *len -= *start;
    *start += h->data_offset + h->cn_unit.start;

    return 1;
}
  
--------------  
/*
 * dest(len) is read out of the fd
 */
static int _unmarshal_int64(unsigned char **pData,
                            unsigned int *pLenRemain,
                            Int64 *dest)
{
    Int64 temp;
    int i;
    if (8 > *pLenRemain)
        return 0;
    temp=0;
    for(i=8; i>0; i--)
    {
        temp <<= 8;
        temp |= (*pData)[i-1];
    }
    *dest = temp;
    *pData += 8;
    *pLenRemain -= 8;
    return 1;
}
  
---------------  
  
/* utility function to handle differences between {pread,read}(64)? */
static Int64 _chm_fetch_bytes(struct chmFile *h,
                              UChar *buf,
                              UInt64 os,
                              Int64 len)
{
    Int64 readLen=0, oldOs=0;
    if (h->fd == CHM_NULL_FD)
        return readLen;

    CHM_ACQUIRE_LOCK(h->mutex);
...
    readLen = pread(h->fd, buf, (long)len, (unsigned int)os);
...
    CHM_RELEASE_LOCK(h->mutex);
    return readLen;
}
  
Solution
========

Update!
chmlib maintainer Jed Wing released a new version 0.37
You can download the source code releases from:
http://morte.jedrea.com/%7Ejedwin/projects/chmlib/

No need for my quick and dirty patch.

History
=======

2005-10-24 issue found by Sven Tantau
2005-10-25 contacted chmlib maintainer
2005-10-25 quick reaction with confirmation
2005-10-26 new release of chmlib and public disclosure

--
Sven Tantau
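The check that step 4 of the advisory says is missing, as an added illustration (not chmlib's code and not part of the advisory): a simplified model of the reset-table length computation that refuses a file-supplied compressed length before anything is read into the fixed-size buffer. The names `checked_cmpblock_len`, `LZX_EXTRA`, `demo_lookup` and the sample table are assumptions made for this example.

```c
#include <stdint.h>

/* Added illustration, not chmlib code: a simplified model of the reset-table
 * lookup with the bounds check the vulnerable _chm_decompress_block lacked. */
#define LZX_EXTRA 6144  /* slack the page's cbuffer adds on top of block_len */
/* Little-endian 64-bit read, same byte order as the page's _unmarshal_int64. */
static int64_t unmarshal_int64(const unsigned char *p)
{
    int64_t v = 0;
    for (int i = 8; i > 0; i--) { v <<= 8; v |= p[i - 1]; }
    return v;
}

/* Reset-table model: 8-byte entries holding the compressed offset at which each
 * block starts; block N ends where block N+1 starts. All of it is file data. */
struct reset_table {
    const unsigned char *entries;
    uint64_t block_count;
    uint64_t block_len;  /* uncompressed block size that sizes cbuffer */
};

/* Compressed length of `block`, or -1 when the entries describe a length that
 * would not fit in block_len + LZX_EXTRA bytes, is negative, or is out of table. */
static int64_t checked_cmpblock_len(const struct reset_table *rt, uint64_t block)
{
    if (block + 1 >= rt->block_count)  /* example covers non-final blocks only */
        return -1;
    int64_t start = unmarshal_int64(rt->entries + block * 8);
    int64_t end   = unmarshal_int64(rt->entries + block * 8 + 8);
    int64_t capacity = (int64_t)rt->block_len + LZX_EXTRA;
    if (start < 0 || end < start || end - start > capacity)
        return -1;  /* refuse before any pread() into the fixed-size buffer */
    return end - start;
}

static void put_le64(unsigned char *out, uint64_t v)
{
    for (int i = 0; i < 8; i++) out[i] = (unsigned char)(v >> (8 * i));
}

/* Constructed two-entry table with block_len 32768, so capacity is 38912. */
static int64_t demo_lookup(uint64_t start, uint64_t end)
{
    unsigned char raw[16];
    put_le64(raw, start);
    put_le64(raw + 8, end);
    struct reset_table rt = { raw, 2, 32768 };
    return checked_cmpblock_len(&rt, 0);
}
```

A benign entry pair yields the block's compressed length, while a pair whose difference exceeds the buffer capacity, or whose end precedes its start, is rejected instead of being passed to the read.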
Comment 1 Stefan Cornelius (RETIRED) gentoo-dev 2005-10-26 09:28:43 UTC
svyatogor, please provide a fixed ebuild
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2005-10-30 08:52:17 UTC
fyi: app-doc/kchmplayer includes a copy of chmlib. Unstable and fixed with
v.1.1. Does the security team keep a list of applications including third party
libs?
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-10-30 09:05:32 UTC
Thx carlo, I guess you mean kchmviewer and we don't keep a list of .... apps 
that include other apps (at least not yet). 
 
kchmplayer all fixed now. 
Comment 4 Carsten Lohrke (RETIRED) gentoo-dev 2005-10-31 13:04:10 UTC
*** Bug 111052 has been marked as a duplicate of this bug. ***
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-11-06 10:45:24 UTC
Sent an email to the maintainer, hope he will pick it up.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-11-06 11:52:54 UTC
Sergey is on it.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2005-11-08 00:48:09 UTC
In fact there are three buffer overflows:

CVE-2005-2659 (fixed in >=0.36)
    Palasik Sandor discovered a buffer overflow in the LZX
    decompression method.

CVE-2005-2930 (fixed in >=0.36)
    A buffer overflow has been discovered that could lead to the
    execution of arbitrary code.

CVE-2005-3318 (fixed in >=0.37)
    Sven Tantau discovered a buffer overflow that could lead to the
    execution of arbitrary code.

Ccing carlo so that he checks that kchmviewer-1.1 fixes all of them.
Comment 8 Carsten Lohrke (RETIRED) gentoo-dev 2005-11-08 05:51:18 UTC
(In reply to comment #3)
> kchmplayer all fixed now. 

Sorry for the confusing misnaming. :)


(In reply to comment #7)
> Ccing carlo so that he checks that kchmviewer-1.1 fixes all of them.

kchmviewer-1.1 includes chmlib-0.37 and is marked testing anyways, so it's all fine.
Comment 9 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-11 01:07:02 UTC
Sergey any news on this one? 
Comment 10 Vic Fryzel (shellsage) (RETIRED) gentoo-dev 2005-11-15 20:00:12 UTC
Created attachment 72982 [details]
Ebuild for =app-doc/chmlib-0.36

Sending ebuild per jaervosz's request.

I'd have sent an ebuild for app-doc/chmlib-0.37 too, but 0.37 does not `make
install` on amd64, I received the following build error during the install
phase:

>>> Install chmlib-0.37 into /var/tmp/portage/chmlib-0.37/image/ category
app-doc
chmod a+r src/libchm.la
mkdir -p /usr
install -m0755 src/libchm.la /var/tmp/portage/chmlib-0.37/image//usr/lib64/
install -m0644 ./src/chm_lib.h /var/tmp/portage/chmlib-0.37/image//usr/include/

install -m0755 src/.libs/libchm.so.0.0.0
/var/tmp/portage/chmlib-0.37/image//usr/lib64/
ln -s /var/tmp/portage/chmlib-0.37/image//usr/lib64/libchm.so.0.0.0
/var/tmp/portage/chmlib-0.37/image//usr/lib64/libchm.so
ln -s /var/tmp/portage/chmlib-0.37/image//usr/lib64/libchm.so.0.0.0
/var/tmp/portage/chmlib-0.37/image//usr/lib64/libchm.so.0
x86_64-pc-linux-gnu-gcc -o extract_chmLib src/extract_chmLib.c -I/usr/include
-L/usr/lib64 -lchm -march=k8 -O3 -pipe -DCHM_MT -DCHM_USE_PREAD -DCHM_USE_IO64
-DDMALLOC_DISABLE
/usr/lib/gcc/x86_64-pc-linux-gnu/3.4.4/../../../../x86_64-pc-linux-gnu/bin/ld:
cannot find -lchm
collect2: ld returned 1 exit status
make: *** [extract_chmLib] Error 1

!!! ERROR: app-doc/chmlib-0.37 failed.
!!! Function src_install, Line 54, Exitcode 2
!!! (no error message)
!!! If you need support, post the topmost build error, NOT this status message.



localhost chmlib # emerge --info
Portage 2.0.53_rc7 (default-linux/amd64/2005.0, gcc-3.4.4, glibc-2.3.5-r3,
2.6.14-gentoo x86_64)
=================================================================
System uname: 2.6.14-gentoo x86_64 AMD Opteron(tm) Processor 242
Gentoo Base System version 1.12.0_pre10
dev-lang/python:     2.3.5, 2.4.2
sys-apps/sandbox:    1.2.13
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r1
sys-devel/binutils:  2.16.1
sys-devel/libtool:   1.5.20-r1
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O3 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3.2/share/config
/usr/kde/3.3/env /usr/kde/3.3/share/config /usr/kde/3.3/shutdown
/usr/kde/3.4/env /usr/kde/3.4/share/config /usr/kde/3.4/shutdown
/usr/kde/3/share/config /usr/lib/X11/xkb /usr/share/config /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=k8 -O3 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig distlocks sandbox sfperms strict"
GENTOO_MIRRORS="ftp://ftp.gtlib.cc.gatech.edu/pub/gentoo"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X alsa amd64 apache2 apm arts audiofile avi bitmap-fonts bonobo bzip2 cgi
cli crypt cups curl cvs dba dvdr dvdread eds emboss encode esd ethereal exif
expat fam ffmpeg flac foomaticdb fortran ftp gcj gd gdbm gif glut gnome gpm
gstreamer gtk gtk2 gtkhtml idn imagemagick imlib ipv6 java jpeg junit kde lcms
libg++ libwww lirc lzw lzw-tiff mad mhash mikmod mng mod_php motif mozsvg mp3
mpeg mysql ncurses nls nptl ogg oggvorbis opengl pam pcre pdflib perl php png
postgres python qt quicktime readline real sdl session slang socket sockets
spell ssl tcltk tcpd tiff truetype truetype-fonts type1-fonts udev usb
userlocales vcd visualization vorbis xine xinerama xml xml2 xmms xpm xv xvid
zlib userland_GNU kernel_linux elibc_glibc"
Unset:	ASFLAGS, CTARGET, LANG, LC_ALL, LDFLAGS, LINGUAS
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-11-19 10:08:17 UTC
solar/vapier/taviso/tigger please advise. 
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-11-25 01:54:49 UTC
Created attachment 73556 [details]
chmlib-0.37.4.ebuild

Ebuild for 0.37.4 version that fixes ebuild design errors (already fixed by
taviso in 0.35-r1) but succeeds in compiling lib + tools.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2005-11-25 02:10:59 UTC
InCVS thx to taviso.
Arches: please test chmlib-0.37.4 and mark stable.
Comment 14 Chris White (RETIRED) gentoo-dev 2005-11-25 12:16:26 UTC
Stable on x86.  For a test case (just in case the other arches need it), I
downloaded the file:

http://www.pltw.org/OCHM/Digital.chm

into ~/, made the directory ~/digital_out, then ran:

cd ~ ; chmextract Digital.chm digital_out/

and verified the contents of the chm were successfully extracted to digital_out/
Comment 15 Simon Stelling (RETIRED) gentoo-dev 2005-11-26 01:35:04 UTC
amd64 stable
Comment 16 Joe Jezak (RETIRED) gentoo-dev 2005-11-27 11:49:24 UTC
Marked ppc stable.
Comment 17 Thierry Carrez (RETIRED) gentoo-dev 2005-11-28 02:40:12 UTC
GLSA 200511-23