Bug 134839

Summary: <=media-gfx/zgv-5.8 - arbitrary command execution via suitably-constructed images
Product: Gentoo Security
Reporter: Jakub Moc (RETIRED) <jakub>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: maintainer-needed
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsaerrata] DerCorny
Package list:
Runtime testing required: ---

Description Jakub Moc (RETIRED) gentoo-dev 2006-05-29 15:46:34 UTC
http://www.svgalib.org/rus/zgv/

<snip>
WARNING: There is a known vulnerability in zgv 5.8 (and all previous versions) such that suitably-constructed images can be made to run arbitrary commands when viewed with zgv - not as root, but as the user running zgv. This still has the potential to cause serious trouble, so I strongly recommend that existing users upgrade to the current version.
</snip>

Can someone verify this, please?
Comment 1 Wolf Giesen (RETIRED) gentoo-dev 2006-05-29 21:46:39 UTC
Well, seems valid sure enough. Nothing in the Changelog suggests any off-the-trunk fixes, so IMHO we should get the machine rolling.

I'd change this to C2 [ebuild] / minor (but there's no maintainer), but, uhm, I can't.
Comment 2 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-30 03:03:13 UTC
no herd, no maintainer.
Joy, gonna send a mail to -dev or something like that soon.
Comment 3 Wolf Giesen (RETIRED) gentoo-dev 2006-05-30 03:04:54 UTC
Also see #127008 as there seems to be a 5.9 patch there.
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2006-05-30 05:57:52 UTC
bumped this to 5.9 with the patch frilled mentioned, although the 5.8 version should be fine.
x86 please test (really test, since I committed this mess - and this was my first ebuild commit) and stable, thanks.
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-30 15:48:22 UTC
I think this bug may be the same as CVE-2006-1060 (GLSA-200604-10):

"Heap-based buffer overflow in zgv before 5.8 and xzgv before 0.8 might allow user-complicit attackers to execute arbitrary code via a JPEG image with more than 3 output components, such as a CMYK or YCCK color space, which causes less memory to be allocated than required."

Since:
- there is really no reliable description of the vulnerability (and no other source)
- the Changelog for zgv 5.8 does not mention any security issue

Other viewpoint?
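The CVE text quoted in this comment describes a decode buffer sized for three colour components receiving a JPEG that declares four (CMYK or YCCK). As an added example, not code from the zgv project or from this bug, here is a small Python JPEG marker walker that reads the component count from the frame header (SOF segment) and compares a three-component allocation with what a decoder emitting one byte per component per pixel would need. The two sample headers are constructed inline and are not decodable images; the buffer model (height × width × components bytes) is an assumption used to illustrate the size gap, not zgv's actual allocation code.

```python
import struct

# Constructed sample: SOI, then a baseline SOF0 segment declaring a 16x16 image
# with 4 components (as a CMYK/YCCK JPEG would), then EOI. Not a decodable JPEG;
# only the marker stream matters for this check.
SAMPLE_CMYK_HEADER = bytes([
    0xFF, 0xD8,                    # SOI
    0xFF, 0xC0,                    # SOF0 (baseline DCT)
    0x00, 0x14,                    # segment length: 2 + 6 + 3*4 = 20
    0x08,                          # sample precision: 8 bits
    0x00, 0x10, 0x00, 0x10,        # height 16, width 16
    0x04,                          # number of components: 4
    0x01, 0x11, 0x00,              # component 1: id, sampling factors, quant table
    0x02, 0x11, 0x00,
    0x03, 0x11, 0x00,
    0x04, 0x11, 0x00,
    0xFF, 0xD9,                    # EOI
])

# Constructed sample: the same frame with the usual 3 components (YCbCr).
SAMPLE_YCBCR_HEADER = bytes([
    0xFF, 0xD8,
    0xFF, 0xC0,
    0x00, 0x11,                    # segment length: 2 + 6 + 3*3 = 17
    0x08,
    0x00, 0x10, 0x00, 0x10,
    0x03,                          # number of components: 3
    0x01, 0x22, 0x00,
    0x02, 0x11, 0x01,
    0x03, 0x11, 0x01,
    0xFF, 0xD9,
])

# All SOFn markers (C4/C8/CC are DHT/JPG/DAC, not frame headers).
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}


def jpeg_frame_info(data):
    """Walk the marker segments and return (height, width, components) from the
    first SOF marker, or None if no frame header appears before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte before a marker
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                            # standalone markers, no length
            continue
        if marker == 0xD9:                      # EOI reached without SOF
            return None
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if seg_len < 2 or pos + 2 + seg_len > len(data):
            raise ValueError("truncated segment at offset %d" % pos)
        if marker in SOF_MARKERS:
            body = data[pos + 4:pos + 2 + seg_len]
            if len(body) < 6:
                raise ValueError("short SOF segment")
            _precision, height, width, ncomp = struct.unpack(">BHHB", body[:6])
            return height, width, ncomp
        if marker == 0xDA:                      # SOS: entropy data follows
            return None
        pos += 2 + seg_len
    return None


def naive_rgb_buffer_size(height, width):
    # Assumed allocation pattern from the CVE text: at most 3 output components.
    return height * width * 3


def required_buffer_size(height, width, ncomp):
    # Assumed decoder output: one byte per component per pixel.
    return height * width * ncomp


def check_jpeg(data):
    """Report whether the declared frame would overrun a 3-component buffer."""
    info = jpeg_frame_info(data)
    if info is None:
        return {"components": None, "overruns_rgb_buffer": False}
    height, width, ncomp = info
    naive = naive_rgb_buffer_size(height, width)
    needed = required_buffer_size(height, width, ncomp)
    return {"height": height, "width": width, "components": ncomp,
            "naive_size": naive, "required_size": needed,
            "overruns_rgb_buffer": needed > naive}


if __name__ == "__main__":
    for name, blob in (("cmyk", SAMPLE_CMYK_HEADER), ("ycbcr", SAMPLE_YCBCR_HEADER)):
        print(name, check_jpeg(blob))
```

Run it against a real file with `check_jpeg(open(path, "rb").read())`; any image reporting more than three components is one the CVE class applies to, and `required_size` minus `naive_size` is the shortfall a fixed-size three-component buffer would have.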
Comment 6 Mark Loeser (RETIRED) gentoo-dev 2006-05-31 18:02:31 UTC
x86 done
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-07 14:30:22 UTC
Hi,

> I think this bug may be the same as CVE-2006-1060 (GLSA-200604-10):

Any news on this?
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-10 00:04:52 UTC
According to the changelog 5.9 was released on 2005-01-28. So unless the changelog is wrong this is probably not something new.

I'd say post maintainer mail to -core and punt the package if no one steps up as upstream appears a bit slow.
Comment 9 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-10 00:34:23 UTC
I had no in depth look, but I assume that we were safe before (last GLSA, so I'm not entirely sure if we need a new GLSA for this at all).

At least, we should be safe now, since 5.9 was bumped with a patch included and is stabled.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-10 05:54:33 UTC
Taviso any comments on this one?

It seems questionable whether this really fixes any security issues, therefore I tend to vote for NO GLSA.
Comment 11 Tim Yamin (RETIRED) gentoo-dev 2006-06-10 08:11:30 UTC
(In reply to comment #7)
> Hi,
> 
> > I think this bug may be the same as CVE-2006-1060 (GLSA-200604-10):

Yes, this is the same. However, 200604-10 is wrong. It has >= 5.8 as unaffected while in reality the issue is fixed in 5.9+thisPatch (we never got a 5.8-r1 into the tree). So we need a new GLSA or an errata.
Comment 12 Tim Yamin (RETIRED) gentoo-dev 2006-06-10 08:18:17 UTC
(In reply to comment #0)
> <snip>
> WARNING: There is a known vulnerability in zgv 5.8 (and all previous versions)
> such that suitably-constructed images can be made to run arbitrary commands
> when viewed with zgv - not as root, but as the user running zgv. This still has
> the potential to cause serious trouble, so I strongly recommend that existing
> users upgrade to the current version.
> </snip>
> 
> Can someone verify this, please?

This actually refers to bug #69150 which we fixed a looooong time ago... but the problem with the jpeg mess remains; thanks for uh, getting one of us to notice it :)
Comment 13 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-10 08:36:58 UTC
Thx Tim for clearing this up.

I'll issue an errata (and someone ought to find a maintainer for this one).
Comment 14 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-11 12:33:28 UTC
Errata issued to GLSA 200604-10. Hopefully this mess is solved. Thx everyone.