| Field | Value |
|---|---|
| Summary | <dev-lang/tk-8.4.18-r1, <dev-util/sourcenav-5.1.4, <dev-util/insight-6.7.1-r1, <dev-perl/perl-tk-804.028-r2 (...): malformed GIF buffer overflow (CVE-2008-0553) |
| Product | Gentoo Security |
| Reporter | Raphael Marichez (Falco) (RETIRED) <falco> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | dev-tools, matsuu, mcummings, nerdboy, sci, tcltk, tester |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://secunia.com/advisories/28784/ |
| Whiteboard | B2 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Bug Depends on | 210326, 271789 |
| Bug Blocks | |
Description
Raphael Marichez (Falco) (RETIRED)
Created attachment 142420 [details, diff]: patch with testcase
dev-lang/tk-8.4.15-r2 dev-lang/tk-8.4.17 dev-lang/tk-8.5.0-r2 in cvs. plz mark stable tk-8.4.15-r2

Public now, it's SA28784 and CVE-2008-0553

If you know about other packages actually using a vulnerable embedded code, please let us know.

Sourcenav patched (both versions).

Hi, the patch is official in tk 8.5.1, you (maintainers) can include it in your ebuilds so that I can call arches one time for all these packages, and we can avoid splitting this bug into several bugs and several glsas.

A copy of the code is also shipped by:
* sci-astronomy/ds9
* sci-visualization/paraview
* games-util/umodpack
* media-sound/rat
* sys-devel/gcc-nios2
* sys-devel/binutils-nios2
I did not check whether the code is actually used yet, hopefully someone else can.

Thanks rbu, I performed further checks. Since there are numerous affected ebuilds, if maintainers don't manifest in a reasonable time (1 week), I'll add the patch to the ebuilds myself.

dev-lang/tk compiles the vulnerable code.
dev-util/sourcenav compiles it
dev-util/insight compiles it
dev-perl/perl-tk compiles it
* sci-astronomy/ds9 compiles it
* sci-visualization/paraview only in 2.x. Not in 3.x. Latest version unaffected --> not a problem, just remove 2.x or patch 2.x
* games-util/umodpack uses it as a dependency but does not ship it
* media-sound/rat only in the latest version (3.x). No stable ebuild affected. Not sure it actually uses the code. We'll suppose so. 3.x has to be patched.
* sys-devel/gcc-nios2 didn't try to compile, but code is here
* sys-devel/binutils-nios2 didn't try to compile, but code is here

I would also like to know whether an attacker can control the GIF images that would be opened by the Tk component of the applications. If the attacker cannot entice a user to open a specially crafted GIF image with the Tk library, there is no vulnerability in your package. I don't know the mentioned package enough to say, so I need maintainers' help.
> * sci-astronomy/ds9 compiles it
fixed.
> * sci-visualization/paraview only in 2.x
Fixed in portage cvs via patch.
Thanks,
Markus
Any news on this one?

very very late...

dev-util/insight-6.7.1-r1 has the patch

falco, any news here? Is it fixed yet?

+ 12 May 2009; Samuli Suominen <ssuominen@gentoo.org> package.mask:
+ Mask media-sound/rat for removal wrt security #208464, CVE-2008-0553.

+*perl-tk-804.028-r2 (29 May 2009)
+
+ 29 May 2009; Alex Legler <a3li@gentoo.org> +perl-tk-804.028-r2.ebuild,
+ +files/perl-tk-CVE-2008-0553.patch:
+ Non-maintainer commit: Revbump to fix the CVE-2008-0553 security issue,
+ bug 208464.
Asked for stabilization in bug 271789

perl-tk done, vulnerable ebuild removed.

If I see it correctly we are done here, right?

(In reply to comment #18)
> If I see it correctly we are done here, right?

Almost. It's GLSA time.

* sys-devel/gcc-nios2
* sys-devel/binutils-nios2
These aren't in the tree anymore.

Removing toolchain

This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).