Bug 220391 (CVE-2008-2080)

Summary:	sci-libs/cdf <3.2.1 Buffer Overflow Vulnerability (CVE-2008-2080)
Product:	Gentoo Security	Reporter:	Robert Buchholz (RETIRED) <rbu>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	bicatali, sci
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://cdf.gsfc.nasa.gov/CDF32_buffer_overflow.html
Whiteboard:	B2 [glsa]
Package list:		Runtime testing required:	---

Description Robert Buchholz (RETIRED) gentoo-dev

2008-05-05 15:37:16 UTC

Quoting from URL:
The libraries for the scientific data file format, Common Data Format (CDF) version 3.2 and earlier, have the potential for a buffer overflow vulnerability when reading specially-crafted (invalid) CDF files. If successful, this could trigger execution of arbitrary code within the context of the CDF-reading program that could be exploited to compromise a system, or otherwise crash the program. While it's unlikely that you would open CDFs from untrusted sources, we recommend everyone upgrade to the latest CDF libraries on their systems, including the IDL and Matlab plugins. Most worrisome is any service that enables the general public to submit CDF files for processing.

The vulnerability is in the CDF library routines not properly checking the length tags on a CDF file before copying data to a stack buffer. Exploitation requires the user to explicitly open a specially-crafted file. CDF users should not open files from untrusted third parties until the patch is applied (and continue then to exercise normal caution for files from untrusted third parties).

CDF 3.2.1 addresses this vulnerability and introduces further usability fixes. Updates for Perl, IDL, Matlab and Java WebStart are also available. Java WebStart applications that refer to http://sscweb.gsfc.nasa.gov/skteditor/cdf/cdf-latest.jnlp, will automatically be updated to include this fix the next time the application is started while connected to the Internet.

Comment 1 Robert Buchholz (RETIRED) gentoo-dev

2008-05-05 15:45:58 UTC

ftp://cdaweb.gsfc.nasa.gov/pub/cdf/dist/cdf321/linux/

Comment 2 Robert Buchholz (RETIRED) gentoo-dev

2008-05-05 17:35:27 UTC

restricting bug

Comment 3 Robert Buchholz (RETIRED) gentoo-dev

2008-05-06 07:38:58 UTC

This is public now:
http://packetstormsecurity.org/0805-exploits/CORE-2008-0326.txt

Comment 4 Sébastien Fabbro (RETIRED) gentoo-dev

2008-05-06 12:58:22 UTC

Hi,

cdf-3.2.1.ebuild just committed. cdf-3.2 removed, and waiting for fast-track stabilization on 3.2.1 to remove cdf-3.1.

Thanks,

Comment 5 Markus Dittrich (RETIRED) gentoo-dev

2008-05-06 13:33:11 UTC

(In reply to comment #4)
> Hi,
> 
> cdf-3.2.1.ebuild just committed. cdf-3.2 removed, and waiting for fast-track
> stabilization on 3.2.1 to remove cdf-3.1.
> 
> Thanks,
> 

Thanks much Sebastien! I was just in the middle of fixing this myself;)
Why on earth didn't upstream at least rename their tarballs to to 3.2.1
instead of just re-distributing a patched 3.2 version?

Best,
Markus

Comment 6 Robert Buchholz (RETIRED) gentoo-dev

2008-05-06 14:39:39 UTC

Arches, please test and mark stable:
=sci-libs/cdf-3.2.1
Target keywords : "amd64 ppc release x86"

Comment 7 Christian Faulhammer (RETIRED) gentoo-dev

2008-05-06 14:44:27 UTC

*** Bug 220591 has been marked as a duplicate of this bug. ***

Comment 8 Christian Faulhammer (RETIRED) gentoo-dev

2008-05-06 19:59:22 UTC

x86 stable

Comment 9 Markus Meier gentoo-dev

2008-05-07 20:00:18 UTC

did they change the tarballs again?
ftp://cdaweb.gsfc.nasa.gov/pub/cdf/dist/cdf321/unix/ changed date on 2008-05-06 which was yesterday...


# emerge --fetchonly cdf
Calculating dependencies... done!

>>> Emerging (1 of 1) sci-libs/cdf-3.2.1 to /
>>> Downloading 'ftp://cdaweb.gsfc.nasa.gov/pub/cdf/dist/cdf321/unix/cdf32-dist-cdf.tar.gz'
--2008-05-07 21:58:04--  ftp://cdaweb.gsfc.nasa.gov/pub/cdf/dist/cdf321/unix/cdf32-dist-cdf.tar.gz
           => `/usr/portage/distfiles/cdf32-dist-cdf.tar.gz'
Resolving cdaweb.gsfc.nasa.gov... 128.183.191.173
Connecting to cdaweb.gsfc.nasa.gov|128.183.191.173|:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/cdf/dist/cdf321/unix ... done.
==> SIZE cdf32-dist-cdf.tar.gz ... 966514
==> PASV ... done.    ==> RETR cdf32-dist-cdf.tar.gz ... done.
Length: 966514 (944K)

100%[===================================================================================================================>] 966,514      226K/s   in 4.5s    

2008-05-07 21:58:28 (208 KB/s) - `/usr/portage/distfiles/cdf32-dist-cdf.tar.gz' saved [966514]

('Filesize does not match recorded size', 966514L, 966480)
!!! Fetched file: cdf32-dist-cdf.tar.gz VERIFY FAILED!
!!! Reason: Filesize does not match recorded size
!!! Got:      966514
!!! Expected: 966480
Refetching... File renamed to '/usr/portage/distfiles/cdf32-dist-cdf.tar.gz._checksum_failure_.lJLiKk'

!!! Couldn't download 'cdf32-dist-cdf.tar.gz'. Aborting.

Comment 10 Sébastien Fabbro (RETIRED) gentoo-dev

2008-05-08 10:34:54 UTC

(In reply to comment #9)
> did they change the tarballs again?

Yes they did! I removed the mirror restriction and suggested upstream to fix this.

Comment 11 Sébastien Fabbro (RETIRED) gentoo-dev

2008-05-09 13:22:00 UTC

Please go for stabilization on cdf-3.2.1-r1 I've just committed. 
Upstream finally changed their tar balls, and 3.2.1 had a bad patch.
Re-adding x86.

Thanks.

Comment 12 Markus Meier gentoo-dev

2008-05-09 19:12:41 UTC

amd64/x86 stable

Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev

2008-05-11 12:24:04 UTC

ppc stable

Comment 14 Peter Volkov (RETIRED) gentoo-dev

2008-05-11 17:58:48 UTC

Fixed in release snapshot.

Comment 15 Tobias Heinlein (RETIRED) gentoo-dev

2008-05-11 18:49:12 UTC

GLSA request filed.

Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev

2008-05-13 20:45:24 UTC

GLSA 200805-14