Bug 252513

Summary: x11-misc/xnc bundles a copy of libSDL, libSDL_image, vulnerable to CVE-2007-6697
Product: Gentoo Security
Reporter: Diego Elio Pettenò (RETIRED) <flameeyes>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: esigra
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [noglsa]
Package list:
Runtime testing required: ---
Bug Depends on: 276240
Bug Blocks: 251464

Description Diego Elio Pettenò (RETIRED) gentoo-dev 2008-12-25 20:26:24 UTC
Symbol IMG_LoadTIF_RW@@ (32-bit UNIX System V ABI Intel 80386) present 7 times
  /usr/bin/xncsetup
  /usr/bin/ives
  /usr/bin/xncloader
  /usr/bin/xnlaunch
  /usr/lib/libSDL_image-1.2.so.0.1.6
  /usr/bin/xnc
  /usr/bin/xjpegroot

And more.

Might be vulnerable to GLSA 200802-01, considering it hasn't been bumped since 2004, thus escalating to security.
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2008-12-29 00:29:19 UTC
Symbol SDL_WriteBE64@@ (32-bit UNIX System V ABI Intel 80386) present 7 times
  /usr/bin/xncsetup
  /usr/bin/ives
  /usr/bin/xncloader
  /usr/bin/xnlaunch
  libSDL
  /usr/bin/xnc
  /usr/bin/xjpegroot
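
The listings in the description and in comment 1 name every object that defines a given symbol, so a binary listed beside the library for that symbol carries its own copy of the library code. As an added example (not part of the bug report or of the tool that produced those listings), the following parses that report format and maps each binary to the libraries it duplicates; the function names, the `lib` basename heuristic and the abridged sample are assumptions.

```python
import re
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed, abridged sample in the report format quoted in this bug.
SAMPLE = """\
Symbol IMG_LoadTIF_RW@@ (32-bit UNIX System V ABI Intel 80386) present 4 times
  /usr/bin/xncsetup
  /usr/bin/ives
  /usr/lib/libSDL_image-1.2.so.0.1.6
  /usr/bin/xnc
Symbol SDL_WriteBE64@@ (32-bit UNIX System V ABI Intel 80386) present 3 times
  /usr/bin/xncsetup
  libSDL
  /usr/bin/xjpegroot
"""

HEADER = re.compile(r"^Symbol (\S+?)@@\S* \((.+)\) present (\d+) times$")

def parse_report(text):
    """Return {symbol: [object, ...]} from a symbol collision report."""
    report, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = report.setdefault(m.group(1), [])
        elif line.startswith((" ", "\t")) and line.strip() and current is not None:
            current.append(line.strip())
        else:
            current = None  # blank line or free text ends the current entry
    return report

def is_library(obj):
    # Assumption: a library entry is recognisable by a "lib" basename prefix.
    return PurePosixPath(obj).name.startswith("lib")

def bundled_copies(report):
    """Map each non-library object to {library: [symbols it also defines]}."""
    found = defaultdict(lambda: defaultdict(set))
    for symbol, objects in report.items():
        libraries = [o for o in objects if is_library(o)]
        for obj in objects:
            if not is_library(obj):
                for lib in libraries:
                    found[obj][lib].add(symbol)
    return {o: {l: sorted(s) for l, s in per_lib.items()} for o, per_lib in found.items()}

if __name__ == "__main__":
    for binary, libs in sorted(bundled_copies(parse_report(SAMPLE)).items()):
        print(binary, "->", libs)
```
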
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-08-11 12:47:00 UTC
I could not find the SDL functionality exposed in xnc directly. It seems only x(nc)setup and xjpegroot expose the SDL functionality. I could reproduce the issue in jpegroot:

$ gdb /usr/bin/xjpegroot
GNU gdb 6.8
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu"...
(gdb) run -c CVE-2007-6697.gif
Starting program: /usr/bin/xjpegroot -c CVE-2007-6697.gif
XJPEGroot Version 1.1.6
**********Image Engine**********
*                              *
*Visual:  TrueColor            *
*Depth:   24  (4 bytes/pixel)  *
*RGB:     8:8:8                *
*Colors:  16777216             *
*Images:  GIF,JPEG,PCX         *
*                              *
******** (c) Leo 96-98 *********
Loading image [CVE-2007-6697.gif].....

Program received signal SIGSEGV, Segmentation fault.
LWZReadByte (src=0x24812d0, flag=<value optimized out>, input_code_size=<value optimized out>) at sdl_image/IMG_gif.c:425
425                 table[1][i] = i;
Current language:  auto; currently c
(gdb) bt
#0  LWZReadByte (src=0x24812d0, flag=<value optimized out>, input_code_size=<value optimized out>) at sdl_image/IMG_gif.c:425
#1  0x000000000040c42a in ReadImage (src=0x24812d0, len=10, height=10, cmapSize=256, cmap=0x62ad28, gray=<value optimized out>, interlace=0, ignore=0)
    at sdl_image/IMG_gif.c:523
#2  0x000000000040c9e2 in IMG_LoadGIF_RW (src=0x24812d0) at sdl_image/IMG_gif.c:249
#3  0x000000000040b5cc in im_load_image_through_loader (fname=<value optimized out>, to_pic=0x614400, from_mem_size=<value optimized out>,
    img_loader=0x40c680 <IMG_LoadGIF_RW>) at sdl_image/SDL_to_picinfo.c:137
#4  0x0000000000407b39 in LoadXImage (file=0x7fff9fa9ee55 "CVE-2007-6697.gif", cmptype=<value optimized out>, type=<value optimized out>) at image.cxx:580
#5  0x0000000000405b32 in SetRootWindow (tline=0x7fff9fa9ee55 "CVE-2007-6697.gif", opt=<value optimized out>) at xjpegroot.cxx:77
#6  0x0000000000405d84 in main (argc=3, argv=0x7fff9fa9e618) at xjpegroot.cxx:50
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2009-08-11 12:54:47 UTC
Oh, I missed ives. It exposes the functions as well.
Comment 4 Samuli Suominen (RETIRED) gentoo-dev 2009-09-04 08:29:17 UTC
Removed from tree by maintainers.
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-04 12:13:27 UTC
GLSA time first, Samuli.
Comment 6 Sergey Popov gentoo-dev 2014-02-28 09:50:40 UTC
Removed from tree long time ago, no GLSA