| Field | Value |
|---|---|
| Summary | <app-text/htmldoc-1.8.27-r1 Multiple insecure calls to sscanf() (CVE-2009-3050) |
| Product | Gentoo Security |
| Reporter | Alex Legler (RETIRED) <a3li> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| CC | carlo, thecrux |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.htmldoc.org/str.php?L214 |
| Whiteboard | B2 [glsa] |
| Package list | |
| Runtime testing required | --- |
| Attachments | |
Description
Alex Legler (RETIRED)
2009-07-17 17:50:43 UTC
In util.cxx:

    420 set_page_size(const char *size) /* I - Page size string */
    ..
    424 char units[255]; /* Units string */
    ..
    487 else if (sscanf(size, "%fx%f%s", &width, &length, units) >= 2)

Created attachment 198347 [details, diff]
htmldoc-set_page_size.patch
Quick patch that should fix this issue. Comments?
From Secunia (http://secunia.com/advisories/35780/):

Description: ANTHRAX666 has discovered a vulnerability in HTMLDOC, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused by an unsafe call to "sscanf()" in the "set_page_size()" function in htmldoc/util.cxx. This can be exploited to cause a stack-based buffer overflow when an HTML document containing e.g. a specially crafted "MEDIA SIZE" comment is being processed. The vulnerability is confirmed in version 1.8.27. Other versions may also be affected.

2 symbols are enough. units may contain values: "mm", "cm", "in" (any other value == "px")

- else if (sscanf(size, "%fx%f%s", &width, &length, units) >= 2)
+ else if (sscanf(size, "%fx%f%2s", &width, &length, units) >= 2)

Mh, true. I have included this question in the upstream bug report.

Filed upstream as: http://www.htmldoc.org/str.php?L214

nion of Debian found two more insecure calls:

    htmllib.cxx:
    2142 if (sscanf(line, "%*s%*s%*s%*s%f%*s%*s%s", &width, glyph) != 2)

    ps-pdf.cxx:
    12515 if (sscanf(line, "%*s%*s%*s%*s%d%*s%*s%s", &width, glyph) != 2)

I tried to reproduce it and was able to cause a buffer overflow by supplying a crafted AFM font file with an overly long glyph name.

Created attachment 199846 [details, diff]
Updated patch
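Review bot: the %2s in the set_page_size() suggestion earlier in this thread bounds the write correctly (two characters plus the NUL fit comfortably in units[255]), but it also changes how unknown units are classified: a suffix such as "inches" or "mmx" now scans as "in" or "mm" with the rest of the token left unconsumed, whereas with the unbounded %s the whole token was compared and anything other than mm/cm/in fell through to px. If that behaviour change is not wanted, %254s keeps the old classification while still bounding the copy; either way the `>= 2` return check should stay so that a missing units suffix remains valid.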
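The two sscanf() shapes from this bug, the units suffix in set_page_size() and the glyph name in the AFM reader, each beside a bounded replacement and exercised on constructed inputs including the two over-long cases described above. This is an added example, not HTMLDOC's code or either patch: the unit-to-points table, the 64-byte glyph buffer and all function names are assumptions of the example. The rule it demonstrates is that a %s conversion needs a field width of at most sizeof(buf) - 1 so the terminating NUL still fits.

```c
/* Added example (not HTMLDOC code): unbounded vs. bounded sscanf() on the
 * two inputs from this bug. Field widths are sizeof(buf) - 1. */
#include <stdio.h>
#include <string.h>

#define UNITS_SIZE 255   /* same size as util.cxx's units[255] */
#define GLYPH_SIZE 64    /* assumed; the AFM glyph buffer size is not on the page */

/* "%s" with no width: a units suffix of 255+ bytes overruns units[]
 * (the CVE-2009-3050 shape). Kept only for comparison; never call it on
 * untrusted input. */
int page_size_unbounded(const char *size, float *width, float *length)
{
    char units[UNITS_SIZE];
    return sscanf(size, "%fx%f%s", width, length, units) >= 2;
}

/* Bounded parse of "WIDTHxLENGTH[units]" into points. The unit table
 * (in, cm, mm, anything else taken as points) is an assumption here. */
int page_size_bounded(const char *size, float *width_pt, float *length_pt)
{
    char  units[UNITS_SIZE];
    float width, length, scale;

    units[0] = '\0';                 /* the suffix is optional: "8.5x11" is valid */
    if (sscanf(size, "%fx%f%254s", &width, &length, units) < 2)
        return 0;

    if (strcmp(units, "in") == 0)      scale = 72.0f;
    else if (strcmp(units, "cm") == 0) scale = 72.0f / 2.54f;
    else if (strcmp(units, "mm") == 0) scale = 72.0f / 25.4f;
    else                               scale = 1.0f;

    *width_pt  = width  * scale;
    *length_pt = length * scale;
    return 1;
}

/* AFM char-metrics line, e.g. "C 32 ; WX 600 ; N space ; B 0 0 0 0 ;".
 * Unbounded shape from htmllib.cxx/ps-pdf.cxx: the glyph name is copied
 * with no limit. Kept for comparison only. */
int afm_char_unbounded(const char *line, int *width, char *glyph)
{
    return sscanf(line, "%*s%*s%*s%*s%d%*s%*s%s", width, glyph) == 2;
}

/* Bounded: "%63s" for a 64-byte glyph[]; a longer name is truncated. */
int afm_char_bounded(const char *line, int *width, char glyph[GLYPH_SIZE])
{
    return sscanf(line, "%*s%*s%*s%*s%d%*s%*s%63s", width, glyph) == 2;
}

/* Runs the bounded parsers over constructed inputs; returns 1 on success. */
int demo(void)
{
    char  long_size[600], long_afm[600], glyph[GLYPH_SIZE];
    float w, l;
    int   wx;

    /* Constructed MEDIA SIZE value with a 500-byte units suffix: this is the
     * input that overruns units[255] in the unbounded version. */
    memset(long_size, 'A', sizeof(long_size));
    memcpy(long_size, "8.5x11", 6);
    long_size[506] = '\0';

    if (!page_size_bounded("8.5x11in", &w, &l) || w != 612.0f || l != 792.0f)
        return 0;
    if (!page_size_bounded(long_size, &w, &l) || w != 8.5f || l != 11.0f)
        return 0;
    if (page_size_bounded("letter", &w, &l))     /* no WIDTHxLENGTH: rejected */
        return 0;

    /* Constructed AFM line whose glyph name is 500 bytes long. */
    strcpy(long_afm, "C 65 ; WX 600 ; N ");
    memset(long_afm + 18, 'A', 500);
    long_afm[18 + 500] = '\0';

    if (!afm_char_bounded("C 32 ; WX 600 ; N space ; B 0 0 0 0 ;", &wx, glyph)
        || wx != 600 || strcmp(glyph, "space") != 0)
        return 0;
    if (!afm_char_bounded(long_afm, &wx, glyph)
        || wx != 600 || strlen(glyph) != GLYPH_SIZE - 1)
        return 0;

    return 1;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The bounded variants truncate rather than reject over-long tokens, which is what a width specifier buys you; whether a truncated units or glyph token should then be treated as an error is a separate decision the parser has to make explicitly.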
Upstream won't include the fix until 1.9 is released, so Carlo, please apply the patch.

Arches, please test and mark stable:
=app-text/htmldoc-1.8.27-r1
Target keywords : "alpha amd64 ia64 ppc sparc x86"

x86 stable

ppc stable

alpha/ia64/sparc stable

23 Aug 2009; Alex Legler <a3li@gentoo.org> htmldoc-1.8.27-r1.ebuild:
amd64 stable, security bug 278186.

GLSA draft filed.

CVE-2009-3050 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3050):
Buffer overflow in the set_page_size function in util.cxx in HTMLDOC 1.8.27 and earlier allows context-dependent attackers to execute arbitrary code via a long MEDIA SIZE comment. NOTE: it was later reported that there were additional vectors in htmllib.cxx and ps-pdf.cxx using an AFM font file with a long glyph name, but these vectors do not cross privilege boundaries.

GLSA 200909-12