Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 307525

Summary: <media-gfx/splashutils-1.5.4.3-r2: statically links to vulnerable jpeg and freetype
Product: Gentoo Security Reporter: Samuli Suominen (RETIRED) <ssuominen>
Component: AuditingAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: spock
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Samuli Suominen (RETIRED) gentoo-dev 2010-03-02 20:08:30 UTC
jpeg-6b is vuln. to CVE-2006-3005 or GLSA 200606-11. And you should also review the status of other bundled libs, here is a list:

[ .. snip .. ]

V_JPEG="6b"
V_PNG="1.2.18"
V_ZLIB="1.2.3"
V_FT="2.3.5"

ZLIBSRC="libs/zlib-${V_ZLIB}"
LPNGSRC="libs/libpng-${V_PNG}"
JPEGSRC="libs/jpeg-${V_JPEG}"
FT2SRC="libs/freetype-${V_FT}"

SRC_URI="mirror://berlios/fbsplash/${PN}-lite-${PV}.tar.bz2
        mirror://berlios/fbsplash/${GENTOOSPLASH}.tar.bz2
        mirror://gentoo/${MISCSPLASH}.tar.bz2
        mirror://sourceforge/libpng/libpng-${V_PNG}.tar.bz2
        ftp://ftp.uu.net/graphics/jpeg/jpegsrc.v${V_JPEG}.tar.gz
        mirror://sourceforge/freetype/freetype-${V_FT}.tar.bz2
        http://www.gzip.org/zlib/zlib-${V_ZLIB}.tar.bz2"

[ .. snip .. ]
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-02 20:17:04 UTC
spock, can you please check to see if fixing this is possible?
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2010-03-02 20:19:00 UTC
Freetype should be vulnerable to CVE-2009-0946,

Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c.
Comment 3 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-02 20:53:33 UTC
The "bundled" libpng version is vulnerable to:
- GLSA 200711-08
- GLSA 200804-15
- GLSA 200903-28
- GLSA 200906-01

>=1.2.37 is not vulnerable.
Comment 4 Michal Januszewski (RETIRED) gentoo-dev 2010-03-02 20:56:35 UTC
All of the above problems should be fixed in 1.5.4.3-r1 which I just pushed to CVS.
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-02 21:21:07 UTC
Cool, thanks for the fast fix! However, isn't it possible to make it use the system zlib/jpeg/freetype/libpng rather than download them? Or is the build system too screwed up for that?
Comment 6 Michal Januszewski (RETIRED) gentoo-dev 2010-03-02 21:26:06 UTC
(In reply to comment #5)
> Cool, thanks for the fast fix! However, isn't it possible to make it use the
> system zlib/jpeg/freetype/libpng rather than download them? Or is the build
> system too screwed up for that?

It's not a matter of the build system.  The libraries are downloaded because the kernel helper in splashutils is built against klibc and statically linked with minimal versions of libpng/libjpeg/.. built out of the downloaded sources.  This makes the kernel helper binary small and suitable for inclusion in an initramfs image.

Please note that the "bundled" libraries are only used for the kernel helper, which in turn is only used if the fbcondecor patch is active.  All other splashutils binaries, both the statically and dynamically linked ones, use system libraries only.
 

Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-03 16:36:11 UTC
Okay, I understand that attack vectors are very limited, but a new issue turned up: https://bugs.gentoo.org/show_bug.cgi?id=307637

Please bump the ebuild again to use >=libpng-1.2.43.
Comment 8 Michal Januszewski (RETIRED) gentoo-dev 2010-03-03 20:19:33 UTC
(In reply to comment #7)

> Please bump the ebuild again to use >=libpng-1.2.43.

Done in -r2. 

Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-03 20:59:13 UTC
Thanks.

Arches, please test and mark stable:
=media-gfx/splashutils-1.5.4.3-r2
Target keywords : "amd64 ppc x86"
Comment 10 PaweĊ‚ Hajdan, Jr. (RETIRED) gentoo-dev 2010-03-04 08:00:21 UTC
x86 stable
Comment 11 Markus Meier gentoo-dev 2010-03-07 15:38:56 UTC
amd64 stable
Comment 12 Joe Jezak (RETIRED) gentoo-dev 2010-03-09 22:11:15 UTC
Marked ppc stable.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:14:30 UTC
Add to existing GLSA request.
Comment 14 Pacho Ramos gentoo-dev 2013-06-16 17:37:01 UTC
security, ping
Comment 15 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-12 00:30:07 UTC
This issue was resolved and addressed in
 GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).