| Summary: | <media-gfx/splashutils-1.5.4.3-r2: statically links to vulnerable jpeg and freetype | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Samuli Suominen (RETIRED) <ssuominen> |
| Component: | Auditing | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | spock |
| Priority: | High | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B2 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
Description

Samuli Suominen (RETIRED)

spock, can you please check to see if fixing this is possible? Freetype should be vulnerable to CVE-2009-0946, Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c. The "bundled" libpng version is vulnerable to:

- GLSA 200711-08
- GLSA 200804-15
- GLSA 200903-28
- GLSA 200906-01

>=1.2.37 is not vulnerable.

---

All of the above problems should be fixed in 1.5.4.3-r1 which I just pushed to CVS.

---

Cool, thanks for the fast fix! However, isn't it possible to make it use the system zlib/jpeg/freetype/libpng rather than download them? Or is the build system too screwed up for that?

---

(In reply to comment #5)
> Cool, thanks for the fast fix! However, isn't it possible to make it use the
> system zlib/jpeg/freetype/libpng rather than download them? Or is the build
> system too screwed up for that?

It's not a matter of the build system. The libraries are downloaded because the kernel helper in splashutils is built against klibc and statically linked with minimal versions of libpng/libjpeg/.. built out of the downloaded sources. This makes the kernel helper binary small and suitable for inclusion in an initramfs image.

Please note that the "bundled" libraries are only used for the kernel helper, which in turn is only used if the fbcondecor patch is active. All other splashutils binaries, both the statically and dynamically linked ones, use system libraries only.

---

Okay, I understand that attack vectors are very limited, but a new issue turned up: https://bugs.gentoo.org/show_bug.cgi?id=307637

Please bump the ebuild again to use >=libpng-1.2.43.

---

(In reply to comment #7)
> Please bump the ebuild again to use >=libpng-1.2.43.

Done in -r2.

---

Thanks. Arches, please test and mark stable: =media-gfx/splashutils-1.5.4.3-r2
Target keywords : "amd64 ppc x86"

---

x86 stable

---

amd64 stable

---

Marked ppc stable.

---

Add to existing GLSA request.

---

security, ping

---

This issue was resolved and addressed in GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml by GLSA coordinator Sean Amoss (ackle).
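Because the kernel helper is statically linked against bundled sources, a system libpng upgrade does not fix it; the only way to confirm the -r2 bump took effect is to inspect the helper binary itself. The following added example (not part of the bug thread or of splashutils) does that for libpng, which embeds a "libpng version X.Y.Z" string in every build, and compares it against the >=1.2.43 floor requested above; the sample "binaries" are constructed stand-ins, and FreeType/libjpeg are not covered because they carry no equally reliable version string.

```python
import re

# Minimum libpng version the bug asks the ebuild to bundle (>=libpng-1.2.43).
MIN_LIBPNG = (1, 2, 43)

# libpng's copyright/header string starts "libpng version 1.2.43 - <date>";
# it survives static linking because png_get_copyright() references it.
_LIBPNG_RE = re.compile(rb"libpng version (\d+)\.(\d+)\.(\d+)")


def find_libpng_versions(blob: bytes):
    """Return every distinct libpng version string found in blob, sorted."""
    found = {tuple(int(x) for x in m.groups()) for m in _LIBPNG_RE.finditer(blob)}
    return sorted(found)


def audit_libpng(blob: bytes, minimum=MIN_LIBPNG):
    """Classify a statically linked binary as 'absent', 'vulnerable' or 'ok'.

    'absent' means no libpng string was found (e.g. a dynamically linked
    binary that relies on the system library), so nothing can be concluded.
    A single bundled copy older than `minimum` marks the whole binary.
    """
    versions = find_libpng_versions(blob)
    if not versions:
        return "absent", []
    outdated = [v for v in versions if v < minimum]
    return ("vulnerable" if outdated else "ok"), versions


def audit_file(path, minimum=MIN_LIBPNG):
    """Convenience wrapper for a real file, e.g. the fbcondecor kernel helper."""
    with open(path, "rb") as f:
        return audit_libpng(f.read(), minimum)


# Constructed stand-ins for the helper before and after the -r2 bump.
OLD_HELPER = b"\x7fELF\x01\x01...libpng version 1.2.37 - (constructed)\x00..."
NEW_HELPER = b"\x7fELF\x01\x01...libpng version 1.2.43 - (constructed)\x00..."

if __name__ == "__main__":
    for name, blob in (("old helper", OLD_HELPER), ("new helper", NEW_HELPER)):
        print(name, audit_libpng(blob))
```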