Bug 440762 (CVE-2012-4552)

Summary:

<media-libs/plib-1.8.5-r1: stack-based buffer overflow in the error function in ssg/ssgParser.cxx (CVE-2012-4552)

Product:

Gentoo Security

Reporter:

Agostino Sarubbo <ago>

Component:

Vulnerabilities

Assignee:

Gentoo Security <security>

Status:

RESOLVED FIXED

Severity:

normal

CC:

games

Priority:

Normal

Version:

unspecified

Hardware:

All

OS:

Linux

URL:

http://www.openwall.com/lists/oss-security/2012/10/29/8

Whiteboard:

B2 [glsa+ cve]

Package list:

Runtime testing required:

---

Attachments:

Description	Flags
Patch from debian	none

Description Agostino Sarubbo gentoo-dev

2012-11-01 16:04:13 UTC

From https://bugzilla.redhat.com/show_bug.cgi?id=871187 :

A stack-based buffer overflow flaw was reported [1] in how plib handles errors when loading 3d 
model files as X (Direct X), ASC, ASE, ATG, and OFF.  The description of the flaw follows:

Vulnerability Details: Plib is prone to stack based Buffer overflow in the
error function in ssg/ssgParser.cxx when it loads 3d model files as X
(Direct x), ASC, ASE, ATG, and OFF, if a very long error message is passed
to the function, in line 68:


// Output an error
void _ssgParser::error( const char *format, ... )
{
  char msgbuff[ 255 ];
  va_list argp;

  char* msgptr = msgbuff;
  if (linenum)
  {
    msgptr += sprintf ( msgptr,"%s, line %d: ",
      path, linenum );
  }

  va_start( argp, format );
68        vsprintf( msgptr, format, argp );
  va_end( argp );

  ulSetError ( UL_WARNING, "%s", msgbuff ) ;
}

I'm unsure whether or not this was reported upstream (there is no relevant bugs, and the last 
commit to ssgParser.cxx [2] was five years ago).

[1] http://www.openwall.com/lists/oss-security/2012/10/29/8
[2] http://plib.svn.sourceforge.net/viewvc/plib/trunk/src/ssg/ssgParser.cxx?view=log

Comment 1 GLSAMaker/CVETool Bot gentoo-dev

2012-11-20 00:39:44 UTC

CVE-2012-4552 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4552):
  Stack-based buffer overflow in the error function in ssg/ssgParser.cxx in
  PLIB 1.8.5 allows remote attackers to execute arbitrary code via a crafted
  3d model file that triggers a long error message, as demonstrated by a .ase
  file.

Comment 2 Samuel Damashek (RETIRED) gentoo-dev

2013-12-22 21:00:43 UTC

plib is no longer being maintained upstream.

Comment 3 Felix Janda 2016-01-23 17:26:47 UTC

Created attachment 423698 [details, diff]
Patch from debian

Extracted from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694810#10

Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-07-20 00:08:46 UTC

Update:

There's a public exploit for this vulnerability, the shellcode is for windows but it shouldn't be hard to use it on linux because is a bufferoverflow.

https://www.exploit-db.com/exploits/21831/

Comment 5 Christopher Díaz Riveros (RETIRED) gentoo-dev

2017-07-20 03:26:01 UTC

(In reply to Christopher Díaz from comment #4)
> Update:
> 
> There's a public exploit for this vulnerability, the shellcode is for
> windows but it shouldn't be hard to use it on linux because is a
> bufferoverflow.
> 
> https://www.exploit-db.com/exploits/21831/

There's some extra info to be considered about this bug. 

Those are the packages that depend on this library:

games-action/tuxkart-0.4.0 (>=media-libs/plib-1.8.0)
games-action/tuxkart-0.4.0-r1 (>=media-libs/plib-1.8.0)
games-simulation/crashtest-1.1 (>=media-libs/plib-1.8.4)
games-simulation/crashtest-1.1-r1 (>=media-libs/plib-1.8.4)
games-simulation/crrcsim-0.9.13 (media-libs/plib)
games-simulation/flightgear-2016.4.4 (>=media-libs/plib-1.8.5)
games-simulation/flightgear-2017.1.2 (>=media-libs/plib-1.8.5)
games-simulation/flightgear-2017.1.3 (>=media-libs/plib-1.8.5)
games-simulation/flightgear-2017.2.1 (>=media-libs/plib-1.8.5)
games-simulation/flightgear-9999 (>=media-libs/plib-1.8.5)
games-sports/gracer-0.1.5 (media-libs/plib)
games-sports/gracer-0.1.5-r1 (media-libs/plib)
games-sports/speed-dreams-1.4.0 (>=media-libs/plib-1.8.3)
games-sports/speed-dreams-1.4.0-r1 (>=media-libs/plib-1.8.3)
games-sports/stormbaancoureur-2.1.6 (>=media-libs/plib-1.8.4)
games-sports/stormbaancoureur-2.1.6-r1 (>=media-libs/plib-1.8.4)
games-sports/torcs-1.3.6 (>=media-libs/plib-1.8.5)
games-sports/torcs-1.3.6-r1 (>=media-libs/plib-1.8.5)
games-util/atlas-0.5.1_beta_pre20160907 (media-libs/plib)

And since there is no more maintenance from upstream, and probably no more patches are going to be released, maybe we should consider to apply debian's patch or mask all of them.

Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev

2018-02-23 21:28:15 UTC

This was fixed long time ago via commit https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2c3350ada353ca2c523210909a4fea07fcc5a10 (notice that Michael Sterrett picked the wrong file name "CVE-2011-4552" instead of "CVE-2012-4552").

Fixed version is already stable, repository is clean.

Comment 7 Larry the Git Cow gentoo-dev

2018-02-23 21:52:45 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=539747730dbc4f08b16985be312e13acd20f8f3d

commit 539747730dbc4f08b16985be312e13acd20f8f3d
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-02-23 21:45:01 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-02-23 21:52:33 +0000

    media-libs/plib: Fix patch naming
    
    It is "CVE-2012-4552", not "CVE-2011-4552".
    
    Bug: https://bugs.gentoo.org/440762
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 ...lib-1.8.5-CVE-2011-4552.patch => plib-1.8.5-CVE-2012-4552.patch} | 0
 media-libs/plib/plib-1.8.5-r1.ebuild                                | 6 +++---
 2 files changed, 3 insertions(+), 3 deletions(-)}

Comment 8 Aaron Bauman (RETIRED) gentoo-dev

2018-03-25 20:11:37 UTC

GLSA request filed

Comment 9 GLSAMaker/CVETool Bot gentoo-dev

2018-03-26 16:30:29 UTC

This issue was resolved and addressed in
 GLSA 201803-13 at https://security.gentoo.org/glsa/201803-13
by GLSA coordinator Aaron Bauman (b-man).