
Bug 466078 (CVE-2013-1953)

Summary: <media-gfx/autotrace-0.31.1-r7: stack-based buffer overflow in bmp parser (CVE-2013-1953)
Product: Gentoo Security    Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities    Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    CC: fonts, graphics+disabled
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2013/04/16/1
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2013-04-16 09:28:00 UTC
From ${URL} :

There is a stack-based buffer overflow in autotrace 0.31.1 in
Fedora[1]. In input-bmp.c, the input_bmp_reader() function creates a
buffer on the stack:

91   unsigned char buffer[64];

Later on

169   else if (Bitmap_File_Head.biSize <= 64) /* Probably OS/2 2.x */
170     {
171       if (!ReadOK (fd, buffer, Bitmap_File_Head.biSize - 4))

We control Bitmap_File_Head.biSize. A value of 0 meets the <=64
requirements, and 0 - 4 should result in almost 4294967295 bytes being
read into the buffer.

I am told:

""
The same code is in Gimp, it was introduced in commit
d9c6f88141aecf956c5d721168f795de0e3027b8 and accidentally fixed in
57f805a159874107c6c98065f9aa648c3634b8fd:

https://git.gnome.org/browse/gimp/commit/?h=d9c6f88141aecf956c5d7
https://git.gnome.org/browse/gimp/commit/?h=57f805a159874107c6c98

Similar code can also be found in sam2p.
""

On Fedora 18, the issue was caught by FORTIFY_SOURCE.

Murray.

[1] http://koji.fedoraproject.org/koji/buildinfo?buildID=340458



@maintainer(s): after the bump, please say explicitly if the package is ready for the stabilization or not
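The description above shows the two lines that matter: a 64-byte stack buffer and a read of `biSize - 4` bytes into it, guarded only by `biSize <= 64`. The following is an added C example, not autotrace's code and not the upstream patch: it mirrors that branch against an in-memory stand-in for `ReadOK()` (the `memfile` type and `read_ok()` are assumptions introduced here), computes the length the original would hand to `ReadOK()` in the same unsigned 32-bit arithmetic, and beside it shows a hardened variant that adds the missing lower bound. The lower bound `biSize >= 4` is an assumption chosen as the smallest value for which `biSize - 4` cannot wrap; the sample BMP files are constructed inline. The stand-in reader refuses to write past the buffer and reports the attempt instead, so the example runs without corrupting its own stack.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BMP_FILE_HEADER_LEN 14   /* 'BM', file size, reserved, pixel data offset */
#define BMP_HEADER_BUF      64   /* unsigned char buffer[64] in input_bmp_reader() */

enum { BMP_OVERFLOW = -1, BMP_REJECT = 0, BMP_OK = 1 };

/* Constructed in-memory "file" so the example runs without disk I/O (assumption). */
typedef struct { const unsigned char *data; size_t len, pos; } memfile;

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Stand-in for ReadOK(): 1 on success, 0 on short read, like the original.
 * Unlike the original it checks dst_cap and reports BMP_OVERFLOW instead of
 * writing past the end of the caller's stack buffer. */
static int read_ok(memfile *f, unsigned char *dst, size_t dst_cap, uint32_t len)
{
    if (len > dst_cap) return BMP_OVERFLOW;
    if (len > f->len - f->pos) return 0;
    memcpy(dst, f->data + f->pos, len);
    f->pos += len;
    return 1;
}

/* Length the original code passes to ReadOK() for a given biSize. biSize is a
 * 32-bit unsigned field, so a value below 4 wraps: 0 - 4 == 0xFFFFFFFC. */
uint32_t vulnerable_read_len(uint32_t biSize)
{
    return biSize - 4;
}

/* Parse the info header the way the "Probably OS/2 2.x" branch does.
 * hardened == 0 reproduces the original guard (biSize <= 64 only);
 * hardened != 0 adds the lower bound biSize >= 4 (assumption, see lead-in).
 * *read_len receives the length that would be handed to ReadOK().
 * Other header sizes (> 64) belong to branches the bug report does not show
 * and are rejected here. */
int parse_bmp_info(const unsigned char *file, size_t file_len, int hardened,
                   uint32_t *read_len)
{
    unsigned char buffer[BMP_HEADER_BUF];
    memfile f = { file, file_len, 0 };
    uint32_t biSize;

    *read_len = 0;
    if (read_ok(&f, buffer, sizeof buffer, BMP_FILE_HEADER_LEN) != 1) return BMP_REJECT;
    if (buffer[0] != 'B' || buffer[1] != 'M') return BMP_REJECT;
    if (read_ok(&f, buffer, sizeof buffer, 4) != 1) return BMP_REJECT;
    biSize = rd_le32(buffer);

    if (hardened && biSize < 4) return BMP_REJECT;   /* the check the original lacks */
    if (biSize > BMP_HEADER_BUF) return BMP_REJECT;

    *read_len = vulnerable_read_len(biSize);
    return read_ok(&f, buffer, sizeof buffer, *read_len);
}

/* Build a constructed sample file: 14-byte file header, 4-byte biSize, then
 * `extra` zero bytes of header body. Returns the total length. */
size_t make_bmp(unsigned char *out, uint32_t biSize, size_t extra)
{
    size_t n;
    memset(out, 0, BMP_FILE_HEADER_LEN + 4 + extra);
    out[0] = 'B'; out[1] = 'M';
    n = BMP_FILE_HEADER_LEN;
    out[n++] = (unsigned char)(biSize & 0xff);
    out[n++] = (unsigned char)((biSize >> 8) & 0xff);
    out[n++] = (unsigned char)((biSize >> 16) & 0xff);
    out[n++] = (unsigned char)((biSize >> 24) & 0xff);
    return n + extra;
}

int main(void)
{
    unsigned char file[128];
    uint32_t len;
    size_t n;

    n = make_bmp(file, 16, 12);   /* benign: biSize 16, twelve body bytes follow */
    printf("benign   biSize=16: status %d, read length %u\n",
           parse_bmp_info(file, n, 0, &len), len);
    n = make_bmp(file, 0, 0);     /* malicious: biSize 0 passes "<= 64" */
    printf("original biSize=0 : status %d, read length %u\n",
           parse_bmp_info(file, n, 0, &len), len);
    printf("hardened biSize=0 : status %d\n", parse_bmp_info(file, n, 1, &len));
    return 0;
}
```

Running it shows the original guard accepting `biSize = 0` and asking `ReadOK()` for 4294967292 bytes into a 64-byte buffer, while the hardened check rejects the file before any read. FORTIFY_SOURCE, as the report notes for Fedora 18, catches the oversized write at runtime only because the destination size is known at compile time; the lower-bound check stops the underflow from ever producing such a length.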
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-12-12 17:19:11 UTC
CVE-2013-1953 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1953):
  Integer underflow in the input_bmp_reader function in input-bmp.c in
  AutoTrace 0.31.1 allows context-dependent attackers to have an
  unspecified impact via a small value in the biSize field in the header of a
  BMP file, which triggers a buffer overflow.
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2016-03-01 08:42:06 UTC
Upstream Patch: https://github.com/PhantomX/slackbuilds/blob/master/autotrace/patches/autotrace-0.31.1-CVE-2013-1953.patch and Redhat's: https://bugzilla.redhat.com/attachment.cgi?id=766451 .  Please patch and request stabilization in this bug when ready.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-01 08:45:10 UTC
test <br /> comment.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2016-07-02 03:09:19 UTC
Patch added and package revbumped:

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b6d1c95e6a0a3ea6ae4d8b397845120e23e0f67b

Minor patch so calling for stabilization:

@arches, please stabilize:

=media-gfx/autotrace-0.31.1-r7
Comment 5 Agostino Sarubbo gentoo-dev 2016-07-02 12:42:19 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-07-02 12:43:04 UTC
x86 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-03 10:02:42 UTC
Stable for HPPA.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2016-07-03 10:54:50 UTC
Stable for PPC64.
Comment 9 Tobias Klausmann (RETIRED) gentoo-dev 2016-07-04 11:20:01 UTC
Stable on alpha.
Comment 10 Agostino Sarubbo gentoo-dev 2016-07-08 07:54:43 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-07-08 10:02:55 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2016-07-08 12:03:15 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 13 Markus Meier gentoo-dev 2016-07-10 09:04:47 UTC
(In reply to Agostino Sarubbo from comment #12)
> Maintainer(s), please cleanup.
> Security, please add it to the existing request, or file a new one.

done.
Comment 14 Aaron Bauman (RETIRED) gentoo-dev 2016-11-27 10:00:21 UTC
No PoC on ACE or privilege escalation.  Lowering severity.  Tree is clean.

GLSA Vote: No