| Field | Value |
|---|---|
| Summary | media-gfx/xzgv Integer overflows |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | High |
| CC | graphics+disabled, lanius, smithj |
| Version | unspecified |
| Hardware | All |
| OS | All |
| URL | http://www.idefense.com/application/poi/display?id=160&type=vulnerabilities |
| Whiteboard | B2 [glsa] koon |
| Package list | |
| Runtime testing required | --- |
| Attachments | attachment 47124: proposed ebuild to fix security flaw |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2004-12-11 00:45:18 UTC
Multiple Vendor xzgv PRF Parsing Integer Overflow Vulnerability

iDEFENSE Security Advisory 12.21.04
http://www.idefense.com/application/poi/display?type=vulnerabilities
December 21, 2004

I. BACKGROUND

xzgv is a picture viewer for X, with a thumbnail-based file selector. It uses GTK+ and Imlib 1.x. Most file formats are supported, and the thumbnails used are compatible with xv, zgv and the Gimp.

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in various vendors' implementations of the read_prf_file method in the xzgv program could allow for arbitrary code execution.

The vulnerability specifically exists due to an integer overflow while allocating memory for an image file. The vulnerable code is as follows:

xzgv-0.8/src/readprf.c:

    if((*theimageptr=malloc(width*height*3))==NULL)
    [...]

The values width and height are integers that are ultimately supplied by the image file. With certain values for height and width set in an image file, not enough memory is allocated due to an integer overflow. The underallocated memory is later written to, causing heap corruption and possible arbitrary code execution with the privileges of the user viewing the image file.

III. ANALYSIS

Exploitation allows attackers to gain the privileges of the user viewing the image file. If a user can be convinced to view a malicious file, this vulnerability can be exploited remotely.

IV. DETECTION

The following vendors have confirmed the availability of susceptible xzgv packages within their respective operating system distributions:

SuSE
Debian
Gentoo
FreeBSD

V. WORKAROUND

Only accept image files from trusted sources. Use a different image viewer program to view untrusted images.

VI. VENDOR RESPONSE

Attempts to contact the maintainer of xzgv were unsuccessful. Affected Linux vendors were notified via the vendor-sec mailing list.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0994 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

11/05/2004 Initial vendor notification
12/10/2004 Secondary vendor notification
12/21/2004 Coordinated public disclosure

IX. CREDIT

Infamous41md is credited with this discovery.

Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright © 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Hmm, heino@gentoo.org (last security bumper) does not have a Bugzilla account?
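The advisory quotes a single line, `malloc(width*height*3)`, without showing why it is dangerous or what a correct replacement looks like. The following C program is an added example, not code from xzgv, the iDEFENSE advisory, or the fix patch linked in this bug: it reproduces the shape of the CAN-2004-0994 computation next to a size calculation that cannot wrap, and also covers the case the advisory does not mention, a 64-bit `size_t` where the multiplication does not wrap but still asks for gigabytes. `PRF_MAX_PIXELS`, `prf_image_bytes()`, `checked_bytes()`, `prf_alloc_image()` and the sample dimensions 65536 x 21846 are this example's own choices, not values from xzgv or its patch.

```c
/*
 * Added example, not code from xzgv or the iDEFENSE advisory. Shows the
 * shape of the CAN-2004-0994 bug (malloc(width*height*3) with dimensions
 * taken from the file) next to a size computation that cannot wrap.
 * PRF_MAX_PIXELS, prf_image_bytes() and the sample dimensions are this
 * example's own choices, not values from the xzgv patch.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed policy cap on pixel count (~192 MiB at 3 bytes/pixel); the real
 * xzgv fix may use a different bound or none. */
#define PRF_MAX_PIXELS (64ull * 1024 * 1024)

/* Shape of the original computation. The advisory's code multiplies three
 * ints, which is undefined behaviour on signed overflow; the operands are
 * widened to uint32_t here so the wrap-around is defined and reproducible
 * on any host, matching what a 32-bit size_t would receive. */
uint32_t vuln_image_bytes(int width, int height)
{
    return (uint32_t)width * (uint32_t)height * 3u; /* wraps modulo 2^32 */
}

/* Hardened size computation. Rejects non-positive dimensions, a pixel
 * count above max_pixels, and any byte count that does not fit in
 * size_max. size_max is a parameter only so the 32-bit case can be
 * exercised on a 64-bit build; production code passes SIZE_MAX.
 * Returns 0 and sets *out on success, -1 with errno set otherwise. */
int prf_image_bytes(int width, int height, uint64_t size_max,
                    uint64_t max_pixels, uint64_t *out)
{
    if (width <= 0 || height <= 0) {
        errno = EINVAL;
        return -1;
    }
    uint64_t w = (uint64_t)width, h = (uint64_t)height;
    /* w*h <= max_pixels, tested by division so the product is never formed */
    if (w > max_pixels / h) {
        errno = EINVAL;
        return -1;
    }
    /* w*h*3 <= size_max  <=>  w*h <= size_max/3  <=>  w <= (size_max/3)/h */
    if (w > (size_max / 3) / h) {
        errno = EOVERFLOW;
        return -1;
    }
    *out = w * h * 3;
    return 0;
}

/* Convenience wrapper: the byte count, or 0 when rejected (0 is never a
 * valid size because both dimensions must be positive). */
uint64_t checked_bytes(int width, int height, uint64_t size_max,
                       uint64_t max_pixels)
{
    uint64_t n;
    return prf_image_bytes(width, height, size_max, max_pixels, &n) == 0 ? n : 0;
}

/* What a read_prf_file-style decoder should do before writing pixels. */
unsigned char *prf_alloc_image(int width, int height)
{
    uint64_t n;
    if (prf_image_bytes(width, height, SIZE_MAX, PRF_MAX_PIXELS, &n) != 0)
        return NULL;
    return malloc((size_t)n); /* n <= SIZE_MAX by construction */
}

int main(void)
{
    /* Constructed header values: 65536 x 21846 pixels. The true byte count
     * is 2^32 + 2^17, so a 32-bit multiply yields only 131072 bytes while
     * the decoder goes on to write 4295098368 bytes into that buffer. */
    int w = 65536, h = 21846;
    uint64_t n;
    printf("vulnerable size: %u bytes (decoder will write %llu)\n",
           vuln_image_bytes(w, h),
           (unsigned long long)w * (unsigned long long)h * 3ull);
    if (prf_image_bytes(w, h, UINT32_MAX, UINT64_MAX, &n) != 0)
        printf("32-bit size_t: rejected (%s)\n", strerror(errno));
    if (prf_image_bytes(w, h, UINT64_MAX, UINT64_MAX, &n) == 0)
        printf("64-bit size_t, no pixel cap: would allocate %llu bytes\n",
               (unsigned long long)n);
    if (prf_image_bytes(w, h, SIZE_MAX, PRF_MAX_PIXELS, &n) != 0)
        printf("with PRF_MAX_PIXELS: rejected\n");
    unsigned char *img = prf_alloc_image(640, 480);
    printf("640x480: %s\n", img ? "allocated 921600 bytes" : "rejected");
    free(img);
    return 0;
}
```

The division-based checks (`w > (size_max / 3) / h`) are the point: they decide whether the product fits without ever computing a product that could wrap. The pixel cap is a separate concern from overflow; on a 64-bit build `65536 * 21846 * 3` fits in `size_t` and the vulnerable line would simply try to allocate 4 GiB, which is a denial-of-service rather than a heap overflow, so both checks belong in a file parser.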
Multiple Vendor xzgv PRF Parsing Integer Overflow Vulnerability

iDEFENSE Security Advisory 12.13.04
http://www.idefense.com/application/poi/display?id=160&type=vulnerabilities
December 13, 2004

I. BACKGROUND

xzgv is a picture viewer for X, with a thumbnail-based file selector. It uses GTK+ and Imlib 1.x. Most file formats are supported, and the thumbnails used are compatible with xv, zgv and the Gimp.

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in various vendors' implementations of the read_prf_file method in the xzgv program could allow for arbitrary code execution.

The vulnerability specifically exists due to an integer overflow while allocating memory for an image file. The vulnerable code is as follows:

xzgv-0.8/src/readprf.c:

    if((*theimageptr=malloc(width*height*3))==NULL)
    [...]

The values width and height are integers that are ultimately supplied by the image file. With certain values for height and width set in an image file, not enough memory is allocated due to an integer overflow. The underallocated memory is later written to, causing heap corruption and possible arbitrary code execution with the privileges of the user viewing the image file.

III. ANALYSIS

Exploitation allows attackers to gain the privileges of the user viewing the image file. If a user can be convinced to view a malicious file, this vulnerability can be exploited remotely.

IV. DETECTION

The following vendors have confirmed the availability of susceptible xzgv packages within their respective operating system distributions:

SuSE
Debian
Gentoo
FreeBSD

V. WORKAROUND

Only accept image files from trusted sources. Use a different image viewer program to view untrusted images.

VI. VENDOR RESPONSE

The vulnerability has been addressed in the following patch:

http://rus.members.beeb.net/xzgv-0.8-integer-overflow-fix.diff

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0994 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

11/05/2004 Initial vendor notification
12/10/2004 Secondary vendor notification
12/10/2004 Initial vendor response
12/13/2004 Coordinated public disclosure

IX. CREDIT

Infamous41md is credited with this discovery.

Get paid for vulnerability research http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Heinrich, seems like you did the last security bump. This is no-herd and lanius is MIA. I propose we mask these packages for now.

zgv is already fixed. See bug 69150 and http://www.gentoo.org/security/en/glsa/glsa-200411-12.xml. Only xzgv left to patch.

Graphics team, I know this package is theoretically no-herd, but would you be so kind as to bump xzgv with the http://rus.members.beeb.net/xzgv-0.8-integer-overflow-fix.diff patch? If you don't see the point of having this package in portage, please tell us so that we mask it for security reasons (prior to complete removal).

Call for adopter sent on gentoo-dev. Will be security-masked in 48 hours if nobody steps up.

I'm writing an ebuild now.
I know NOT an official Gentoo developer, but I saw your call on the gentoo-dev and use the package, and would like to see it remain in portage. Give me a coupla to write it, as I do have other things to be doing ;-)

Created attachment 47124: proposed ebuild to fix security flaw

(Of course my last post should have read "I am NOT", but I'm sure you knew that.)

This ebuild applies the patch to fix the security problem associated with this package. It assumes the patch resides in the files folder of portage, so whoever commits this will need to remember to do this.

We're in a classic deadlock where a user uses a package and is willing to help but no developer accepts the responsibility of the package. We'll try to find someone with commit rights to commit on security's behalf... but the last weeks were unsuccessful.

I would like to note that I am applying for an (unrelated) spot on Gentoo development, and would be more than happy to maintain this package on the side if/when I become an official developer.

Bumped and marked x86 stable, and did ~ppc marking while I was there too. sparc still needs to mark 0.8-r1, which is the security revbump.

sparc has no stable version, so no need to wait on us.

Right, this is ready for GLSA. Thanks all.

Resolved?

Not until the GLSA is out.

GLSA 200501-09