
Bug 74069

Summary: media-gfx/xzgv Integer overflows
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: graphics+disabled, lanius, smithj
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://www.idefense.com/application/poi/display?id=160&type=vulnerabilities
Whiteboard: B2 [glsa] koon
Package list:
Runtime testing required: ---
Attachments:
Description Flags
proposed ebuild to fix security flaw none

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-11 00:45:18 UTC
The http://rus.members.beeb.net/xzgv-0.8-integer-overflow-fix.diff
patch, made available about six weeks ago, fixes it.

There were also similar vulnerabilities in zgv, fixed by the
http://www.svgalib.org/rus/zgv/zgv-5.8-integer-overflow-fix.diff
patch.
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2004-12-11 02:35:49 UTC
Multiple Vendor xzgv PRF Parsing Integer Overflow Vulnerability

iDEFENSE Security Advisory 12.21.04
http://www.idefense.com/application/poi/display?type=vulnerabilities
December 21, 2004

I. BACKGROUND

xzgv is a picture viewer for X, with a thumbnail-based file selector. It 
uses GTK+ and Imlib 1.x. Most file formats are supported, and the 
thumbnails used are compatible with xv, zgv and the Gimp. 

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in various 
vendors' implementations of the read_prf_file method in the xzgv program 
could allow for arbitrary code execution. The vulnerability specifically 
exists due to an integer overflow while allocating memory for an image 
file. The vulnerable code is as follows:

xzgv-0.8/src/readprf.c:
if((*theimageptr=malloc(width*height*3))==NULL)
[...]

The values width and height are integers that are ultimately supplied by 
the image file. With certain values for height and width set in an image 
file, not enough memory is allocated due to an integer overflow. The 
underallocated memory is later written to, causing heap corruption and 
possible arbitrary code execution with the privileges of the user 
viewing the image file.

III. ANALYSIS

Exploitation allows attackers to gain the privileges of the user viewing 
the image file. If a user can be convinced to view a malicious file, 
this vulnerability can be exploited remotely.

IV. DETECTION

The following vendors have confirmed the availability of susceptible 
xzgv packages within their respective operating system distributions: 
	SuSE
	Debian
	Gentoo 
	FreeBSD 

V. WORKAROUND

Only accept image files from trusted sources. Use a different image 
viewer program to view untrusted images.

VI. VENDOR RESPONSE

Attempts to contact the maintainer of xzgv were unsuccessful. Affected
linux vendors were notified via the vendor-sec mailing list.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2004-0994 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/05/2004  Initial vendor notification
12/10/2004  Secondary vendor notification
12/21/2004  Coordinated public disclosure

IX. CREDIT

Infamous41md is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright 
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-12-11 02:35:49 UTC
Multiple Vendor xzgv PRF Parsing Integer Overflow Vulnerability

iDEFENSE Security Advisory 12.21.04
http://www.idefense.com/application/poi/display?type=vulnerabilities
December 21, 2004

I. BACKGROUND

xzgv is a picture viewer for X, with a thumbnail-based file selector. It 
uses GTK+ and Imlib 1.x. Most file formats are supported, and the 
thumbnails used are compatible with xv, zgv and the Gimp. 

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in various 
vendors' implementations of the read_prf_file method in the xzgv program 
could allow for arbitrary code execution. The vulnerability specifically 
exists due to an integer overflow while allocating memory for an image 
file. The vulnerable code is as follows:

xzgv-0.8/src/readprf.c:
if((*theimageptr=malloc(width*height*3))==NULL)
[...]

The values width and height are integers that are ultimately supplied by 
the image file. With certain values for height and width set in an image 
file, not enough memory is allocated due to an integer overflow. The 
underallocated memory is later written to, causing heap corruption and 
possible arbitrary code execution with the privileges of the user 
viewing the image file.

III. ANALYSIS

Exploitation allows attackers to gain the privileges of the user viewing 
the image file. If a user can be convinced to view a malicious file, 
this vulnerability can be exploited remotely.

IV. DETECTION

The following vendors have confirmed the availability of susceptible 
xzgv packages within their respective operating system distributions: 
	SuSE
	Debian
	Gentoo 
	FreeBSD 

V. WORKAROUND

Only accept image files from trusted sources. Use a different image 
viewer program to view untrusted images.

VI. VENDOR RESPONSE

Attempts to contact the maintainer of xzgv were unsuccessful. Affected
linux vendors were notified via the vendor-sec mailing list.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2004-0994 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/05/2004  Initial vendor notification
12/10/2004  Secondary vendor notification
12/21/2004  Coordinated public disclosure

IX. CREDIT

Infamous41md is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright © 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-12-11 02:39:38 UTC
hmm heino@gentoo.org (last security bumper) does not have a Bugzilla account ?
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-13 13:41:05 UTC
Multiple Vendor xzgv PRF Parsing Integer Overflow Vulnerability

iDEFENSE Security Advisory 12.13.04
http://www.idefense.com/application/poi/display?id=160&type=vulnerabilities
December 13, 2004

I. BACKGROUND

xzgv is a picture viewer for X, with a thumbnail-based file selector. It
uses GTK+ and Imlib 1.x. Most file formats are supported, and the 
thumbnails used are compatible with xv, zgv and the Gimp. 

II. DESCRIPTION

Remote exploitation of an integer overflow vulnerability in various 
vendors' implementations of the read_prf_file method in the xzgv program
could allow for arbitrary code execution. The vulnerability specifically
exists due to an integer overflow while allocating memory for an image 
file. The vulnerable code is as follows:

xzgv-0.8/src/readprf.c:
if((*theimageptr=malloc(width*height*3))==NULL)
[...]

The values width and height are integers that are ultimately supplied by
the image file. With certain values for height and width set in an image
file, not enough memory is allocated due to an integer overflow. The 
underallocated memory is later written to, causing heap corruption and 
possible arbitrary code execution with the privileges of the user 
viewing the image file.

III. ANALYSIS

Exploitation allows attackers to gain the privileges of the user viewing
the image file. If a user can be convinced to view a malicious file, 
this vulnerability can be exploited remotely.

IV. DETECTION

The following vendors have confirmed the availability of susceptible 
xzgv packages within their respective operating system distributions: 
        SuSE
        Debian
        Gentoo 
        FreeBSD 

V. WORKAROUND

Only accept image files from trusted sources. Use a different image 
viewer program to view untrusted images.

VI. VENDOR RESPONSE

The vulnerability has been addressed in the following patch:

http://rus.members.beeb.net/xzgv-0.8-integer-overflow-fix.diff

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0994 to this issue. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

11/05/2004  Initial vendor notification
12/10/2004  Secondary vendor notification
12/10/2004  Initial vendor response
12/13/2004  Coordinated public disclosure

IX. CREDIT

Infamous41md is credited with this discovery.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

X. LEGAL NOTICES

Copyright (c) 2004 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.
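The size arithmetic the advisory quotes, as an added C example that is neither xzgv's code nor the upstream fix-diff: wrapped_alloc_size models malloc(width*height*3) with 32-bit wraparound, and checked_image_bytes is a hypothetical hardened replacement that validates the PRF dimensions and rejects any byte count that would overflow or exceed a caller-supplied limit. The 65536 x 21846 dimensions are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Model of the vulnerable line in xzgv-0.8/src/readprf.c:
 *     malloc(width*height*3)
 * width and height come straight from the image file.  The product is
 * computed in int and wraps on overflow before malloc() ever sees it.
 * This demo does the arithmetic in uint32_t so the wrap is well defined;
 * a 32-bit build of the original wraps the same way. */
uint32_t wrapped_alloc_size(int width, int height)
{
    return (uint32_t)width * (uint32_t)height * 3u;
}

/* Hypothetical hardened size computation (added here, not xzgv's patch).
 * Returns 1 and stores width*height*3 in *out, or returns 0 when the
 * dimensions are non-positive or the product would overflow size_t or
 * exceed 'limit' (a sanity cap the caller chooses).  The division-based
 * test works because w > limit/3/h  <=>  w*h*3 > limit, with no overflow
 * in the test itself. */
int checked_image_bytes(int width, int height, size_t limit, size_t *out)
{
    if (width <= 0 || height <= 0)
        return 0;
    size_t w = (size_t)width, h = (size_t)height;
    if (h > limit / 3 || w > limit / 3 / h)
        return 0;
    *out = w * h * 3;
    return 1;
}

int main(void)
{
    /* Constructed dimensions: 65536*21846*3 = 4295098368, which wraps to
     * 131072 in 32 bits, so the viewer would allocate 128 KiB and later
     * write ~4 GiB of pixel data into it (the heap corruption described). */
    int w = 65536, h = 21846;
    size_t n;
    printf("wrapped size: %u bytes\n", (unsigned)wrapped_alloc_size(w, h));
    printf("checked size: %s\n",
           checked_image_bytes(w, h, UINT32_MAX, &n) ? "accepted" : "rejected");
    return 0;
}
```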
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-13 13:43:55 UTC
Heinrich seems like you did the last security bump.
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-12-14 08:18:08 UTC
This is no-herd and lanius is mia. I propose we mask these packages for now.
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-12-15 04:58:12 UTC
zgv is already fixed. See bug 69150 and http://www.gentoo.org/security/en/glsa/glsa-200411-12.xml.
Only xzgv left to patch.
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2004-12-19 06:39:29 UTC
Graphics team, I know this package is theoretically no-herd, but would you be so kind as to bump xzgv with the http://rus.members.beeb.net/xzgv-0.8-integer-overflow-fix.diff patch ?

If you don't see the point of having this package in portage, please tell us so that we mask it for security reasons (prior to complete removal).
Comment 9 Thierry Carrez (RETIRED) gentoo-dev 2004-12-29 06:43:35 UTC
Call for adopter sent on gentoo-dev. Will be security-masked in 48 hours if nobody steps up.
Comment 10 Jonathan Smith (RETIRED) gentoo-dev 2004-12-29 10:42:42 UTC
I'm writing an ebuild now. I know NOT an official Gentoo developer, but I saw your call on the gentoo-dev and use the package, and would like to see it remain in portage.

Give me a coupla to write it, as I do have other things to be doing ;-)
Comment 11 Jonathan Smith (RETIRED) gentoo-dev 2004-12-29 11:16:46 UTC
Created attachment 47124 [details]
proposed ebuild to fix security flaw

(of course my last post should have read "I am NOT", but I'm sure you knew
that)

this ebuild applies the patch to fix the security problem associated with this
package. it assumes the patch resides in the files folder of portage, so
whoever commits this will need to remember to do this
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-12-31 01:31:53 UTC
We're in a classic deadlock where a user uses a package and is willing to help but no developer accepts the responsibility of the package. We'll try to find someone with commit rights to commit on security behalf... but last weeks were unsuccessful.
Comment 13 Jonathan Smith (RETIRED) gentoo-dev 2004-12-31 13:03:00 UTC
i would like to note that i am applying for an (unrelated) spot on gentoo development, and would be more than happy to maintain this package on the side if/when i become an official developer
Comment 14 Chris White (RETIRED) gentoo-dev 2005-01-05 08:40:28 UTC
Bumped and marked x86 stable, and did ~ppc marking while I was there too.  sparc still needs to mark 0.8-r1 which is the security revbump.
Comment 15 Gustavo Zacarias (RETIRED) gentoo-dev 2005-01-05 10:14:34 UTC
sparc has no stable version, so no need to wait on us.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2005-01-05 11:31:46 UTC
Right, this is ready for GLSA
Comment 17 Jonathan Smith (RETIRED) gentoo-dev 2005-01-05 12:52:23 UTC
thanks all

resolved?
Comment 18 Thierry Carrez (RETIRED) gentoo-dev 2005-01-05 13:47:57 UTC
Not until the GLSA is out.
Comment 19 Thierry Carrez (RETIRED) gentoo-dev 2005-01-06 13:38:03 UTC
GLSA 200501-09