| Field | Value |
|---|---|
| Summary | media-gfx/xv: new issues |
| Product | Gentoo Security |
| Reporter | Sune Kloppenborg Jeppesen (RETIRED) <jaervosz> |
| Component | Vulnerabilities |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED DUPLICATE |
| Severity | normal |
| Priority | High |
| Version | unspecified |
| Hardware | All |
| OS | All |
| Whiteboard | B2 [upstream] CLASSIFIED |
| Package list | |
| Runtime testing required | --- |
Description
Sune Kloppenborg Jeppesen (RETIRED)
2005-03-27 13:20:03 UTC
Follow up comment by reporter on Vendor-Sec:

I think we can consider this vulnerability to be "effectively exploited" in the sense that an exploit for an earlier version of the same problem in XV's BMP decoder was posted to BugTraq last August (http://www.securityfocus.com/archive/1/372345), and demonstration images for the new variant are publicly available from the KDE Bugzilla site (http://bugs.kde.org/show_bug.cgi?id=102328). I'm pretty sure the former can be trivially adapted to the latter, though I have not attempted to do so myself.

Ergo, I still plan to release an updated set of XV jumbo patches tonight or tomorrow morning (US/Pacific) and to make an announcement to BugTraq within the next day or two. I realize this is a holiday weekend for many, and that makes things awkward, but unfortunately it doesn't alter anything I said in the previous paragraph.

In the meantime, here are some updated test images:

http://pobox.com/~newt/test/286572/overflow-examples.zip (189695 bytes)
http://pobox.com/~newt/test/286572/normal-examples.zip (189638 bytes)

(I trust no one will post the new links on publicly visible bug pages just yet! :-/ )

The archives contain the same 8-bit PCX image as in the KDE bug attachment, plus 24-bit BMP, JPEG, PCX (slightly "improved"), PNG, PPM, and TIFF versions. All but the PNG trigger segfaults in XV:

```
% foreach j ( overflow-[28]* )
foreach? echo $j
foreach? /usr/X11R6/bin/xv $j
foreach? end
overflow-24.bmp
Segmentation fault
overflow-24.jpg
Segmentation fault
overflow-24.pcx
Segmentation fault
overflow-24.png
overflow-24.ppm
Segmentation fault
overflow-24.tif
Segmentation fault
overflow-8.pcx
Segmentation fault
```

(The PNG decoder is saved by internal libpng checks that apparently go all the way back to 1.0.8, maybe even earlier. On the other hand, a different but related libpng vulnerability was fixed just last August, so don't assume a PNG crack is entirely out of the question.)

Note that I'm limiting my attention solely to XV, simply because it's the image viewer I know and love^Wuse. Hopefully most modern ones are a bit more secure.

Another followup:

Unfortunately (or fortunately, depending on your perspective), I still have another 200 memory-allocations to inspect and potentially fix in XV, which means I'm not ready with my own patch and probably won't be before next weekend sometime. In particular, I won't be announcing anything for at least that long; I'd like the fix to be completely ready first.
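As an added, defender-side illustration that is not code from this bug, from XV, or from the reporter: the kind of allocation the follow-up says still has to be audited is an image buffer sized from header-supplied dimensions, and the fix pattern is to validate width, height and depth and to bound the product by division before anything is multiplied. It assumes a 40-byte BITMAPINFOHEADER and a decoded layout of 3 bytes per pixel; `check_constructed` builds constructed headers purely to exercise the check.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Fields of a BITMAPINFOHEADER that drive the decoder's buffer allocation. */
typedef struct { int32_t width; int32_t height; uint16_t bpp; } bmp_dims;

static uint32_t le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put32(unsigned char *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (unsigned char)(v >> (8 * i));
}

/* Parse width/height/bpp from a BITMAPINFOHEADER (biSize at offset 0, >= 40 bytes). */
int parse_bmp_dims(const unsigned char *hdr, size_t len, bmp_dims *out) {
    if (len < 40 || le32(hdr) < 40) return -1;
    out->width  = (int32_t)le32(hdr + 4);
    out->height = (int32_t)le32(hdr + 8);
    out->bpp    = (uint16_t)(hdr[14] | (hdr[15] << 8));
    return 0;
}

/* Bytes needed for the decoded image at 3 bytes per pixel (assumed layout), or 0 when
 * the header is rejected: non-positive width, zero or INT32_MIN height, unsupported
 * depth, or a width*3*height that would wrap size_t or exceed max_bytes. Each bound is
 * checked by division so the multiplication itself can never overflow. */
size_t safe_image_bytes(const bmp_dims *d, size_t max_bytes) {
    if (d->width <= 0 || d->height == 0 || d->height == INT32_MIN) return 0;
    if (d->bpp != 1 && d->bpp != 4 && d->bpp != 8 && d->bpp != 24) return 0;
    size_t w = (size_t)d->width;
    size_t h = (size_t)(d->height < 0 ? -(int64_t)d->height : d->height); /* negative = top-down */
    if (w > max_bytes / 3) return 0;      /* w * 3 would exceed the limit */
    size_t row = w * 3;
    if (h > max_bytes / row) return 0;    /* row * h would exceed the limit */
    return row * h;
}

/* Build a constructed 40-byte header with the given fields and run it through both checks. */
size_t check_constructed(int32_t w, int32_t h, uint16_t bpp, size_t max_bytes) {
    unsigned char hdr[40] = {40};         /* biSize = 40, everything else zero */
    bmp_dims d;
    put32(hdr + 4, (uint32_t)w);
    put32(hdr + 8, (uint32_t)h);
    hdr[14] = (unsigned char)(bpp & 0xff);
    hdr[15] = (unsigned char)(bpp >> 8);
    if (parse_bmp_dims(hdr, sizeof hdr, &d) != 0) return 0;
    return safe_image_bytes(&d, max_bytes);
}
```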