Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 114234 - x11-libs/openmotif buffer overflows (CVE-2005-3964)
Summary: x11-libs/openmotif buffer overflows (CVE-2005-3964)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://archives.neohapsis.com/archive...
Whiteboard: B2 []
Keywords:
Depends on:
Blocks:
 
Reported: 2005-12-02 01:11 UTC by Sune Kloppenborg Jeppesen
Modified: 2008-01-04 11:31 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
patch fot bugs (openmotif-2.2.3-rc4.patch,1.11 KB, patch)
2005-12-12 13:38 UTC, Bartosz Przybylski
no flags Details | Diff
working patch (openmotif-2.2.3-r4.patch,1.11 KB, patch)
2005-12-12 23:28 UTC, Bartosz Przybylski
no flags Details | Diff
UIL patch (foo.diff,10.49 KB, patch)
2005-12-30 22:58 UTC, bartron
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2005-12-02 01:11:26 UTC
Title: [xfocus-SD-051202]openMotif-libUil-Multiple_vulnerability  
  
Affected version : openmotif 2.2.3(not got 2.2.4,so not test in  
 openmotif 2.2.4)  
 Product: http://www.motifzone.net/  
  
xfocus (http://www.xfocus.org) have discovered multiple vulnerability in  
 openmotif libUil library. details following:  
  
1: libUil.so diag_issue_diagnostic buffer overflow  
  
Clients/uil/UilDiags.c  
 diag_issue_diagnostic()  
     202 void diag_issue_diagnostic  
     203 ( int d_message_number, src_source_record_type  
 *az_src_rec,  
     204 int l_start_column, ...)  
     205  
     206 {  
     207 va_list ap; /* ptr to variable  
 length parameter */  
     208 int severity; /* severity of message */  
     209 int message_number; /* message number */  
     210 char msg_buffer[132]; /* buffer to construct  
 message */  
     211 char ptr_buffer[buf_size]; /* buffer to construct  
 pointer */  
     212 char loc_buffer[132]; /* buffer to construct  
 location */  
     213 char src_buffer[buf_size]; /* buffer to hold source  
 line */  
 ......  
     293 va_start(ap, l_start_column);  
     294  
     295 #ifndef NO_MESSAGE_CATALOG  
     296[1.1] vsprintf( msg_buffer,  
     297 catgets(uil_catd, UIL_SET1, msg_cat_table[  
 message_number ],  
     298 diag_rz_msg_table[ message_number ].ac_text),  
     299 ap );  
     300 #else  
     301[1.2] vsprintf( msg_buffer,  
     302 diag_rz_msg_table[ message_number ].ac_text,  
     303 ap );  
  
    304 #endif  
     305 va_end(ap);  
  
[1.1][1.2] call vsprintf will cause buffer overflow if ap is user-support  
 data,so if one local or remote application which used this library may  
 cause execute arbitrary code .  
  
2: libUil.so open_source_file buffer voerflow  
  
Clients/uil/UilSrcSrc.c  
  
    620 status  
     621 open_source_file( XmConst char *c_file_name,  
     622 uil_fcb_type *az_fcb,  
     623 src_source_buffer_type *az_source_buffer )  
     624 {  
     625  
     626 static unsigned short main_dir_len = 0;  
     627 boolean main_file;  
     628 int i; /* loop index through  
 include files */  
     629 char buffer[256];  
     630  
     631  
     632 /* place the file name in the expanded_name buffer */  
     633  
     634[2.1] strcpy(buffer, c_file_name);  
     635  
     636 /* Determine if this is the main file or an include file. */  
     637  
     638 main_file = (main_fcb == NULL);  
     639  
 [2.1] like above  
  
--EOF
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-12-03 08:29:27 UTC
Ccing lanius so that he knows about it, we still need to design a patch.
Also we must determine if lesstif is also affected.
Comment 2 Bartosz Przybylski 2005-12-12 13:38:57 UTC
Created attachment 74595 [details, diff]
patch fot bugs

patch ready and working, ebuild is on a way :)
Comment 3 Bartosz Przybylski 2005-12-12 13:48:23 UTC
> patch ready and working, ebuild is on a way :)

THERE IS SOMETHIG WRONG IN THIS PATCH, DO NOT USE IT.
reparing in progress...
Comment 4 Bartosz Przybylski 2005-12-12 23:28:17 UTC
Created attachment 74616 [details, diff]
working patch

new patch, this one is working for sure.
Sorry for any problems
Comment 5 Thierry Carrez (RETIRED) gentoo-dev 2005-12-13 05:45:58 UTC
Thx for the patch. Lanius, please check and apply.
Comment 6 Thierry Carrez (RETIRED) gentoo-dev 2005-12-20 03:59:59 UTC
lanius: *bump*
Comment 7 Heinrich Wendel (RETIRED) gentoo-dev 2005-12-20 13:19:23 UTC
sorry, i currently have no possibility to upload anything to cvs, can you please do it for me
Comment 8 Tavis Ormandy (RETIRED) gentoo-dev 2005-12-20 14:27:08 UTC
the patches attached seem identical, if the first one is broken the second one must be as well?

aqu, what is wrong with the first one?
Comment 9 Heinrich Wendel (RETIRED) gentoo-dev 2005-12-20 15:25:23 UTC
the first one misses two commas, the second one has them
Comment 10 Tavis Ormandy (RETIRED) gentoo-dev 2005-12-20 15:40:29 UTC
ahh, so it does :)
Comment 11 Bartosz Przybylski 2005-12-20 22:57:35 UTC
yeah, it was my stupid error, sorry about that :)
Comment 12 Tavis Ormandy (RETIRED) gentoo-dev 2005-12-21 05:15:19 UTC
openmotif-2.2.3-r8 committed, as requested.
Comment 13 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-21 05:27:25 UTC
Arches, please test and mark stable. thx
Comment 14 Gustavo Zacarias (RETIRED) gentoo-dev 2005-12-21 05:36:01 UTC
This will require to ship lesstif-0.94.4 since the new openmotif uses motif-config, is that correct? (otherwise it blocks).
Comment 15 Heinrich Wendel (RETIRED) gentoo-dev 2005-12-21 06:56:33 UTC
if you bump it this way you also have to mark motif-config, openmotif-2.1.30-r13, lesstif-0.94.4 and lesstif-0.93.94-r3 stable. i think that is no problem since they all have been around a long time and the only change is to use motif-config.
alternatively you could bump openmotif-2.2.3-r3 instead of openmotif-2.2.3-7.
Comment 16 Markus Rothe (RETIRED) gentoo-dev 2005-12-21 08:36:01 UTC
this packages are stable on ppc64 now:

x11-libs/motif-config-0.9
x11-libs/openmotif-2.2.3-r8
x11-libs/openmotif-2.1.30-r13
x11-libs/lesstif-0.94.4
x11-libs/lesstif-0.93.94-r3
Comment 17 Gustavo Zacarias (RETIRED) gentoo-dev 2005-12-21 10:48:29 UTC
sparc stable.
Comment 18 Luis Medinas (RETIRED) gentoo-dev 2005-12-21 11:36:22 UTC
amd64 done and btw... please fix those QA issues.
Comment 19 Karol Wojtaszek (RETIRED) gentoo-dev 2005-12-21 14:25:27 UTC
There's problem with digest in that package....
Comment 20 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-12-22 11:39:28 UTC
Stable on ppc, hppa.
Comment 21 Tavis Ormandy (RETIRED) gentoo-dev 2005-12-23 03:01:47 UTC
Karol: I cannot reproduce that problem, are you still seeing it?
Comment 22 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-23 14:07:04 UTC
as a little remark, when writing the GLSA, we might want to write it together with emul-linux-x86-xlibs (bug 116481).
Comment 23 Heinrich Wendel (RETIRED) gentoo-dev 2005-12-24 06:50:47 UTC
what about the x86 team? i currently have no possibility to commit anything.
Comment 24 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-24 08:09:00 UTC
oh, thx for the headsup. sorry, my fault - forgot to add x86 :(
Comment 25 Mark Loeser (RETIRED) gentoo-dev 2005-12-24 13:29:31 UTC
x86 done
Comment 26 Fernando J. Pereda (RETIRED) gentoo-dev 2005-12-24 17:54:25 UTC
Alpha done.

Cheers,
Ferdy
Comment 27 Stefan Cornelius (RETIRED) gentoo-dev 2005-12-25 01:28:22 UTC
seems ready for glsa
Comment 28 Thierry Carrez (RETIRED) gentoo-dev 2005-12-28 08:16:26 UTC
GLSA 200512-16
arm ia64 and mips should mark stable to benefit from GLSA
Comment 29 bartron 2005-12-30 22:01:10 UTC

    
Comment 30 bartron 2005-12-30 22:01:10 UTC
 
  Is the quoted text in Comment #0 the full report?  It only 
seems to mention the first usage of a fixed size buffer directly 
following its declaration, and is missing all cases when it's 
declared anywhere else but the current function; or when 
declaration and usage are too far apart.  Just for example, in 
`clients/uil/UilSrcSrc.c/open_source_file()'...

    629: char buffer[256];
    634: strcpy(buffer, c_file_name);

...these two are listed in the problem URL, but...

    680: strcpy (buffer, c_file_name);

...(executed when opening an include file specified by absolute 
path name... exact same problem) is not.


  As a minor nitpick, the patch in comment #4 replaces `strcpy()' 
with `strncpy()'...  
If the source pointer points to a string longer than the max length 
argument, `strncpy()' will not be '\0' terminate the result (in 
other words this needs to be done manually), meaning it will run 
into whatever comes next in memory until a '\0' character is reached.  
(Personally I'd advise against `strncpy()' in this place though, 
because there is a slim chance the truncated path may refer to an 
existing (but wrong) file which may lead to very confusing error 
messages).
Comment 31 bartron 2005-12-30 22:58:12 UTC
Created attachment 75850 [details, diff]
UIL patch
Comment 32 bartron 2005-12-30 22:58:12 UTC
Created attachment 75850 [details, diff]
UIL patch
Comment 33 Thierry Carrez (RETIRED) gentoo-dev 2005-12-31 05:08:32 UTC
Tavis, could you have a look ?
Comment 34 Stefan Cornelius (RETIRED) gentoo-dev 2006-01-10 00:12:27 UTC
lanius, is it possible for you to create another bump, this time with the other patch (comment #30) and with a workaround for the blocking issues found in bug #117458? If thats ok, please do it, thx.
Comment 35 Thierry Carrez (RETIRED) gentoo-dev 2006-01-13 06:15:10 UTC
assigning.
Comment 36 Sune Kloppenborg Jeppesen gentoo-dev 2006-02-06 12:16:04 UTC
Taviso / Tigger / Solar / Vapier please look into this.
Comment 37 Heinrich Wendel (RETIRED) gentoo-dev 2006-02-16 08:01:51 UTC
commited the new patch, i don't know of a way to fix the blocker
Comment 38 Thierry Carrez (RETIRED) gentoo-dev 2006-02-16 10:38:33 UTC
So this looks ready for GLSA...
Comment 39 Fabian Groffen gentoo-dev 2006-02-16 11:51:11 UTC
ppc-macos stable:

x11-libs/motif-config-0.9
x11-libs/openmotif-2.2.3-r8
x11-libs/openmotif-2.1.30-r13
x11-libs/lesstif-0.94.4
x11-libs/lesstif-0.93.94-r4
Comment 40 Thierry Carrez (RETIRED) gentoo-dev 2006-02-16 12:35:09 UTC
Should probably be published as a GLSA update to GLSA 200512-16...
lanius: shouldn't the patch also be pushed to a 2.1.30-r14 release ?
amd64: how do you stand wrt emul-linux-x86-xlibs ?
Comment 41 Simon Stelling (RETIRED) gentoo-dev 2006-02-18 02:28:45 UTC
(In reply to comment #38)
> amd64: how do you stand wrt emul-linux-x86-xlibs ?

Updated app-emulation/emul-linux-x86-xlibs-2.2.2 is on the mirrors and in cvs
Comment 42 Thierry Carrez (RETIRED) gentoo-dev 2006-02-18 04:21:00 UTC
OK, now we just need to be sure if this doesn't also need a 2.1.30-series bump. lanius ?
Comment 43 Simon Stelling (RETIRED) gentoo-dev 2006-02-23 08:26:01 UTC
removing amd64 from cc, we've already done our job ;)
Comment 44 Heinrich Wendel (RETIRED) gentoo-dev 2006-03-18 09:13:34 UTC
i don't know, whoever posted the patch please check
Comment 45 solar (RETIRED) gentoo-dev 2006-05-29 11:23:19 UTC
kloeri said he would take care of this.
Comment 46 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-11 08:34:31 UTC
Hi,
kloeri, some news on this ?
What it the status of this bug now ? [stable] or [ebuild] ?
Comment 47 Bryan Østergaard (RETIRED) gentoo-dev 2006-06-11 11:02:16 UTC
Added the patch to openmotif-2.1.30-r14. Sorry about the delay.
Comment 48 Stefan Cornelius (RETIRED) gentoo-dev 2006-06-13 04:16:14 UTC
Finally closing this bugger ... feel free to reopen if you disagree.