GNU gv Stack Overflow Vulnerability

//----- Advisory

Program : GNU gv
Homepage : http://www.gnu.org/software/gv/
Tested version : 3.6.2
Found by : r.lifchitz at sysdream dot com
This advisory : r.lifchitz at sysdream dot com
Discovery date : 2006/11/06
Vendor notified : 2006/11/09

//----- Application description

gv is a comfortable viewer of PostScript and PDF files for the X Window System. It uses the ghostscript PostScript interpreter and is based on the classic X front-end for gs, ghostview, which it has now replaced.

//----- Description of vulnerability

The 'gv' viewer is prone to a remote stack overflow vulnerability. This issue exists because the application fails to perform proper boundary checks before copying user-supplied data into process buffers. A remote attacker may execute arbitrary code in the context of a user running the application. As a result, the attacker can gain unauthorized access to the vulnerable computer.

This issue presents itself in the 'ps_gettext()' function residing in the 'ps.c' file. Long comments in some specific headers (such as '%%DocumentMedia:') of PS files are unconditionally copied into 'text', a 257 character buffer on the stack.

This issue is reported to affect gv 3.6.2, but earlier versions are likely prone to this vulnerability as well. Applications using embedded gv code may also be vulnerable.

//----- Proof Of Concept

[...]

//----- Solution

No known solution. You have to wait for a vendor upgrade and be careful with unknown PS files.

//----- Impact

Successful exploitation leads to remote code execution.

//----- Credits

Renaud Lifchitz
r.lifchitz at sysdream dot com
http://www.sysdream.com/
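The advisory says the value of certain DSC header comments is copied unchecked into a 257-byte stack buffer. The following scanner, added here and not part of the advisory or of gv, flags any DSC comment line in a PostScript file whose value is long enough to overflow a buffer of that size, so untrusted files can be triaged before being opened in an unpatched viewer. The 257-byte figure is from the advisory; the sample files and the conservative threshold are constructed assumptions.

```python
"""Flag PostScript DSC comments long enough to overflow gv's 257-byte 'text' buffer."""
import re
import sys
from typing import List, Tuple

TEXT_BUFFER_SIZE = 257  # size of the 'text' stack buffer in gv's ps.c, per the advisory

# A DSC comment line: "%%Keyword:" (or a "%%+" continuation line), then the value text.
DSC_LINE = re.compile(rb"^(%%(?:[A-Za-z0-9]+:?|\+))[ \t]*(.*?)[ \t]*$")


def find_overlong_dsc_comments(data: bytes, limit: int = TEXT_BUFFER_SIZE - 1) -> List[Tuple[int, bytes, int]]:
    """Return (line number, keyword, value length) for each DSC comment whose value
    is at least `limit` bytes long.

    The default limit is one byte below the buffer size: the copied text also needs
    a terminating NUL, and the exact copy semantics of ps_gettext() are not known
    here, so the check is deliberately conservative. Lines are split on b"\\n" and
    a trailing CR is ignored so DOS-style files are handled too.
    """
    findings = []
    for lineno, raw in enumerate(data.split(b"\n"), start=1):
        m = DSC_LINE.match(raw.rstrip(b"\r"))
        if m and len(m.group(2)) >= limit:
            findings.append((lineno, m.group(1), len(m.group(2))))
    return findings


def is_suspicious(data: bytes) -> bool:
    """True if the file carries at least one overlong DSC comment."""
    return bool(find_overlong_dsc_comments(data))


# Constructed sample: an ordinary DSC header with a short media name.
SAFE_PS = b"""%!PS-Adobe-3.0
%%Title: constructed sample
%%DocumentMedia: Plain 612 792 0 () ()
%%EndComments
showpage
"""
# Constructed sample: the same header with a media name far beyond the buffer size.
LONG_PS = SAFE_PS.replace(b"Plain", b"X" * 300)

if __name__ == "__main__":
    # Usage: python scan_dsc.py file.ps  (falls back to the constructed samples)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else LONG_PS
    for lineno, keyword, length in find_overlong_dsc_comments(blob):
        print(f"line {lineno}: {keyword.decode()} value is {length} bytes (buffer {TEXT_BUFFER_SIZE})")
```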
SA22787
Created attachment 101813 [details, diff] gv-overflow.patch Patch from Werner Fink.
fixed in 3.6.2-r1
Thx Stefan. Arches please test and mark stable. Target keywords are: gv-3.6.2-r1.ebuild:KEYWORDS="alpha amd64 ~mips ppc ~ppc-macos ppc64 sparc x86"
x86 is the safest arch in the whole wide world.
ppc stable
SPARC stable
marked ppc64 stable
Works fine so far on amd64, worthy of the amd64 keyword.
amd64 stable
Stable on Alpha.
Thx Kloeri. This one is ready for GLSA.
GLSA 200611-20
Seems like some distros are experiencing problems with the patch on x86_64 systems. I'll attach a better one.
Created attachment 103114 [details, diff] gv-CVE-2006-5864-better.patch Proposed patch from SUSE.
Printing please check the new patch and report back.
No comments -> no problems? Closing for now. Feel free to reopen if you disagree.