Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 154645 - app-text/mgv Stack Overflow Vulnerability
Summary: app-text/mgv Stack Overflow Vulnerability
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal enhancement (vote)
Assignee: Gentoo TreeCleaner Project
Whiteboard: Pending removal 09 Jun 2007
Keywords: PMASKED
Depends on:
Reported: 2006-11-10 01:58 UTC by Lubomir Rintel
Modified: 2007-06-07 21:32 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Lubomir Rintel 2006-11-10 01:58:21 UTC
+++ This bug was initially created as a clone of Bug #154573 +++

The package mgv 3.1.5 also seem to contain the vulnerable code, although I didn't have a closer look at it.


GNU gv Stack Overflow Vulnerability

//----- Advisory

Program          : GNU gv
Homepage         :
Tested version   : 3.6.2
Found by         : r.lifchitz at sysdream dot com
This advisory    : r.lifchitz at sysdream dot com
Discovery date   : 2006/11/06
Vendor notified  : 2006/11/09

//----- Application description

gv is a comfortable viewer of PostScript and PDF files for the X
Window System. It uses the ghostscript PostScript interpreter
and is based on the classic X front-end for gs, ghostview, which
it has replaced now.

//----- Description of vulnerability

The 'gv' viewer is prone to a remote stack overflow
vulnerability. This issue exists because the application fails
to perform proper boundary checks before copying user-supplied
data into process buffers. A remote attacker may execute arbitrary
code in the context of a user running the application. As a result,
the attacker can gain unauthorized access to the vulnerable computer.

This issue is present itself in the 'ps_gettext()' function residing
in the 'ps.c' file.

Long comments in some specific headers (such as '%%DocumentMedia:')
of PS files are unconditionally copied into 'text', a 257 character
buffer on the stack.

This issue is reported to affect gv 3.6.2, but earlier versions are
likely prone to this vulnerability as well. Applications using embedded
gv code may also be vulnerable.

//----- Proof Of Concept


/----- Solution

No known solution. You have to wait for a vendor upgrade and
be careful with unknown PS files.

//----- Impact

Successful exploitation leads to remote code execution.

//----- Credits

Renaud Lifchitz
r.lifchitz at sysdream dot com
Comment 1 Stefan Schweizer (RETIRED) gentoo-dev 2006-11-18 02:18:26 UTC
This can be treecleaned. Upstream is dead, no release in 8 years.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-20 22:06:15 UTC
Security let's start by masking it and let treecleaners do their job. Any comments?
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-11-27 00:22:52 UTC
No objections, would somebody with the magick powers please do the trick?
Comment 4 Stefan Cornelius (RETIRED) gentoo-dev 2007-03-07 13:59:01 UTC
masked. do we really need a maskglsa here?
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-03-09 22:29:21 UTC
The policy says "yes"... i would say "yes" too... (it's about an overflow so it's rather severe)
Comment 6 Matt Drew (RETIRED) gentoo-dev 2007-03-14 01:58:15 UTC
I agree with both masking and GLSA'ing - if there's anyone still using it, they need to know.
Comment 7 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-03-14 07:32:38 UTC
Though this bug is rather old. I've called for a maskglsa now with 2 YES votes.
Comment 8 Raúl Porcel (RETIRED) gentoo-dev 2007-03-26 11:46:28 UTC
Okay, our turn.

Treecleaners, please vote.

Comment 9 Jakub Moc (RETIRED) gentoo-dev 2007-04-09 17:52:51 UTC
Comment 10 Christian Heim (RETIRED) gentoo-dev 2007-04-09 17:54:00 UTC
Upstream is dead, wasn't able to find another source for this package. Voting
yes for that.
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-04-09 18:58:45 UTC
Just FWI it was (masking) GLSA 200703-24
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2007-04-09 20:08:34 UTC
# Raúl Porcel <> (09 Apr 2007)
# Pending removal 09 Jun 2007, for treecleaners
# app-admin/cpu -> bug 173064
# app-admin/quickswitch -> bug 134335
# app-misc/jive -> bug 142838
# app-text/mgv -> bug 154645
# net-misc/dhcp-agent -> bug 168565
# x11-plugins/wmmail -> bug 73987
Comment 13 Raúl Porcel (RETIRED) gentoo-dev 2007-06-07 21:32:41 UTC