163989 – app-doc/chmlib < 0.39 Page Block Length Memory Corruption Vulnerability

Bug 163989 - app-doc/chmlib < 0.39 Page Block Length Memory Corruption Vulnerability

Summary: app-doc/chmlib < 0.39 Page Block Length Memory Corruption Vulnerability

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	High minor (vote)
Assignee:	Gentoo Security

URL:	http://seclists.org/fulldisclosure/20...
Whiteboard:	B2 [glsa]
Keywords:

Depends on:
Blocks:

Reported:	2007-01-26 22:37 UTC by Executioner
Modified:	2007-02-27 15:57 UTC (History)
CC List:	1 user (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Executioner 2007-01-26 22:37:45 UTC

CHM files contain various tables and objects stored in "pages." When parsing a page of objects, CHMlib passes an unsanitized value from the file to the alloca() function. This allows an attacker to shift the stack pointer to point to arbitrary locations in memory. Consequently it is possible to write arbitrary data from the file to arbitrary memory locations.

Successful exploitation of this vulnerability allows an attacker to execute arbitrary code with the permissions of the user viewing the file. An attacker would have to first convince the user to view the CHM file through some type of social engineering.

Reproducible: Didn't try




http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=468

Comment 1 Ryan Hill (RETIRED) gentoo-dev

2007-01-26 23:45:03 UTC

chmlib-0.39 is now in the tree.  amd64, hppa, ppc, and x86 need to be stabled.

Comment 2 Matthias Geerdsen (RETIRED) gentoo-dev

2007-01-27 10:41:34 UTC

thanks Ryan

arches, please test and ... well you know...


didn't add hppa, since it has not been stable there before

Comment 3 Markus Meier gentoo-dev

2007-01-27 11:09:36 UTC

app-doc/chmlib-0.39
1. emerges on x86
2. passes collision test
3. app-doc/kchmviewer-2.5 emerges and works fine

Portage 2.1.1-r2 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r4, 2.6.19.2 i686)
=================================================================
System uname: 2.6.19.2 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.6
Last Sync: Fri, 26 Jan 2007 16:31:02 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.31
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.14
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo /etc/texmf/web2c"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://mirror.switch.ch/mirror/gentoo/ http://gentoo.inode.at/"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal iconv input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kdeenablefinal kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp ruby samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

Comment 4 Raúl Porcel (RETIRED) gentoo-dev

2007-01-27 13:57:42 UTC

x86 stable

Comment 5 Tobias Scherbaum (RETIRED) gentoo-dev

2007-01-27 18:01:53 UTC

ppc stable

Comment 6 Steve Dibb (RETIRED) gentoo-dev

2007-01-30 15:51:52 UTC

amd64 stable

Comment 7 Ryan Hill (RETIRED) gentoo-dev

2007-02-11 00:39:48 UTC

all vulnerable versions now booted from the tree.

Comment 8 Executioner 2007-02-19 07:26:30 UTC

Are we going to bother with a GLSA on this one?

Comment 9 Executioner 2007-02-19 07:28:32 UTC

Oops, my bad, looks like one is already being drafted.

Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-02-23 17:36:33 UTC

(In reply to comment #8)
> Are we going to bother with a GLSA on this one?
> 

B2 == yes

Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2007-02-27 15:57:55 UTC

200702-12, sorry for the delay