Bug 220391 (CVE-2008-2080) - sci-libs/cdf <3.2.1 Buffer Overflow Vulnerability (CVE-2008-2080)
Summary: sci-libs/cdf <3.2.1 Buffer Overflow Vulnerability (CVE-2008-2080)
Alias: CVE-2008-2080
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Duplicates: 220591
Reported: 2008-05-05 15:37 UTC by Robert Buchholz (RETIRED)
Modified: 2008-05-13 20:45 UTC
Description Robert Buchholz (RETIRED) gentoo-dev 2008-05-05 15:37:16 UTC
Quoting from URL:
The libraries for the scientific data file format, Common Data Format (CDF) version 3.2 and earlier, have the potential for a buffer overflow vulnerability when reading specially-crafted (invalid) CDF files. If successful, this could trigger execution of arbitrary code within the context of the CDF-reading program that could be exploited to compromise a system, or otherwise crash the program. While it's unlikely that you would open CDFs from untrusted sources, we recommend everyone upgrade to the latest CDF libraries on their systems, including the IDL and Matlab plugins. Most worrisome is any service that enables the general public to submit CDF files for processing.

The vulnerability is in the CDF library routines not properly checking the length tags on a CDF file before copying data to a stack buffer. Exploitation requires the user to explicitly open a specially-crafted file. CDF users should not open files from untrusted third parties until the patch is applied (and continue then to exercise normal caution for files from untrusted third parties).

CDF 3.2.1 addresses this vulnerability and introduces further usability fixes. Updates for Perl, IDL, Matlab and Java WebStart are also available. Java WebStart applications that refer to, will automatically be updated to include this fix the next time the application is started while connected to the Internet.
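The unchecked length-tag pattern described in the advisory above, next to a bounds-checked form. This is an added example, not part of the bug report and not code from the CDF library; the record layout (4-byte big-endian length tag followed by data), `NAME_CAP`, and all function and sample names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical record layout (NOT the real CDF format):
 * 4-byte big-endian length tag, then that many bytes of name data. */
#define NAME_CAP 64

enum parse_status { PARSE_OK, PARSE_TRUNCATED, PARSE_TOO_LONG };

static uint32_t read_be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Unsafe pattern: the length tag from the file sizes the copy. */
void parse_unchecked(const uint8_t *rec) {
    char name[NAME_CAP];
    uint32_t n = read_be32(rec);
    memcpy(name, rec + 4, n); /* writes past name[] when n > NAME_CAP */
}

/* Hardened form: validate the tag against the bytes actually present
 * and against the destination capacity before copying. */
enum parse_status parse_checked(const uint8_t *rec, size_t rec_len,
                                char *out, size_t out_cap) {
    if (rec_len < 4)
        return PARSE_TRUNCATED;      /* no room for the tag itself */
    uint32_t n = read_be32(rec);
    if (n > rec_len - 4)
        return PARSE_TRUNCATED;      /* tag claims more than the input holds */
    if (out_cap == 0 || n > out_cap - 1)
        return PARSE_TOO_LONG;       /* would not fit with the terminator */
    memcpy(out, rec + 4, n);
    out[n] = '\0';
    return PARSE_OK;
}

/* Constructed sample records. */
static const uint8_t SAMPLE_OK[]    = {0, 0, 0, 3, 'c', 'd', 'f'};
static const uint8_t SAMPLE_LYING[] = {0, 0, 1, 0, 'A', 'A'}; /* tag 256, 2 bytes present */
static const uint8_t SAMPLE_LONG[4 + 100] = {0, 0, 0, 100};   /* tag 100, 100 bytes present */

int main(void) {
    char name[NAME_CAP];
    return parse_checked(SAMPLE_OK, sizeof SAMPLE_OK, name, sizeof name);
}
```

Both checks are needed: the first rejects a tag that exceeds the input, the second a tag that is honest about the input but larger than the fixed-size destination.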
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2008-05-05 15:45:58 UTC
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-05-05 17:35:27 UTC
restricting bug
Comment 3 Robert Buchholz (RETIRED) gentoo-dev 2008-05-06 07:38:58 UTC
This is public now:
Comment 4 Sébastien Fabbro (RETIRED) gentoo-dev 2008-05-06 12:58:22 UTC

cdf-3.2.1.ebuild just committed. cdf-3.2 removed, and waiting for fast-track stabilization on 3.2.1 to remove cdf-3.1.

Comment 5 Markus Dittrich (RETIRED) gentoo-dev 2008-05-06 13:33:11 UTC
(In reply to comment #4)
> Hi,
> cdf-3.2.1.ebuild just committed. cdf-3.2 removed, and waiting for fast-track
> stabilization on 3.2.1 to remove cdf-3.1.
> Thanks,

Thanks much Sebastien! I was just in the middle of fixing this myself;)
Why on earth didn't upstream at least rename their tarballs to 3.2.1
instead of just re-distributing a patched 3.2 version?

Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-05-06 14:39:39 UTC
Arches, please test and mark stable:
Target keywords : "amd64 ppc release x86"
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-06 14:44:27 UTC
*** Bug 220591 has been marked as a duplicate of this bug. ***
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2008-05-06 19:59:22 UTC
x86 stable
Comment 9 Markus Meier gentoo-dev 2008-05-07 20:00:18 UTC
did they change the tarballs again? changed date on 2008-05-06 which was yesterday...

# emerge --fetchonly cdf
Calculating dependencies... done!

>>> Emerging (1 of 1) sci-libs/cdf-3.2.1 to /
>>> Downloading ''
--2008-05-07 21:58:04--
           => `/usr/portage/distfiles/cdf32-dist-cdf.tar.gz'
Connecting to||:21... connected.
Logging in as anonymous ... Logged in!
==> SYST ... done.    ==> PWD ... done.
==> TYPE I ... done.  ==> CWD /pub/cdf/dist/cdf321/unix ... done.
==> SIZE cdf32-dist-cdf.tar.gz ... 966514
==> PASV ... done.    ==> RETR cdf32-dist-cdf.tar.gz ... done.
Length: 966514 (944K)

100%[===================================================================================================================>] 966,514      226K/s   in 4.5s    

2008-05-07 21:58:28 (208 KB/s) - `/usr/portage/distfiles/cdf32-dist-cdf.tar.gz' saved [966514]

('Filesize does not match recorded size', 966514L, 966480)
!!! Fetched file: cdf32-dist-cdf.tar.gz VERIFY FAILED!
!!! Reason: Filesize does not match recorded size
!!! Got:      966514
!!! Expected: 966480
Refetching... File renamed to '/usr/portage/distfiles/cdf32-dist-cdf.tar.gz._checksum_failure_.lJLiKk'

!!! Couldn't download 'cdf32-dist-cdf.tar.gz'. Aborting.
Comment 10 Sébastien Fabbro (RETIRED) gentoo-dev 2008-05-08 10:34:54 UTC
(In reply to comment #9)
> did they change the tarballs again?

Yes they did! I removed the mirror restriction and suggested upstream to fix this.
Comment 11 Sébastien Fabbro (RETIRED) gentoo-dev 2008-05-09 13:22:00 UTC
Please go for stabilization on cdf-3.2.1-r1 I've just committed. 
Upstream finally changed their tarballs, and 3.2.1 had a bad patch.
Re-adding x86.


Comment 12 Markus Meier gentoo-dev 2008-05-09 19:12:41 UTC
amd64/x86 stable
Comment 13 Tobias Scherbaum (RETIRED) gentoo-dev 2008-05-11 12:24:04 UTC
ppc stable
Comment 14 Peter Volkov (RETIRED) gentoo-dev 2008-05-11 17:58:48 UTC
Fixed in release snapshot.
Comment 15 Tobias Heinlein (RETIRED) gentoo-dev 2008-05-11 18:49:12 UTC
GLSA request filed.
Comment 16 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-13 20:45:24 UTC
GLSA 200805-14