Tielei Wang has discovered some vulnerabilities in XEmacs, which can be exploited by malicious people to potentially compromise a user's system.

1) An integer overflow error within the "tiff_instantiate()" function in glyphs-eimage.c can be exploited to cause a heap-based buffer overflow via a specially crafted TIFF file.

2) An integer overflow error within the "png_instantiate()" function in glyphs-eimage.c can be exploited to cause a heap-based buffer overflow via a specially crafted PNG file.

3) An integer overflow error within the "jpeg_instantiate()" function in glyphs-eimage.c can be exploited to cause a heap-based buffer overflow via a specially crafted JPEG file.

Successful exploitation of the vulnerabilities may allow execution of arbitrary code.
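The three findings above share one pattern: an image decoder computes a buffer size from attacker-controlled header fields (width, height, bytes per pixel), the multiplication wraps, and the undersized heap allocation is then overrun by the pixel data. The following is an added illustration of the defect class and its fix, written for this thread; it is not code from XEmacs or from the upstream patch, and the function names (naive_image_bytes, checked_image_bytes, image_bytes_or_zero) and the MAX_IMAGE_BYTES limit are assumptions, since the thread does not show the actual defective lines in glyphs-eimage.c.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy limit for a decoded image buffer (256 MiB). A hard cap
 * rejects absurd dimensions even on platforms where size_t is 64-bit. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* Illustrative (constructed) unchecked size computation of the kind that
 * yields an undersized heap buffer: the product is formed in 32-bit
 * arithmetic and wraps silently when the header fields are large. */
static uint32_t naive_image_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp; /* 65536 * 65536 * 4 wraps to 0 */
}

/* Checked computation: returns 0 and stores the byte count in *out, or -1
 * if any dimension is zero, the product would not fit in size_t, or the
 * result exceeds MAX_IMAGE_BYTES. Division-based checks avoid forming the
 * overflowing product at all. */
static int checked_image_bytes(uint32_t width, uint32_t height, uint32_t bpp,
                               size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return -1;
    if ((size_t)width > SIZE_MAX / (size_t)bpp)
        return -1;
    size_t row = (size_t)width * (size_t)bpp;
    if ((size_t)height > SIZE_MAX / row)
        return -1;
    size_t total = row * (size_t)height;
    if (total > MAX_IMAGE_BYTES)
        return -1;
    *out = total;
    return 0;
}

/* Convenience wrapper: byte count on success, 0 on rejection. */
static size_t image_bytes_or_zero(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    return checked_image_bytes(width, height, bpp, &n) == 0 ? n : 0;
}

/* Allocate a pixel buffer only when the size has been validated. */
static void *alloc_image_buffer(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    if (checked_image_bytes(width, height, bpp, &n) != 0)
        return NULL; /* caller treats NULL as a malformed image */
    return calloc(1, n);
}

int main(void)
{
    /* Constructed header values: one sane image, one crafted to wrap. */
    printf("640x480x4   naive=%u checked=%zu\n",
           naive_image_bytes(640, 480, 4), image_bytes_or_zero(640, 480, 4));
    printf("65536x65536x4 naive=%u checked=%zu\n",
           naive_image_bytes(65536, 65536, 4),
           image_bytes_or_zero(65536, 65536, 4));
    void *buf = alloc_image_buffer(65536, 65536, 4);
    printf("crafted image allocation %s\n", buf ? "accepted" : "rejected");
    free(buf);
    return 0;
}
```

The naive computation returns 0 for the crafted 65536x65536 image, so a decoder that trusted it would allocate a zero-length (or tiny) buffer and then write the full pixel stream into it; the checked version refuses the dimensions before any allocation happens.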
Fauli confirmed the issue is non-existent in emacs.
Filed upstream as: http://tracker.xemacs.org/XEmacs/its/issue534
Upstream is aware of this and working on a patch. However, their viewpoint on this is that this is not really a security bug.
I've just added xemacs-21.4.22-r1 to the tree which contains upstream's patch for this. Only lightly tested right now. My suggestion is to leave this in the tree for a couple of days before stabilizing it. I'm not sure if upstream will do a release shortly, and there was a bit of discussion on the patch as well.
Hans, have there been any regressions so far?
I haven't seen problems when testing, upstream has not issued updated patches, and I don't see any activity indicating a forthcoming release, so I think we should go ahead and mark this version stable.
Arches, please test and mark stable: =app-editors/xemacs-21.4.22-r1 Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Stable on alpha.
x86 stable
Stable for HPPA.
amd64/sparc stable
ppc stable
ppc64 done
GLSA request filed.
CVE-2009-2688 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2688): Multiple integer overflows in glyphs-eimage.c in XEmacs 21.4.22, when running on Windows, allow remote attackers to cause a denial of service (crash) or execute arbitrary code via (1) the tiff_instantiate function processing a crafted TIFF file, (2) the png_instantiate function processing a crafted PNG file, and (3) the jpeg_instantiate function processing a crafted JPEG file, all which trigger a heap-based buffer overflow. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information.
GLSA 201006-15