oCert #2009-008 Dillo integer overflow
Dillo, an open source graphical web browser, suffers from an integer
overflow which may lead to a potentially exploitable heap overflow and
result in arbitrary code execution.
The vulnerability is triggered by HTML pages with embedded PNG images: the
Png_datainfo_callback function does not properly validate the width and
height of the image. Specific PNG images with large width and height can
be crafted to trigger the vulnerability.
Affected versions: Dillo <= 2.1
Fixed version: Dillo >= 2.1.1
Credit: vulnerability report and PoC code received from Tielei Wang
<wangtielei [at] icst [dot] pku [dot] edu [dot] cn>, ICST-ERCIS.
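As an added illustration of the flaw class described above (this is not Dillo's code and not the reported PoC; the function names and the 256-megapixel cap are assumptions), the overflow-prone buffer-size computation beside a checked version that rejects header values before any allocation:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical illustration, not Dillo's own code. The PNG header supplies
 * width, height and (via colour type / bit depth) bytes per pixel; all three
 * are attacker-controlled when the image is embedded in a hostile page. */

/* Unsafe pattern: the buffer size is computed in 32-bit arithmetic.
 * Large dimensions wrap the product, so the allocation is far smaller than
 * the number of bytes the decoder later writes into it (heap overflow). */
uint32_t image_size_unchecked(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t rowbytes = width * bpp;   /* may wrap */
    return rowbytes * height;          /* may wrap again */
}

/* Hardened form: validate before multiplying. Returns 0 (reject) when any
 * dimension is zero, the pixel count exceeds an assumed policy cap, or the
 * byte count would not fit in size_t; otherwise the exact byte count. */
size_t image_size_checked(uint32_t width, uint32_t height, uint32_t bpp)
{
    const size_t max_pixels = (size_t)1 << 28;  /* assumed cap: 256 Mpixel */
    if (width == 0 || height == 0 || bpp == 0)
        return 0;
    if ((size_t)width > max_pixels / height)    /* width*height > cap */
        return 0;
    size_t pixels = (size_t)width * height;
    if (pixels > SIZE_MAX / bpp)                /* pixels*bpp overflows */
        return 0;
    return pixels * bpp;
}

/* Allocation that only proceeds after the checked size computation. */
unsigned char *alloc_image_buffer(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n = image_size_checked(width, height, bpp);
    return n ? calloc(n, 1) : NULL;
}

int main(void)
{
    /* Constructed header values of the kind the advisory describes. */
    printf("unchecked 65536x65536x4 -> %u bytes\n", image_size_unchecked(65536, 65536, 4));
    printf("checked   65536x65536x4 -> %zu bytes (0 = rejected)\n", image_size_checked(65536, 65536, 4));
    printf("checked   640x480x4     -> %zu bytes\n", image_size_checked(640, 480, 4));
    return 0;
}
```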
I've committed 2.1.1.
Does this vulnerability apply to dillo-0.8.6? Because that's a completely different codebase (gtk1 as opposed to fltk2). If it does, I'd be happy to get rid of it. :-)
From dillo's homepage:
Dillo-2.1.1 has been released to provide a security fix for malicious images. A few small improvements in CSS, key bindings, etc., found their way in as well.
Thanks go to oCERT for bringing the matter to our attention.
I sent a mail and asked.
There is no
0.8.6 is abandoned, and frankly I believe it to have a few*10
more security issues! :) We had to rewrite a lot of the code
and fixed lots of bugs along the way.
Distros should be packing the last dillo version. I say it
in the same spirit as the kernel developers.
Note: yes the bug is there, but patching it and releasing a
security fix would be a false sense of protection.
Ben, please remove the older versions.
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ppc ppc64 sparc x86"
As dillo-2 depends on fltk:2, I have added a stable request for fltk:2 as a dependency to this bug. I also pinged MIPS team to keyword fltk:2/dillo-2 (bug 253083).
I will mask <=dillo-2.1 now and remove those versions once 2.1.1 is stable.
Integer overflow in the Png_datainfo_callback function in Dillo 2.1
and earlier allows remote attackers to cause a denial of service
(crash) and possibly execute arbitrary code via a PNG image with
crafted (1) width or (2) height values.
Removing arches until bug 276695 is resolved.
Masking dillo breaks the stable tree which is never allowed. I commented out the line in package.mask for now. Please fix up the keywords before uncommenting the mask.
As Mr. Bones pointed out, no need to mask stable. Removing it after we have a new stable is sufficient and appreciated.
Arches, =www-client/dillo-2.1.1 should be good now.
Sparc stable. I'm curious, though, why dillo-2* requires that fltk be built with USE=-cairo.
(In reply to comment #10)
> I'm curious, though, why dillo-2* requires that fltk be built
> with USE=-cairo.
Because upstream says so.
Stable on alpha.
Stable for HPPA.
Marked stable on ppc:
Stable on all arches now (apart from ppc64 which hasn't actually keyworded dillo-2.x at all). So security can proceed with GLSA.
Is the ppc64 team in agreement with dropping the stable keywords on their architecture?