Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 276432 (CVE-2009-2294) - <www-client/dillo-2.1.1 PNG integer overflow (CVE-2009-2294)
Summary: <www-client/dillo-2.1.1 PNG integer overflow (CVE-2009-2294)
Status: RESOLVED FIXED
Alias: CVE-2009-2294
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://www.ocert.org/advisories/ocert...
Whiteboard: B2 [glsa]
Keywords:
Depends on: 276547 276695
Blocks:
  Show dependency tree
 
Reported: 2009-07-04 09:58 UTC by Robert Buchholz (RETIRED)
Modified: 2009-08-18 21:42 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-07-04 09:58:08 UTC
oCert #2009-008 Dillo integer overflow

Dillo, an open source graphical web browser, suffers from an integer
overflow which may lead to a potentially exploitable heap overflow and
result in arbitrary code execution.

The vulnerability is triggered by HTML pages with embedded PNG images, the
Png_datainfo_callback function does not properly validate the width and
height of the image. Specific PNG images with large width and height can
be crafted to trigger the vulnerability.

Affected version:

Dillo <= 2.1

Fixed version:

Dillo >= 2.1.1

Credit: vulnerability report and PoC code received from Tielei Wang
        <wangtielei [at] icst [dot] pku [dot] edu [dot] cn>, ICST-ERCIS.

CVE: CVE-2009-2294
Comment 1 Ben de Groot (RETIRED) gentoo-dev 2009-07-04 19:13:20 UTC
I've committed 2.1.1.

Does this vulnerability apply to dillo-0.8.6? Because that's a completely different codebase (gtk1 as opposed to fltk2). If it does, I'd be happy to get rid of it. :-)
Comment 2 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-04 20:31:38 UTC
From dillos homepage:

03-Jul-2009
    Dillo-2.1.1 has been released to provide a security fix for malicious images. A few small improvements in CSS, key bindings, etc., found their way in as well.

    Thanks go to oCERT for bringing the matter to our attention. 

Also: http://hg.dillo.org/dillo/file/tip/ChangeLog

I sent a mail and asked.

There is no 
Comment 3 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-04 23:10:01 UTC
Jorge's answer:

  0.8.6 is abandoned, and frankly I believe it to have a few*10
more security issues!  :)   We had to rewrite a lot of the code
and fixed lots of bugs along the way.

  Distro's should be packing the last dillo version. I say it
in the same spirit that the kernel developers.

  Note: yes the bug is there, but patching it and releasing a
security fix would be a false sense of protection.

--------------------

Ben, please remove the older versions.
Comment 4 Stefan Behte (RETIRED) gentoo-dev Security 2009-07-04 23:13:14 UTC
Arches, please test and mark stable:
=www-client/dillo-2.1.1
Target keywords : "alpha amd64 arm hppa ppc ppc64 sparc x86"
Comment 5 Ben de Groot (RETIRED) gentoo-dev 2009-07-05 09:42:23 UTC
As dillo-2 depends on fltk:2, I have added a stable request for fltk:2 as a dependency to this bug. I also pinged MIPS team to keyword fltk:2/dillo-2 (bug 253083).

I will mask <=dillo-2.1 now and remove those versions once 2.1.1 is stable.
Comment 6 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-07-05 23:26:39 UTC
CVE-2009-2294 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2294):
  Integer overflow in the Png_datainfo_callback function in Dillo 2.1
  and earlier allows remote attackers to cause a denial of service
  (crash) and possibly execute arbitrary code via a PNG image with
  crafted (1) width or (2) height values.

Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-07-06 09:23:17 UTC
removing arches until bug 276695 is resolved.
Comment 8 Mr. Bones. (RETIRED) gentoo-dev 2009-07-07 14:55:54 UTC
Masking dillo breaks the stable tree which is never allowed.  I commented out the line in package.mask for now.  Please fix up the keywords before uncommenting the mask.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2009-07-08 11:55:24 UTC
As Mr. Bones pointed out, no need to mask stable. Removing it after we have a new stable is sufficient and appreciated.

Aches, =www-client/dillo-2.1.1 should be good now.
Comment 10 Ferris McCormick (RETIRED) gentoo-dev 2009-07-08 12:46:47 UTC
Sparc stable.  I'm curious, though, why dillo-2* requires that fltk be built with USE=-cairo.
Comment 11 Ben de Groot (RETIRED) gentoo-dev 2009-07-08 12:51:03 UTC
(In reply to comment #10)
> I'm curious, though, why dillo-2* requires that fltk be built
> with USE=-cairo.

Because upstream says so.

Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-08 14:56:16 UTC
x86 stable
Comment 13 Markus Meier gentoo-dev 2009-07-08 20:41:26 UTC
amd64 stable
Comment 14 Tobias Klausmann gentoo-dev 2009-07-12 13:45:50 UTC
Stable on alpha.
Comment 15 Jeroen Roovers gentoo-dev 2009-07-12 23:50:05 UTC
Stable for HPPA.
Comment 16 Raúl Porcel (RETIRED) gentoo-dev 2009-07-15 15:06:01 UTC
arm stable
Comment 17 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2009-07-15 21:45:42 UTC
Marked stable on ppc:
=x11-libs/fltk-2.0_pre6786
=www-client/dillo-2.1.1
Comment 18 Ben de Groot (RETIRED) gentoo-dev 2009-07-15 22:15:58 UTC
Stable on all arches now (apart from ppc64 which hasn't actually keyworded dillo-2.x at all). So security can proceed with GLSA.
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2009-07-16 00:36:58 UTC
Is the ppc64 team in agreement with dropping the stable keywords on their architecture?
Comment 20 Brent Baude (RETIRED) gentoo-dev 2009-07-26 12:48:51 UTC
~ppc64 done
Comment 21 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-08-18 21:42:25 UTC
GLSA 200908-10