Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 278679 (CVE-2009-2850) - <sci-libs/cdf-3.3.0: remote buffer overflow(s) (CVE-2009-2850)
Summary: <sci-libs/cdf-3.3.0: remote buffer overflow(s) (CVE-2009-2850)
Alias: CVE-2009-2850
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2009-07-22 12:44 UTC by Doron Fediuck
Modified: 2009-08-19 09:40 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Doron Fediuck 2009-07-22 12:44:27 UTC
Title: NASA Common Data Format remote buffer overflow(s)
Advisory ID: INFIGO-2009-07-09
Advisory URL:
Impact: Remote code execution
Risk Level: High
Vulnerability Type: Remote

The vulnerability exists in the ReadAEDRList64() function. This function 
is used to read a list of attribute entries from a CDF file. 
The attribute entries are stored in a list indexed by the entry number. 

Various other memory corruption vulnerabilities have been identified 
in SearchForRecord_r_64(), LastRecord64(), CDFsel64() and other functions. 
In cooperation with the vendor all identified vulnerable function have 
been fixed, and a proper validation module was developed to verify CDF 
files before processing them.

The vulnerabilities has been identified in the latest available CDF 
version 3.2.4. Previous versions are believed to be vulnerable as well

Reproducible: Always

Steps to Reproduce:

Expected Results:  
The vendor has addressed vulnerabilities on 20.7.2009. with CDF
library version 3.3. New CDF library 3.3 has 'cdfvalidate' module 
that will validate CDF files for potential malformed values.
New version is available at

STATICforIDL CDFstatus ReadAEDRList64 (vFILE *fp,
                                         struct AEDRstructExt64 ***AEDRList,
                                         OFF_T AEDRHead,
                                         Int32 MaxEntry)
  struct AEDRstructExt64 *TempAEDR;
  Int32 LastAEDRNum = -1;
  Int32 i;
  OFF_T temp;
[1]      *AEDRList = cdf_AllocateMemory((MaxEntry + 1) *
                                 sizeof(struct AEDRstructExt64**), NULL);
  while (NxtAEDR != 0 && LastAEDRNum != MaxEntry)
[2]   TempAEDR = cdf_AllocateMemory(sizeof(struct AEDRstructExt64), NULL);
[3]    if (!Read32_64(fp,&(TempAEDR->AEDR.Num))) return CRE;
[4]    (*AEDRList)[TempAEDR->AEDR.Num] = TempAEDR;
  return pStatus;

The code marked as [1] creates an array of AEDRstructExt64 structures, 
allocated on the heap and assigned to the AEDRList variable. The TempAEDR
structure [2] is also allocated on the heap. It is further used in the 
while() loop to read the attributes from the CDF file that is being 
The Read32_64() function [3] is used to read an integer from the
CDF file stream and store it in the TempAEDR->AEDR.Num. At [4] this value
is used as the index that specifies where in the AEDRList the address of 
the TempAEDR structure is stored. 
This is where the vulnerability exists as the code performs no sanity 
checks on the TempAEDR->AEDR.Num value. 
In other words, if the CDF file contains a value that is higher than the
number of allocated AEDRList entries, a malicious CDF file can overwrite
arbitrary heap data after the AEDRList array. The value that will be 
written is the address of the TempAEDR structure. This can be further
exploited as the attacker can control the content of the TempAEDR 
structure, in which malicious code can be embedded.

As the TempAEDR->AEDR.Num is used as the index, the attacker can write 4
bytes to an address higher than the AEDRList's address. Since this index
is added to the AEDRList address, an attacker can also specify a large 
value which allows him to overflow the integer in the adding calculation, 
effectively writing to any address mapped by the process. 
Other protection mechanisms, such as ASLR, could make this exploitation 
method less reliable.
Comment 1 Doron Fediuck 2009-07-22 13:27:59 UTC
Status typo.
Comment 2 Sébastien Fabbro (RETIRED) gentoo-dev 2009-07-23 03:13:35 UTC
bumped to 3.3 in cvs. thanks.
Comment 3 Doron Fediuck 2009-07-23 10:50:21 UTC
Arches, please test and mark stable:
Target keywords: "amd64 ppc x86"
Comment 4 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-23 20:33:26 UTC
x86 stable
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2009-07-24 13:03:55 UTC
amd64 stable
Comment 6 nixnut (RETIRED) gentoo-dev 2009-08-09 13:45:57 UTC
ppc stable
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-14 16:21:03 UTC
CVE reqeusted and draft filed.
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-18 21:41:37 UTC
GLSA 200908-06.
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-19 09:40:45 UTC
CVE-2009-2850 (
  Multiple buffer overflows in NASA Common Data Format (CDF) allow
  context-dependent attackers to execute arbitrary code, as
  demonstrated using (1) an array index error in the ReadAEDRList64
  function, and other errors in the (2) SearchForRecord_r_64, (3)
  LastRecord64, (4) CDFsel64, and other unspecified functions.