Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 285854 (CVE-2009-2905) - <dev-libs/newt-0.52.10-r1 doReflow() Heap-based buffer overflow (CVE-2009-2905)
Summary: <dev-libs/newt-0.52.10-r1 doReflow() Heap-based buffer overflow (CVE-2009-2905)
Alias: CVE-2009-2905
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
: 281402 (view as bug list)
Depends on:
Reported: 2009-09-21 18:31 UTC by Robert Buchholz (RETIRED)
Modified: 2010-06-02 21:21 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---

newt-CVE-2009-2905.patch (newt-CVE-2009-2905.patch,466 bytes, patch)
2009-09-21 18:32 UTC, Robert Buchholz (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Robert Buchholz (RETIRED) gentoo-dev 2009-09-21 18:31:18 UTC
** Please note that this issue is confidential and no information should be
disclosed until it is made public, see "Whiteboard" for a date **

A heap-based buffer overflow was found in the way newt used to process
content, to be rendered in text dialog box. Local attacker could issue
a specially-crafted text dialog box rendering request (direct or via
custom application), leading to denial of service (application crash)
or, potentially, to execution of arbitrary code with the privileges of
the user running the application.

Description of problem:

The function doReflow in textbox.c allocates buffer that might not be large
enough to hold the reflowed text:

    157 static void doReflow(const char * text, char ** resultPtr, int width,
    158                      int * badness, int * heightPtr) {

    167     if (resultPtr) {
    168         /* XXX I think this will work */
    169         result = malloc(strlen(text) + (strlen(text) / width) + 2);
    170         *result = '\0';
    171     }

The problem is that in the length calculation it's assumed that when splitting
long lines they will be width long but they are actually width - 1 long.
The fix is to use following length calculation:

-       result = malloc(strlen(text) + (strlen(text) / width) + 2);
+       result = malloc(strlen(text) + (strlen(text) / (width - 1)) + 2);

Affected versions:
Issue was tested and confirmed in newt-0.51.5, newt-0.51.6, newt-0.52.2
and newt-0.52.10 versions of newt.

CVE identifier:
CVE-2009-2905 has been assigned for this issue.

Miroslav Lichvar <mlichvar () redhat ! com>

Coordinated release date:
Thursday, 2009-09-24 12:00 UTC

Please let us know, if this doesn't correspond
to your needs for some reason.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2009-09-21 18:32:17 UTC
Created attachment 204853 [details, diff]

Upstream patch
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2009-09-21 18:33:17 UTC
Due to the limited exploitability of the issue and the short timeframe, I suggest not participating in coordinated disclosure. Let's fix this in the tree on Sept. 24 and wait until then.
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-07 17:48:01 UTC
This is now public (c.f.
Comment 4 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-07 17:52:18 UTC
CVE-2009-2905 (
  Heap-based buffer overflow in textbox.c in newt 0.51.5, 0.51.6, and
  0.52.2 allows local users to cause a denial of service (application
  crash) or possibly execute arbitrary code via a request to display a
  crafted text dialog box.

Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-07 18:28:45 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-10-07 18:29:23 UTC
*** Bug 281402 has been marked as a duplicate of this bug. ***
Comment 7 Markus Meier gentoo-dev 2009-10-09 19:18:46 UTC
amd64/arm/x86 stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2009-10-11 15:27:55 UTC
Stable on alpha.
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2009-10-11 23:53:17 UTC
Stable for HPPA.
Comment 10 Raúl Porcel (RETIRED) gentoo-dev 2009-10-12 16:59:23 UTC
ia64/sparc stable
Comment 11 Brent Baude (RETIRED) gentoo-dev 2009-10-18 14:28:16 UTC
ppc64 done
Comment 12 Mounir Lamouri (volkmar) (RETIRED) gentoo-dev 2009-10-26 08:40:31 UTC
ppc stable
Bug ready to be fixed by security team.
Comment 13 Tobias Heinlein (RETIRED) gentoo-dev 2009-11-06 09:28:51 UTC
Request filed.
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-05-31 05:46:11 UTC
Please remove vulnerable ebuilds. I still see newt-0.52.2.ebuild and newt-0.52.10.ebuild.
GLSA draft filed.
Comment 15 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-02 21:21:51 UTC
GLSA 201006-14