Bug 290222 (CVE-2009-3296) - <dev-ml/camlimages-3.0.2 Integer Overflows (CVE-2009-3296)
Summary: <dev-ml/camlimages-3.0.2 Integer Overflows (CVE-2009-3296)
Status: RESOLVED FIXED
Alias: CVE-2009-3296
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://security.debian.org/pool/updat...
Whiteboard: B2 [glsa]
Reported: 2009-10-23 09:45 UTC by Alex Legler (RETIRED)
Modified: 2010-06-01 15:44 UTC
Description Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-10-23 09:45:17 UTC
CVE-2009-3296 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3296):
  Multiple integer overflows in tiffread.c in CamlImages 2.2 might
  allow remote attackers to execute arbitrary code via TIFF images
  containing large width and height values that trigger heap-based
  buffer overflows.
Comment 1 Alexis Ballier gentoo-dev 2009-10-23 10:07:26 UTC
Any more info? I've just made a patch that checks overflows for width*height in tiffread.c but won't commit it unless I'm sure that's all.
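The defect class in the CVE text above and the width*height check mentioned in comment 1, shown as an added illustration in C (not CamlImages' actual tiffread.c code; the function names, the bpp parameter and the max_bytes cap are assumptions): the unchecked 32-bit multiplication beside an overflow-checked size computation that refuses to allocate when the product would wrap.

```c
#include <stdint.h>
#include <stdlib.h>

/* Vulnerable pattern (illustrative, not CamlImages' actual tiffread.c code):
 * width and height come straight from the TIFF header and are multiplied in
 * 32-bit arithmetic, so large values wrap to a small number, a small buffer is
 * allocated, and decoding the real scanlines into it overruns the heap. */
static uint32_t unsafe_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;  /* wraps modulo 2^32 */
}

/* Hardened pattern: prove each multiplication fits in size_t before doing it,
 * and cap the result at a policy limit (max_bytes, an assumed parameter) so
 * absurd dimensions are refused even on 64-bit hosts where size_t would not wrap. */
static int checked_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp,
                               size_t max_bytes, size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return 0;                        /* degenerate dimensions: reject */
    if ((size_t)width > SIZE_MAX / height)
        return 0;                        /* width * height would overflow */
    size_t area = (size_t)width * height;
    if (area > SIZE_MAX / bpp)
        return 0;                        /* area * bpp would overflow */
    if (area * bpp > max_bytes)
        return 0;                        /* larger than policy allows */
    *out = area * bpp;
    return 1;
}

/* Allocate the pixel buffer only when its size is exact; returns NULL (and
 * *bytes_out = 0) on overflow so the caller aborts instead of decoding. */
static unsigned char *alloc_pixels(uint32_t width, uint32_t height, uint32_t bpp,
                                   size_t max_bytes, size_t *bytes_out)
{
    *bytes_out = 0;
    if (!checked_pixel_bytes(width, height, bpp, max_bytes, bytes_out))
        return NULL;
    return malloc(*bytes_out);
}
```

Every later write into the buffer must then be bounded by the returned byte count rather than by values recomputed from the header.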
Comment 3 Alexis Ballier gentoo-dev 2009-11-25 17:10:53 UTC
3.0.2 in tree with the Debian patch; I'll let you handle rekeywording due to the new build dep (ocaml-autoconf) and stabling.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2009-11-26 17:23:19 UTC
Arches, please test and mark stable:
=dev-ml/ocaml-autoconf-1.1
=dev-ml/camlimages-3.0.2
Target keywords : "ppc x86"
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-27 08:56:33 UTC
in camlimages:

ocamlc.opt -warn-error A -annot  -I /usr/lib/ocaml/lablgtk2 -o info.cmi -c info.mli
ocamlc.opt: unknown option `-annot'.
Usage: ocamlc <options> <files>
Options are:

Portage 2.1.6.13 (default/linux/x86/10.0/desktop, gcc-4.3.4, glibc-2.9_p20081201-r2, 2.6.31-gentoo-r6 i686)
Comment 6 Alexis Ballier gentoo-dev 2009-11-27 09:06:57 UTC
(In reply to comment #5)
> in camlimages:
> 
> ocamlc.opt -warn-error A -annot  -I /usr/lib/ocaml/lablgtk2 -o info.cmi -c
> info.mli
> ocamlc.opt: unknown option `-annot'.
> Usage: ocamlc <options> <files>
> Options are:


And it fails? What's the OCaml version?
Comment 7 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-27 09:15:53 UTC
It fails, yes.

The Objective Caml toplevel, version 3.10.2
Comment 8 Alexis Ballier gentoo-dev 2009-11-27 09:28:25 UTC
(In reply to comment #7)
> It fails, yes.
> 
> The Objective Caml toplevel, version 3.10.2

Yep, thanks. The -annot option appeared in 3.11 but is not useful for packages, hence I added a patch that removes that flag.
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-27 12:21:11 UTC
This happens when compiling active-dvi (rdep of camlimages), and it is a regression.

/usr/bin/ocamlopt.opt -o advi \
                 -I /usr/lib/ocaml/lablgtk2 -I /usr/lib/ocaml -I /usr/lib/ocaml/site-packages/camlimages \
                events.o grwm.o grY11.o lablgtk.cmxa graphics.cmxa camlimages.cmxa unix.cmxa str.cmxa config.cmx misc.cmx timeout.cmx ageometry.cmx options.cmx rc.cmx userfile.cmx graphicsY11.cmx global_options.cmx busy.cmx gradient.cmx gterm.cmx launch.cmx dvicolor.cmx shot.cmx laser_pointer.cmx symbol.cmx input.cmx table.cmx pkfont.cmx ttfont.cmx jfm.cmx search.cmx font.cmx glyph.cmx devfont.cmx units.cmx dimension.cmx dvi.cmx drawimage.cmx gs.cmx transimpl.cmx embed.cmx grdev.cmx addons.cmx scratch.cmx cdvi.cmx driver.cmx thumbnails.cmx dviview.cmx main.cmx -cclib -lXinerama
Files units.cmx and /usr/lib/ocaml/site-packages/camlimages/camlimages.cmxa
both define a module named Units
make[2]: *** [advi] Error 2
make[2]: Leaving directory `/var/tmp/portage/app-text/active-dvi-1.7.3-r1/work/advi-1.7.3/src'
make[1]: *** [all] Error 2
make[1]: Leaving directory `/var/tmp/portage/app-text/active-dvi-1.7.3-r1/work/advi-1.7.3/src'
make: *** [all-recursive] Error 1
Comment 10 Alexis Ballier gentoo-dev 2009-11-27 12:27:21 UTC
This should be fixed with active-dvi 1.8; could you please check if it can go stable too?
Comment 11 Christian Faulhammer (RETIRED) gentoo-dev 2009-11-27 12:44:38 UTC
x86 stable
Comment 12 Brent Baude (RETIRED) gentoo-dev 2010-04-15 14:48:02 UTC
ppc done
Comment 13 Tomás Touceda (RETIRED) gentoo-dev 2010-04-15 15:05:29 UTC
All arches done, GLSA request filed according to the Gentoo Linux Vulnerability Treatment Policy.
Comment 14 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2010-06-01 15:44:36 UTC
GLSA 201006-02