Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 307525 - <media-gfx/splashutils- statically links to vulnerable jpeg and freetype
Summary: <media-gfx/splashutils- statically links to vulnerable jpeg and fr...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Auditing (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2010-03-02 20:08 UTC by Samuli Suominen (RETIRED)
Modified: 2014-12-12 00:30 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Samuli Suominen (RETIRED) gentoo-dev 2010-03-02 20:08:30 UTC
jpeg-6b is vuln. to CVE-2006-3005 or GLSA 200606-11. And you should also review the status of other bundled libs, here is a list:

[ .. snip .. ]




[ .. snip .. ]
Comment 1 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-02 20:17:04 UTC
spock, can you please check to see if fixing this is possible?
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2010-03-02 20:19:00 UTC
Freetype should be vulnerable to CVE-2009-0946,

Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c.
Comment 3 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-02 20:53:33 UTC
The "bundled" libpng version is vulnerable to:
- GLSA 200711-08
- GLSA 200804-15
- GLSA 200903-28
- GLSA 200906-01

>=1.2.37 is not vulnerable.
Comment 4 Michal Januszewski (RETIRED) gentoo-dev 2010-03-02 20:56:35 UTC
All of the above problems should be fixed in which I just pushed to CVS.
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-02 21:21:07 UTC
Cool, thanks for the fast fix! However, isn't it possible to make it use the system zlib/jpeg/freetype/libpng rather than download them? Or is the build system too screwed up for that?
Comment 6 Michal Januszewski (RETIRED) gentoo-dev 2010-03-02 21:26:06 UTC
(In reply to comment #5)
> Cool, thanks for the fast fix! However, isn't it possible to make it use the
> system zlib/jpeg/freetype/libpng rather than download them? Or is the build
> system too screwed up for that?

It's not a matter of the build system.  The libraries are downloaded because the kernel helper in splashutils is built against klibc and statically linked with minimal versions of libpng/libjpeg/.. built out of the downloaded sources.  This makes the kernel helper binary small and suitable for inclusion in an initramfs image.

Please note that the "bundled" libraries are only used for the kernel helper, which in turn is only used if the fbcondecor patch is active.  All other splashutils binaries, both the statically and dynamically linked ones, use system libraries only.

Comment 7 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-03 16:36:11 UTC
Okay, I understand that attack vectors are very limited, but a new issue turned up:

Please bump the ebuild again to use >=libpng-1.2.43.
Comment 8 Michal Januszewski (RETIRED) gentoo-dev 2010-03-03 20:19:33 UTC
(In reply to comment #7)

> Please bump the ebuild again to use >=libpng-1.2.43.

Done in -r2. 

Comment 9 Tobias Heinlein (RETIRED) gentoo-dev 2010-03-03 20:59:13 UTC

Arches, please test and mark stable:
Target keywords : "amd64 ppc x86"
Comment 10 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2010-03-04 08:00:21 UTC
x86 stable
Comment 11 Markus Meier gentoo-dev 2010-03-07 15:38:56 UTC
amd64 stable
Comment 12 Joe Jezak (RETIRED) gentoo-dev 2010-03-09 22:11:15 UTC
Marked ppc stable.
Comment 13 Tim Sammut (RETIRED) gentoo-dev 2011-01-02 04:14:30 UTC
Add to existing GLSA request.
Comment 14 Pacho Ramos gentoo-dev 2013-06-16 17:37:01 UTC
security, ping
Comment 15 Sean Amoss (RETIRED) gentoo-dev Security 2014-12-12 00:30:07 UTC
This issue was resolved and addressed in
 GLSA 201412-08 at
by GLSA coordinator Sean Amoss (ackle).