Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 61619 - media-gfx/xv: multiple buffer overflows
Summary: media-gfx/xv: multiple buffer overflows
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: B2 [glsa] condordes
Keywords:
Depends on:
Blocks:
 
Reported: 2004-08-25 04:30 UTC by Carsten Lohrke (RETIRED)
Modified: 2011-10-30 22:38 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
fix security issues reported (xv-3.10a-validation.diff,2.75 KB, patch)
2004-08-31 16:16 UTC, Tavis Ormandy (RETIRED)
no flags Details | Diff
Suse's security patch (xv-3.10a-security.patch,3.98 KB, patch)
2004-09-02 07:29 UTC, Tom Lynema
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Carsten Lohrke (RETIRED) gentoo-dev 2004-08-25 04:30:59 UTC
there are at least 5 exploitable buffer and heap overflows in the image handling
code. this allows someone to craft a malicious image, trick a user into viewing
the file in xv, and upon viewing that image execute arbitrary code under
privileges of the user viewing image. note the AT LEAST part of the above
sentence. there is such a plethora of bad code that I just stopped reading
after a while. there are at least 100 calls to sprintf() and strcpy() with no
regards for bounds of buffers. 95% of these deal with program arguments or
filenames, so they are of no interest to exploit. however I just got sick of
reading this code after not too long. so im sure there are still other
overflows in the image handling code for other image types.


Sounds like it would be better to hard mask xv in general...
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-25 04:50:18 UTC
The poster <infamous41md hotpop com> has previously filed bogus advisories. But we'll keep it here for reference for now.
Comment 2 Carsten Lohrke (RETIRED) gentoo-dev 2004-08-25 07:25:04 UTC
It was brought to my attention through the biggest german IT related newsticker: http://www.heise.de/newsticker/meldung/50350 Would be news, if they hoaxed their readers. :-/
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-25 12:03:37 UTC
This is confirmed by condordes. No known fix available.
Comment 4 Joshua J. Berry (CondorDes) (RETIRED) gentoo-dev 2004-08-25 12:54:17 UTC
I agree with Carsten, I think we should hard mask, unless upstream comes through with a patch.

The first vulnerability in the email could lead to arbitrary code execution.  The others would probably only cause a crash (if that), at least on Linux.

If upstream doesn't come through (given the email to Bugtraq, it sounds like he might not), we would have to roll our own patch, and I don't know if it's worth the effort.  I don't think very many people use xv anymore.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-08-27 12:22:06 UTC
I suggest hard masking if no fix is found.

CC'ing usata.
Comment 6 Tavis Ormandy (RETIRED) gentoo-dev 2004-08-31 15:28:18 UTC
waah! please don't do that, I rely on xv and use it constantly.

I'll fix the bugs, they dont seem too complex, just need to add some simple validation in there.

here's one for the bug the exploit is for:

--- xv-3.10a/xvbmp.c    2004-08-31 23:26:20.711591624 +0100
+++ xv-3.10a.new/xvbmp.c        2004-08-31 23:21:48.887915104 +0100
@@ -165,6 +165,11 @@
     int i, cmaplen;
 
     cmaplen = (biClrUsed) ? biClrUsed : 1 << biBitCount;
+
+       /* sanity check user supplied value */
+       if (cmaplen > 256)
+               { bmpError(bname,"invalid colormap length"); goto ERROR; }
+
     for (i=0; i<cmaplen; i++) {
       pinfo->b[i] = getc(fp);
       pinfo->g[i] = getc(fp);

I promise I'm working on the other ones, don't hard mask it! :)
Comment 7 Tavis Ormandy (RETIRED) gentoo-dev 2004-08-31 16:16:52 UTC
Created attachment 38628 [details, diff]
fix security issues reported

Okay, I've checked the reported issues, I check for over and underflow, and
check the user value is sane according to the bitmap specs.

I can't find any iris image files to test with (it looks okay though), but pcx
and bmp both work.
Comment 8 Kurt Lieber (RETIRED) gentoo-dev 2004-08-31 16:24:31 UTC
carlo -- your thoughts?  Is this patch good enough?
Comment 9 Carsten Lohrke (RETIRED) gentoo-dev 2004-09-01 02:42:05 UTC
Kurt, I'm really only the reporter. I don't even use xv. It's your call as the security herd to decide, if Tavis patches suffice or if upstream unresponsiveness indicates, that it is better to mask the package. Don't know what's your policy in such cases.

Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2004-09-01 03:02:52 UTC
I vote for masking unless someone (taviso ?) takes over package maintenance with proper metadata.xml information.

But I think xv is widely used so doing so will probably do BS damage.

As for the patch correctness, our experts (solar, plasmaroo, ChrisWhite) should have a look and give their opinion.
Comment 11 Tavis Ormandy (RETIRED) gentoo-dev 2004-09-01 04:12:39 UTC
I'll maintain if necessary, It's definitely widely used, especially in things like ~/.mailcaps.
Comment 12 Lisa Seelye (RETIRED) gentoo-dev 2004-09-01 09:11:30 UTC
I'll help test it, I use xv fairly regularly too.
Comment 13 Thierry Carrez (RETIRED) gentoo-dev 2004-09-02 06:52:34 UTC
taviso: please proceed in taking over that package and submitting a fixed ebuild revision

lisa: when the ebuild will be in portage we'll call you to help test it :)
Comment 14 Tom Lynema 2004-09-02 07:29:33 UTC
Created attachment 38759 [details, diff]
Suse's security patch

Attached the patch from Suse's "fixed" rpm package.  Gotten from
http://www.suse.de/cgi-bin/print_page_www.pl?NPSPath=/webredesign/htdocs/en/private/download/updates/91_i386.html


Havn't tested them, but it may help.
Comment 15 Tavis Ormandy (RETIRED) gentoo-dev 2004-09-02 07:45:54 UTC
Okay, i've added suse's patch, i tested it with the supplied exploit and it prevents it from working (mine did as well, but they look like they have more clue about what they're doing:)

I've committed -r7 and removed previous vulnerable versions.

added metadata.xml with me as maintainer.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-09-02 13:37:15 UTC
Already stable.. Go GLSA go
Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-03 05:54:38 UTC
taviso congrats with the new baby;-)

GLSA 200409-07