Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 79762 - media-gfx/{xloadimage,xli}: multiple vulnerabilities
Summary: media-gfx/{xloadimage,xli}: multiple vulnerabilities
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All All
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
Depends on:
Reported: 2005-01-27 11:48 UTC by Tavis Ormandy (RETIRED)
Modified: 2005-08-15 21:45 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tavis Ormandy (RETIRED) gentoo-dev 2005-01-27 11:48:26 UTC
xli and xloadimage use insufficient validation when parsing images, there is almost certainly a security issue waiting to be found in there somewhere that could be exploited by getting a user to display an image with one of these utilities (via gpg key photos, for example).

examples of insufficient validation:

ppm images are simple pixmap files, you can read about the format here:

values arent verified very well, so setting illegal values can cause crazy behaviour, for example:

1 1
# max_value can't be > 255 in a P6 (raw) ppm, this is illegal.
# however, this will kill xli

1 1
# will SIGFPE xli

# this causes odd behaviour in xli and xloadimage, and calls malloc(0)
0 0

# allocating huge amounts of memory seems to cause some sort of race 
# condition in xli.
9999 9999

I've also noticed return codes from libpng are sometimes ignored, I'm not sure if that's such a good idea, it will happily try to display illegal png files, I've seen it segfault after this, although i no longer have the png file that caused it or a core file...if it happens again i'll try to track it down.
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2005-02-08 06:56:29 UTC
Look at these two examples I just tried:

1073741825 4

65536 65536

both overflow the value passed to malloc, and then die trying to copy the image data past the allocated buffer. I'm confident this could lead to an attack, I've emailed the author for his opinion.
Comment 2 rob holland (RETIRED) gentoo-dev 2005-02-18 12:18:12 UTC
xli suffers from a bug fixed in xloadimage in 2001:

details here:

rob@leet ~/projects/test/xli-1.17.0 $ xli ./foo.faces 
./foo.faces is a  32x32 8-bit grayscale Faces Project image
xli: stack smashing attack in function facesLoad()
Comment 3 Tavis Ormandy (RETIRED) gentoo-dev 2005-02-18 12:53:39 UTC
There's also a quoting problem in xli's zio.c

sprintf(buf, "gunzip -c %s", name);

If a user were to use xli via ~/.mailcap or similar, someone could send a file with Content-Type set to image/jpeg and a filename like ';id 1>&2;: .Z', they could potentially execute arbitrary shell commands.


$ touch ';id 1>&2;: .Z'
$ xli ';id 1>&2;: .Z'
gunzip: compressed data not read from a terminal. Use -f to force
For help, type: gunzip -h
uid=1000(taviso) gid=100(users)
;id 1>&2;: .Z: unknown or unsupported image type

This also seems to affect xloadimage.
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2005-02-18 12:53:59 UTC
upstreamn informed.
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2005-02-23 12:45:53 UTC
any news yet?

CC'ing desktop-misc herd for xloadimage, xli is no-herd
Comment 6 Tavis Ormandy (RETIRED) gentoo-dev 2005-02-23 12:52:59 UTC
xli author responded that he's planning a new release to fix these two issues by next week.
Comment 7 Tavis Ormandy (RETIRED) gentoo-dev 2005-02-28 00:40:13 UTC
A new upstream version is available that fixes these problems:
Comment 8 Thierry Carrez (RETIRED) gentoo-dev 2005-02-28 02:56:58 UTC
This is somewhat noherd, we've got lu_zero (from graphics herd) approval to fix them.
Comment 9 Tavis Ormandy (RETIRED) gentoo-dev 2005-02-28 04:10:04 UTC
xli-1.17.0-r1 contains the fixes
Comment 10 Thierry Carrez (RETIRED) gentoo-dev 2005-02-28 05:36:05 UTC
Waiting for xloadimage to get backported fix too...
Comment 11 Tavis Ormandy (RETIRED) gentoo-dev 2005-02-28 07:47:08 UTC
media-gfx/xloadimage-4.1-r2 contains the shell meta-char escaping from xli.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2005-02-28 11:37:36 UTC
Arches, please test and mark stable :
media-gfx/xli-1.17.0-r1: x86 ppc hppa
media-gfx/xloadimage-4.1-r2: alpha amd64 arm hppa ia64 mips ppc ppc64 sparc x86 ppc-macos
Comment 13 Markus Rothe (RETIRED) gentoo-dev 2005-02-28 11:53:45 UTC
stable on ppc64
Comment 14 Jan Brinkmann (RETIRED) gentoo-dev 2005-02-28 12:08:36 UTC
stable on amd64
Comment 15 Olivier Crete (RETIRED) gentoo-dev 2005-02-28 12:57:19 UTC
x86 there
Comment 16 Gustavo Zacarias (RETIRED) gentoo-dev 2005-02-28 13:05:28 UTC
sparc stable.
Comment 17 Michael Hanselmann (hansmi) (RETIRED) gentoo-dev 2005-02-28 14:10:10 UTC
Stable on ppc.
Comment 18 Aron Griffis (RETIRED) gentoo-dev 2005-02-28 15:47:31 UTC
all set on ia64
Comment 19 Lina Pezzella (RETIRED) gentoo-dev 2005-02-28 21:04:07 UTC
Stable ppc-macos.
Comment 20 Hardave Riar (RETIRED) gentoo-dev 2005-03-01 10:01:09 UTC
xloadimage stable on mips.
Comment 21 Bryan Østergaard (RETIRED) gentoo-dev 2005-03-01 11:01:31 UTC
Alpha stable.
Comment 22 Thierry Carrez (RETIRED) gentoo-dev 2005-03-02 11:06:08 UTC
GLSA 200503-05
Comment 23 René Nussbaumer (RETIRED) gentoo-dev 2005-06-26 05:50:46 UTC
Already stable on hppa.