Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 208464 (CVE-2008-0553) - <dev-lang/tk-8.4.18-r1, <dev-util/sourcenav-5.1.4, <dev-util/insight-6.7.1-r1, <dev-perl/perl-tk-804.028-r2 (...): malformed GIF buffer overflow (CVE-2008-0553)
Summary: <dev-lang/tk-8.4.18-r1, <dev-util/sourcenav-5.1.4, <dev-util/insight-6.7.1-r1...
Status: RESOLVED FIXED
Alias: CVE-2008-0553
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://secunia.com/advisories/28784/
Whiteboard: B2 [glsa]
Keywords:
Depends on: 210326 271789
Blocks:
  Show dependency tree
 
Reported: 2008-02-01 17:58 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2014-12-12 00:20 UTC (History)
7 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
patch with testcase (tkImgGIF.patch,2.52 KB, patch)
2008-02-01 18:00 UTC, Raphael Marichez (Falco) (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-02-01 17:58:47 UTC
Hi,

a similar problem to bug 207933 (CVE-2006-4484) has been found in Tk, but it's not public yet. (it should be public today, but i've seen no public advisory yet).

Maintainers, please do not commit anything yet, but you might want to test this patch now, since it'll probably be public in a matter of hours.

--- generic/tkImgGIF.c  11 Sep 2007 18:01:45 -0000      1.24.2.5
+++ generic/tkImgGIF.c  25 Jan 2008 19:23:01 -0000
@@ -826,6 +826,12 @@
                Tcl_PosixError(interp), (char *) NULL);
        return TCL_ERROR;                              
     }
+
+    if (initialCodeSize > MAX_LWZ_BITS) {
+       Tcl_SetResult(interp, "malformed image", TCL_STATIC);
+       return TCL_ERROR;
+    }
+
     if (transparent != -1) {
        cmap[transparent][CM_RED] = 0;
        cmap[transparent][CM_GREEN] = 0;
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-02-01 18:00:07 UTC
Created attachment 142420 [details, diff]
patch with testcase
Comment 2 MATSUU Takuto (RETIRED) gentoo-dev 2008-02-04 16:32:10 UTC
dev-lang/tk-8.4.15-r2
dev-lang/tk-8.4.17
dev-lang/tk-8.5.0-r2
in cvs.
plz mark stable tk-8.4.15-r2
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-02-07 17:51:15 UTC
Public now, it's SA28784 and CVE-2008-0553

If you know about other packages actually using a vulnerable embedded code, please let us know.
Comment 4 Steve Arnold gentoo-dev 2008-02-10 22:40:06 UTC
Sourcenav patched (both versions).
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-02-11 20:39:35 UTC
Hi,

the patch is official in tk 8.5.1, you (maintainers) can include it in your ebuilds so that i can call arches one time for all these packages, and we can avoid splitting this bug into several bugs and several glsas.

Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-02-11 23:50:54 UTC
A copy of the code is also shipped by:
* sci-astronomy/ds9
* sci-visualization/paraview
* games-util/umodpack
* media-sound/rat
* sys-devel/gcc-nios2
* sys-devel/binutils-nios2

I did not check whether the code is actually used yet, hopefully someone else can.
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-02-14 15:55:22 UTC
Thanks rbu, i performed further checks. Since there are numerous affected ebuilds, if maintainers don't manifest in a reasonable time (1 week), i'll add the patch to the ebuilds myself.

dev-lang/tk compiles the vulnerable code.

dev-util/sourcenav compiles it

dev-util/insight compiles it

dev-perl/perl-tk compiles it


* sci-astronomy/ds9 compiles it

* sci-visualization/paraview only in 2.x . Not in 3.x. Latest version unaffected --> not a problem, just remove 2.x or patch 2.x

* games-util/umodpack uses it as a dependency but does not ship it

* media-sound/rat only in the latest version (3.x). No stable ebuild affected. Not sure it actually uses the code. We'll suppose so. 3.x has to be patched.

* sys-devel/gcc-nios2 didn't try to compile, but code is here

* sys-devel/binutils-nios2 didn't try to compile, but code is here
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-02-14 16:13:59 UTC
I would also like to know whether an attacker can control the GIF images that would be opened by the Tk component of the applications. If the attacker cannot entice a user to open a specially crafted GIF image with the Tk library, there is no vulnerability in your package. I don't know the mentioned package enough to say, so i need maintainers' help.
Comment 9 Sébastien Fabbro (RETIRED) gentoo-dev 2008-02-14 23:33:59 UTC
> * sci-astronomy/ds9 compiles it

fixed.
Comment 10 Markus Dittrich (RETIRED) gentoo-dev 2008-02-15 11:16:05 UTC
> * sci-visualization/paraview only in 2.x

Fixed in portage cvs via patch.

Thanks,
Markus
Comment 11 Sune Kloppenborg Jeppesen gentoo-dev 2008-02-26 20:46:50 UTC
Any news on this one?
Comment 12 Olivier Crete (RETIRED) gentoo-dev 2008-03-08 16:31:20 UTC
very very late...
dev-util/insight-6.7.1-r1 has the patch
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-07 22:55:54 UTC
falco, any news here?
Comment 14 Rajmund Klonowski 2009-02-14 23:16:55 UTC
Is it fixed yet?
Comment 15 Samuli Suominen gentoo-dev 2009-05-12 06:07:52 UTC
+  12 May 2009; Samuli Suominen <ssuominen@gentoo.org> package.mask:
+  Mask media-sound/rat for removal wrt security #208464, CVE-2008-0553.
Comment 16 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-05-29 17:10:32 UTC
+*perl-tk-804.028-r2 (29 May 2009)
+
+  29 May 2009; Alex Legler <a3li@gentoo.org> +perl-tk-804.028-r2.ebuild,
+  +files/perl-tk-CVE-2008-0553.patch:
+  Non-maintainer commit: Revbump to fix the CVE-2008-0553 security issue,
+  bug 208464.

Asked for stabilization in bug 271789
Comment 17 Alex Legler (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2009-06-11 18:22:40 UTC
perl-tk done, vulnerable ebuild removed.
Comment 18 Justin Lecher gentoo-dev 2012-11-29 15:20:57 UTC
If I see it correctly we are done here, right?
Comment 19 Sean Amoss gentoo-dev Security 2012-11-29 16:33:41 UTC
(In reply to comment #18)
> If I see it correctly we are done here, right?

Almost. It's GLSA time.
Comment 20 Mark Loeser (RETIRED) gentoo-dev 2013-02-22 23:17:17 UTC
* sys-devel/gcc-nios2
* sys-devel/binutils-nios2

These aren't in the tree anymore.  Removing toolchain
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:20:18 UTC
This issue was resolved and addressed in
 GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).