Bug 208464 (CVE-2008-0553) - <dev-lang/tk-8.4.18-r1, <dev-util/sourcenav-5.1.4, <dev-util/insight-6.7.1-r1, <dev-perl/perl-tk-804.028-r2 (...): malformed GIF buffer overflow (CVE-2008-0553)
Status: RESOLVED FIXED
Alias: CVE-2008-0553
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/28784/
Whiteboard: B2 [glsa]
Keywords:
Depends on: 210326 271789
Blocks:
Reported: 2008-02-01 17:58 UTC by Raphael Marichez (Falco) (RETIRED)
Modified: 2014-12-12 00:20 UTC (History)
Attachments
patch with testcase (tkImgGIF.patch,2.52 KB, patch)
2008-02-01 18:00 UTC, Raphael Marichez (Falco) (RETIRED)
Description Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-02-01 17:58:47 UTC
Hi,

A similar problem to bug 207933 (CVE-2006-4484) has been found in Tk, but it's not public yet. (It should be public today, but I've seen no public advisory yet.)

Maintainers, please do not commit anything yet, but you might want to test this patch now, since it'll probably be public in a matter of hours.

--- generic/tkImgGIF.c  11 Sep 2007 18:01:45 -0000      1.24.2.5
+++ generic/tkImgGIF.c  25 Jan 2008 19:23:01 -0000
@@ -826,6 +826,12 @@
                Tcl_PosixError(interp), (char *) NULL);
        return TCL_ERROR;                              
     }
+
+    if (initialCodeSize > MAX_LWZ_BITS) {
+       Tcl_SetResult(interp, "malformed image", TCL_STATIC);
+       return TCL_ERROR;
+    }
+
     if (transparent != -1) {
        cmap[transparent][CM_RED] = 0;
        cmap[transparent][CM_GREEN] = 0;
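Review bot: the guard at the top of this hunk bounds initialCodeSize only from above, against MAX_LWZ_BITS, and carries no comment saying why that constant is the limit; a one-line note that MAX_LWZ_BITS is the code width the decoder's LZW tables are sized for would record that exceeding it is an out-of-bounds problem, not merely a format error. The hunk as shown still accepts 0 and 1, which the GIF89a specification does not allow as a minimum LZW code size (it is 2 or more); if the decoder relies on that lower limit it can be rejected in the same test, e.g. `if (initialCodeSize < 2 || initialCodeSize > MAX_LWZ_BITS)`. Returning before the cmap[transparent] writes that follow is the right placement, since the error path then runs before the rest of the image setup.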
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-02-01 18:00:07 UTC
Created attachment 142420 [details, diff]
patch with testcase
Comment 2 MATSUU Takuto (RETIRED) gentoo-dev 2008-02-04 16:32:10 UTC
dev-lang/tk-8.4.15-r2
dev-lang/tk-8.4.17
dev-lang/tk-8.5.0-r2
in cvs.
Please mark tk-8.4.15-r2 stable.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-02-07 17:51:15 UTC
Public now, it's SA28784 and CVE-2008-0553

If you know about other packages actually using a vulnerable embedded code, please let us know.
Comment 4 Steve Arnold archtester gentoo-dev 2008-02-10 22:40:06 UTC
Sourcenav patched (both versions).
Comment 5 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-02-11 20:39:35 UTC
Hi,

The patch is official in Tk 8.5.1; you (maintainers) can include it in your ebuilds so that I can call arches once for all these packages, and we can avoid splitting this bug into several bugs and several GLSAs.

Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-02-11 23:50:54 UTC
A copy of the code is also shipped by:
* sci-astronomy/ds9
* sci-visualization/paraview
* games-util/umodpack
* media-sound/rat
* sys-devel/gcc-nios2
* sys-devel/binutils-nios2

I did not check whether the code is actually used yet, hopefully someone else can.
Comment 7 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-02-14 15:55:22 UTC
Thanks rbu, I performed further checks. Since there are numerous affected ebuilds, if maintainers don't respond in a reasonable time (1 week), I'll add the patch to the ebuilds myself.

dev-lang/tk compiles the vulnerable code.

dev-util/sourcenav compiles it

dev-util/insight compiles it

dev-perl/perl-tk compiles it


* sci-astronomy/ds9 compiles it

* sci-visualization/paraview only in 2.x, not in 3.x. Latest version unaffected, so not a problem: just remove 2.x or patch 2.x.

* games-util/umodpack uses it as a dependency but does not ship it

* media-sound/rat only in the latest version (3.x). No stable ebuild affected. Not sure it actually uses the code. We'll suppose so. 3.x has to be patched.

* sys-devel/gcc-nios2: I didn't try to compile it, but the code is there.

* sys-devel/binutils-nios2: I didn't try to compile it, but the code is there.
Comment 8 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2008-02-14 16:13:59 UTC
I would also like to know whether an attacker can control the GIF images that would be opened by the Tk component of the applications. If the attacker cannot entice a user to open a specially crafted GIF image with the Tk library, there is no vulnerability in your package. I don't know the mentioned packages well enough to say, so I need maintainers' help.
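The patch in the description rejects an LZW minimum code size larger than MAX_LWZ_BITS as soon as it is read from the image descriptor, and comment 8 asks whether attacker-supplied GIFs reach that code path at all. What follows is an added example, not Tk's code and not anything attached to this bug: a standalone C walker over a GIF byte stream that finds the first image descriptor and applies the same bound before a decoder could size its string tables from the value. It assumes MAX_LWZ_BITS is 12, the value used by the giftoppm-derived decoders, and the 1x1 GIF it checks is constructed inline for the example. A crafted file differs from a benign one only in that single byte, which is what a triage check for comment 8's question would look for in the files a package hands to Tk.

```c
/*
 * Added example (not Tk code): walk a GIF byte stream to the first image
 * descriptor and validate the LZW minimum code size before a decoder would
 * size its string tables from it.  Assumption: MAX_LWZ_BITS is 12, as in the
 * giftoppm-derived decoders.  The sample GIF below is constructed here.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_LWZ_BITS 12   /* widest LZW code the decoder tables are sized for */

enum gif_status {
    GIF_OK = 0,
    GIF_TRUNCATED,      /* ran off the end of the buffer */
    GIF_BAD_SIGNATURE,  /* not GIF87a/GIF89a, or an unknown block type */
    GIF_NO_IMAGE,       /* trailer reached before any image descriptor */
    GIF_BAD_CODE_SIZE   /* LZW minimum code size exceeds MAX_LWZ_BITS */
};

/* bit 7: color table present; bits 0-2: size field, 2^(n+1) RGB entries */
static size_t color_table_bytes(uint8_t flags)
{
    return (flags & 0x80) ? 3u * (1u << ((flags & 0x07) + 1)) : 0;
}

/* On GIF_OK or GIF_BAD_CODE_SIZE the code-size byte found is stored in
 * *code_size_out (if non-NULL), so callers can report the offending value. */
int gif_check_first_image(const uint8_t *buf, size_t len, int *code_size_out)
{
    size_t pos;

    if (len < 6) return GIF_TRUNCATED;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return GIF_BAD_SIGNATURE;
    if (len < 13) return GIF_TRUNCATED;        /* logical screen descriptor */

    pos = 13 + color_table_bytes(buf[10]);     /* skip global color table */
    if (pos > len) return GIF_TRUNCATED;

    for (;;) {
        uint8_t block, sub;

        if (pos >= len) return GIF_TRUNCATED;
        block = buf[pos++];
        if (block == 0x3B) return GIF_NO_IMAGE;   /* trailer */

        if (block == 0x21) {                      /* extension: label + sub-blocks */
            if (pos >= len) return GIF_TRUNCATED;
            pos++;                                /* label byte */
            do {
                if (pos >= len) return GIF_TRUNCATED;
                sub = buf[pos++];
                if (sub > len - pos) return GIF_TRUNCATED;
                pos += sub;
            } while (sub != 0);
            continue;
        }

        if (block != 0x2C) return GIF_BAD_SIGNATURE;  /* image separator expected */

        /* image descriptor: left, top, width, height (u16 each) + flags byte */
        if (len - pos < 9) return GIF_TRUNCATED;
        pos += 9 + color_table_bytes(buf[pos + 8]);  /* skip local color table */
        if (pos >= len) return GIF_TRUNCATED;

        /* This is the byte tkImgGIF.c reads into initialCodeSize. */
        if (code_size_out) *code_size_out = buf[pos];
        return buf[pos] > MAX_LWZ_BITS ? GIF_BAD_CODE_SIZE : GIF_OK;
    }
}

/* Constructed 1x1 GIF89a (two-entry palette, one comment extension) whose
 * LZW minimum code size byte is chosen by the caller.  Returns the length. */
size_t build_sample_gif(uint8_t lzw_min_code_size, uint8_t out[64])
{
    static const uint8_t head[] = {
        'G','I','F','8','9','a',
        0x01,0x00, 0x01,0x00,               /* logical screen 1x1 */
        0x80, 0x00, 0x00,                   /* GCT present (2 entries); bg; aspect */
        0x00,0x00,0x00, 0xFF,0xFF,0xFF,     /* palette: black, white */
        0x21,0xFE, 0x03,'b','u','g', 0x00,  /* comment extension "bug" */
        0x2C, 0x00,0x00, 0x00,0x00, 0x01,0x00, 0x01,0x00, 0x00  /* image descriptor */
    };
    static const uint8_t tail[] = { 0x02, 0x44, 0x01, 0x00, 0x3B }; /* data, trailer */
    size_t n = sizeof head;
    memcpy(out, head, sizeof head);
    out[n++] = lzw_min_code_size;
    memcpy(out + n, tail, sizeof tail);
    return n + sizeof tail;
}

/* Build the sample with the given code-size byte, optionally truncate it
 * (truncate_to == 0 keeps the whole file), and run the check. */
int check_sample(uint8_t lzw_min_code_size, size_t truncate_to, int *code_size_out)
{
    uint8_t buf[64];
    size_t n = build_sample_gif(lzw_min_code_size, buf);
    if (truncate_to && truncate_to < n) n = truncate_to;
    return gif_check_first_image(buf, n, code_size_out);
}

int main(void)
{
    int cs = 0, st;
    st = check_sample(0x02, 0, &cs);
    printf("benign   : status %d, code size %d\n", st, cs);
    st = check_sample(0xFF, 0, &cs);
    printf("crafted  : status %d, code size %d\n", st, cs);
    st = check_sample(0x02, 20, NULL);
    printf("truncated: status %d\n", st);
    return 0;
}
```

The walker stops at the first image descriptor because that is the earliest point a decoder commits to a table size; a stricter version would also reject a code size below 2, which the GIF89a specification does not permit and which the patch above does not test for.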
Comment 9 Sébastien Fabbro (RETIRED) gentoo-dev 2008-02-14 23:33:59 UTC
> * sci-astronomy/ds9 compiles it

fixed.
Comment 10 Markus Dittrich (RETIRED) gentoo-dev 2008-02-15 11:16:05 UTC
> * sci-visualization/paraview only in 2.x

Fixed in portage cvs via patch.

Thanks,
Markus
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-26 20:46:50 UTC
Any news on this one?
Comment 12 Olivier Crete (RETIRED) gentoo-dev 2008-03-08 16:31:20 UTC
very very late...
dev-util/insight-6.7.1-r1 has the patch
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-05-07 22:55:54 UTC
falco, any news here?
Comment 14 Rajmund Klonowski 2009-02-14 23:16:55 UTC
Is it fixed yet?
Comment 15 Samuli Suominen (RETIRED) gentoo-dev 2009-05-12 06:07:52 UTC
+  12 May 2009; Samuli Suominen <ssuominen@gentoo.org> package.mask:
+  Mask media-sound/rat for removal wrt security #208464, CVE-2008-0553.
Comment 16 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-05-29 17:10:32 UTC
+*perl-tk-804.028-r2 (29 May 2009)
+
+  29 May 2009; Alex Legler <a3li@gentoo.org> +perl-tk-804.028-r2.ebuild,
+  +files/perl-tk-CVE-2008-0553.patch:
+  Non-maintainer commit: Revbump to fix the CVE-2008-0553 security issue,
+  bug 208464.

Asked for stabilization in bug 271789
Comment 17 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-11 18:22:40 UTC
perl-tk done, vulnerable ebuild removed.
Comment 18 Justin Lecher (RETIRED) gentoo-dev 2012-11-29 15:20:57 UTC
If I see it correctly we are done here, right?
Comment 19 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-29 16:33:41 UTC
(In reply to comment #18)
> If I see it correctly we are done here, right?

Almost. It's GLSA time.
Comment 20 Mark Loeser (RETIRED) gentoo-dev 2013-02-22 23:17:17 UTC
* sys-devel/gcc-nios2
* sys-devel/binutils-nios2

These aren't in the tree anymore. Removing toolchain.
Comment 21 GLSAMaker/CVETool Bot gentoo-dev 2014-12-12 00:20:18 UTC
This issue was resolved and addressed in
 GLSA 201412-08 at http://security.gentoo.org/glsa/glsa-201412-08.xml
by GLSA coordinator Sean Amoss (ackle).