Bug 275397 (CVE-2009-2688) - <app-editors/xemacs-21.4.22-r1: Multiple Image Processing Integer Overflows (CVE-2009-2688)
Status: RESOLVED FIXED
Alias: CVE-2009-2688
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://secunia.com/advisories/35348/
Whiteboard: B2 [glsa]
 
Reported: 2009-06-25 13:41 UTC by Alex Legler (RETIRED)
Modified: 2010-06-03 14:08 UTC (History)

Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-25 13:41:13 UTC
Tielei Wang has discovered some vulnerabilities in XEmacs, which can
be exploited by malicious people to potentially compromise a user's
system.

1) An integer overflow error within the "tiff_instantiate()" function
in glyphs-eimage.c can be exploited to cause a heap-based buffer
overflow via a specially crafted TIFF file.

2) An integer overflow error within the "png_instantiate()" function
in glyphs-eimage.c can be exploited to cause a heap-based buffer
overflow via a specially crafted PNG file.

3) An integer overflow error within the "jpeg_instantiate()" function
in glyphs-eimage.c can be exploited to cause a heap-based buffer
overflow via a specially crafted JPEG file.

Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.
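
The report does not show the affected code in glyphs-eimage.c. As an added example (not XEmacs or Gentoo code), the following C program shows the bug class the advisory names: a buffer size computed from image header fields wraps in 32-bit arithmetic, and a checked computation rejects the same input. The function names, the 3-bytes-per-pixel layout and the 256 MiB cap are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed policy cap on one decoded image; hypothetical value. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* Bug class: size computed in 32-bit arithmetic from header fields.
 * The product wraps modulo 2^32, so the result can be far too small. */
static uint32_t rgb_size_unchecked(uint32_t width, uint32_t height)
{
    return width * height * 3u;
}

/* Hardened form: reject zero or oversized dimensions before multiplying.
 * Returns 0 and stores the byte count in *out, or -1 on rejection. */
static int rgb_size_checked(uint32_t width, uint32_t height, size_t *out)
{
    const size_t max_pixels = MAX_IMAGE_BYTES / 3;

    if (width == 0 || height == 0)
        return -1;
    if ((size_t)width > max_pixels / height)   /* division cannot overflow */
        return -1;
    *out = (size_t)width * height * 3;         /* <= MAX_IMAGE_BYTES here */
    return 0;
}

/* Allocate the pixel buffer only when the size is known to be sane. */
static unsigned char *alloc_rgb(uint32_t width, uint32_t height)
{
    size_t n;
    return rgb_size_checked(width, height, &n) == 0 ? malloc(n) : NULL;
}

int main(void)
{
    /* Constructed header values, not taken from any real file. */
    uint32_t w = 0x55555556u, h = 1;
    unsigned char *buf = alloc_rgb(w, h);

    printf("unchecked size: %u bytes for %u pixels\n",
           (unsigned)rgb_size_unchecked(w, h), (unsigned)w);
    printf("checked alloc: %s\n", buf ? "allocated" : "rejected");
    free(buf);
    return 0;
}
```

A decoder that allocates the unchecked size and then writes one row of pixels per scanline overruns the heap buffer, which is the outcome the advisory describes for all three image formats.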
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-06-25 13:46:20 UTC
Fauli confirmed the issue is non-existent in emacs.
Comment 2 Hans de Graaff gentoo-dev Security 2009-06-25 14:59:27 UTC
Filed upstream as: http://tracker.xemacs.org/XEmacs/its/issue534
Comment 3 Hans de Graaff gentoo-dev Security 2009-07-04 08:16:40 UTC
Upstream is aware of this and working on a patch. However, their viewpoint on this is that this is not really a security bug.
Comment 4 Hans de Graaff gentoo-dev Security 2009-07-06 20:24:05 UTC
I've just added xemacs-21.4.22-r1 to the tree which contains upstream's patch for this. Only lightly tested right now. My suggestion is to leave this in the tree for a couple of days before stabilizing it. I'm not sure if upstream will do a release shortly, and there was a bit of discussion on the patch as well.
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-07-10 11:40:11 UTC
Hans, have there been any regressions so far?
Comment 6 Hans de Graaff gentoo-dev Security 2009-07-12 07:19:52 UTC
I haven't seen problems when testing, upstream has not issued updated patches, and I don't see any activity indicating a forthcoming release, so I think we should go ahead and mark this version stable.

Comment 7 Robert Buchholz (RETIRED) gentoo-dev 2009-07-12 14:34:29 UTC
Arches, please test and mark stable:
=app-editors/xemacs-21.4.22-r1
Target keywords : "alpha amd64 hppa ppc ppc64 sparc x86"
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2009-07-12 15:18:23 UTC
Stable on alpha. 
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2009-07-14 06:36:27 UTC
x86 stable
Comment 10 Jeroen Roovers (RETIRED) gentoo-dev 2009-07-15 14:13:23 UTC
Stable for HPPA.
Comment 11 Tiago Cunha (RETIRED) gentoo-dev 2009-07-17 14:44:08 UTC
amd64/sparc stable
Comment 12 nixnut (RETIRED) gentoo-dev 2009-07-19 16:26:20 UTC
ppc stable
Comment 13 Brent Baude (RETIRED) gentoo-dev 2009-07-26 15:37:41 UTC
ppc64 done
Comment 14 Tobias Heinlein (RETIRED) gentoo-dev 2009-07-30 20:43:25 UTC
GLSA request filed.
Comment 15 Robert Buchholz (RETIRED) gentoo-dev 2009-08-07 17:20:41 UTC
CVE-2009-2688 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2688):
  Multiple integer overflows in glyphs-eimage.c in XEmacs 21.4.22, when
  running on Windows, allow remote attackers to cause a denial of
  service (crash) or execute arbitrary code via (1) the
  tiff_instantiate function processing a crafted TIFF file, (2) the
  png_instantiate function processing a crafted PNG file, and (3) the
  jpeg_instantiate function processing a crafted JPEG file, all which
  trigger a heap-based buffer overflow.  NOTE: the provenance of this
  information is unknown; the details are obtained solely from third
  party information.

Comment 16 Alex Legler (RETIRED) archtester gentoo-dev Security 2010-06-03 14:08:57 UTC
GLSA 201006-15