Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 278186 (CVE-2009-3050) - <app-text/htmldoc-1.8.27-r1 Multiple insecure calls to sscanf() (CVE-2009-3050)
Summary: <app-text/htmldoc-1.8.27-r1 Multiple insecure calls to sscanf() (CVE-2009-3050)
Status: RESOLVED FIXED
Alias: CVE-2009-3050
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal
Assignee: Gentoo Security
URL: http://www.htmldoc.org/str.php?L214
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2009-07-17 17:50 UTC by Alex Legler (RETIRED)
Modified: 2009-09-12 16:31 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
htmldoc-set_page_size.patch (htmldoc-set_page_size.patch,425 bytes, patch)
2009-07-17 18:19 UTC, Alex Legler (RETIRED)
no flags Details | Diff
Updated patch (htmldoc-sscanf-overflows.patch,1.29 KB, patch)
2009-08-01 20:38 UTC, Alex Legler (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-17 17:50:43 UTC
Original PoC (http://en.securitylab.ru/poc/extra/382563.php)
# [*] Autore: ANTHRAX666 <anthrax.the.666@gmail.com>
# [+] StackBased OverFlow In set_page_size()
# [/] EIPregister Is Raped By Us So Not Just Krash

On milw0rm ($URL)
# htmldoc 1.8.27.1 (.html) Universal Stack Overflow Exploit
# By ksa04
# j-7[at]hotmail[dot]com
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-17 17:54:35 UTC
In util.cxx:

420 set_page_size(const char *size) /* I - Page size string */
..
424   char  units[255];             /* Units string */
..
487   else if (sscanf(size, "%fx%f%s", &width, &length, units) >= 2)
Comment 2 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-17 18:19:54 UTC
Created attachment 198347 [details, diff]
htmldoc-set_page_size.patch

Quick patch that should fix this issue. Comments?
Comment 3 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-17 19:09:06 UTC
From Secunia (http://secunia.com/advisories/35780/):

Description:
ANTHRAX666 has discovered a vulnerability in HTMLDOC, which can be exploited by malicious people to compromise a vulnerable system.

The vulnerability is caused due to an unsafe call to "sscanf()" in the "set_page_size()" function in htmldoc/util.cxx. This can be exploited to cause a stack-based buffer overflow when an HTML document containing e.g. a specially crafted "MEDIA SIZE" comment is being processed.

The vulnerability is confirmed in version 1.8.27. Other versions may also be affected.
Comment 4 Vladimir Lettiev 2009-07-18 13:22:43 UTC
2 symbols are enough. units may contain values: "mm", "cm", "in" (any other value == "px")

-  else if (sscanf(size, "%fx%f%s", &width, &length, units) >= 2)
+  else if (sscanf(size, "%fx%f%2s", &width, &length, units) >= 2)
Comment 5 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-20 20:38:14 UTC
Mh, true. I have included this question in the upstream bug report.

Filed upstream as: http://www.htmldoc.org/str.php?L214
Comment 6 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-07-26 07:26:48 UTC
nion of Debian found two more insecure calls:

htmllib.cxx:
2142   if (sscanf(line, "%*s%*s%*s%*s%f%*s%*s%s", &width, glyph) != 2)

ps-pdf.cxx:
12515  if (sscanf(line, "%*s%*s%*s%*s%d%*s%*s%s", &width, glyph) != 2)

I tried to reproduce it and was able to cause a buffer overflow by supplying a crafted AFM font file with an overly long glyph name.
Comment 7 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-01 20:38:12 UTC
Created attachment 199846 [details, diff]
Updated patch
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-14 08:42:28 UTC
Upstream won't include the fix until 1.9 is released, so Carlo, please apply the patch.
Comment 9 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-16 18:22:24 UTC
Arches, please test and mark stable:
=app-text/htmldoc-1.8.27-r1
Target keywords : "alpha amd64 ia64 ppc sparc x86"
Comment 10 Christian Faulhammer (RETIRED) gentoo-dev 2009-08-17 17:41:25 UTC
x86 stable
Comment 11 nixnut (RETIRED) gentoo-dev 2009-08-23 09:31:10 UTC
ppc stable
Comment 12 Raúl Porcel (RETIRED) gentoo-dev 2009-08-25 13:49:06 UTC
alpha/ia64/sparc stable
Comment 13 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-08-26 23:44:37 UTC
23 Aug 2009; Alex Legler <a3li@gentoo.org> htmldoc-1.8.27-r1.ebuild:
amd64 stable, security bug 278186.

GLSA draft filed.
Comment 14 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-06 09:43:54 UTC
CVE-2009-3050 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3050):
  Buffer overflow in the set_page_size function in util.cxx in HTMLDOC
  1.8.27 and earlier allows context-dependent attackers to execute
  arbitrary code via a long MEDIA SIZE comment.  NOTE: it was later
  reported that there were additional vectors in htmllib.cxx and
  ps-pdf.cxx using an AFM font file with a long glyph name, but these
  vectors do not cross privilege boundaries.

Comment 15 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-12 16:31:54 UTC
GLSA 200909-12