From https://bugzilla.redhat.com/show_bug.cgi?id=871187 :

A stack-based buffer overflow flaw was reported [1] in how plib handles errors when loading 3d model files as X (Direct X), ASC, ASE, ATG, and OFF. The description of the flaw follows:

Vulnerability Details: plib is prone to a stack-based buffer overflow in the error function in ssg/ssgParser.cxx when it loads 3d model files as X (Direct X), ASC, ASE, ATG, and OFF, if a very long error message is passed to the function, in line 68:

```cpp
// Output an error
void _ssgParser::error( const char *format, ... )
{
  char msgbuff[ 255 ];
  va_list argp;
  char* msgptr = msgbuff;

  if (linenum)
  {
    msgptr += sprintf ( msgptr,"%s, line %d: ", path, linenum );
  }

  va_start( argp, format );
  vsprintf( msgptr, format, argp );   // line 68: unbounded write into msgbuff
  va_end( argp );

  ulSetError ( UL_WARNING, "%s", msgbuff ) ;
}
```

I'm unsure whether or not this was reported upstream (there are no relevant bugs, and the last commit to ssgParser.cxx [2] was five years ago).

[1] http://www.openwall.com/lists/oss-security/2012/10/29/8
[2] http://plib.svn.sourceforge.net/viewvc/plib/trunk/src/ssg/ssgParser.cxx?view=log
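As an added illustration that is not part of the bug report or of plib's own code, here is a bounds-checked rewrite of the error() routine quoted above in plain C. The parser's `path`/`linenum` members are replaced by a hypothetical `parser_ctx` struct, and `ulSetError()` is replaced by copying the result into a buffer so the outcome can be checked. Every write goes through snprintf/vsnprintf limited to the space left in the 255-byte buffer, so an over-long message is truncated instead of being written past the end of the stack frame. Whether Debian's patch takes exactly this approach is not checked here; this is one way to close the defect.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Same buffer size as the original msgbuff[255] in ssgParser.cxx. */
#define SSG_MSGBUFF_SIZE 255

/* Hypothetical stand-in for the _ssgParser members used by error(). */
typedef struct {
    const char *path;   /* file being parsed */
    int linenum;        /* current line, 0 when unknown */
} parser_ctx;

/* Captured output; in plib the text would go to ulSetError(UL_WARNING, ...). */
static char g_last_msg[SSG_MSGBUFF_SIZE];

/* Bounded replacement for _ssgParser::error().
 * Returns 1 if the message had to be truncated to fit, 0 otherwise. */
static int parser_error_safe(const parser_ctx *p, const char *format, ...)
{
    char msgbuff[SSG_MSGBUFF_SIZE];
    size_t used = 0;        /* bytes already written, excluding the NUL */
    int truncated = 0;
    int n;
    va_list argp;

    msgbuff[0] = '\0';
    if (p->linenum) {
        /* snprintf never writes past sizeof msgbuff; n is the length the
         * full prefix would have had, so n >= size means it was cut. */
        n = snprintf(msgbuff, sizeof msgbuff, "%s, line %d: ", p->path, p->linenum);
        if (n < 0) n = 0;
        if ((size_t)n >= sizeof msgbuff) {
            used = sizeof msgbuff - 1;
            truncated = 1;
        } else {
            used = (size_t)n;
        }
    }

    if (!truncated) {
        /* The original called vsprintf(msgptr, ...) here with no bound;
         * vsnprintf is limited to the space that is actually left. */
        va_start(argp, format);
        n = vsnprintf(msgbuff + used, sizeof msgbuff - used, format, argp);
        va_end(argp);
        if (n < 0) n = 0;
        if ((size_t)n >= sizeof msgbuff - used) truncated = 1;
    }

    snprintf(g_last_msg, sizeof g_last_msg, "%s", msgbuff);
    return truncated;
}

/* Feed a constructed 1023-character token name through the routine: the
 * over-long-message condition from the report. Returns the truncated flag. */
static int check_long_message(void)
{
    parser_ctx ctx = { "model.ase", 12 };   /* constructed sample values */
    char junk[1024];
    memset(junk, 'A', sizeof junk - 1);
    junk[sizeof junk - 1] = '\0';
    return parser_error_safe(&ctx, "unknown token %s", junk);
}

/* Normal-length message: must pass through unchanged. */
static int check_short_message(void)
{
    parser_ctx ctx = { "model.ase", 12 };   /* constructed sample values */
    return parser_error_safe(&ctx, "unknown token %s", "foo");
}

static size_t last_message_length(void) { return strlen(g_last_msg); }

static int last_message_starts_with(const char *prefix)
{
    return strncmp(g_last_msg, prefix, strlen(prefix)) == 0;
}

int main(void)
{
    int t = check_long_message();
    printf("long message truncated=%d, length=%zu\n", t, last_message_length());
    t = check_short_message();
    printf("short message truncated=%d: %s\n", t, g_last_msg);
    return 0;
}
```

With the constructed over-long token the result is cut to 254 characters plus the terminating NUL, and the caller is told that truncation happened; the short message comes through untouched. The truncation flag is the part worth keeping in a real fix, since a silently clipped diagnostic is better than a crash but still hides information from the person reading the log.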
CVE-2012-4552 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4552): Stack-based buffer overflow in the error function in ssg/ssgParser.cxx in PLIB 1.8.5 allows remote attackers to execute arbitrary code via a crafted 3d model file that triggers a long error message, as demonstrated by a .ase file.
plib is no longer being maintained upstream.
Created attachment 423698: Patch from Debian, extracted from https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=694810#10
Update: There's a public exploit for this vulnerability; the shellcode is for Windows, but it shouldn't be hard to use it on Linux because it is a buffer overflow. https://www.exploit-db.com/exploits/21831/
(In reply to Christopher Díaz from comment #4)
> Update:
>
> There's a public exploit for this vulnerability, the shellcode is for
> windows but it shouldn't be hard to use it on linux because is a
> bufferoverflow.
>
> https://www.exploit-db.com/exploits/21831/

There's some extra info to be considered about this bug. These are the packages that depend on this library:

games-action/tuxkart-0.4.0 (>=media-libs/plib-1.8.0)
games-action/tuxkart-0.4.0-r1 (>=media-libs/plib-1.8.0)
games-simulation/crashtest-1.1 (>=media-libs/plib-1.8.4)
games-simulation/crashtest-1.1-r1 (>=media-libs/plib-1.8.4)
games-simulation/crrcsim-0.9.13 (media-libs/plib)
games-simulation/flightgear-2016.4.4 (>=media-libs/plib-1.8.5)
games-simulation/flightgear-2017.1.2 (>=media-libs/plib-1.8.5)
games-simulation/flightgear-2017.1.3 (>=media-libs/plib-1.8.5)
games-simulation/flightgear-2017.2.1 (>=media-libs/plib-1.8.5)
games-simulation/flightgear-9999 (>=media-libs/plib-1.8.5)
games-sports/gracer-0.1.5 (media-libs/plib)
games-sports/gracer-0.1.5-r1 (media-libs/plib)
games-sports/speed-dreams-1.4.0 (>=media-libs/plib-1.8.3)
games-sports/speed-dreams-1.4.0-r1 (>=media-libs/plib-1.8.3)
games-sports/stormbaancoureur-2.1.6 (>=media-libs/plib-1.8.4)
games-sports/stormbaancoureur-2.1.6-r1 (>=media-libs/plib-1.8.4)
games-sports/torcs-1.3.6 (>=media-libs/plib-1.8.5)
games-sports/torcs-1.3.6-r1 (>=media-libs/plib-1.8.5)
games-util/atlas-0.5.1_beta_pre20160907 (media-libs/plib)

And since there is no more maintenance from upstream, and probably no more patches are going to be released, maybe we should consider applying Debian's patch or masking all of them.
This was fixed a long time ago via commit https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2c3350ada353ca2c523210909a4fea07fcc5a10 (notice that Michael Sterrett picked the wrong file name "CVE-2011-4552" instead of "CVE-2012-4552"). The fixed version is already stable; the repository is clean.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=539747730dbc4f08b16985be312e13acd20f8f3d

```
commit 539747730dbc4f08b16985be312e13acd20f8f3d
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2018-02-23 21:45:01 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2018-02-23 21:52:33 +0000

    media-libs/plib: Fix patch naming

    It is "CVE-2012-4552", not "CVE-2011-4552".

    Bug: https://bugs.gentoo.org/440762
    Package-Manager: Portage-2.3.24, Repoman-2.3.6

 ...lib-1.8.5-CVE-2011-4552.patch => plib-1.8.5-CVE-2012-4552.patch} | 0
 media-libs/plib/plib-1.8.5-r1.ebuild                                 | 6 +++---
 2 files changed, 3 insertions(+), 3 deletions(-)
```
GLSA request filed
This issue was resolved and addressed in GLSA 201803-13 at https://security.gentoo.org/glsa/201803-13 by GLSA coordinator Aaron Bauman (b-man).