Bug 510472 (CVE-2014-2977, CVE-2014-2978) - <dev-libs/DirectFB-1.7.5: two vulnerabilities (CVE-2014-{2977,2978})
Summary: <dev-libs/DirectFB-1.7.5: two vulnerabilities (CVE-2014-{2977,2978})
Status: RESOLVED FIXED
Alias: CVE-2014-2977, CVE-2014-2978
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
Duplicates: 601028

Reported: 2014-05-16 09:42 UTC by Agostino Sarubbo
Modified: 2017-07-16 00:55 UTC

Package list:
=dev-libs/DirectFB-1.7.6
Runtime testing required: ---
kensington: sanity-check+


Description Agostino Sarubbo gentoo-dev 2014-05-16 09:42:16 UTC
From http://www.openwall.com/lists/oss-security/2014/05/15/9:

[CVE-2014-2977] DirectFB integer signedness vulnerability
________________________________________________________________________
Summary:
DirectFB is prone to an integer signedness vulnerability since
version 1.4.13.

The vulnerability can be triggered remotely without authentication
through Voodoo interface (network layer of DirectFB).
________________________________________________________________________
Details:
 This integer coercion error may lead to a stack overflow.
________________________________________________________________________
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
________________________________________________________________________
Disclosure Timeline:
2014-03-27 Developer notified
2014-04-21 CVE-2014-2977 assigned
2014-05-16 Public advisory
________________________________________________________________________
References:
http://www.directfb.org/
http://mail.directfb.org/pipermail/directfb-dev/2014-March/006805.html
________________________________________________________________________


From http://www.openwall.com/lists/oss-security/2014/05/15/10:

[CVE-2014-2978] DirectFB remote out-of-bounds write vulnerability
________________________________________________________________________
Summary:
DirectFB is prone to an out-of-bound write vulnerability since version
1.4.4.

The vulnerability can be triggered remotely without authentication
through Voodoo interface (network layer of DirectFB).
________________________________________________________________________
Details:
An attacker can choose to overflow in the heap or the stack.
________________________________________________________________________
CVSS Version 2 Metrics:
Access Vector: Network exploitable
Access Complexity: Low
Authentication: None
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
________________________________________________________________________
Disclosure Timeline:
2014-03-27 Developer notified
2014-04-21 CVE-2014-2978 assigned
2014-05-16 Public advisory
________________________________________________________________________
References:
http://www.directfb.org/
http://mail.directfb.org/pipermail/directfb-dev/2014-March/006805.html
________________________________________________________________________


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Julian Ospald 2014-05-16 12:50:09 UTC
directfb is a bitchy package... I'd rather go for backporting the fixes and stabilizing 1.4.9-r2

but the only one who actually uses it seems to be vapier...
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2014-10-14 21:49:58 UTC
CVE-2014-2978 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2978):
  The Dispatch_Write function in
  proxy/dispatcher/idirectfbsurface_dispatcher.c in DirectFB 1.4.4 allows
  remote attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via the Voodoo interface, which triggers an out-of-bounds
  write.

CVE-2014-2977 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2014-2977):
  Multiple integer signedness errors in the Dispatch_Write function in
  proxy/dispatcher/idirectfbsurface_dispatcher.c in DirectFB 1.4.13 allow
  remote attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via the Voodoo interface, which triggers a stack-based buffer
  overflow.
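
The class of flaw named in the CVE-2014-2977 entry above, as an added illustration that is not DirectFB code and not part of the original bug report: the message layout, `BUF_SIZE` and every function name are hypothetical. It shows why a signed upper-bound check alone admits a negative length, next to a handler that rejects it before converting to `size_t`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* hypothetical fixed-size destination buffer */

/* Hypothetical wire message; NOT DirectFB's Voodoo format. */
typedef struct {
    int32_t        length;   /* sender-controlled, signed on the wire */
    const uint8_t *payload;
} msg_t;

/* Flawed pattern: a signed comparison bounds the length only from above. */
static int flawed_length_ok(int32_t length) {
    return length <= BUF_SIZE;           /* -1 <= 64 is true */
}

/* The size memcpy() would then receive: the signed value as size_t. */
static size_t as_copy_size(int32_t length) {
    return (size_t)length;               /* -1 becomes SIZE_MAX */
}

/* Hardened handler: reject negatives before conversion, then bound the
 * count by both the destination size and the bytes actually received.
 * Returns the number of bytes copied, or -1 if the message is rejected. */
static int handle_write(const msg_t *m, size_t received,
                        uint8_t *out, size_t out_size) {
    if (m->length < 0)
        return -1;
    size_t n = (size_t)m->length;
    if (n > out_size || n > received)
        return -1;
    memcpy(out, m->payload, n);
    return (int)n;
}

int main(void) {
    const uint8_t data[4] = { 'a', 'b', 'c', 'd' };   /* constructed input */
    uint8_t out[BUF_SIZE];
    msg_t bad  = { -1, data };
    msg_t good = { 4, data };
    printf("flawed check accepts -1: %d, copy size: %zu\n",
           flawed_length_ok(bad.length), as_copy_size(bad.length));
    printf("hardened: bad=%d good=%d\n",
           handle_write(&bad, sizeof data, out, sizeof out),
           handle_write(&good, sizeof data, out, sizeof out));
    return 0;
}
```
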
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2016-11-22 13:05:36 UTC
@ Arches,

please test and mark stable: =dev-libs/DirectFB-1.7.6
Comment 5 Tobias Klausmann (RETIRED) gentoo-dev 2016-11-23 09:21:21 UTC
Stable on alpha.
Comment 6 Agostino Sarubbo gentoo-dev 2016-11-25 18:28:17 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2016-11-25 18:55:06 UTC
x86 stable
Comment 8 Markus Meier gentoo-dev 2016-11-29 17:30:49 UTC
arm stable
Comment 9 Pacho Ramos gentoo-dev 2016-12-05 18:58:11 UTC
*** Bug 601028 has been marked as a duplicate of this bug. ***
Comment 10 Agostino Sarubbo gentoo-dev 2017-01-01 12:44:24 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2017-01-03 10:39:13 UTC
ppc64 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2017-01-15 19:42:38 UTC
Stable for HPPA.
Comment 13 Agostino Sarubbo gentoo-dev 2017-01-17 14:25:13 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 14 Markus Meier gentoo-dev 2017-01-17 17:19:48 UTC
vulnerable versions removed.
Comment 15 Aaron Bauman (RETIRED) gentoo-dev 2017-01-18 08:11:44 UTC
GLSA request filed.
Comment 16 Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-18 10:54:19 UTC
(In reply to Markus Meier from comment #14)
> vulnerable versions removed.

I had to revert the removal of =dev-libs/DirectFB-1.4.9-r1 (fa0999c97caa29cbcbf0bb95cea7d769afeb0ec0) which is still needed for =media-libs/FusionSound-1.1.1-r1 (334b90c2fa85adcf5c2f4cbbd046d9cc24d1f248) to fix the Gentoo repository.

A removal bug for media-libs/FusionSound was created as bug 606194.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2017-01-23 03:39:06 UTC
This issue was resolved and addressed in
 GLSA 201701-55 at https://security.gentoo.org/glsa/201701-55
by GLSA coordinator Aaron Bauman (b-man).
Comment 18 Aaron Bauman (RETIRED) gentoo-dev 2017-01-23 03:39:49 UTC
Re-opened for cleanup.
Comment 19 Yury German Gentoo Infrastructure gentoo-dev 2017-06-03 05:36:44 UTC
FusionSound no longer in tree. Please clean up.