Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 580038 (CVE-2016-4024) - <media-libs/imlib2-1.4.9: integer overflow resulting in insufficient heap allocation (CVE-2016-4024)
Summary: <media-libs/imlib2-1.4.9: integer overflow resulting in insufficient heap all...
Status: RESOLVED FIXED
Alias: CVE-2016-4024
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://git.enlightenment.org/legacy/...
Whiteboard: B2 [glsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2016-04-15 06:53 UTC by Agostino Sarubbo
Modified: 2016-11-20 22:09 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-04-15 06:53:38 UTC
From ${URL} :

IMAGE_DIMENSIONS_OK ensures that image width and height are less then
46340, so that maximum number of pixels is ~2**31.

Unfortunately, there are a lot of code that allocates image data with
something like

   malloc(w * h * sizeof(DATA32));

Obviously, on 32-bit machines this results in integer overflow,
insufficient heap allocation, with [massive] out-of-bounds heap
overwrite.
Either X_MAX should be reduced to 32767, or (w)*(h) should be checked to
not exceed ULONG_MAX/sizeof(DATA32).

Security implications:
*) for 32-bit machines: insufficient heap allocation and heap overwrite
in many image loaders, with escalation potential to remote code
execution;
*) for 64-bit machines: it seems, no impact.


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 SpanKY gentoo-dev 2016-04-16 05:30:34 UTC
there's some other fixes going on in the git repo.  probably want to just wait for 1.4.9 to roll all of them up.
Comment 2 SpanKY gentoo-dev 2016-05-11 14:02:50 UTC
1.4.9 is in the tree now.  should be fine for stable.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2016-05-13 13:53:00 UTC
Stable for PPC64.
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2016-05-14 08:13:48 UTC
Stable for HPPA.
Comment 5 Agostino Sarubbo gentoo-dev 2016-05-14 22:22:34 UTC
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2016-05-14 22:24:14 UTC
x86 stable
Comment 7 Markus Meier gentoo-dev 2016-05-17 18:33:54 UTC
arm stable
Comment 8 Tobias Klausmann gentoo-dev 2016-05-20 15:27:25 UTC
Stable on alpha.
Comment 9 Agostino Sarubbo gentoo-dev 2016-07-08 07:56:50 UTC
ppc stable
Comment 10 Agostino Sarubbo gentoo-dev 2016-07-08 10:05:22 UTC
sparc stable
Comment 11 Agostino Sarubbo gentoo-dev 2016-07-08 12:04:53 UTC
ia64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2016-11-20 06:14:54 UTC
CVE-2016-4024 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-4024):
  Integer overflow in imlib2 before 1.4.9 on 32-bit platforms allows remote
  attackers to execute arbitrary code via large dimensions in an image, which
  triggers an out-of-bounds heap memory write operation.
Comment 13 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-11-20 06:15:38 UTC
New GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2016-11-20 22:09:01 UTC
This issue was resolved and addressed in
 GLSA 201611-12 at https://security.gentoo.org/glsa/201611-12
by GLSA coordinator Aaron Bauman (b-man).