Bug 121922

Summary: VUL-0: xloadimage/xli: buffer overflow
Product: [openSUSE] SUSE Linux 10.1 Reporter: Thomas Biege <thomas>
Component: X11 ApplicationsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Stefan Dirsch <sndirsch>
Severity: Normal    
Priority: P5 - None CC: patch-request, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: CVE-2005-3178: CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: large.niff.gz

Description Thomas Biege 2005-10-10 09:39:52 UTC
this is a report about xloadimgae (which we seem not to ship) but the bugs
should also affect xli.

To: bugtraq@securityfocus.com
Subject: xloadimage buffer overflow.
Date: Wed, 5 Oct 2005 16:27:57 -0500
Importance: Normal
Envelope-To: tom@electric-sheep.org

[-- Anhang #1 --]
[-- Typ: text/plain, Kodierung: 7bit, GröÃe: 2,4K --]


While creating a stripped down version of xloadimage, I have discovered
three buffer overflows in xloadimage when handling the image title name.

Unlike most of the supported image formats in xloadimage, the NIFF image
format can store a title name of arbitrary length as part of the image file.

When xloadimage is processing a loaded image, it is creating a new Image
object and then writing the processed image to it. At that point, it will
also copy the title from the old image to the newly created image.

The 'zoom', 'reduce', and 'rotate' functions are using a fixed length buffer
to construct the new title name when an image processing is done. Since the
title name in a NIFF format is of varying length, and there are insufficient
buffer size validations, the buffer can be overflowed.

A malicious user can construct a NIFF file that when viewed and processed
(with either zoom, reduce or rotate) by xloadimage, will cause the program
to overwrite the return address and execute arbitrary code.

Proof of concept for the 'zoom' image processing bug, tested on a x86
computer running Gentoo Linux:

emerge xloadimage
xloadimage -zoom 20 small.niff                  (small.niff is attached)

This will execute '/bin/sh'.

Note: some systems may have the (/proc/sys/kernel/)randomize_va_space option
enabled, which will cause the program to crash instead of executing /bin/sh
in most cases. Using a larger NIFF file (large.niff.gz [800KB unzipped]), it
is possible to execute arbitrary code even when the random address space
option is enabled (with about 33% success rate).

The 'reduce' and 'rotate' bugs are similar, but require a slightly different
NIFF file and different ( processing options.

The bugs are in :

zoom.c, zoom() writes an arbitrarily large buffer into a 8192 bytes sized
buffer buf[].

reduce.c, reduce() writes an arbitrarily large buffer into a 8192 bytes
sized buffer buf[].

rotate.c, rotate() writes an arbitrarily large buffer into a 8192 bytes
sized buffer buf[].

The bugs discussed above exist in the latest xloadimage package that Gentoo
provides (xloadimage.4.1-r3), and the latest xloadimage source package from
debian I could find (xloadimage_4.1-14.2). I haven't tested xloadimage
packages from other sources.

I emailed jimf@centerline.com (the contact information on the help page)
more than two weeks ago, but since I've recieved no reply, I am announcing
it here.

Ariel Berkman.

[-- Anhang #2: large.niff.gz --]
Comment 1 Thomas Biege 2005-10-10 09:43:06 UTC
Created attachment 52071 [details]
Comment 2 Thomas Biege 2005-10-10 09:43:23 UTC
Created attachment 52072 [details]
Comment 3 Thomas Biege 2005-10-10 09:43:52 UTC
Candidate: CAN-2005-3178
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3178
Reference: BUGTRAQ:20051005 xloadimage buffer overflow.
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112862493918840&w=2

Buffer overflow in xloadimage 4.1 and earlier might allow
user-complicit attackers to execute arbitrary code via (1) a long
title name in a NIFF file, which triggers the overflow during (1)
zoom, (2) reduce, or (3) rotate operations.
Comment 4 Ladislav Michnovic 2005-10-10 10:00:32 UTC
I will look at it.
Comment 5 Ladislav Michnovic 2005-10-13 08:34:01 UTC
I'm not sure if this bug in xloadimage can affect xli. 
Security team : Can you please enlighten this problem?
The link http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3178  seemed to
be broken.
Comment 6 Thomas Biege 2005-10-13 10:24:04 UTC
Yes it is indeed broken. Maybe due to the database change.

Please have a look at this Debian advisory:
Debian Security Advisory DSA 859-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 10th, 2005                      http://www.debian.org/security/faq

Package        : xli
Vulnerability  : buffer overflows
Problem type   : local (remote)
Debian-specific: no
CVE ID         : CAN-2005-3178
Debian Bug     : 332524

Ariel Berkman discovered several buffer overflows in xloadimage, which
are also present in xli, a command line utility for viewing images in
X11, and could be exploited via large image titles and cause the
execution of arbitrary code.

For the old stable distribution (woody) these problems have been fixed in
version 1.17.0-11woody2.

For the stable distribution (sarge) these problems have been fixed in
version 1.17.0-18sarge1.

For the unstable distribution (sid) these problems will be fixed soon.

We recommend that you upgrade your xli package.

Upgrade Instructions

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.0 alias woody

  Source archives:

      Size/MD5 checksum:      620 0276fa4de8addea1ba22891082860983
      Size/MD5 checksum:    17956 71eaa54284c5a94cd1da8eeb84640158
      Size/MD5 checksum:   200070 504f916c9a7d062c8f856f1625634ba8

Comment 7 Ladislav Michnovic 2005-10-14 16:41:00 UTC
Many thanks for info.
This problem was already partly fixed, but not completely. Submited for STABLE.
Do we want to get this fix also for SL 10.0?
Comment 8 Thomas Biege 2005-10-17 07:08:24 UTC
Yes, for all affected versions >= SL 9.0 + SLES and derivates.
Comment 9 Ladislav Michnovic 2005-10-18 14:56:37 UTC
I have submited patched xli for these distributions:
xli  9.0-all     /work/SRC/old-versions/9.0/all/xli   /work/src/done/9.0
xli  9.1-all     /work/SRC/old-versions/9.1/all/xli   /work/src/done/9.1
xli  9.2-all     /work/SRC/old-versions/9.2/all/xli   /work/src/done/9.2
xli  9.3-all     /work/SRC/old-versions/9.3/all/xli   /work/src/done/9.3
xli  10.0-all    /work/SRC/old-versions/10.0/all/xli  /work/src/done/10.0

I assume that patchinfo and SWAMPID will provide security-team.
Comment 10 Thomas Biege 2005-10-19 15:00:55 UTC
Yes.. 'll do so. Thanks.

Comment 11 Thomas Biege 2005-10-19 15:05:55 UTC
Comment 12 Thomas Biege 2005-10-19 15:13:56 UTC
Comment 13 Marcus Meissner 2005-10-21 11:06:04 UTC
updates approved, thanks!
Comment 14 Thomas Biege 2009-10-13 21:40:20 UTC
CVE-2005-3178: CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)