Bug 59100 (CVE-2004-0788)

Summary: VUL-0: CVE-2004-0788: gtk+ XPM decoder issue
Product: [Novell Products] SUSE Security Incidents
Reporter: Sebastian Krahmer <krahmer>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: meissner, sbrabec, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2004-0788: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: The patch from vendor-sec (mclasen@redhat.com)
pixbuftest.c
Updated patch without the stray g_print()
ico.diff - fix for ico header overflow
gdk-pixbuf patch (also applies to earlier gdk-pixbuf versions)

Description Sebastian Krahmer 2004-08-23 20:14:05 UTC
Date: Mon, 23 Aug 2004 13:05:50 +0100 (BST)
From: chris@scary.beasts.org
To: vendor-sec@lst.de
Cc: otaylor@redhat.com
Subject: [vendor-sec] gtk+ XPM decoder flaws

Hi,

Details appended.
I'm not going to pick a disclosure date until
- We have fixes.
- I've had a look at some of the other gtk+ decoders; might as well batch
together any issues found into a single update.

Cheers
Chris

CESA-2004-005 - rev 1

gtk+-2.4.4 XPM image decoder parsing flaws
==========================================

Programs:          gtk+, and any programs which use gtk+ to decode XPM files.
                   For example, Evolution.
Severity:          Compromise of account used to browse malicious XPM file.
CAN identifier(s): CAN-2004-0782, CAN-2004-0783

This advisory lists code flaws discovered by inspection of the XPM parser
within the gtk+ code. Specifically, gtk+-2.4.4 was investigated.

Flaw 1. Heap-based overflow in pixbuf_create_from_xpm (io-xpm.c)
CAN-2004-0782

  name_buf = g_new (gchar, n_col * (cpp + 1));
  colors = g_new (XPMColor, n_col);

Here, n_col is an arbitrary integer value from the XPM. cpp is an integer value
ranging from 1 to 31 from the XPM. By careful choice of values of n_col and
cpp, integer overflow can occur on integer multiplication. This leads to heap
buffers being allocated that cannot hold n_col elements, so a subsequent heap
overflow occurs.

Demo XPM: http://scary.beasts.org/misc/gdk1.xpm


Flaw 2. Subtle stack-based overflow in xpm_extract_color (io-xpm.c)
CAN-2004-0783

  gint space = 128;
  gchar word[128], color[128], current_color[128];
...
      if (color[0] != '\0') {
        strcat (color, " ");
[*]     space--;
      }
      strncat (color, word, space);
      space -= MIN (space, strlen (word));

Here, an attempt is actually made to prevent overflow of the stack buffers.
However, a logic error means one of the buffers can still be made to overflow.
When "space" reaches 0, "space" can be sent to -1 by the line marked with [*],
if the color string is broken up by whitespace. When "space" is -1, the
strncat() call is effectively morphed to a strcat() call, allowing overflow of
the "color" buffer (probably into the "word" buffer, which may cause a minor
inconvenience to exploitation. Note use of the word "minor" :-)

Demo XPM: http://scary.beasts.org/misc/gdk2.xpm


CESA-2004-005 - rev 1
Chris Evans
chris@scary.beasts.org
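The two patterns the advisory describes (the unchecked `n_col * (cpp + 1)` allocation size and the `space` bookkeeping that can reach -1) in hardened form, as an added example that is neither gtk+ code nor the vendor-sec patch; the function names are hypothetical, and the size check mirrors the G_MAXSIZE comparison the later comments mention.

```c
/* Added example, not gtk+ code: hardened counterparts of the two
 * operations flagged in CESA-2004-005. Function names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Flaw 1: size of the colour-name buffer computed without wrapping.
 * cpp must be in the XPM range 1..31; n_col is rejected whenever
 * n_col * (cpp + 1) would exceed SIZE_MAX, so the allocation can never
 * be smaller than the n_col entries the parser later writes into it. */
static bool xpm_name_buf_size(long n_col, long cpp, size_t *out)
{
    if (n_col < 0 || cpp < 1 || cpp > 31)
        return false;
    size_t per_color = (size_t)cpp + 1;
    if ((size_t)n_col > SIZE_MAX / per_color)
        return false;               /* multiplication would overflow */
    *out = (size_t)n_col * per_color;
    return true;
}

/* Flaw 2: append one whitespace-separated word of a colour spec to a
 * fixed buffer of 'cap' bytes. The free space is kept as an unsigned
 * count recomputed from strlen(), so it cannot become -1, and the
 * separator is written only when there is room for it. Returns true if
 * the whole word fit, false if it was truncated (buffer stays NUL-terminated). */
static bool append_color_word(char *color, size_t cap, const char *word)
{
    size_t len = strlen(color);
    if (len >= cap)
        return false;               /* caller handed us a bad buffer */
    size_t space = cap - 1 - len;   /* bytes free, excluding the NUL */
    if (len > 0) {
        if (space == 0)
            return false;           /* not even the separator fits */
        color[len++] = ' ';
        color[len] = '\0';
        space--;
    }
    size_t wlen = strlen(word);
    size_t n = wlen < space ? wlen : space;
    memcpy(color + len, word, n);
    color[len + n] = '\0';
    return n == wlen;
}
```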
Comment 1 Sebastian Krahmer 2004-08-23 20:14:05 UTC
Comment 2 Sebastian Krahmer 2004-08-24 17:01:20 UTC
Created attachment 22861 [details]
The patch from vendor-sec (mclasen@redhat.com)

...
Comment 3 Holger Hetterich 2004-08-24 18:34:32 UTC
packages for 9.1 are available...
Comment 4 Holger Hetterich 2004-08-24 20:07:09 UTC
continuing with versions for SLES, 8.1, 8.2... 
 
gtk2.patchinfo-box: 
 
DISTRIBUTION: 8.1-i386,8.2-i386,9.0-i386,9.0-x86_64,9.1-i386,9.1-x86_64 
PACKAGE: gtk2 
PACKAGER: hhetter@suse.de 
BUGZILLA: 44100 
CATEGORY: security 
DESCRIPTION: 
This update contains a security fix for the two flaws registered 
as CAN Identifiers CAN-2004-0782, which describes a heap based 
overflow in a function of the XPM loader in GTK, and CAN-2004-0783, 
describing a stack overflow in another function of the XPM loader. 
DESCRIPTION_DE: 
Dieses Sicherheitsupdate beinhaltet einen Fix für zwei Verwundbarkeiten, 
registriert als CAN Identifiers CAN-2004-0782, welches 
einen Heap-basierten Überlauf in einer Funktion des XPM Loaders in GTK 
beschreibt, sowie CAN-2004-0783, in dem ein Stack Overflow in einer 
anderen Funktion des XPM Loaders beschrieben wird. 
 
 
Comment 5 Holger Hetterich 2004-08-24 21:28:55 UTC
now we have: 
SLES8, 8.1, SLEC, 9.1, 8.2 
 
for all <= 8.2, I had to replace G_MAXSIZE with G_MAXUINT, because it was not 
defined in older versions. 
 
going on with STABLE and NLD... 
Comment 6 Sebastian Krahmer 2004-08-24 21:30:26 UTC
Ok. Thanks. I will write a laufzettel.
Comment 7 Ludwig Nussel 2004-08-24 21:31:34 UTC
you need to take care of the gtk1 based gdk-pixbuf as well 
Comment 8 Holger Hetterich 2004-08-24 21:57:53 UTC
working on it... 
Comment 9 Holger Hetterich 2004-08-24 22:33:30 UTC
about gdk-pixbuf:  
 
apart from this part of the patch, it is completely other code, totally 
rewritten. The old xpm code has only 593 lines of code, while the xpm code in  
GTK2's gdk-pixbuf includes 1541 lines. 
 
Sebastian, can you please ask on vendor-sec, what to do about GTK-1's 
gdk-pixbuf? Before digging into this stuff, I would like to know if it's needed 
at all. 
 
 
 
       /* The hash is used for fast lookups of color from chars */ 
        color_hash = g_hash_table_new (g_str_hash, g_str_equal); 
  
-       name_buf = g_new (gchar, n_col * (cpp + 1)); 
-       colors = g_new (XPMColor, n_col); 
+       name_buf = g_try_malloc (n_col * (cpp + 1)); 
+       if (!name_buf) { 
+               g_set_error (error, 
+                            GDK_PIXBUF_ERROR, 
+                             GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY, 
+                             _("Cannot allocate memory for loading XPM 
image")) 
; 
+               g_hash_table_destroy (color_hash); 
+               return NULL; 
+       } 
+       colors = (XPMColor *) g_try_malloc (sizeof (XPMColor) * n_col); 
+       if (!colors) { 
+               g_set_error (error, 
+                            GDK_PIXBUF_ERROR, 
+                             GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY, 
+                             _("Cannot allocate memory for loading XPM 
image")) 
; 
+               g_hash_table_destroy (color_hash); 
+               g_free (name_buf); 
+               return NULL; 
+       } 
+       g_print ("n_col %d name_buf %p (%d) colors %p (%d)\n", 
+                n_col, name_buf, n_col * (cpp + 1), colors, sizeof (XPMColor) 
* 
 n_col); 
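Review bot: the debug `g_print ("n_col %d name_buf %p ...")` at the end of the hunk must not ship; it prints on every XPM load, and since gdk-pixbuf-csource writes its generated C source to stdout, the extra line ends up in the generated file and breaks the build of every package that converts XPM files this way (comment 12 reports exactly that). Separately, `name_buf = g_try_malloc (n_col * (cpp + 1));` still evaluates the product unchecked: g_try_malloc only turns a failed allocation into an error, it does nothing about a wrapped size, so the allocation needs an explicit range check of n_col against G_MAXSIZE / (cpp + 1) (G_MAXUINT on the older glib versions, as comment 5 notes) before either `g_try_malloc` call.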
 
Comment 10 Holger Hetterich 2004-08-25 17:21:55 UTC
I have submitted gtk2 for STABLE, so that NLD development can go on. 
All other packages are on hold, until I know if gdk-pixbuf from GTK1 is 
actually affected at all. Sebastian, do you know more meanwhile? 
 
Comment 11 Ludwig Nussel 2004-08-25 17:30:50 UTC
Created attachment 22897 [details]
pixbuftest.c

q&d test program for gtk1&2, it crashes on the xpm in the advisory also with
gdk-pixbuf-0.22.0 from 9.1
Comment 12 Jody Goldberg 2004-08-27 06:31:56 UTC
This patch has a bug that will break compilation of all packages that use
gdk-pixbuf-csource with xpm files.  That trailing g_print should not be there.
Comment 13 Federico Mena Quintero 2004-08-27 23:13:14 UTC
I just updated the patch in autobuild.  I'm also attaching it here, for reference.
Comment 14 Federico Mena Quintero 2004-08-27 23:14:20 UTC
Created attachment 22999 [details]
Updated patch without the stray g_print()
Comment 15 Marcus Meissner 2004-08-30 19:44:39 UTC
from vendor-sec: 
CAN-2004-0782/3     gtk+ xpm            Sep 15 1400UTC(*3)
*3: These are suggested release dates, if these are problems for anyone, you
should probably speak up.
Comment 16 Sebastian Krahmer 2004-09-06 16:20:21 UTC
CAN-2004-0804
Comment 17 Sebastian Krahmer 2004-09-06 16:22:37 UTC
Huh, don't believe my last comment, vendor-sec confused me.
The correct CANs seem to be:

CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm
CAN-2004-0783 Stack-based overflow in xpm_extract_color
CAN-2004-0788 ico loader integer overflow.

These issues go public on September 15.
Comment 18 Marcus Meissner 2004-09-06 17:08:58 UTC
Created attachment 23166 [details]
ico.diff - fix for ico header overflow
Comment 19 Marcus Meissner 2004-09-06 23:39:30 UTC
status: 
- gtk2 fixes checked in for NLD and STABLE. 
- all other not yet checked in. 
 
gdk-pixbuf is also affected, we are polling vendor-sec. 
Comment 20 Marcus Meissner 2004-09-06 23:40:51 UTC
Created attachment 23191 [details]
gdk-pixbuf patch (also applies to earlier gdk-pixbuf versions)

from Chris Evans via vendor-sec
Comment 21 Holger Hetterich 2004-09-07 20:43:54 UTC
working on it completing gtk2 packages with the ico.diff patch 
 
Comment 22 Holger Hetterich 2004-09-07 22:23:29 UTC
all packages, gdk-pixbuf and gtk2, are ready to submit, now reworking patchinfo 
files 
 
Comment 23 Holger Hetterich 2004-09-08 19:03:41 UTC
gtk-patchinfo.maintained: 
 
 
DISTRIBUTION: 
sles8-ppc,sles8-s390,sles8-s390x,sles8-slec-i386,sles9-i386,sles9-ia64,sles9-ppc,sles9-s390,sles9-s390x,sles9-x86_64,ul1-i386,ul1-ia64,ul1-x86_64 
PACKAGE: gtk2 gdk-pixbuf 
PACKAGER: hhetter@suse.de 
BUGZILLA: 44100 
CATEGORY: security 
INDICATIONS: All users using GTK based software should update 
CONTRAINDICATIONS: none 
DESCRIPTION: 
This update fixes three vulnerabilities found in the XPM loader code of the 
GTK Library. They are registered as: 
 
CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm 
CAN-2004-0783 Stack-based overflow in xpm_extract_color 
CAN-2004-0788 ico loader integer overflow. 
 
 
 
Comment 24 Marcus Meissner 2004-09-08 19:31:50 UTC
the vulnerable code is also in the static libraries, isn't it? 
 
gtk2-devel should probably be inside the patchinfo too. 
 
Comment 25 Holger Hetterich 2004-09-08 20:12:50 UTC
Ok, this should be correct then: 
 
I took gdk-pixbuf-devel and gtk2-devel into account: 
 
Patchinfo for maintained products: 
 
DISTRIBUTION: 
sles8-ppc,sles8-s390,sles8-s390x,sles8-slec-i386,sles9-i386,sles9-ia64,sles9-ppc,sles9-s390,sles9-s390x,sles9-x86_64,ul1-i386,ul1-ia64,ul1-x86_64 
PACKAGE: gtk2 gdk-pixbuf gtk2-devel gdk-pixbuf-devel 
PACKAGER: hhetter@suse.de 
BUGZILLA: 44100 
CATEGORY: security 
INDICATIONS: All users using GTK based software should update 
CONTRAINDICATIONS: none 
DESCRIPTION: 
This update fixes three vulnerabilities found in the XPM loader code of the 
GTK Library. They are registered as: 
 
CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm 
CAN-2004-0783 Stack-based overflow in xpm_extract_color 
CAN-2004-0788 ico loader integer overflow. 
 
----------------------------------------------------------------- 
 
Patchinfo for the boxes: 
 
DISTRIBUTION: 8.1-i386,8.2-i386,9.0-i386,9.0-x86_64,9.1-i386,9.1-x86_64 
PACKAGE: gtk2 gtk2-devel gdk-pixbuf gdk-pixbuf-devel 
PACKAGER: hhetter@suse.de 
BUGZILLA:  44100 
CATEGORY: security 
DESCRIPTION: 
This update fixes three vulnerabilities found in the XPM loader code of the 
GTK Library. They are registered as: 
 
CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm 
CAN-2004-0783 Stack-based overflow in xpm_extract_color 
CAN-2004-0788 ico loader integer overflow. 
 
DESCRIPTION_DE: 
Dieses Update behebt drei Sicherheitslücken im XPM Loader der GTK Library. 
Diese sind registriert als: 
 
CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm 
CAN-2004-0783 Stack-based overflow in xpm_extract_color 
CAN-2004-0788 ico loader integer overflow. 
 
 
 
Comment 26 Holger Hetterich 2004-09-08 22:34:13 UTC
submitted packages and 
 
/work/src/done/PATCHINFO/patchinfo-gtk2.box 
/work/src/done/PATCHINFO/patchinfo-gtk2.maintained  
 
 
Comment 27 Holger Hetterich 2004-09-08 23:46:15 UTC
Marcus, thanks for the revision of the patchinfos. 
 
I now reassign this bug to security-team, to be able to track the package release 
state. 
 
Comment 28 Marcus Meissner 2004-09-17 19:28:59 UTC
updates and advisory released. 
Comment 29 Stanislav Brabec 2005-10-21 15:17:28 UTC
Reopening. Patch is missing in 9.2, 9.3 and 10.0.

Patch submitted altogether with fix of the bug 129642, which extends this issue.
Comment 30 Ludwig Nussel 2005-11-03 08:42:27 UTC
close as fixed, further tracked in #129642
Comment 31 Thomas Biege 2009-10-13 19:48:02 UTC
CVE-2004-0788: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)