Bugzilla – Full Text Bug Listing

| Summary: | VUL-0: CVE-2004-0788: gtk+ XPM decoder issue | | |
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Sebastian Krahmer <krahmer> |
| Component: | Incidents | Assignee: | Security Team bot <security-team> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | | |
| Priority: | P3 - Medium | CC: | meissner, sbrabec, security-team |
| Version: | unspecified | | |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | CVE-2004-0788: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) | | |
| Found By: | Other | Services Priority: | |
| Business Priority: | | Blocker: | --- |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Attachments: | The patch from vendor-sec (mclasen@redhat.com); pixbuftest.c; Updated patch without the stray g_print(); ico.diff - fix for ico header overflow; gdk-pixbuf patch (also applies to earlier gdk-pixbuf versions) | | |
Description
Sebastian Krahmer
2004-08-23 20:14:05 UTC
Created attachment 22861 [details]
The patch from vendor-sec (mclasen@redhat.com)

packages for 9.1 are available... continuing with versions for SLES, 8.1, 8.2...

gtk2.patchinfo-box:
DISTRIBUTION: 8.1-i386,8.2-i386,9.0-i386,9.0-x86_64,9.1-i386,9.1-x86_64
PACKAGE: gtk2
PACKAGER: hhetter@suse.de
BUGZILLA: 44100
CATEGORY: security
DESCRIPTION: This update contains a security fix for the two flaws registered as CAN Identifiers CAN-2004-0782, which describes a heap based overflow in a function of the XPM loader in GTK, and CAN-2004-0783, describing a stack overflow in another function of the XPM loader.
DESCRIPTION_DE: Dieses Sicherheitsupdate beinhaltet einen Fix für zwei Verwundbarkeiten, registriert als CAN Identifiers CAN-2004-0782, welches einen Heap-basierten Überlauf in einer Funktion des XPM Loaders in GTK beschreibt, sowie CAN-2004-0783, in dem ein Stack Overflow in einer anderen Funktion des XPM Loaders beschrieben wird.

now we have: SLES8, 8.1, SLEC, 9.1, 8.2
for all <= 8.2, I had to replace G_MAXSIZE with G_MAXUINT, because it was not defined in older versions.
going on with STABLE and NLD...

Ok. Thanks. I will write a laufzettel.

you need to take care of the gtk1 based gdk-pixbuf as well

working on it...

about gdk-pixbuf:
apart from this part of the patch, it is completely different code, totally rewritten. The old xpm code has only 593 lines of code, while the xpm code in GTK2's gdk-pixbuf includes 1541 lines.
Sebastian, can you please ask on vendor-sec what to do about GTK-1's gdk-pixbuf? Before digging into this stuff, I would like to know if it's needed at all.
/* The hash is used for fast lookups of color from chars */
color_hash = g_hash_table_new (g_str_hash, g_str_equal);
- name_buf = g_new (gchar, n_col * (cpp + 1));
- colors = g_new (XPMColor, n_col);
+ name_buf = g_try_malloc (n_col * (cpp + 1));
+ if (!name_buf) {
+ g_set_error (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY,
+ _("Cannot allocate memory for loading XPM
image"))
;
+ g_hash_table_destroy (color_hash);
+ return NULL;
+ }
+ colors = (XPMColor *) g_try_malloc (sizeof (XPMColor) * n_col);
+ if (!colors) {
+ g_set_error (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY,
+ _("Cannot allocate memory for loading XPM
image"))
;
+ g_hash_table_destroy (color_hash);
+ g_free (name_buf);
+ return NULL;
+ }
+ g_print ("n_col %d name_buf %p (%d) colors %p (%d)\n",
+ n_col, name_buf, n_col * (cpp + 1), colors, sizeof (XPMColor)
*
n_col);
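Review bot: the trailing g_print at the end of this hunk is leftover debugging output and must not ship: it writes a line to stdout on every XPM load, and since gdk-pixbuf-csource emits its generated C source on stdout, that line ends up inside the generated file, which is exactly the build breakage reported later in this thread. Drop the three g_print lines. The two error paths themselves are consistent: the first has nothing to free, the second frees name_buf, both destroy color_hash and set GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY before returning NULL. Note also that switching from g_new to g_try_malloc only turns a failed allocation into a clean error; the sizes n_col * (cpp + 1) and sizeof (XPMColor) * n_col are still formed with plain integer arithmetic in this hunk, so the patch continues to depend on a separate range check on n_col and cpp outside these lines (the thread mentions the patch's G_MAXSIZE comparison when porting it to older releases), and that check is what actually prevents a wrapped size from reaching these calls.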
I have submitted gtk2 for STABLE, so that NLD development can go on. All other packages are on hold, until I know if gdk-pixbuf from GTK1 is actually affected at all. Sebastian, do you know more meanwhile?

Created attachment 22897 [details]
pixbuftest.c
q&d test program for gtk1&2, it crashes on the xpm in the advisory also with gdk-pixbuf-0.22.0 from 9.1
This patch has a bug that will break compilation of all packages that use gdk-pixbuf-csource with xpm files. That trailing g_print should not be there. I just updated the patch in autobuild. I'm also attaching it here, for reference.

Created attachment 22999 [details]
Updated patch without the stray g_print()

from vendor-sec:
CAN-2004-0782/3 gtk+ xpm Sep 15 1400UTC(*3)
*3: These are suggested release dates, if these are problems for anyone, you should probably speak up.

CAN-2004-0804

Huh, don't believe in my last comment, vendor-sec confused me. The correct CANs seem to be:
CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm
CAN-2004-0783 Stack-based overflow in xpm_extract_color
CAN-2004-0788 ico loader integer overflow.
These issues go public on September 15.

Created attachment 23166 [details]
ico.diff - fix for ico header overflow
status:
- gtk2 fixes checked in for NLD and STABLE.
- all other not yet checked in.

gdk-pixbuf is also affected, we are polling vendor-sec.

Created attachment 23191 [details]
gdk-pixbuf patch (also applies to earlier gdk-pixbuf versions)
from Chris Evans via vendor-sec
working on it

completing gtk2 packages with the ico.diff patch

all packages, gdk-pixbuf and gtk2, are ready to submit, now reworking patchinfo files

gtk-patchinfo.maintained:
DISTRIBUTION: sles8-ppc,sles8-s390,sles8-s390x,sles8-slec-i386,sles9-i386,sles9-ia64,sles9-ppc,sles9-s390,sles9-s390x,sles9-x86_64,ul1-i386,ul1-ia64,ul1-x86_64
PACKAGE: gtk2 gdk-pixbuf
PACKAGER: hhetter@suse.de
BUGZILLA: 44100
CATEGORY: security
INDICATIONS: All users using GTK based software should update
CONTRAINDICATIONS: none
DESCRIPTION: This update fixes three vulnerabilities found in the XPM loader code of the GTK Library. They are registered as:
CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm
CAN-2004-0783 Stack-based overflow in xpm_extract_color
CAN-2004-0788 ico loader integer overflow.

the vulnerable code is also in the static libraries, or? the gtk2-devel should probably be inside the patchinfo too.

Ok, this should be correct then: I took gdk-pixbuf-devel and gtk2-devel into account:

Patchinfo for maintained products:
DISTRIBUTION: sles8-ppc,sles8-s390,sles8-s390x,sles8-slec-i386,sles9-i386,sles9-ia64,sles9-ppc,sles9-s390,sles9-s390x,sles9-x86_64,ul1-i386,ul1-ia64,ul1-x86_64
PACKAGE: gtk2 gdk-pixbuf gtk2-devel gdk-pixbuf-devel
PACKAGER: hhetter@suse.de
BUGZILLA: 44100
CATEGORY: security
INDICATIONS: All users using GTK based software should update
CONTRAINDICATIONS: none
DESCRIPTION: This update fixes three vulnerabilities found in the XPM loader code of the GTK Library. They are registered as:
CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm
CAN-2004-0783 Stack-based overflow in xpm_extract_color
CAN-2004-0788 ico loader integer overflow.
-----------------------------------------------------------------
Patchinfo for the boxes:
DISTRIBUTION: 8.1-i386,8.2-i386,9.0-i386,9.0-x86_64,9.1-i386,9.1-x86_64
PACKAGE: gtk2 gtk2-devel gdk-pixbuf gdk-pixbuf-devel
PACKAGER: hhetter@suse.de
BUGZILLA: 44100
CATEGORY: security
DESCRIPTION: This update fixes three vulnerabilities found in the XPM loader code of the GTK Library. They are registered as:
CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm
CAN-2004-0783 Stack-based overflow in xpm_extract_color
CAN-2004-0788 ico loader integer overflow.
DESCRIPTION_DE: Dieses Update behebt drei Sicherheitslücken im XPM Loader der GTK Library. Diese sind registriert als:
CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm
CAN-2004-0783 Stack-based overflow in xpm_extract_color
CAN-2004-0788 ico loader integer overflow.

submitted packages and
/work/src/done/PATCHINFO/patchinfo-gtk2.box
/work/src/done/PATCHINFO/patchinfo-gtk2.maintained

Marcus, thanks for the revision of the patchinfos. I now reassign this bug to security-team, to be able to track the package release state.

updates and advisory released.

Reopening. Patch is missing in 9.2, 9.3 and 10.0.

Patch submitted altogether with fix of the bug 129642, which extends this issue.

close as fixed, further tracked in #129642

CVE-2004-0788: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
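The size arithmetic that the patch's two allocations in pixbuf_create_from_xpm depend on, as an added example that is neither gdk-pixbuf's code nor the patch from this bug: the XPMColor layout and the function names xpm_plan_allocations and xpm_alloc_color_table are assumptions made here, and the point is that the wrap check must run before any g_try_malloc, which can only report a failed allocation, not a size that already overflowed.

```c
#include <stdint.h>
#include <stdlib.h>

/* Stand-in for gdk-pixbuf's XPMColor; layout assumed, only its size matters here. */
typedef struct { char *name; uint16_t red, green, blue; int transparent; } XPMColor;
typedef struct { int ok; size_t name_buf_len, colors_len; } XpmAllocPlan;

/* Validate n_col and cpp from the XPM header and derive the two sizes the loader
 * needs: n_col * (cpp + 1) bytes of colour names and n_col XPMColor entries. The
 * products are formed in size_t with wrap checks, so a hostile header cannot yield
 * a short buffer; the original int expression n_col * (cpp + 1) could wrap silently. */
XpmAllocPlan xpm_plan_allocations(int n_col, int cpp)
{
    XpmAllocPlan plan = { 0, 0, 0 };
    if (n_col <= 0 || cpp <= 0)          /* negative counts would become huge size_t */
        return plan;
    size_t ncol = (size_t)n_col, per_name = (size_t)cpp + 1;   /* +1 for the NUL */
    if (ncol > SIZE_MAX / per_name || ncol > SIZE_MAX / sizeof(XPMColor))
        return plan;                     /* a product would wrap around */
    plan.ok = 1;
    plan.name_buf_len = ncol * per_name;
    plan.colors_len = ncol * sizeof(XPMColor);
    return plan;
}

/* Allocate both buffers or neither, with the same cleanup order as the patch's
 * error paths: if the colour table cannot be allocated, name_buf is released. */
int xpm_alloc_color_table(int n_col, int cpp, char **name_buf, XPMColor **colors)
{
    XpmAllocPlan plan = xpm_plan_allocations(n_col, cpp);
    *name_buf = NULL;
    *colors = NULL;
    if (!plan.ok || !(*name_buf = malloc(plan.name_buf_len)))
        return -1;
    if (!(*colors = calloc((size_t)n_col, sizeof(XPMColor)))) {
        free(*name_buf);                 /* second allocation failed: release the first */
        *name_buf = NULL;
        return -1;
    }
    return 0;
}
```

A loader would call xpm_alloc_color_table right after parsing the XPM header and treat -1 the same way the patch treats a NULL from g_try_malloc.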