Bug 59120 (CVE-2004-1726)

Summary: VUL-0: CVE-2004-1726: multiple buffer overflows in xv
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-1726: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: create-suckit-bmp.c
v-3.10a-security.patch

Description Marcus Meissner 2004-08-24 15:41:10 UTC 
from bugtraq: 
Date: Fri, 20 Aug 2004 03:26:05 -0400 
From: infamous41md@hotpop.com 
Subject: XV multiple buffer overflows, exploit included 
 
Program Description: 
 
xv is an interactive image manipulation program for the X Window System. It 
can 
operate on images in the GIF, JPEG, TIFF, PBM, PGM, PPM, XPM, X11 bitmap, Sun 
Rasterfile, Targa, RLE, RGB, BMP, PCX, FITS, and PM formats on all known types 
of X displays. It can generate PostScript files, and if you have ghostscript 
(version 2.6 or above) installed on your machine, it can also display them. 
 
 
Vulnerable Versions: 
 
probably all of them, but I only looked at the newest, 3.10a. 
 
 
Summary: 
 
there are at least 5 exploitable buffer and heap overflows in the image 
handling 
code.  this allows someone to craft a malicious image, trick a user into 
viewing 
the file in xv, and upon viewing that image execute arbitrary code under 
privileges of the user viewing image.  note the AT LEAST part of the above 
sentence.  there is such a plethora of bad code that I just stopped reading 
after a while.  there are at least 100 calls to sprintf() and strcpy() with no 
regards for bounds of buffers.  95% of these deal with program arguments or 
filenames, so they are of no interest to exploit.  however I just got sick of 
reading this code after not too long.  so im sure there are still other 
overflows in the image handling code for other image types. 
 
 
Details: 
 
xvbmp.c +168 -  a user value is used to iterate a loop and copy data to a 
stack 
                buffer. 
 
xviris.c +270 - multiple heap overflows due to integer overflows in memory 
                allocation with user supplied values. 
 
xvpcx.c +226 -  another integer overflow in memory allocation leading to a 
heap 
                overflow. 
 
xvpm.c +141 -   another integer overflow in memory allocation leading to a 
heap 
                overflow. 
Exploits: 
 
an exploit for the first overflow is attached.  I might write some more 
exploits 
for the rest when i'm bored, but atm there are more interesting things to try 
and exploit, ie Qt.  if you're really in need of more exploits, email me at my  
REAL email address and i'll make some time to try and write them. 
 
 
Credits, Thanks, and Shouts: 
 
All vulnerabilities were found by myself.  thanks to christian I don't know if 
he wants me to say his last name for suggesting I audit xv.  shouts to peeps 
at 
byterage. 
 
 
Vendor Status: 
 
this guy doesn't answer emails.
Comment 1 Marcus Meissner 2004-08-24 15:41:10 UTC 
<!-- SBZ_reproduce  -->
there was an exploit program attached, but it does not work on all platforms.
Comment 2 Marcus Meissner 2004-08-24 15:42:34 UTC 
Created attachment 22856 [details]
create-suckit-bmp.c

$ ./create-suckit-bmp 0xff00ff00
$ xv suckit.bmp 
Speicherzugriffsfehler
$

will only work on intel.
Comment 3 Marcus Meissner 2004-08-24 15:54:03 UTC 
Fix for 
xvbmp.c:168 use limit check against biBitCount (biBitCount <= 8) 
 
Fix for rest (malloc related overflows): 
try limiting the number of bytes passed in there, so there is no integer 
overflow. :/
Comment 4 Dr. Werner Fink 2004-08-24 18:17:15 UTC 
biBitCount can be 1, 4, 8, 16, 24, 32 bits.
Comment 5 Dr. Werner Fink 2004-08-24 18:36:24 UTC 
The solution forthis problem is simply

     if (biClrUsed > (1 << biBitCount))
         biClrUsed = (1 << biBitCount);

in other word, do not allow more colors than the color depth
can handle.
Comment 6 Marcus Meissner 2004-08-24 18:39:58 UTC 
in palette mode it should have biBitCount of 8 or less (1,4,8), otherwise 
we overflow the r,g,b arrays.
Comment 7 Dr. Werner Fink 2004-08-24 18:46:11 UTC 
Yep my check does the work.  The suckit.bmp uses 700 colors and a deep
of 4 and this will be catched now.  Nevertheless I've added also some
sanity checks to exit before allocation colors.
Comment 8 Dr. Werner Fink 2004-08-24 19:04:29 UTC 
For xviris.c at line 307 ff 

    if (rlebuflen < 0 || tablen < 0 || (tablen * sizeof(long)) < 0) {
      loaderr = "Bogus IRIS File!";
      return (byte *)NULL;
    }

this check may help.
Comment 9 Dr. Werner Fink 2004-08-24 19:19:52 UTC 
Created attachment 22864 [details]
v-3.10a-security.patch

Should avoid described overflows
Comment 10 Marcus Meissner 2004-08-24 19:53:43 UTC 
Can you submit packages with this patch for 8.1 up to 9.1 and STABLE? 
 
And also forward the patch to the maintainer? 
 
I will forward it to vendor-sec for review.
Comment 11 Dr. Werner Fink 2004-08-24 20:24:46 UTC 
AFAIK xv isn't maintained anymore.
For STABLE I've put it to /work/srd/done/STABLE/
other changes are in progress
Comment 12 Marcus Meissner 2004-08-24 20:54:55 UTC 
submitted /work/src/done/PATCHINFO/xv.patch.{box,maintained) 
szubmitted laufzettel.
Comment 13 Dr. Werner Fink 2004-08-24 21:06:07 UTC 
Hmmm ... then please remove my patchinfo files

       /work/src/done/PATCHINFO/xv.cEy7PE

and

       /work/src/done/PATCHINFO/xv.rU9VL8
Comment 14 Dr. Werner Fink 2004-08-24 21:07:05 UTC 
Btw: the bugzilla number is 44120 and not 41420
Comment 15 Marcus Meissner 2004-08-24 21:43:40 UTC 
<!-- SBZ_reopen -->Reopened by meissner@suse.de at Tue Aug 24 15:43:40 2004
Comment 16 Marcus Meissner 2004-08-24 21:43:40 UTC 
thanks! 
 
reopen for update tracking
Comment 17 Thomas Biege 2004-08-31 21:34:18 UTC 
packages approved
Comment 18 Ludwig Nussel 2005-04-12 07:37:02 UTC 
Should be  
CAN-2004-1725  
CAN-2004-1726
Comment 19 Thomas Biege 2009-10-13 19:48:16 UTC 
CVE-2004-1726: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)