Bug 64899 (CVE-2005-0076)

Summary: VUL-0: CVE-2005-0076: xview-lib buffer overflow
Product: [Novell Products] SUSE Security Incidents
Reporter: Thomas Biege <thomas>
Component: Incidents
Assignee: Michael Andres <ma>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: nadvornik, postadal, security-team
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: CVE-2005-0076: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Thomas Biege 2005-01-17 21:25:06 UTC
Hello, 
we received the following *non-public* report. 
 
From: Martin Schulze <joey@infodrom.org> 
To: Free Software Distribution Vendors <vendor-sec@lst.de> 
User-Agent: Mutt/1.5.6+20040907i 
Subject: [vendor-sec] CAN-2005-0076: Potential arbitrary code execution in xview 
Errors-To: vendor-sec-admin@lst.de 
Date: Sat, 15 Jan 2005 17:37:59 +0100 
 
Erik Sjölund discovered that programs linked against xview are 
vulnerable to a number of buffer overflows in the XView library.  When 
the overflow is triggered in a program which is installed setuser root 
a malicious user could perhaps execute arbitrary code as privileged 
user. 
 
These commands will create a segmentation fault: 
 
$ ln -s  /usr/X11R6/bin/xvmount  /tmp/`perl -e 'print "A" x 200'` 
$  /tmp/`perl -e 'print "A" x 200'`  -Wt 
 
The overflowed variable seems to be sufficiently far away from the 
stack frame, but I'm not totally sure that it is impossible to 
overwrite it as well.  I'm attaching a proposed patch. 
 
Please let me know if you need coordination for this bug. 
This package is probably part of most other distributions as well. 
 
Regards, 
 
        Joey 
 
-- 
There are lies, statistics and benchmarks.
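The report above describes a fixed-size buffer overrun triggered through the program's own name (a 200-character symlink), with the overflowed variable apparently outside the stack frame. The following is an added illustration of that bug class and its bounded counterpart; it is not XView's code, and the buffer size, the static-buffer placement and the function names are assumptions made for the example.

```c
/* Constructed illustration of the bug class in the report: the program
 * name (argv[0]) copied into a fixed-size static buffer.  Not XView code;
 * PROGNAME_MAX and the static placement are assumptions for the example. */
#include <stdio.h>
#include <string.h>

#define PROGNAME_MAX 64          /* assumed buffer size */

static char progname[PROGNAME_MAX];

/* Vulnerable pattern: strcpy() trusts the attacker-controlled length of
 * argv[0].  A 200-character name, as in the report's symlink trick, runs
 * past the buffer.  Shown only for comparison; never called here because
 * the overrun is undefined behaviour. */
void set_progname_unsafe(const char *argv0) {
    strcpy(progname, argv0);
}

/* Hardened version: reject a name that does not fit (including the NUL
 * terminator) and leave the buffer untouched.  Returns 0 on success,
 * -1 when the name is rejected. */
static int set_progname_safe(const char *argv0) {
    size_t n = strlen(argv0);
    if (n >= sizeof progname)
        return -1;
    memcpy(progname, argv0, n + 1);
    return 0;
}

/* Review/fuzzing helper: would copying `name` with strcpy() into a buffer
 * of `cap` bytes overflow it?  True when strlen(name) + 1 > cap. */
static int would_overflow(const char *name, size_t cap) {
    return strlen(name) + 1 > cap;
}

static const char *current_progname(void) {
    return progname;
}

int main(int argc, char **argv) {
    const char *name = argc > 0 ? argv[0] : "xvmount";
    if (set_progname_safe(name) != 0) {
        fprintf(stderr, "program name too long (%zu bytes, max %d)\n",
                strlen(name), PROGNAME_MAX - 1);
        return 1;
    }
    printf("program name: %s\n", current_progname());
    return 0;
}
```

Invoking the hardened binary through a symlink with an over-long name exits with an error instead of corrupting memory, which is the behaviour a setuid-root program should have.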
Comment 1 Thomas Biege 2005-01-17 21:25:06 UTC
$ ln -s  /usr/X11R6/bin/xvmount  /tmp/`perl -e 'print "A" x 200'` 
$  /tmp/`perl -e 'print "A" x 200'`  -Wt
Comment 2 Thomas Biege 2005-01-17 21:26:00 UTC
Do you know if setuid code (on our distributions since 8.1) links against this 
vulnerable code? 
Comment 3 Michael Andres 2005-01-18 21:59:04 UTC
'olvwm' does not contain setuid binaries. Besides this we shipped

'xvnews'        maintained by 'nadvornik@suse.cz' (until 8.2)
'workman'       maintained by 'postadal@suse.cz'  (until 9.1)

AFAIK they did not contain setuid binaries either.
Comment 4 Thomas Biege 2005-01-25 20:19:23 UTC
Vladimir, Petr, can you confirm this please? 
 
If we do not ship it setuid we do not need to make a full blown security 
update. Nevertheless a fix in STABLE should be added. 
Comment 5 Vladimir Nadvornik 2005-01-25 21:17:33 UTC
xvnews was never shipped with setuid. 
Comment 6 Petr Ostadal 2005-01-27 02:12:05 UTC
workman didn't contain setuid binaries.
Comment 7 Thomas Biege 2005-01-27 19:37:35 UTC
Ok, I'll close it now. 
 
If you *like*, add a patch to STABLE. 
Comment 8 Thomas Biege 2009-10-13 20:58:31 UTC
CVE-2005-0076: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)