Bug 66139 (CVE-2005-0639)

Summary: VUL-0: CVE-2005-0639: xli: buffer overflow
Product: [Novell Products] SUSE Security Incidents    Reporter: Thomas Biege <thomas>
Component: Incidents    Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED    QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P5 - None    CC: security-team
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard: CVE-2005-0639: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Found By: Other    Services Priority:
Business Priority:    Blocker: ---
Marketing QA Status: ---    IT Deployment: ---

Description Thomas Biege 2005-02-21 16:09:16 UTC
Hello Lukas,
we got the following report via vendor-sec. (not public!)

From: Tavis Ormandy <taviso@gentoo.org>
To: solar@gentoo.org
Subject: xli 1.17.0 vulnerabilities
Date: Sat, 19 Feb 2005 12:16:25 +0000
Hello there, we've identified two problems with xli 1.17.0 that we
expect an upstream fix for shortly. Firstly, Rob Holland
(tigger@gentoo.org) noticed that an xloadimage vulnerability reported in
2001 was unfixed in xli; credit for the original xloadimage
vulnerability should go to zen-parse.

An exploit is in the wild for this vulnerability.

--- faces.c       2005-02-19 11:34:26.731014488 +0000
+++ faces.c       2005-02-19 11:34:26.731014488 +0000
@@ -136,7 +136,7 @@

   image= newRGBImage(w, h, d);
   fname[strlen(fname) - 1]= ' ';
-  strcat(fname, lname);
+  strncat(fname, lname, BUFSIZ - strlen(fname) - 1);
   fname[strlen(fname) - 1]= '\0';
   image->title= dupString(fname);
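Review bot: the bound `BUFSIZ - strlen(fname) - 1` in the strncat line is only safe if fname is a BUFSIZ-byte array that is already NUL-terminated inside it, and the hunk shows neither the declaration nor a check; if strlen(fname) is BUFSIZ - 1 or larger, the unsigned subtraction wraps to a huge value and the copy is unbounded again. Compute the remaining space explicitly, e.g. `size_t len = strlen(fname); if (len + 1 < BUFSIZ) strncat(fname, lname, BUFSIZ - len - 1);`, or replace the two lines with one snprintf into the buffer. Note also that when strncat does truncate, the following `fname[strlen(fname) - 1]= '\0';` removes the last byte of the truncated copy rather than the trailing character of lname it was written to strip.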

Additionally, a problem exists with shell meta-characters in filenames;
this could potentially lead to execution of commands via mailcap by sending
MIME attachments with Content-Type set to image/foo and a filename set to,
for example, ';id 1>&2;: .Z'.

The responsible lines are in zio.c:

        sprintf(buf, "gunzip -c %s", name); (line ~373)

This is followed by a popen(). The code responsible for this is #ifndef'd
out with NO_UNCOMPRESS. I expect the upstream maintainer will replace
the gunzip+popen with a zlib solution or pipe/fork/etc.


--
Ned Ludd <solar@gentoo.org>
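
The popen() pattern described in the report above, as an added example that is not xli's code and not part of the original mail: the vulnerable command-string construction, an allow-list check for the bytes /bin/sh would parse as syntax, and the pipe/fork/exec replacement the report anticipates, which never consults a shell. The buffer size CMDLEN, the function names and popen_argv() are assumptions made for this demonstration; the attacker-controlled filename is the one quoted in the report.

```c
/* Added example, not xli's code: the zio.c pattern (command string + popen)
 * beside a replacement that execs gunzip with an argv array. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define CMDLEN 256   /* assumed size of the command buffer, for the demo only */

/* Vulnerable shape. popen() hands this string to /bin/sh -c, so any shell
 * syntax inside `name` is executed. Fills `buf` with what the shell would
 * see and returns 0, or -1 if it would not fit (xli used plain sprintf). */
int build_gunzip_shell_command(const char *name, char *buf, size_t buflen)
{
    int n = snprintf(buf, buflen, "gunzip -c %s", name);
    return (n >= 0 && (size_t)n < buflen) ? 0 : -1;
}

/* Allow-list test: 1 if `name` holds any byte outside a conservative set of
 * filename characters, i.e. anything /bin/sh might parse as syntax. */
int has_shell_metachars(const char *name)
{
    static const char ok[] = "abcdefghijklmnopqrstuvwxyz"
                             "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                             "0123456789._-/";
    for (; *name; name++)
        if (strchr(ok, *name) == NULL)
            return 1;
    return 0;
}

/* Safe shape: one argv slot per word, no shell. The filename stays a single
 * argument whatever it contains, and "--" stops gunzip from reading a name
 * that begins with '-' as an option. `argv` must have room for 5 pointers. */
void build_gunzip_argv(const char *name, const char *argv[5])
{
    argv[0] = "gunzip";
    argv[1] = "-c";
    argv[2] = "--";
    argv[3] = name;
    argv[4] = NULL;
}

/* popen("r") without the shell: fork, wire the child's stdout to a pipe,
 * execvp the argv. Returns the read end or NULL; the caller waitpid()s. */
FILE *popen_argv(const char *const argv[], pid_t *pid_out)
{
    int fds[2];
    if (pipe(fds) < 0)
        return NULL;
    pid_t pid = fork();
    if (pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return NULL;
    }
    if (pid == 0) {                       /* child */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(argv[0], (char *const *)argv);
        _exit(127);                       /* exec failed */
    }
    close(fds[1]);                        /* parent keeps the read end */
    *pid_out = pid;
    return fdopen(fds[0], "r");
}

int main(void)
{
    const char *evil = ";id 1>&2;: .Z";  /* the filename from the report */
    char cmd[CMDLEN];

    if (build_gunzip_shell_command(evil, cmd, sizeof cmd) == 0)
        printf("popen() would run: sh -c '%s'  (id executes)\n", cmd);
    printf("metacharacters present: %d\n", has_shell_metachars(evil));

    const char *argv[5];
    pid_t pid;
    build_gunzip_argv(evil, argv);
    FILE *fp = popen_argv(argv, &pid);   /* gunzip merely fails to open the file */
    if (fp != NULL) {
        char line[128];
        while (fgets(line, sizeof line, fp) != NULL)
            fputs(line, stdout);
        fclose(fp);
        waitpid(pid, NULL, 0);
    }
    return 0;
}
```

With the shell pattern, the name from the report turns `gunzip -c ;id 1>&2;: .Z` into three shell commands, of which `id` runs with the xli user's privileges; with the argv pattern the same bytes reach gunzip as one literal filename and the worst outcome is a failed open. The allow-list is a belt-and-braces check for callers that cannot avoid a shell; the argv form is the actual fix.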
Comment 1 Thomas Biege 2005-02-22 13:23:39 UTC
 SM-Tracker-446 
Comment 2 Marcus Meissner 2005-02-23 10:29:50 UTC
the first issue was already fixed in 2001. 
 
the second is not fixed yet. 
Comment 3 Thomas Biege 2005-03-04 08:44:51 UTC
From: Thierry Carrez <koon@gentoo.org> 
User-Agent: Mozilla Thunderbird 1.0 (X11/20041209) 
To: vendor-sec@lst.de 
Cc: taviso@gentoo.org, tigger@gentoo.org 
Subject: Re: [vendor-sec] [Fwd: xli 1.17.0 vulnerabilities] 
Errors-To: vendor-sec-admin@lst.de 
Date: Tue, 01 Mar 2005 11:01:09 +0100 
 
[-- PGP output follows (current time: Fri 04 Mar 2005 09:44:09 CET) --] 
gpg: Signature made Tue 01 Mar 2005 11:01:15 CET using DSA key ID B6A55F4F 
gpg: Can't check signature: public key not found 
[-- End of PGP output --] 
 
[-- The following data is signed --] 
 
Here is the draft of our GLSA : 
 
=================================== 
Description: 
Tavis Ormandy of the Gentoo Linux Security Audit Team has reported that 
xli and xloadimage contain a flaw in the handling of compressed images, 
where shell meta-characters are not adequately escaped. Rob Holland of 
the Gentoo Linux Security Audit Team has reported that an xloadimage 
vulnerability in the handling of Faces Project images discovered by 
zen-parse in 2001 remained unpatched in xli. Additionally, it has been 
reported that insufficient validation of image properties in xli could 
potentially result in buffer management errors. 
 
Impact: 
Successful exploitation would permit a remote attacker to execute 
arbitrary shell commands, or arbitrary code with the privileges of the 
xloadimage or xli user. 
=================================== 
 
The 2001 xloadimage thing that passed unfixed in xli (at least on Gentoo 
and Debian) is CAN-2001-0775. 
 
If someone has CAN numbers for the xli buffer management errors (fixed 
upstream 2005-02-27 snapshot) and the xli/xloadimage gunzip shell escape 
(also fixed in xli upstream 2005-02-27 snapshot)... 
 
Note that the discussion of this bug was in a public setting so we 
should consider it public. 
 
-- 
Thierry Carrez 
Gentoo Linux Security 
 
[-- End of signed data --] 
 
Comment 4 Thomas Biege 2005-03-09 12:48:53 UTC
CAN-2005-0638

SM-Tracker-576

Lukas,
we need updates for all affected box products.
It's not part of a sles product, right?
Comment 5 Lukas Tinkl 2005-03-09 13:05:43 UTC
Is there a patch available somewhere? 
Comment 6 Thomas Biege 2005-03-09 13:20:51 UTC
Latest changes:
2005/02/27 A new snapshot of xli is available, which fixes some security problems. 

http://pantransit.reptiles.org/prog/
Comment 7 Thomas Biege 2005-04-12 14:34:12 UTC
Lukas,
were you able to extract the patch?
Comment 8 Lukas Tinkl 2005-04-12 17:14:31 UTC
Not really; I'll update the whole package for STABLE, don't know about prior
versions though.
Comment 9 Thomas Biege 2005-04-13 04:58:46 UTC
- getpac -r 9.2 xli
- build xli
- cp -arp $BUILD_ROOT/usr/src/packages/BUILD/xli* .
- (cd xli-1.17.0/;make clean)
- wget http://pantransit.reptiles.org/prog/xli/xli-2005-02-27.tar.gz
- diff -pruNEb xli-1.17.0/ xli-2005-02-27/ > xli-sec.diff
- use your favorite editor to strip the diff by hand

Apply the patch to all prior versions since (and including) 8.2.
Comment 10 Thomas Biege 2005-04-13 05:17:27 UTC
The interesting parts are:
- zio.c
- faces.c (that is the one we should have already fixed, see comment #2)
- (Makefile.std)
- (Imakefile)

The author also fixed possible integer overflows.
diff -pruNEb xli-1.17.0/new.c xli-2005-02-27/new.c
--- xli-1.17.0/new.c    1999-10-25 04:14:59.000000000 +0200
+++ xli-2005-02-27/new.c        2005-02-28 01:42:39.000000000 +0100
@@ -104,6 +104,18 @@ void freeRGBMapData(RGBMap *rgb)
        lfree((byte *) rgb->blue);
 }

+static unsigned int ovmul(unsigned int a, unsigned int b)
+{
+       unsigned int r;
+
+       r = a * b;
+       if (r / a != b) {
+               memoryExhausted();
+       }
+
+       return r;
+}
+
 static Image *newImage(unsigned width, unsigned height)
 {
        Image *image;
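Review bot: `r / a != b` divides by `a` unconditionally, so ovmul(0, height) traps with SIGFPE instead of returning 0; a zero-width image gives linelen = (0 + 7) / 8 = 0 at the call site, so this is reachable from input rather than a theoretical case. Guard the check, e.g. `if (a != 0 && r / a != b)`, or test `a != 0 && b > UINT_MAX / a` before multiplying. Consider size_t parameters and return type as well, so a caller passing size_t values is not narrowed to unsigned int before the overflow check runs.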
@@ -133,7 +145,7 @@ Image *newBitImage(unsigned width, unsig
        image->rgb.used = 2;
        image->depth = 1;
        linelen = ((width + 7) / 8);
-       image->data = (unsigned char *) lcalloc(linelen * height);
+       image->data = (unsigned char *) lcalloc(ovmul(linelen, height));
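Review bot: the product is now checked but the `linelen = ((width + 7) / 8);` line just above it is not: a width between UINT_MAX - 6 and UINT_MAX wraps `width + 7` to a value below 8, linelen becomes 0, ovmul(0, height) then divides by zero, and even with that fixed the allocation would be far too small for the declared width. Reject such widths (or cap width and height at what the supported formats can legitimately carry) before computing linelen, or compute linelen in size_t.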
[...]

I am not sure if this can be exploited remotely.
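
The arithmetic the patch guards, as an added example that is neither xli's code nor the author's patch: the unchecked newBitImage() calculation reproduced in a stand-alone function, two constructed dimension pairs that wrap it to a zero-byte allocation, and a checked version that also rejects the `width + 7` wrap and tolerates a zero factor (the patch's ovmul() divides by its first argument). The function names and the 8-byte big-endian header layout are assumptions made for this demonstration, not an xli file format.

```c
/* Added example, not xli's code or its patch: dimension arithmetic from an
 * untrusted image header, unchecked as in xli 1.17.0 and with full checks. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed header layout (assumption): width, then height, big-endian u32. */
void parse_dims(const unsigned char hdr[8], unsigned int *width, unsigned int *height)
{
    *width  = ((unsigned int)hdr[0] << 24) | ((unsigned int)hdr[1] << 16) |
              ((unsigned int)hdr[2] << 8)  |  (unsigned int)hdr[3];
    *height = ((unsigned int)hdr[4] << 24) | ((unsigned int)hdr[5] << 16) |
              ((unsigned int)hdr[6] << 8)  |  (unsigned int)hdr[7];
}

/* The 1.17.0 shape of newBitImage(): (width + 7) / 8 bytes per row times
 * `height` rows, both steps in unsigned int with no overflow check. */
unsigned int naive_bit_image_bytes(unsigned int width, unsigned int height)
{
    unsigned int linelen = (width + 7) / 8;
    return linelen * height;
}

/* Overflow-checked multiply in the spirit of the patch's ovmul(), but without
 * dividing by `a`, so a == 0 yields 0 instead of SIGFPE. Returns 1 on wrap. */
int mul_overflows(unsigned int a, unsigned int b, unsigned int *result)
{
    if (a != 0 && b > UINT_MAX / a)
        return 1;
    *result = a * b;
    return 0;
}

/* Checked version: rejects the width + 7 wrap (not covered by the patch) as
 * well as the product wrap. Returns 0 and stores the byte count, else -1. */
int checked_bit_image_bytes(unsigned int width, unsigned int height, unsigned int *bytes)
{
    if (width > UINT_MAX - 7)          /* width + 7 would wrap to a tiny linelen */
        return -1;
    unsigned int linelen = (width + 7) / 8;
    if (mul_overflows(linelen, height, bytes))
        return -1;
    return 0;
}

int main(void)
{
    /* constructed headers: 524288 x 65536 makes 65536 * 65536 wrap to 0;
     * 0xFFFFFFFF x 1 makes width + 7 wrap to 6, i.e. linelen 0 */
    const unsigned char crafted[2][8] = {
        { 0x00, 0x08, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00 },
        { 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x01 },
    };
    for (int i = 0; i < 2; i++) {
        unsigned int w, h, n;
        parse_dims(crafted[i], &w, &h);
        printf("%u x %u: naive alloc %u bytes, checked: %s\n",
               w, h, naive_bit_image_bytes(w, h),
               checked_bit_image_bytes(w, h, &n) == 0 ? "ok" : "rejected");
    }
    return 0;
}
```

Both crafted headers make the unchecked code ask the allocator for 0 bytes while the image still claims 65536 rows or a 4-gigapixel-wide row, which is the undersized-buffer condition behind the "buffer management errors" in the GLSA draft above. Whether it is remotely exploitable depends on how the decoder then writes into image->data, which the snippets on this page do not show.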

Comment 11 Lukas Tinkl 2005-04-20 13:37:33 UTC
Fixed packages submitted
Comment 12 Thomas Biege 2005-04-21 08:07:59 UTC
/work/src/done/PATCHINFO/xli.patch.box
Comment 13 Thomas Biege 2005-04-21 08:29:06 UTC
Looks like the patch does not avoid passing extra arguments to the command-line
tools and does not protect against directory traversal. :( I'll talk to the author.
Comment 14 Ludwig Nussel 2005-04-22 07:55:47 UTC
There are two issues, CAN-2005-0638 and CAN-2005-0639 
Comment 15 Thomas Biege 2005-04-22 08:31:09 UTC
The second one (CAN-2005-0639) sounds like the integer overflow bug.
Lukas added this patch too.
Comment 16 Thomas Biege 2005-04-29 09:41:22 UTC
For the sake of completeness:

The patch is OK. The option args are "filtered" earlier. The directory traversal
is a problem of the calling application; xli shouldn't apply restrictions here.
Comment 17 Thomas Biege 2005-04-29 12:22:06 UTC
packages released
Comment 18 Thomas Biege 2009-10-13 21:07:49 UTC
CVE-2005-0639: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)