Bugzilla – Bug 1043479
VUL-0: CVE-2017-18215: xv: xv crashes reading gimp created png image
Last modified: 2019-07-10 05:56:07 UTC
opensuse Tumbleweed xv-3.10a 1296.49

xv crashed while loading png images created by gimp.

*** Error in `xv': free(): invalid next size (fast): 0x0000000000c7c380 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7383b)[0x7ff155f6983b]
/lib64/libc.so.6(+0x79dee)[0x7ff155f6fdee]
/lib64/libc.so.6(+0x7a5fe)[0x7ff155f705fe]
xv[0x42396e]
xv[0x412698]
xv[0x40bd7f]
/lib64/libc.so.6(__libc_start_main+0xf1)[0x7ff155f16541]
xv[0x40d44a]

I ran valgrind, but the default does not have line numbers, and I had to build the opensuse version with debug.

==16988== Invalid write of size 1
==16988==    at 0x4C32638: __stpcpy_sse2_unaligned (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16988==    by 0x1A04F8: strcat (string3.h:147)
==16988==    by 0x1A04F8: LoadPNG (xvpng.c:1162)
==16988==    by 0x124F98: openPic (xv.c:2520)
==16988==    by 0x11DD5C: openFirstPic (xv.c:3666)
==16988==    by 0x11DD5C: mainLoop (xv.c:3785)
==16988==    by 0x11DD5C: main (xv.c:1043)
==16988==  Address 0x7953d8b is 0 bytes after a block of size 11 alloc'd
==16988==    at 0x4C2C0AF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16988==    by 0x1A045C: LoadPNG (xvpng.c:1154)
==16988==    by 0x124F98: openPic (xv.c:2520)
==16988==    by 0x11DD5C: openFirstPic (xv.c:3666)
==16988==    by 0x11DD5C: mainLoop (xv.c:3785)
==16988==    by 0x11DD5C: main (xv.c:1043)
Created attachment 728337
correctly calculate string buffer size

The code uses .text_length to determine size of buffer, but uses .text as the data to append, and .text_length is not the length of the .text string.

Use .text to calculate the correct size of the buffer.
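To make the sizing mismatch described in the comment above concrete, here is an added example (not the attached patch and not xv's code): a constructed stand-in for the png_text record, the buffer-size computation done the buggy way (from .text_length) next to the corrected way (from strlen(.text)), and a bounded append that refuses to write past the buffer. The sample chunk, the field names beyond .text and .text_length, and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the png_text record (assumption, not xv's code). */
typedef struct {
    const char *key;
    const char *text;       /* NUL-terminated comment string */
    size_t text_length;     /* may disagree with strlen(text) */
} text_chunk;

/* Bug as the report describes it: sized from text_length, appends .text. */
size_t buggy_comment_size(const text_chunk *t, size_t n) {
    size_t total = 1;                        /* terminating NUL */
    for (size_t i = 0; i < n; i++)
        total += strlen(t[i].key) + 2 + t[i].text_length + 1;
    return total;
}

/* Fix as the attachment describes it: measure the data actually copied. */
size_t fixed_comment_size(const text_chunk *t, size_t n) {
    size_t total = 1;
    for (size_t i = 0; i < n; i++)
        total += strlen(t[i].key) + 2 + strlen(t[i].text) + 1;
    return total;
}

/* Append "key: text\n" per chunk into buf (cap bytes). Each strcat is guarded
 * by the running byte count, so an undersized buffer is left short, never
 * overflowed. Returns the byte count the complete text needs. */
size_t build_comment(const text_chunk *t, size_t n, char *buf, size_t cap) {
    size_t need = 1;
    if (cap) buf[0] = '\0';
    for (size_t i = 0; i < n; i++) {
        need += strlen(t[i].key) + 2 + strlen(t[i].text) + 1;
        if (need > cap) continue;            /* would overflow: skip it */
        strcat(buf, t[i].key); strcat(buf, ": ");
        strcat(buf, t[i].text); strcat(buf, "\n");
    }
    return need;
}

/* Constructed sample: text_length 0 (libpng's png_text carries 0 here for
 * iTXt entries; that this is the trigger is an assumption) but 17-byte text. */
static const text_chunk sample[] = { { "Comment", "Created with GIMP", 0 } };

int main(void) {
    char buf[64];
    printf("need %zu bytes: %s", build_comment(sample, 1, buf, sizeof buf), buf);
    return 0;
}
```

With the sample chunk the buggy computation yields an 11-byte buffer while the text actually needs 28 bytes, which is the shape of heap overflow valgrind reported.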
If you already have a patch, you can send it to multimedia:apps/xv in build.opensuse.org
This is an autogenerated message for OBS integration: This bug (1043479) was mentioned in https://build.opensuse.org/request/show/502764 Factory:NonFree / xv
(In reply to Rich Coe from comment #1)
> Created attachment 728337
> correctly calculate string buffer size
>
> The code uses .text_length to determine size of buffer, but uses .text as
> the data to append, and .text_length is not the length of the .text string.
>
> Use .text to calculate the correct size of the buffer.

Thanks a lot ... now as the request has already been accepted this one is fixed as well
This is an autogenerated message for OBS integration: This bug (1043479) was mentioned in https://build.opensuse.org/request/show/578282 42.3:NonFree / xv
This seems to be a security issue.
Rich, is the patch from comment 1 coming from upstream xv? Are they aware of this problem? (I did a quick check on the available patches[1], but couldn't find the one from comment 1.)

[1] http://www.trilon.com/xv/downloads.html#patches
Looking through my email, I did not follow up with the patch to upstream. I would have waited for it to be accepted by opensuse and it looks like I neglected to forward the patch after it was accepted.
openSUSE-SU-2018:0517-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1043479
CVE References:
Sources used:
openSUSE Leap 42.3:NonFree (src): xv-3.10a-1280.3.1
CVE requested from Mitre.
(In reply to Swamp Workflow Management from comment #9)
> openSUSE-SU-2018:0517-1: An update that contains security fixes can now be
> installed.
>
> Category: security (moderate)
> Bug References: 1043479
> CVE References:
> Sources used:
> openSUSE Leap 42.3:NonFree (src): xv-3.10a-1280.3.1
Also checked in 15.0:NonFree and later.