Bug 1043479 (CVE-2017-18215) - VUL-0: CVE-2017-18215: xv: xv crashes reading gimp created png image
Summary: VUL-0: CVE-2017-18215: xv: xv crashes reading gimp created png image
Status: RESOLVED FIXED
Alias: CVE-2017-18215
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: x86-64 Other
Priority: P3 - Medium  Severity: Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-06-08 20:43 UTC by Rich Coe
Modified: 2019-07-10 05:56 UTC (History)
5 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
correctly calculate string buffer size (651 bytes, patch)
2017-06-08 20:50 UTC, Rich Coe
Description Rich Coe 2017-06-08 20:43:36 UTC
opensuse Tumbleweed
xv-3.10a 1296.49

xv crashed while loading png images created by gimp.
 *** Error in `xv': free(): invalid next size (fast): 0x0000000000c7c380 ***
======= Backtrace: =========
/lib64/libc.so.6(+0x7383b)[0x7ff155f6983b]
/lib64/libc.so.6(+0x79dee)[0x7ff155f6fdee]
/lib64/libc.so.6(+0x7a5fe)[0x7ff155f705fe]
xv[0x42396e]
xv[0x412698]
xv[0x40bd7f]
/lib64/libc.so.6(__libc_start_main+0xf1)[0x7ff155f16541]
xv[0x40d44a]

I ran valgrind, but the default does not have line numbers, and I had to build the opensuse version with debug.

==16988== Invalid write of size 1
==16988==    at 0x4C32638: __stpcpy_sse2_unaligned (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16988==    by 0x1A04F8: strcat (string3.h:147)
==16988==    by 0x1A04F8: LoadPNG (xvpng.c:1162)
==16988==    by 0x124F98: openPic (xv.c:2520)
==16988==    by 0x11DD5C: openFirstPic (xv.c:3666)
==16988==    by 0x11DD5C: mainLoop (xv.c:3785)
==16988==    by 0x11DD5C: main (xv.c:1043)
==16988==  Address 0x7953d8b is 0 bytes after a block of size 11 alloc'd
==16988==    at 0x4C2C0AF: malloc (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
==16988==    by 0x1A045C: LoadPNG (xvpng.c:1154)
==16988==    by 0x124F98: openPic (xv.c:2520)
==16988==    by 0x11DD5C: openFirstPic (xv.c:3666)
==16988==    by 0x11DD5C: mainLoop (xv.c:3785)
==16988==    by 0x11DD5C: main (xv.c:1043)
Comment 1 Rich Coe 2017-06-08 20:50:03 UTC
Created attachment 728337 [details]
correctly calculate string buffer size

The code uses .text_length to determine the size of the buffer, but uses .text as the data to append, and .text_length is not the length of the .text string.

Use .text to calculate the correct size of the buffer.
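The mismatch described in this comment, shown as an added example (not xv's code and not the attached patch). The comment_t struct is a constructed stand-in that mirrors libpng's png_text field names; the "Comment"/"Created with GIMP" entry is constructed sample input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for libpng's png_text. In libpng, text_length holds the
 * byte length for tEXt/zTXt chunks but is 0 for iTXt chunks, whose length is
 * reported in itxt_length instead. Sizing a buffer from text_length alone
 * therefore under-allocates for iTXt comments, and the following strcat of
 * .text runs past the heap block (the "0 bytes after a block" valgrind hit). */
typedef struct {
    const char *key;
    const char *text;
    size_t text_length;   /* 0 for iTXt */
    size_t itxt_length;   /* 0 for tEXt/zTXt */
} comment_t;

/* Buffer size computed the way the bug report describes: from .text_length. */
size_t size_from_lengths(const comment_t *c) {
    return strlen(c->key) + 2 + c->text_length + 1;   /* "key: text\0" */
}

/* Buffer size computed from the string that is actually appended. */
size_t size_from_strings(const comment_t *c) {
    return strlen(c->key) + 2 + strlen(c->text) + 1;
}

/* Safe builder: allocate from the real string length and use a bounded
 * write, so a wrong length field can at worst truncate, never overflow.
 * The caller frees the result. */
char *build_comment(const comment_t *c) {
    size_t n = size_from_strings(c);
    char *buf = malloc(n);
    if (!buf) return NULL;
    snprintf(buf, n, "%s: %s", c->key, c->text);
    return buf;
}

int main(void) {
    /* Constructed iTXt-style entry: text_length is 0, as libpng reports it. */
    comment_t itxt = { "Comment", "Created with GIMP", 0, 17 };
    printf("from lengths: %zu bytes, from strings: %zu bytes\n",
           size_from_lengths(&itxt), size_from_strings(&itxt));
    char *s = build_comment(&itxt);
    if (s) { puts(s); free(s); }
    return 0;
}
```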
Comment 2 Stephan Kulow 2017-06-09 04:58:48 UTC
If you already have a patch, you can send it to multimedia:apps/xv in build.opensuse.org
Comment 3 Bernhard Wiedemann 2017-06-10 10:01:00 UTC
This is an autogenerated message for OBS integration:
This bug (1043479) was mentioned in
https://build.opensuse.org/request/show/502764 Factory:NonFree / xv
Comment 4 Dr. Werner Fink 2017-06-12 11:33:44 UTC
(In reply to Rich Coe from comment #1)
> Created attachment 728337 [details]
> correctly calculate string buffer size
> 
> The code uses .text_length to determine size of buffer, but uses .text as
> the data to append, and .text_length is not the length of the .text string.
> 
> Use .text to calculate the correct size of the buffer.

Thanks a lot ... now as the request has already been accepted this one is fixed as well
Comment 5 Swamp Workflow Management 2018-02-20 09:40:06 UTC
This is an autogenerated message for OBS integration:
This bug (1043479) was mentioned in
https://build.opensuse.org/request/show/578282 42.3:NonFree / xv
Comment 6 Marcus Meissner 2018-02-20 10:55:18 UTC
this seems to be a security issue.
Comment 7 Alexander Bergmann 2018-02-21 08:51:14 UTC
Rich, is the patch from comment 1 coming from upstream xv? Are they aware of this problem?

(I did a quick check on the available patches[1], but couldn't find the one from comment 1.)

[1] http://www.trilon.com/xv/downloads.html#patches
Comment 8 Rich Coe 2018-02-21 15:38:29 UTC
Looking through my email, I did not follow up with the patch to upstream.
I would have waited for it to be accepted by opensuse and it looks like I neglected to forward the patch after it was accepted.
Comment 9 Swamp Workflow Management 2018-02-21 20:21:03 UTC
openSUSE-SU-2018:0517-1: An update that contains security fixes can now be installed.

Category: security (moderate)
Bug References: 1043479
CVE References: 
Sources used:
openSUSE Leap 42.3:NonFree (src):    xv-3.10a-1280.3.1
Comment 10 Marcus Meissner 2018-03-05 16:12:49 UTC
cve requested from Mitre.
Comment 11 Dr. Werner Fink 2018-09-11 10:00:07 UTC
(In reply to Swamp Workflow Management from comment #9)
> openSUSE-SU-2018:0517-1: An update that contains security fixes can now be
> installed.
> 
> Category: security (moderate)
> Bug References: 1043479
> CVE References: 
> Sources used:
> openSUSE Leap 42.3:NonFree (src):    xv-3.10a-1280.3.1
Comment 12 Marcus Meissner 2019-07-10 05:56:07 UTC
also checked in 15.0:NonFree and later.