Bugzilla – Bug 64899
VUL-0: CVE-2005-0076: xview-lib buffer overflow
Last modified: 2021-11-02 16:21:53 UTC
Hello, we received the following *non-public* report.

From: Martin Schulze <joey@infodrom.org>
To: Free Software Distribution Vendors <vendor-sec@lst.de>
User-Agent: Mutt/1.5.6+20040907i
Subject: [vendor-sec] CAN-2005-0076: Potential arbitrary code execution in xview
Errors-To: vendor-sec-admin@lst.de
Date: Sat, 15 Jan 2005 17:37:59 +0100

Erik Sjölund discovered that programs linked against xview are vulnerable to a number of buffer overflows in the XView library. When the overflow is triggered in a program which is installed setuid root, a malicious user could perhaps execute arbitrary code as a privileged user.

These commands will create a segmentation fault:

$ ln -s /usr/X11R6/bin/xvmount /tmp/`perl -e 'print "A" x 200'`
$ /tmp/`perl -e 'print "A" x 200'` -Wt

The overflowed variable seems to be sufficiently far away from the stack frame, but I'm not totally sure that it is impossible to overwrite it as well.

I'm attaching a proposed patch.

Please let me know if you need coordination for this bug. This package is probably part of most other distributions as well.

Regards,

	Joey

-- 
There are lies, statistics and benchmarks.
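The pattern behind the report, as an added example that is neither XView's code nor the attached patch: the repro makes argv[0] a 200-byte name, and a program that writes argv[0] into a fixed buffer without a bound overruns it. The unsafe shape is shown beside the bounded form a fix would use; buffer size, message text and function names are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Fixed buffer size: a constructed value for this example, not XView's. */
#define MSG_BUF_SIZE 64

/* Unsafe shape of the bug from the report: argv[0], which the caller controls
 * through the name of the symlink used to start the program, is written into a
 * fixed buffer with no bound, so a 200-byte name overruns a 64-byte buffer.
 * Kept for comparison only; never called with a long name here. */
void format_usage_unsafe(char *buf, const char *argv0, const char *opt)
{
    sprintf(buf, "%s: option %s requires an argument", argv0, opt);
}

/* Bounded form: snprintf is given the real buffer size, the result is always
 * NUL-terminated, and the caller learns whether truncation happened.
 * Returns 0 if the message fit, 1 if it was truncated, -1 on error. */
int format_usage_safe(char *buf, size_t bufsz, const char *argv0, const char *opt)
{
    if (bufsz == 0)
        return -1;
    int n = snprintf(buf, bufsz, "%s: option %s requires an argument", argv0, opt);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    return (size_t)n >= bufsz ? 1 : 0;
}

/* Mirrors the report's trigger in-process: a 200-byte program name and the
 * "-Wt" option, fed to the bounded formatter. Returns the truncation flag. */
int demo_long_name(void)
{
    char name[201];
    char buf[MSG_BUF_SIZE];
    memset(name, 'A', sizeof name - 1);   /* constructed: 200 x 'A', as in the repro */
    name[sizeof name - 1] = '\0';
    int rc = format_usage_safe(buf, sizeof buf, name, "-Wt");
    printf("rc=%d len=%zu\n", rc, strlen(buf));
    return rc;
}

int main(void)
{
    return demo_long_name() == 1 ? 0 : 1;
}
```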
Do you know if setuid code (on our distros since 8.1) links against this vulnerable code?
'olvwm' does not contain setuid binaries. Besides this, we shipped:

'xvnews' maintained by 'nadvornik@suse.cz' (until 8.2)
'workman' maintained by 'postadal@suse.cz' (until 9.1)

AFAIK they did not contain setuid binaries either.
Vladimir, Petr, can you confirm this please? If we do not ship it setuid, we do not need to make a full-blown security update. Nevertheless, a fix in STABLE should be added.
xvnews was never shipped with setuid.
workman didn't contain setuid binaries.
Ok, I'll close it now. If you *like*, add a patch to STABLE.
CVE-2005-0076: CVSS v2 Base Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)