Bugzilla – Bug 66139
VUL-0: CVE-2005-0639: xli: buffer overflow
Last modified: 2021-10-27 11:55:04 UTC
Hello Lukas, we got the following report via vendor-sec. (not public!)

From: Tavis Ormandy <taviso@gentoo.org>
To: solar@gentoo.org
Subject: xli 1.17.0 vulnerabilities
Date: Sat, 19 Feb 2005 12:16:25 +0000

Hello there, we've identified two problems with xli 1.17.0 that we expect an upstream fix for shortly.

Firstly, Rob Holland (tigger@gentoo.org) noticed that an xloadimage vulnerability reported in 2001 was unfixed in xli; credit for the original xloadimage vulnerability should go to zen-parse. An exploit is in the wild for this vulnerability.

--- faces.c 2005-02-19 11:34:26.731014488 +0000
+++ faces.c 2005-02-19 11:34:26.731014488 +0000
@@ -136,7 +136,7 @@
 image= newRGBImage(w, h, d);
 fname[strlen(fname) - 1]= ' ';
- strcat(fname, lname);
+ strncat(fname, lname, BUFSIZ - strlen(fname) - 1);
 fname[strlen(fname) - 1]= '\0';
 image->title= dupString(fname);

Additionally, a problem exists with shell meta-characters in filenames; this could potentially lead to execution of commands via mailcap by sending MIME attachments with Content-Type set to image/foo and a filename set to, for example, ';id 1>&2;: .Z'. The responsible lines are in zio.c:

sprintf(buf, "gunzip -c %s", name); (line ~373)

This is followed by a popen(). The code responsible for this is #ifndef'd out with NO_UNCOMPRESS. I expect the upstream maintainer will replace the gunzip+popen with a zlib solution or pipe/fork/etc.

-- Ned Ludd <solar@gentoo.org>
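Review bot: the strncat() bound in the faces.c hunk, BUFSIZ - strlen(fname) - 1, is only right if fname is declared as char fname[BUFSIZ], and that declaration is outside the hunk; with any other array size the overflow remains, and should strlen(fname) ever exceed BUFSIZ - 1 the unsigned subtraction wraps to a huge count. Suggest using sizeof(fname) - strlen(fname) - 1 with the array in scope, and note that the unchanged line fname[strlen(fname) - 1]= '\0' now drops a real character of the title, rather than the trailing separator, whenever the copy was truncated.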
SM-Tracker-446
The first issue was already fixed in 2001. The second is not fixed yet.
From: Thierry Carrez <koon@gentoo.org>
User-Agent: Mozilla Thunderbird 1.0 (X11/20041209)
To: vendor-sec@lst.de
Cc: taviso@gentoo.org, tigger@gentoo.org
Subject: Re: [vendor-sec] [Fwd: xli 1.17.0 vulnerabilities]
Errors-To: vendor-sec-admin@lst.de
Date: Tue, 01 Mar 2005 11:01:09 +0100

[-- PGP Ausgabe folgt (aktuelle Zeit: Fr 04 Mär 2005 09:44:09 CET) --]
gpg: Unterschrift vom Di 01 Mär 2005 11:01:15 CET, DSA Schlüssel ID B6A55F4F
gpg: Unterschrift kann nicht geprüft werden: Öffentlicher Schlüssel nicht gefunden
[-- Ende der PGP-Ausgabe --]
[-- Die folgenden Daten sind signiert --]

Here is the draft of our GLSA :

===================================
Description:

Tavis Ormandy of the Gentoo Linux Security Audit Team has reported that xli and xloadimage contain a flaw in the handling of compressed images, where shell meta-characters are not adequately escaped.

Rob Holland of the Gentoo Linux Security Audit Team has reported that an xloadimage vulnerability in the handling of Faces Project images discovered by zen-parse in 2001 remained unpatched in xli.

Additionally, it has been reported that insufficient validation of image properties in xli could potentially result in buffer management errors.

Impact:

Successful exploitation would permit a remote attacker to execute arbitrary shell commands, or arbitrary code with the privileges of the xloadimage or xli user.
===================================

The 2001 xloadimage thing that passed unfixed in xli (at least on Gentoo and Debian) is CAN-2001-0775. If someone has CAN numbers for the xli buffer management errors (fixed upstream 2005-02-27 snapshot) and the xli/xloadimage gunzip shell escape (also fixed in xli upstream 2005-02-27 snapshot)...

Note that the discussion of this bug was in a public setting so we should consider it public.

--
Thierry Carrez
Gentoo Linux Security

[-- Ende der signierten Daten --]
CAN-2005-0638
SM-Tracker-576

Lukas, we need updates for all affected box products. It's not part of a SLES product, right?
Is there a patch available somewhere?
Latest changes:

2005/02/27 A new snapshot of xli is available, which fixes some security problems.
http://pantransit.reptiles.org/prog/
Lukas, were you able to extract the patch?
Not really, I'll update the whole package for STABLE, dunno what about prior versions tho.
- getpac -r 9.2 xli
- build xli
- cp -arp $BUILD_ROOT/usr/src/packages/BUILD/xli* .
- (cd xli-1.17.0/;make clean)
- wget http://pantransit.reptiles.org/prog/xli/xli-2005-02-27.tar.gz
- diff -pruNEb xli-1.17.0/ xli-2005-02-27/ > xli-sec.diff
- use your favorite editor to strip the diff by hand

Apply the patch to all prior versions since (and including) 8.2.
The interesting parts are:
- zio.c
- faces.c (that is the one we should have already fixed, see comment #2)
- (Makefile.std)
- (Imakefile)

The author also fixed possible integer overflows.

diff -pruNEb xli-1.17.0/new.c xli-2005-02-27/new.c
--- xli-1.17.0/new.c 1999-10-25 04:14:59.000000000 +0200
+++ xli-2005-02-27/new.c 2005-02-28 01:42:39.000000000 +0100
@@ -104,6 +104,18 @@ void freeRGBMapData(RGBMap *rgb)
 lfree((byte *) rgb->blue);
 }
 
+static unsigned int ovmul(unsigned int a, unsigned int b)
+{
+ unsigned int r;
+
+ r = a * b;
+ if (r / a != b) {
+ memoryExhausted();
+ }
+
+ return r;
+}
+
 static Image *newImage(unsigned width, unsigned height)
 {
 Image *image;
@@ -133,7 +145,7 @@ Image *newBitImage(unsigned width, unsig
 image->rgb.used = 2;
 image->depth = 1;
 linelen = ((width + 7) / 8);
- image->data = (unsigned char *) lcalloc(linelen * height);
+ image->data = (unsigned char *) lcalloc(ovmul(linelen, height));
[...]

I am not sure if this can be exploited remotely.
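Review bot: ovmul() in the first new.c hunk divides by a without a zero check, so r / a != b is a division by zero when a == 0, and the call site in the second hunk can produce exactly that: a zero width gives linelen = ((0 + 7) / 8) = 0, so a zero-width image now dies with a division fault instead of being rejected. Suggest guarding the test as if (a != 0 && r / a != b), or checking a > UINT_MAX / b before multiplying (with b == 0 handled first), and deciding explicitly what lcalloc(0) should mean for an empty image.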
Fixed packages submitted
/work/src/done/PATCHINFO/xli.patch.box
Looks like the patch does not avoid passing extra arguments to the command-line tools and does not protect against directory traversal. :( I'll talk to the author.
There are two issues, CAN-2005-0638 and CAN-2005-0639
The second one (CAN-2005-0639) sounds like the integer overflow bug. Lukas added this patch too.
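The integer overflow class referred to here, as an added example that is not xli's code: an overflow-checked size computation for the 1-bit and RGB image buffers, written so that a zero width or height yields a legitimate zero size instead of tripping the division in the r / a != b idiom, and with the unchecked (wrapping) result shown alongside so the too-small allocation is visible. All function names are hypothetical.

```c
/* Added example, not xli's code: overflow-checked image buffer sizing.
 * Function names are hypothetical; the dimensions in main() are constructed. */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* a * b into *out.  Returns 1 on success, 0 if the product does not fit in
 * unsigned int.  A zero factor is a valid zero product and never divides. */
int mul_u32_checked(unsigned a, unsigned b, unsigned *out)
{
    if (a == 0 || b == 0) {
        *out = 0;
        return 1;
    }
    if (a > UINT_MAX / b)          /* compare before multiplying: no wrap */
        return 0;
    *out = a * b;
    return 1;
}

/* Bytes for a 1-bit-per-pixel image: ((width + 7) / 8) * height.
 * Returns 1 and sets *bytes, or 0 when the size would wrap. */
int bit_image_bytes(unsigned width, unsigned height, unsigned *bytes)
{
    unsigned linelen;
    if (width > UINT_MAX - 7)      /* width + 7 itself must not wrap */
        return 0;
    linelen = (width + 7) / 8;
    return mul_u32_checked(linelen, height, bytes);
}

/* Bytes for a packed 24-bit RGB image: width * height * 3, each step checked. */
int rgb_image_bytes(unsigned width, unsigned height, unsigned *bytes)
{
    unsigned pixels;
    if (!mul_u32_checked(width, height, &pixels))
        return 0;
    return mul_u32_checked(pixels, 3, bytes);
}

/* What the unchecked expression produces: the wrapped, too-small size.
 * Here only to make the failure visible; never allocate from it. */
unsigned wrapped_rgb_bytes(unsigned width, unsigned height)
{
    return width * height * 3;
}

/* Zero-filled RGB buffer, or NULL when the size is invalid or zero. */
void *alloc_rgb_image(unsigned width, unsigned height)
{
    unsigned bytes;
    if (!rgb_image_bytes(width, height, &bytes) || bytes == 0)
        return NULL;
    return calloc(bytes, 1);
}

int main(void)
{
    unsigned bytes = 0;
    int ok;

    ok = rgb_image_bytes(4, 4, &bytes);
    printf("4x4 RGB: ok=%d bytes=%u\n", ok, bytes);

    /* constructed: dimensions chosen so width * height wraps 32 bits */
    ok = rgb_image_bytes(65536u, 65536u, &bytes);
    printf("65536x65536 RGB: ok=%d, unchecked expression gives %u bytes\n",
           ok, wrapped_rgb_bytes(65536u, 65536u));
    return 0;
}
```

The comparison form (a > UINT_MAX / b) is preferred over multiplying and dividing back because it never computes the wrapped value at all, and the explicit zero branch is what keeps a zero-sized image from crashing the checker.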
For the sake of completeness: the patch is OK. The option args are "filtered" earlier. The directory traversal is a problem of the calling application; xli shouldn't apply restrictions here.
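The zio.c problem from the report (a file name printed into a "gunzip -c %s" string and handed to popen(), so the shell parses the name) next to the pipe/fork/exec alternative Tavis mentions, as an added example; it is not xli's code, and every function name in it is hypothetical. The fixed argv also carries the "--" separator that stops a name beginning with "-" from being read as a gunzip option, which is the extra-arguments concern raised above, and has_shell_meta() is included only as a detection aid for rejecting or logging suspicious names:

```c
/* Added example, not xli's code: the command-string + popen() pattern next
 * to a fork/exec alternative in which no shell ever sees the file name.
 * All function names are hypothetical; the sample name is the one quoted
 * in the report. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Characters a POSIX shell interprets in an unquoted command word. */
static const char SHELL_META[] = ";|&<>`$(){}[]*?~'\"\\ \t\n#!";

/* 1 if name contains anything a shell would interpret, else 0.  Useful for
 * rejecting or logging a name; not a substitute for avoiding the shell. */
int has_shell_meta(const char *name)
{
    return strpbrk(name, SHELL_META) != NULL;
}

/* The vulnerable pattern: name is spliced into the text that popen() would
 * pass to the shell.  Returns buf so callers can inspect the result. */
char *build_shell_command(char *buf, size_t buflen, const char *name)
{
    snprintf(buf, buflen, "gunzip -c %s", name);
    return buf;
}

/* The hardened pattern: a fixed argv vector.  "--" ends option parsing so a
 * name starting with '-' cannot become an extra gunzip option.  argv must
 * hold 5 pointers.  Returns the argument count, excluding the NULL. */
int build_exec_argv(const char *name, const char *argv[5])
{
    argv[0] = "gunzip";
    argv[1] = "-c";
    argv[2] = "--";
    argv[3] = name;
    argv[4] = NULL;
    return 4;
}

/* Run gunzip via fork/execvp with that argv; return a descriptor for its
 * stdout, or -1.  The caller reads the data, closes the fd and reaps *pid. */
int open_decompressed(const char *name, pid_t *pid)
{
    const char *argv[5];
    int fds[2];

    build_exec_argv(name, argv);
    if (pipe(fds) < 0)
        return -1;
    *pid = fork();
    if (*pid < 0) {
        close(fds[0]);
        close(fds[1]);
        return -1;
    }
    if (*pid == 0) {                 /* child: stdout -> pipe, then exec */
        dup2(fds[1], STDOUT_FILENO);
        close(fds[0]);
        close(fds[1]);
        execvp(argv[0], (char *const *) argv);
        _exit(127);                  /* exec failed; still no shell involved */
    }
    close(fds[1]);
    return fds[0];
}

int main(void)
{
    const char *name = ";id 1>&2;: .Z";   /* constructed: the report's name */
    const char *argv[5];
    char buf[128];
    int i;

    printf("shell metacharacters present: %d\n", has_shell_meta(name));
    printf("string popen() would hand to the shell: %s\n",
           build_shell_command(buf, sizeof buf, name));
    build_exec_argv(name, argv);
    for (i = 0; argv[i] != NULL; i++)
        printf("argv[%d] = \"%s\"\n", i, argv[i]);
    return 0;
}
```

With the argv form the report's ';id 1>&2;: .Z' reaches gunzip as one literal argument and simply fails as a file name; nothing on that path runs a shell. Directory traversal in the name, the other point raised above, is deliberately left to the calling application, as this comment says.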
packages released
CVE-2005-0639: CVSS v2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)