Bugzilla – Bug 74687
VUL-0: CVE-2005-0665: xv: more overflows in xv
Last modified: 2021-11-08 10:29:11 UTC
We received the following report via vendor-sec. This issue is not public yet; please keep any information about it inside SUSE.

Date: Sun, 27 Mar 2005 13:04:08 -0800
From: Greg Roelofs <newt@pobox.com>
To: cert@cert.org, cve@mitre.org, security@kde.org, vendor-sec@lst.de
Subject: [vendor-sec] Re: buffer-overrun vulnerabilities in XV and other image decoders
Reply-To: Greg Roelofs <newt@pobox.com>

This is an interim update to earlier reports to CERT (with subject line as above) and to vendor-sec with this subject line:

  Re: [Security] [vendor-sec] valid list? updated vulnerability...

I think we can consider this vulnerability to be "effectively exploited" in the sense that an exploit for an earlier version of the same problem in XV's BMP decoder was posted to BugTraq last August (http://www.securityfocus.com/archive/1/372345), and demonstration images for the new variant are publicly available from the KDE Bugzilla site (http://bugs.kde.org/show_bug.cgi?id=102328). I'm pretty sure the former can be trivially adapted to the latter, though I have not attempted to do so myself.

Ergo, I still plan to release an updated set of XV jumbo patches tonight or tomorrow morning (US/Pacific) and to make an announcement to BugTraq within the next day or two. I realize this is a holiday weekend for many, and that makes things awkward, but unfortunately it doesn't alter anything I said in the previous paragraph.

In the meantime, here are some updated test images:

  http://pobox.com/~newt/test/286572/overflow-examples.zip (189695 bytes)
  http://pobox.com/~newt/test/286572/normal-examples.zip (189638 bytes)

(I trust no one will post the new links on publicly visible bug pages just yet! :-/ )

The archives contain the same 8-bit PCX image as in the KDE bug attachment, plus 24-bit BMP, JPEG, PCX (slightly "improved"), PNG, PPM, and TIFF versions. All but the PNG trigger segfaults in XV:

  % foreach j ( overflow-[28]* )
  foreach? echo $j
  foreach? /usr/X11R6/bin/xv $j
  foreach? end
  overflow-24.bmp
  Segmentation fault
  overflow-24.jpg
  Segmentation fault
  overflow-24.pcx
  Segmentation fault
  overflow-24.png
  overflow-24.ppm
  Segmentation fault
  overflow-24.tif
  Segmentation fault
  overflow-8.pcx
  Segmentation fault

(The PNG decoder is saved by internal libpng checks that apparently go all the way back to 1.0.8, maybe even earlier. On the other hand, a different but related libpng vulnerability was fixed just last August, so don't assume a PNG crack is entirely out of the question.)

Note that I'm limiting my attention solely to XV, simply because it's the image viewer I know and love^Wuse. Hopefully most modern ones are a bit more secure.

Regards,

--
Greg Roelofs  newt@pobox.com  http://pobox.com/~newt/
Newtware, PNG Group, AlphaWorld Map, etc.

_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
Date: Sun, 27 Mar 2005 23:41:56 -0800
From: Greg Roelofs <newt@pobox.com>
To: cert@cert.org, cve@mitre.org, security@kde.org, vendor-sec@lst.de
Subject: [vendor-sec] Re: buffer-overrun vulnerabilities in XV and other image decoders
Reply-To: Greg Roelofs <newt@pobox.com>

I wrote earlier today:

> Ergo, I still plan to release an updated set of XV jumbo patches tonight
> or tomorrow morning (US/Pacific) and to make an announcement to BugTraq
> within the next day or two. I realize this is a holiday weekend for many,
> and that makes things awkward, but unfortunately it doesn't alter anything
> I said in the previous paragraph.

Unfortunately (or fortunately, depending on your perspective), I still have another 200 memory-allocations to inspect and potentially fix in XV, which means I'm not ready with my own patch and probably won't be before next weekend sometime. In particular, I won't be announcing anything for at least that long; I'd like the fix to be completely ready first.

I apologize for the poor time estimate! Feel free to contact me for updates or further info.

--
Greg Roelofs  newt@pobox.com  http://pobox.com/~newt/
Newtware, PNG Group, AlphaWorld Map, etc.
Where are the patches?
Date: Wed, 6 Apr 2005 08:49:13 -0700
From: Greg Roelofs <newt@pobox.com>
To: cert@cert.org, cve@mitre.org, security@imagemagick.org, security@kde.org, vendor-sec@lst.de
Cc: glennrp@comcast.net
Subject: [vendor-sec] Re: buffer-overrun vulnerabilities in XV and other image decoders (VU#622622)
Reply-To: Greg Roelofs <newt@pobox.com>

I wrote (Sunday, 3 April):

> I believe I've fixed all of the image-loading heap overflows in XV, but
> I didn't quite have time to polish things up, do final sanity tests, etc.
> However, I have created a prototype jumbo-fixes patch, which you can now
> find here:

I've created a nearly complete jumbo-patch update and put it here for the moment:

  http://pobox.com/~newt/test/xv-3.10a-jumbo-patches-20050405-pre2.tar.gz

Again, this is a full jumbo-patch set per my web page (http://pobox.com/~newt/greg_xv.html), not simply a security fix. Comparison with the previous jumbo-patch set, which is available from my XV page, will reveal the security fixes without a huge amount of noise, although there are a few other things in there as well:

  20040531  fixed undefined CLK_TCK with gcc -ansi (enh/USE_TICKS option); made libjpeg, libtiff, libpng and zlib sections of makefile more consistent (enh)
  20040606  added freshmeat link, build instructions, and changelog to jumbo README (this file)
  20050213  increased max number of files from 4096 to 32768 (enh)
  20050320-20050405  fixed two very long-standing YCbCr bugs in TIFF decoder (fix); provisionally fixed bug in TIFF decoder for contiguous tiled TIFFs with bottom-* orientation (fix/USE_TILED_TIFF_BOTLEFT_FIX option); fixed new gcc 3.3 warnings (fix); fixed incorrect 16/24-bit display of xwd dumps (fix); fixed multiple input-validation bugs (potential heap overflows) and mktemp() dependencies (*SECURITY* fixes: CAN-2004-1725, CAN-2004-1726, CAN-2005-0665, CERT VU#622622, and others); added support for 16- and 32-bit BMPs using bitfields "compression" (enh)

This would be the ready-for-public-release version if not for one last-minute issue in xvimage.c; in trying to quash a gcc 3.3 lvalue-cast warning, I seem to have found a byte-ordering bug in one of the enhancement patches (possibly fixpix). Oddly enough, no one has ever reported a problem with that, so it may also be my error. I need to dig into it more.

> My current plans are to finish up both jumbo patches as soon as possible
> (ideally, within the next day or two), upload them and update my jumbo-
> patch web page (http://pobox.com/~newt/greg_xv.html), let you folks know,
> and then make a freshmeat announcement and submit a BugTraq advisory around
> 24 hours after that.

That's still the plan, depending on how the xvimage.c issue goes. I may simply revert the warning "fix" (i.e., define USE_DEPRECATED_LVALUE_CAST) and let things ride for this release, in which case I'd let you know tonight, and public announcements would happen either tomorrow night or Friday morning (US/Pacific).

Regards,

--
Greg Roelofs  newt@pobox.com  http://pobox.com/~newt/
Newtware, PNG Group, AlphaWorld Map, etc.

_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
Date: Mon, 11 Apr 2005 08:28:43 -0700
From: Greg Roelofs <newt@pobox.com>
To: newt@pobox.com
Cc: cert@cert.org, cve@mitre.org, glennrp@comcast.net, security@imagemagick.org, security@kde.org, vendor-sec@lst.de
Subject: [vendor-sec] Re: buffer-overrun vulnerabilities in XV and other image decoders (VU#622622)
Reply-To: Greg Roelofs <newt@pobox.com>

>> I've created a nearly complete jumbo-patch update and put it here for
>> the moment:
>> http://pobox.com/~newt/test/xv-3.10a-jumbo-patches-20050405-pre2.tar.gz

> I'll assume no news^Wfeedback is good news, so here are the final
> release archives (identical except for compression):
> http://pobox.com/~newt/code/xv-3.10a-jumbo-patches-20050408.tar.bz2
> http://pobox.com/~newt/code/xv-3.10a-jumbo-patches-20050408.tar.gz
> Since it's almost the weekend, I'll wait with the announcement until
> Monday morning US/Pacific. I haven't updated my XV web page yet
> (http://pobox.com/~newt/greg_xv.html), but I'll get to that sometime
> this weekend.

OK, web page is updated, as are the patches (slightly). The only security-related change in the 20050410 versions was for xvpictoppm.c (a standalone utility bundled with XV), which required the same sort of malloc-multiplier check as all the others. (I also incorporated some third-party keyboard- and configurability-related changes into the enhancements patch.)

  http://pobox.com/~newt/code/xv-3.10a-jumbo-patches-20050410.tar.bz2
  http://pobox.com/~newt/code/xv-3.10a-jumbo-patches-20050410.tar.gz

A freshmeat.net announcement has been submitted, and a BugTraq announcement will follow in a few minutes.
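The "malloc-multiplier check" Greg refers to, written out as an added example in C; this is not XV's code, and the function names, the 256 MiB cap and the sample dimensions are constructed for illustration:

```c
/* Added example, not XV's code: the "malloc-multiplier" check Greg
 * Roelofs describes, applied to a decoder that sizes its pixel buffer
 * from header-supplied width, height and bytes per pixel. The names,
 * the size cap and the sample dimensions are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed sanity cap on one decoded image (256 MiB). */
#define MAX_IMAGE_BYTES ((size_t)256u * 1024u * 1024u)

/* The unchecked computation: in 32-bit arithmetic the product wraps
 * for large dimensions, so malloc() gets a buffer far too small. */
uint32_t naive_size_u32(uint32_t w, uint32_t h, uint32_t bpp)
{
    return w * h * bpp;
}

/* Return w*h*bpp in bytes, or 0 if a dimension is invalid, the product
 * would wrap size_t, or it exceeds the cap. Each multiply is guarded
 * by a division so the wrap is detected before it can happen. */
size_t checked_image_size(uint32_t w, uint32_t h, uint32_t bpp)
{
    if (w == 0 || h == 0 || bpp == 0 || bpp > 4)
        return 0;
    if ((size_t)w > SIZE_MAX / h)
        return 0;
    size_t pixels = (size_t)w * h;
    if (pixels > SIZE_MAX / bpp)
        return 0;
    size_t bytes = pixels * bpp;
    return bytes > MAX_IMAGE_BYTES ? 0 : bytes;
}

/* Allocate only after the size has been validated; NULL for rejected
 * dimensions or allocation failure. */
unsigned char *alloc_pixels(uint32_t w, uint32_t h, uint32_t bpp)
{
    size_t bytes = checked_image_size(w, h, bpp);
    return bytes ? (unsigned char *)calloc(1, bytes) : NULL;
}

int main(void)
{
    /* Constructed header: 65536 x 65536 x 1 wraps to 0 in uint32. */
    printf("naive: %u\n", (unsigned)naive_size_u32(65536u, 65536u, 1u));
    printf("checked: %zu\n", checked_image_size(65536u, 65536u, 1u));
    printf("640x480x3: %zu\n", checked_image_size(640u, 480u, 3u));
    return 0;
}
```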
Please provide a SWAMP ID for:

  /work/src/done/8.2/xv/
  /work/src/done/9.0/xv/
  /work/src/done/9.1/xv/
  /work/src/done/9.2/xv/
  /work/src/done/9.3/xv/
  /work/src/done/SLES8/xv/
  /work/src/done/SLES9/xv/
  /work/src/done/UL1/xv/
SM-Tracker-911
The neverending story, continued.

Date: Tue, 12 Apr 2005 08:29:34 +0100
From: Tavis Ormandy <taviso@gentoo.org>
To: vendor-sec@lst.de
Cc: newt@pobox.com, security@gentoo.org
Subject: [vendor-sec] XV Vulnerabilities

Hello, while integrating Greg's XV patches into our package, various other issues have been identified:

xvpds.c: at least a few dozen obviously exploitable overflows in the processing and manipulation of pds comments (starting around line ~400, you can't miss them, sscanf(), strcat() (line ~452, a few more starting ~650), etc) for example,

- } else if (sscanf(scanbuff," SPACECRAFT_NAME = %s", spacecraft) == 1) {
+ } else if (sscanf(scanbuff," SPACECRAFT_NAME = %50s", spacecraft) == 1) {

and

- strcat(spacecraft,xv_strstr(scanbuff, spacecraft)+strlen(spacecraft));
+ if (strlen (spacecraft) + strlen (xv_strstr(scanbuff, spacecraft)+strlen(spacecraft)) < COMMENTSIZE)
+ strcat(spacecraft,xv_strstr(scanbuff, spacecraft)+strlen(spacecraft));

and

- if (*target) {
+ if (*target && (strlen(infobuff)+strlen(target)+2 < sizeof (infobuff))) {

etc., etc.

xvpds.c: format string issues, via SetISTR() (around line ~665)

- SetISTR(ISTR_WARNING,infobuff);
+ SetISTR(ISTR_WARNING,"%s",infobuff);

xvtiff.c: format string issue parsing errors returned from tiff

- SetISTR(ISTR_WARNING,buf);
+ SetISTR(ISTR_WARNING,"%s",buf);

xvps.c: insufficient shell metacharacter protection from malformed filenames (if invoking xv via mailcap, pluggerrc, etc).

xv.c: ditto

xvdir.c: uses system("rm -rf %s") without quoting, could be abused to trick user into removing wrong files. we have just added code to quote the portion of the command.

We haven't released an update for the issues Greg identified yet, and would like to roll these issues together if possible, so a short disclosure time would be great.
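Review bot: the `%50s` width in the SPACECRAFT_NAME hunk caps the copy at 50 characters plus the terminating NUL, but the declaration of `spacecraft` is not shown, so the literal is only correct if the buffer holds at least 51 bytes; the width should be derived from the buffer's real size (sizeof minus one) rather than hard-coded, and it should agree with the COMMENTSIZE bound used for the same buffer two hunks later.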
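Review bot: the new strcat() guard adds `strlen(spacecraft)` to the result of `xv_strstr(scanbuff, spacecraft)` and then calls strlen() on it; if xv_strstr() can return NULL (the original unguarded strcat had the same exposure), the guard faults before the bound is ever checked. Store the xv_strstr() result once, reject NULL, and reuse the pointer in the strcat() so the search is not evaluated twice. The `< COMMENTSIZE` comparison is also only a real bound if `spacecraft` is COMMENTSIZE bytes long, which these lines do not establish.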
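Review bot: `sizeof (infobuff)` in the `*target` hunk is a genuine capacity only if `infobuff` is a character array in that scope; if it is a pointer, sizeof yields the pointer width and the condition is effectively always false, silently dropping the append rather than bounding it. The `+2` also encodes an assumption that exactly one separator byte and the NUL are added by the code that follows, which the hunk does not show; a comment stating that, or a named constant, would make the arithmetic reviewable.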
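Review bot: the two SetISTR() hunks (xvpds.c and xvtiff.c) are the right fix, passing the untrusted buffer as an argument to a constant `"%s"` format instead of as the format itself; since only two call sites are patched, every other SetISTR()/sprintf-style call that forwards a buffer built from file contents should be audited for the same pattern before the update is rolled.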
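The quoting Tavis describes adding for the xvdir.c command string, as an added example in C that is not XV's or Gentoo's code; the function names and buffer sizes are constructed for illustration:

```c
/* Added example, not XV's or Gentoo's code: quoting a filename before
 * it is interpolated into a shell command such as xvdir.c's
 * "rm -rf %s". Single quotes make every byte literal to /bin/sh; an
 * embedded single quote is emitted as '\''. Names are constructed. */
#include <stdio.h>
#include <string.h>

#define CMD_MAX 1024   /* constructed command-buffer size */

/* Quote s into out (capacity outlen) for POSIX sh. Returns the length
 * written, or -1 if out cannot hold the worst case (every byte a quote). */
int shell_quote(const char *s, char *out, size_t outlen)
{
    size_t n = 0;
    if (outlen < strlen(s) * 4 + 3)
        return -1;
    out[n++] = '\'';
    for (; *s; s++) {
        if (*s == '\'') {
            memcpy(out + n, "'\\''", 4);   /* close, escaped quote, reopen */
            n += 4;
        } else {
            out[n++] = *s;
        }
    }
    out[n++] = '\'';
    out[n] = '\0';
    return (int)n;
}

/* Build "rm -rf <quoted path>" into cmd. Returns 0 on success, -1 if it
 * does not fit. Without the quoting, shell metacharacters in the file
 * name become part of the command the shell runs. */
int build_rm_command(const char *path, char *cmd, size_t cmdlen)
{
    char quoted[CMD_MAX];
    if (shell_quote(path, quoted, sizeof quoted) < 0)
        return -1;
    int r = snprintf(cmd, cmdlen, "rm -rf %s", quoted);
    return (r < 0 || (size_t)r >= cmdlen) ? -1 : 0;
}

int main(void)
{
    char cmd[CMD_MAX];   /* constructed file name containing metacharacters */
    if (build_rm_command("it's a dir; echo x", cmd, sizeof cmd) == 0)
        puts(cmd);
    return 0;
}
```

Removing the files with unlink()/rmdir() directly, or running rm through an exec-family call with an argument vector, avoids the shell altogether and is preferable where the code can be restructured.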
btw 8.1 is no longer supported and sles8 doesn't contain xv
Just put the current version to /work/src/done/ ... now the question is: how or when the other vendors will finish the xv fixes.
Guess: fixed
reopen for tracking
this should not have been reassigned to you werner, sorry.
are there any example pictures to test the fix? (the links above give a 404)
no, I don't have them either.
Created attachment 35654: xv test files
In this bzip2ed tar file you'll find some test cases for xv.
updates released
CVE-2005-0665: CVSS v2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)