Bugzilla – Bug 59100
VUL-0: CVE-2004-0788: gtk+ XPM decoder issue
Last modified: 2021-09-27 14:40:59 UTC
Date: Mon, 23 Aug 2004 13:05:50 +0100 (BST)
From: chris@scary.beasts.org
To: vendor-sec@lst.de
Cc: otaylor@redhat.com
Subject: [vendor-sec] gtk+ XPM decoder flaws

Hi,

Details appended. I'm not going to pick a disclosure date until
- We have fixes.
- I've had a look at some of the other gtk+ decoders; might as well batch together any issues found into a single update.

Cheers
Chris

CESA-2004-005 - rev 1

gtk+-2.4.4 XPM image decoder parsing flaws
==========================================

Programs: gtk+, and any programs which use gtk+ to decode XPM files. For example, Evolution.
Severity: Compromise of account used to browse malicious XPM file.
CAN identifier(s): CAN-2004-0782, CAN-2004-0783

This advisory lists code flaws discovered by inspection of the XPM parser within the gtk+ code. Specifically, gtk+-2.4.4 was investigated.

Flaw 1. Heap-based overflow in pixbuf_create_from_xpm (io-xpm.c)
CAN-2004-0782

    name_buf = g_new (gchar, n_col * (cpp + 1));
    colors = g_new (XPMColor, n_col);

Here, n_col is an arbitrary integer value from the XPM. cpp is an integer value ranging from 1 to 31 from the XPM. By careful choice of values of n_col and cpp, integer overflow can occur on integer multiplication. This leads to heap buffers being allocated that cannot hold n_col elements, so a subsequent heap overflow occurs.

Demo XPM: http://scary.beasts.org/misc/gdk1.xpm

Flaw 2. Subtle stack-based overflow in xpm_extract_color (io-xpm.c)
CAN-2004-0783

    gint space = 128;
    gchar word[128], color[128], current_color[128];
    ...
    if (color[0] != '\0') {
        strcat (color, " ");
[*]     space--;
    }
    strncat (color, word, space);
    space -= MIN (space, strlen (word));

Here, an attempt is actually made to prevent overflow of the stack buffers. However, a logic error means one of the buffers can still be made to overflow. When "space" reaches 0, "space" can be sent to -1 by the line marked with [*], if the color string is broken up by whitespace.

When "space" is -1, the strncat() call is effectively morphed to a strcat() call, allowing overflow of the "color" buffer (probably into the "word" buffer, which may cause a minor inconvenience to exploitation). Note use of the word "minor" :-)

Demo XPM: http://scary.beasts.org/misc/gdk2.xpm

CESA-2004-005 - rev 1
Chris Evans
chris@scary.beasts.org
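The two flaws from the advisory above, as an added worked example in C. This is not code from the bug, from Chris Evans' advisory or from gtk+/gdk-pixbuf; it models each flaw beside a hardened form. Flaw 1's size arithmetic is modelled with uint32_t (the loader's gint on a 32-bit target), and the UINT32_MAX bound in the hardened variant stands in for the G_MAXSIZE/G_MAXUINT bound the thread mentions. Flaw 2's loop is a transcription of the advisory's excerpt writing into an oversized backing buffer so the overrun is measured instead of smashing the stack; the input words, the join_words_* and demo_* names and the hardened variants are this example's own assumptions, not the vendor-sec patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MIN(a, b) ((a) < (b) ? (a) : (b))
#define XPM_BUF 128                 /* gchar color[128] in xpm_extract_color */

/* Flaw 1 (CAN-2004-0782): gtk+-2.4.4 allocates n_col * (cpp + 1), both gint;
 * on 32-bit targets the product wraps.  Modelled as uint32_t (no signed UB). */
static uint32_t xpm_name_buf_size_vulnerable(uint32_t n_col, uint32_t cpp)
{
    return n_col * (cpp + 1);
}

/* Hardened: cpp must be 1..31 (advisory), n_col non-zero and small enough to
 * multiply.  UINT32_MAX matches the 32-bit model (real fix: G_MAXSIZE). */
static int xpm_name_buf_size_hardened(uint32_t n_col, uint32_t cpp, size_t *out)
{
    if (cpp < 1 || cpp > 31 || n_col == 0 || n_col > UINT32_MAX / (cpp + 1))
        return 0;
    if (out)
        *out = (size_t)n_col * (cpp + 1);
    return 1;
}

/* Flaw 2 (CAN-2004-0783): the accounting from the advisory excerpt, joining the
 * words of one colour spec.  `color` must be a backing buffer far larger than
 * XPM_BUF; returns how many bytes spilled past the original's 128 (0 = fits). */
static size_t join_words_vulnerable(const char **words, size_t nwords, char *color)
{
    int space = XPM_BUF;            /* gint space = 128; */
    size_t i, used;
    color[0] = '\0';
    for (i = 0; i < nwords; i++) {
        const char *word = words[i];
        if (color[0] != '\0') {
            strcat(color, " ");
            space--;                /* [*] runs even when space is already 0 */
        }
        /* gint -> size_t: -1 becomes SIZE_MAX and strncat degrades to strcat */
        strncat(color, word, (size_t)space);
        /* MIN(gint, size_t) promotes space to unsigned; negative stays negative */
        space -= (int)MIN((size_t)space, strlen(word));
    }
    used = strlen(color) + 1;
    return used > XPM_BUF ? used - XPM_BUF : 0;
}

/* Hardened: track the bytes really free (terminator included) as size_t and
 * refuse any append that does not fit.  Returns the final length or -1. */
static int join_words_hardened(const char **words, size_t nwords, char *color, size_t cap)
{
    size_t i, len = 0;
    color[0] = '\0';
    for (i = 0; i < nwords; i++) {
        size_t wlen = strlen(words[i]);
        if (cap == 0 || wlen + (len ? 1 : 0) > cap - 1 - len)  /* room for NUL */
            return -1;
        if (len)
            color[len++] = ' ';
        memcpy(color + len, words[i], wlen);
        len += wlen;
        color[len] = '\0';
    }
    return (int)len;
}

/* Constructed input (not the advisory's gdk2.xpm): a 127-char first word uses
 * up `space`, so every later word is appended unchecked. */
static const char **demo_words(void)
{
    static char w0[XPM_BUF], w3[64];
    static const char *words[4];
    memset(w0, 'a', XPM_BUF - 1); w0[XPM_BUF - 1] = '\0';
    memset(w3, 'd', 40);          w3[40] = '\0';
    words[0] = w0; words[1] = "b"; words[2] = "c"; words[3] = w3;
    return words;
}

static size_t demo_vulnerable_overrun(void)
{
    static char backing[1024];      /* the four words total well under 1024 */
    return join_words_vulnerable(demo_words(), 4, backing);
}

static int demo_hardened(size_t nwords)     /* first nwords of demo_words() */
{
    static char color[XPM_BUF];
    return join_words_hardened(demo_words(), nwords, color, sizeof color);
}

int main(void)
{
    printf("flaw 1: wrapped size %u\n", (unsigned)xpm_name_buf_size_vulnerable(0x10000000u, 15));
    printf("flaw 2: %zu bytes past color[128]; hardened: %d\n", demo_vulnerable_overrun(), demo_hardened(4));
    return 0;
}
```

With n_col = 0x10000000 and cpp = 15 the 32-bit product is exactly 2^32 and wraps to 0, so the loader would get a zero-byte name buffer for 268 million colour entries; the hardened check rejects that header before any multiplication. For flaw 2 the 127-character first word leaves space at 1, the separator before "b" drives it to 0, and the separator before "c" drives it to -1, after which every strncat copies unbounded: the constructed input ends 44 bytes past the 128-byte buffer, while the size_t-based variant refuses the second word.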
Created attachment 22861: The patch from vendor-sec (mclasen@redhat.com) ...
Packages for 9.1 are available...
Continuing with versions for SLES, 8.1, 8.2...

gtk2.patchinfo-box:
DISTRIBUTION: 8.1-i386,8.2-i386,9.0-i386,9.0-x86_64,9.1-i386,9.1-x86_64
PACKAGE: gtk2
PACKAGER: hhetter@suse.de
BUGZILLA: 44100
CATEGORY: security
DESCRIPTION: This update contains a security fix for the two flaws registered as CAN Identifiers CAN-2004-0782, which describes a heap based overflow in a function of the XPM loader in GTK, and CAN-2004-0783, describing a stack overflow in another function of the XPM loader.
DESCRIPTION_DE (German text, translated): This security update contains a fix for two vulnerabilities, registered as CAN Identifiers CAN-2004-0782, which describes a heap-based overflow in a function of the XPM loader in GTK, and CAN-2004-0783, which describes a stack overflow in another function of the XPM loader.
Now we have: SLES8, 8.1, SLEC, 9.1, 8.2. For all <= 8.2, I had to replace G_MAXSIZE with G_MAXUINT, because it was not defined in older versions. Going on with STABLE and NLD...
Ok. Thanks. I will write a laufzettel.
You need to take care of the gtk1-based gdk-pixbuf as well.
working on it...
About gdk-pixbuf: apart from this part of the patch, it is completely different code, totally rewritten. The old xpm code has only 593 lines of code, while the xpm code in GTK2's gdk-pixbuf includes 1541 lines. Sebastian, can you please ask on vendor-sec what to do about GTK-1's gdk-pixbuf? Before digging into this stuff, I would like to know if it's needed at all.
/* The hash is used for fast lookups of color from chars */ color_hash = g_hash_table_new (g_str_hash, g_str_equal); - name_buf = g_new (gchar, n_col * (cpp + 1)); - colors = g_new (XPMColor, n_col); + name_buf = g_try_malloc (n_col * (cpp + 1)); + if (!name_buf) { + g_set_error (error, + GDK_PIXBUF_ERROR, + GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY, + _("Cannot allocate memory for loading XPM image")) ; + g_hash_table_destroy (color_hash); + return NULL; + } + colors = (XPMColor *) g_try_malloc (sizeof (XPMColor) * n_col); + if (!colors) { + g_set_error (error, + GDK_PIXBUF_ERROR, + GDK_PIXBUF_ERROR_INSUFFICIENT_MEMORY, + _("Cannot allocate memory for loading XPM image")) ; + g_hash_table_destroy (color_hash); + g_free (name_buf); + return NULL; + } + g_print ("n_col %d name_buf %p (%d) colors %p (%d)\n", + n_col, name_buf, n_col * (cpp + 1), colors, sizeof (XPMColor) * n_col);
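Review bot: swapping g_new for g_try_malloc in `name_buf = g_try_malloc (n_col * (cpp + 1));` and `colors = (XPMColor *) g_try_malloc (sizeof (XPMColor) * n_col);` does not address the overflow the advisory describes for CAN-2004-0782: both products are still computed from an attacker-chosen n_col before the allocation, so a wrapped size still yields a buffer too small for n_col entries, and the new NULL checks only catch outright allocation failure. The header needs to be rejected before the multiply, e.g. `if (n_col <= 0 || n_col > G_MAXSIZE / (cpp + 1))` returning an error; the later comment about replacing G_MAXSIZE with G_MAXUINT on releases <= 8.2 suggests the full patch carries such a check, but this excerpt does not show it. The trailing `g_print ("n_col %d name_buf %p (%d) colors %p (%d)\n", ...)` is debugging output that must not ship in the loader (it also passes size_t products to %d), and as noted further down it breaks every package built with gdk-pixbuf-csource.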
I have submitted gtk2 for STABLE, so that NLD development can go on. All other packages are on hold, until I know if gdk-pixbuf from GTK1 is actually affected at all. Sebastian, do you know more meanwhile?
Created attachment 22897: pixbuftest.c, a q&d test program for gtk1&2; it crashes on the xpm in the advisory also with gdk-pixbuf-0.22.0 from 9.1.
This patch has a bug that will break compilation of all packages that use gdk-pixbuf-csource with xpm files. That trailing g_print should not be there.
I just updated the patch in autobuild. I'm also attaching it here, for reference.
Created attachment 22999: Updated patch without the stray g_print()
From vendor-sec:
CAN-2004-0782/3 gtk+ xpm Sep 15 1400UTC (*3)
*3: These are suggested release dates; if these are problems for anyone, you should probably speak up.
CAN-2004-0804
Huh, don't believe in my last comment, vendor-sec confused me. The correct CANs seem to be:
CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm
CAN-2004-0783 Stack-based overflow in xpm_extract_color
CAN-2004-0788 ico loader integer overflow.
These issues go public on September 15.
Created attachment 23166: ico.diff - fix for ico header overflow
Status:
- gtk2 fixes checked in for NLD and STABLE.
- all others not yet checked in.
gdk-pixbuf is also affected, we are polling vendor-sec.
Created attachment 23191: gdk-pixbuf patch (also applies to earlier gdk-pixbuf versions) from Chris Evans via vendor-sec
Working on it, completing gtk2 packages with the ico.diff patch.
All packages, gdk-pixbuf and gtk2, are ready to submit; now reworking patchinfo files.
gtk-patchinfo.maintained:
DISTRIBUTION: sles8-ppc,sles8-s390,sles8-s390x,sles8-slec-i386,sles9-i386,sles9-ia64,sles9-ppc,sles9-s390,sles9-s390x,sles9-x86_64,ul1-i386,ul1-ia64,ul1-x86_64
PACKAGE: gtk2 gdk-pixbuf
PACKAGER: hhetter@suse.de
BUGZILLA: 44100
CATEGORY: security
INDICATIONS: All users using GTK based software should update
CONTRAINDICATIONS: none
DESCRIPTION: This update fixes three vulnerabilities found in the XPM loader code of the GTK Library. They are registered as:
CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm
CAN-2004-0783 Stack-based overflow in xpm_extract_color
CAN-2004-0788 ico loader integer overflow.
The vulnerable code is also in the static libraries, isn't it? gtk2-devel should probably be inside the patchinfo too.
Ok, this should be correct then: I took gdk-pixbuf-devel and gtk2-devel into account:

Patchinfo for maintained products:
DISTRIBUTION: sles8-ppc,sles8-s390,sles8-s390x,sles8-slec-i386,sles9-i386,sles9-ia64,sles9-ppc,sles9-s390,sles9-s390x,sles9-x86_64,ul1-i386,ul1-ia64,ul1-x86_64
PACKAGE: gtk2 gdk-pixbuf gtk2-devel gdk-pixbuf-devel
PACKAGER: hhetter@suse.de
BUGZILLA: 44100
CATEGORY: security
INDICATIONS: All users using GTK based software should update
CONTRAINDICATIONS: none
DESCRIPTION: This update fixes three vulnerabilities found in the XPM loader code of the GTK Library. They are registered as:
CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm
CAN-2004-0783 Stack-based overflow in xpm_extract_color
CAN-2004-0788 ico loader integer overflow.
-----------------------------------------------------------------
Patchinfo for the boxes:
DISTRIBUTION: 8.1-i386,8.2-i386,9.0-i386,9.0-x86_64,9.1-i386,9.1-x86_64
PACKAGE: gtk2 gtk2-devel gdk-pixbuf gdk-pixbuf-devel
PACKAGER: hhetter@suse.de
BUGZILLA: 44100
CATEGORY: security
DESCRIPTION: This update fixes three vulnerabilities found in the XPM loader code of the GTK Library. They are registered as:
CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm
CAN-2004-0783 Stack-based overflow in xpm_extract_color
CAN-2004-0788 ico loader integer overflow.
DESCRIPTION_DE (German text, translated): This update fixes three security vulnerabilities in the XPM loader of the GTK library. They are registered as:
CAN-2004-0782 Heap-based overflow in pixbuf_create_from_xpm
CAN-2004-0783 Stack-based overflow in xpm_extract_color
CAN-2004-0788 ico loader integer overflow.
submitted packages and /work/src/done/PATCHINFO/patchinfo-gtk2.box /work/src/done/PATCHINFO/patchinfo-gtk2.maintained
Marcus, thanks for the revision of the patchinfos. I now reassign this bug to security-team, to be able to track the package release state.
updates and advisory released.
Reopening. Patch is missing in 9.2, 9.3 and 10.0. Patch submitted together with the fix for bug 129642, which extends this issue.
close as fixed, further tracked in #129642
CVE-2004-0788: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)