Bug 878345 - (CVE-2014-2977) VUL-0: CVE-2014-2977: DirectFB: Possible RCE through integer signedness vulnerability
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: openSUSE 13.1
Priority: P3 - Medium
Severity: Critical
Target Milestone: ---
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/98851/
Depends on:
Blocks:
Reported: 2014-05-16 14:05 UTC by Johannes Segitz
Modified: 2016-04-27 19:29 UTC (History)
CC: 4 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
patch proposed upstream (550 bytes, patch)
2015-03-24 08:49 UTC, Petr Gajdos

Description Johannes Segitz 2014-05-16 14:05:44 UTC
DirectFB is prone to an integer signedness vulnerability since version 1.4.13.

The vulnerability can be triggered remotely without authentication through Voodoo interface (network layer of DirectFB).

openSUSE 12.3: 1.6.2
openSUSE 13.1: 1.6.3
openSUSE Factory: 1.7.4
are affected

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1098528
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2977
Comment 1 Swamp Workflow Management 2014-05-16 22:00:23 UTC
bugbot adjusting priority
Comment 2 Petr Gajdos 2014-05-19 08:33:05 UTC
http://mail.directfb.org/pipermail/directfb-dev/2014-April/006813.html

No upstream commit found so far.
Comment 3 Petr Gajdos 2014-05-19 10:45:33 UTC
Hmm, there is the following portion of code (similarly for case 4:):

               case 2: {
                    if (rect->w > 2048) {
                         u16 *buf = D_MALLOC( rect->w * 2 );

                         if (buf) {
                              rle16_decode( ptr, buf, rect->w );

                              real->Write( real, rect, buf, pitch );

                              D_FREE( buf );
                         }
                         else
                              D_OOM();
                    }
                    else {
                         u16 buf[2048];

                         rle16_decode( ptr, buf, rect->w );

                         real->Write( real, rect, buf, pitch );
                    }
                    break;
               }

I can't confirm yet that rect->w can really be lower than zero. But if yes, then the check is obviously wrong. The question is how DirectFB should react. Is rect->width allowed at all?

http://mail.directfb.org/pipermail/directfb-dev/2014-April/006811.html

If it is allowed, how should it be interpreted by e.g. rle16_decode() (i.e. what value should its third argument, which is actually unsigned, get)?
Comment 4 Petr Gajdos 2014-05-19 10:57:20 UTC
(In reply to comment #3)
> then the check is obviously wrong. Question is, how DirectFB should react. Is
> rect->width allowed at all?

*Is rect->width lower than zero allowed at all?

> http://mail.directfb.org/pipermail/directfb-dev/2014-April/006811.html
Comment 5 Petr Gajdos 2014-05-19 11:27:26 UTC
rect->w * 2 and rect->w * 4 respectively should probably be checked against overflow, too, if rect->w is not limited somewhere.
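The two problems raised in comments 3 and 5 (a negative signed width slipping past the `> 2048` test, and the unchecked `rect->w * 2` / `rect->w * 4` multiplication feeding D_MALLOC), worked through in C as an added example that is not DirectFB's code and not the attached patch. `STACK_PIXELS`, `vuln_stack_path()`, `decode_len_as_unsigned()`, `validate_width()` and the sample widths are constructed for illustration; only the 2048 threshold and the 2-byte/4-byte element sizes come from the snippet above.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Size of the fixed on-stack buffer in the snippet: u16 buf[2048] in case 2,
   u32 buf[2048] in case 4. Constructed constant for this example. */
#define STACK_PIXELS 2048

/* The original test in isolation. It only asks "is the width too big for the
   stack buffer?", so a negative value of the signed int field rect->w is NOT
   caught and takes the stack-buffer path. */
bool vuln_stack_path(int w) {
    return !(w > STACK_PIXELS);
}

/* What rle16_decode() would receive as its unsigned length argument once the
   signed width is converted: -1 becomes UINT_MAX, far more than 2048 elements. */
unsigned int decode_len_as_unsigned(int w) {
    return (unsigned int)w;
}

typedef enum { WIDTH_REJECT, WIDTH_STACK, WIDTH_HEAP } width_path_t;

/* Hardened check along the lines the comments suggest (hypothetical, not the
   upstream patch): reject negative widths before they reach either buffer, and
   reject widths whose byte size (w * bytes_per_pixel, the D_MALLOC argument)
   would overflow a signed int. */
width_path_t validate_width(int w, int bytes_per_pixel) {
    if (w < 0)
        return WIDTH_REJECT;           /* the signedness bug: never let this through */
    if (w <= STACK_PIXELS)
        return WIDTH_STACK;            /* fits the fixed buf[2048] */
    if (w > INT_MAX / bytes_per_pixel)
        return WIDTH_REJECT;           /* w * bytes_per_pixel would overflow */
    return WIDTH_HEAP;
}

static const char *path_name(width_path_t p) {
    switch (p) {
    case WIDTH_REJECT: return "reject";
    case WIDTH_STACK:  return "stack buffer";
    case WIDTH_HEAP:   return "heap buffer";
    }
    return "?";
}

int main(void) {
    /* Constructed sample widths: normal, oversized, negative, and one whose
       w * 4 would overflow. */
    const int samples[] = { 640, 4096, -1, INT_MAX };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int w = samples[i];
        printf("w=%d: original check -> %s; as unsigned length = %u; hardened (4 bpp) -> %s\n",
               w,
               vuln_stack_path(w) ? "stack buffer" : "heap buffer",
               decode_len_as_unsigned(w),
               path_name(validate_width(w, 4)));
    }
    return 0;
}
```

The overflow test uses `INT_MAX / bytes_per_pixel` rather than computing `w * bytes_per_pixel` and comparing afterwards, because signed overflow is undefined behaviour in C and the compiler may optimise a post-hoc comparison away; the division form stays within defined arithmetic.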
Comment 6 Petr Gajdos 2015-03-24 08:49:08 UTC
Created attachment 628302 [details]
patch proposed upstream
Comment 7 Bernhard Wiedemann 2015-03-30 07:00:06 UTC
This is an autogenerated message for OBS integration:
This bug (878345) was mentioned in
https://build.opensuse.org/request/show/293665 Factory / DirectFB
Comment 8 Petr Gajdos 2015-04-08 07:03:20 UTC
Upstream still does not react. I sent the proposed patches to them on 2015-03-30

http://mail.directfb.org/pipermail/directfb-dev/2015-March/006879.html

but no reply.

Johannes, could you please review patches so I can submit them to older products?
Comment 9 Johannes Segitz 2015-04-08 09:03:03 UTC
(In reply to Petr Gajdos from comment #8)
Both look fine but are you sure that rect->w is limited somewhere so that the multiplications in the malloc are okay?
Comment 10 Petr Gajdos 2015-04-10 10:55:35 UTC
(In reply to Johannes Segitz from comment #9)
> (In reply to Petr Gajdos from comment #8)
> Both look fine but are you sure that rect->w is limited somewhere so that
> the multiplications in the malloc are okay?

Not sure, but I think it is not related to this CVE ;).
Comment 12 Petr Gajdos 2015-04-23 09:07:38 UTC
Packages submitted.
Comment 14 Swamp Workflow Management 2015-04-30 13:05:03 UTC
openSUSE-SU-2015:0807-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 878345,878349
CVE References: CVE-2014-2977,CVE-2014-2978
Sources used:
openSUSE 13.2 (src):    DirectFB-1.7.5-3.3.1
openSUSE 13.1 (src):    DirectFB-1.6.3-4.3.1
Comment 15 Swamp Workflow Management 2015-05-08 13:05:56 UTC
SUSE-SU-2015:0839-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 878345,878349
CVE References: CVE-2014-2977,CVE-2014-2978
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    DirectFB-1.7.1-4.1
SUSE Linux Enterprise Software Development Kit 12 (src):    DirectFB-1.7.1-4.1
SUSE Linux Enterprise Server 12 (src):    DirectFB-1.7.1-4.1
SUSE Linux Enterprise Desktop 12 (src):    DirectFB-1.7.1-4.1
Comment 16 Johannes Segitz 2015-11-10 12:31:42 UTC
all updates released