Bug 129037

Summary:	[patch] [vuxml] graphics/imlib2: fix CVE-2008-5187
Product:	Ports & Packages	Reporter:	Eygene Ryabinkin <rea-fbsd>
Component:	Individual Port(s)	Assignee:	Stanislav Sedov <stas>
Status:	Closed FIXED
Severity:	Affects Only Me
Priority:	Normal
Version:	Latest
Hardware:	Any
OS:	Any

Description Eygene Ryabinkin 2008-11-21 05:50:01 UTC

Secunia discovered imlib2 vulnerability that can be used to execute
arbitrary code within the application that uses this library:
-----
The vulnerability is caused due to a pointer arithmetic error within the
"load()" function provided by the XPM loader. This can be exploited to
cause a heap-based buffer overflow via a specially crafted XPM file.

Successful exploitation may allow execution of arbitrary code.
-----

Fix: The following patch adds the patch from Debian developers.  It is supposed
to fix the issue.


The following VuXML entry should be validated and added:
  <vuln vid="">
    <topic>imlib2 -- XPM processing buffer overflow vulnerability</topic>
    <affects>
      <package>
	<name>imlib2</name>
	<name>imlib2-nox11</name>
	<range><lt>1.4.1.000_1,2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
	<p>Secunia reports:</p>
	<blockquote cite="http://secunia.com/Advisories/32796">
	<p>A vulnerability has been discovered in imlib2, which can
	be exploited by malicious people to potentially compromise
	an application using the library.</p>
	<p>The vulnerability is caused due to a pointer arithmetic
	error within the "load()" function provided by the XPM
	loader. This can be exploited to cause a heap-based buffer
	overflow via a specially crafted XPM file.</p>
	<p>Successful exploitation may allow execution of arbitrary
	code.</p>
	<p>The vulnerability is confirmed in version 1.4.2. Other
	versions may also be affected.</p>
	</blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-5187</cvename>
      <url>http://secunia.com/Advisories/32796</url>
      <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505714#15</url>
      <url>http://bugzilla.enlightenment.org/show_bug.cgi?id=547</url>
    </references>
    <dates>
      <discovery>2008-11-20</discovery>
    </dates>
  </vuln>
--- vuln.xml ends here ---
I see that XPM loader is built and installed even for the nox11 version,
so I am including it to the vulnerable port.  imlib-1.9.15 seem to be
unaffected: it has the code in question, but it does memory manipulations
properly.--7AR1l9Ydg8ndHIUGPsPulQ9JfDajIegRcghEzsn7acyVl0OB
Content-Type: text/plain; name="fix-imlib2-1.4.1.000.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="fix-imlib2-1.4.1.000.diff"

diff -urN ./Makefile ../imlib2/Makefile
--- ./Makefile	2008-11-20 20:30:31.000000000 +0300
+++ ../imlib2/Makefile	2008-11-21 08:28:40.000000000 +0300
@@ -7,7 +7,7 @@
 
 PORTNAME=	imlib2
 PORTVERSION=	1.4.1.000
-PORTREVISION=	0
+PORTREVISION=	1
 PORTEPOCH=	2
 CATEGORIES=	graphics
 MASTER_SITES=	ftp://ftp.springdaemons.com/pub/snapshots/e17/ \
diff -urN ./files/patch-CVE-2008-5187 ../imlib2/files/patch-CVE-2008-5187
--- ./files/patch-CVE-2008-5187	1970-01-01 03:00:00.000000000 +0300
+++ ../imlib2/files/patch-CVE-2008-5187	2008-11-21 08:24:16.000000000 +0300
@@ -0,0 +1,14 @@
+Obtained from: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505714#15
+
+--- src/modules/loaders/loader_xpm.c
++++ src/modules/loaders/loader_xpm.c
+@@ -246,8 +246,8 @@
+                                  return 0;
+                               }
+                             ptr = im->data;
+-                            end = ptr + (sizeof(DATA32) * w * h);
+                             pixels = w * h;
++                            end = ptr + pixels;
+                          }
+                        else
+                          {
How-To-Repeat: 
http://secunia.com/Advisories/32796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5187

Comment 1 Edwin Groothuis freebsd_committer

2008-11-21 05:50:17 UTC

Responsible Changed
From-To: freebsd-ports-bugs->stas

Over to maintainer (via the GNATS Auto Assign Tool)

Comment 2 dfilter service freebsd_committer

2008-11-24 17:48:09 UTC

stas        2008-11-24 17:47:53 UTC

  FreeBSD ports repository

  Modified files:
    security/vuxml       vuln.xml 
  Log:
  - Document a buffer overflow vulnerability in imlib2.
  
  PR:             ports/129037
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  
  Revision  Changes    Path
  1.1764    +39 -1     ports/security/vuxml/vuln.xml
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

Comment 3 dfilter service freebsd_committer

2008-11-24 17:50:21 UTC

stas        2008-11-24 17:50:04 UTC

  FreeBSD ports repository

  Modified files:
    graphics/imlib2      Makefile 
  Added files:
    graphics/imlib2/files patch-CVE-2008-5187 
  Log:
  - Fix a buffer overflow vulnerability in imlib2.
  
  PR:             ports/129037
  Submitted by:   Eygene Ryabinkin <rea-fbsd@codelabs.ru>
  Security:       http://www.vuxml.org/freebsd/910486d5-ba4d-11dd-8f23-0019666436c2.html
  
  Revision  Changes    Path
  1.129     +1 -1      ports/graphics/imlib2/Makefile
  1.1       +14 -0     ports/graphics/imlib2/files/patch-CVE-2008-5187 (new)
_______________________________________________
cvs-all@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/cvs-all
To unsubscribe, send any mail to "cvs-all-unsubscribe@freebsd.org"

Comment 4 Stanislav Sedov freebsd_committer

2008-11-24 17:50:36 UTC

State Changed
From-To: open->closed

Committed, with minor changes. Thanks!