Bug 130711

Summary: CAN-2004-0782/3/8 GTK XPM decoder issues
Product: Red Hat Enterprise Linux 3 Reporter: Josh Bressers <bressers>
Component: gtk2Assignee: Matthias Clasen <mclasen>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: 3.0CC: security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2004-09-15 15:10:17 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Josh Bressers 2004-08-23 20:54:32 UTC 
gtk+-2.4.4 XPM image decoder parsing flaws
==========================================
  
Programs:          gtk+, and any programs which use gtk+ to decode XPM
files.
                   For example, Evolution.
Severity:          Compromise of account used to browse malicious XPM
file.
CAN identifier(s): CAN-2004-0782, CAN-2004-0783
  
This advisory lists code flaws discovered by inspection of the XPM parser
within the gtk+ code. Specifically, gtk+-2.4.4 was investigated.
  
Flaw 1. Heap-based overflow in pixbuf_create_from_xpm (io-xpm.c)

CAN-2004-0782
  name_buf = g_new (gchar, n_col * (cpp + 1));
  colors = g_new (XPMColor, n_col);

Here, n_col is an arbitrary integer value from the XPM. cpp is an
integer value
ranging from 1 to 31 from the XPM. By careful choice of values of
n_col and
cpp, integer overflow can occur on integer multiplication. This leads
to heap
buffers being allocated that cannot hold n_col elements, so a
subsequent heap
overflow occurs.

Demo XPM: http://scary.beasts.org/misc/gdk1.xpm                      
                                                                     
                              


Flaw 2. Subtle stack-based overflow in xpm_extract_color (io-xpm.c)
CAN-2004-0783

  gint space = 128;
  gchar word[128], color[128], current_color[128];
...
      if (color[0] != '\0') {
        strcat (color, " ");
[*]     space--;
      }                                                              
                                                                     
                              
      strncat (color, word, space);
      space -= MIN (space, strlen (word));
  
Here, an attempt is actually made to prevent overflow of the stack
buffers.
However, a logic error means one of the buffers can still be made to
overflow.
When "space" reaches 0, "space" can be sent to -1 by the line marked
with [*],
if the color string is broken up by whitespace. When "space" is -1, the
strncat() call is effectively morphed to a strcat() call, allowing
overflow of
the "color" buffer (probably into the "word" buffer, which may cause a
minor
inconvenience to exploitation. Note use of the word "minor" :-)

Demo XPM: http://scary.beasts.org/misc/gdk2.xpm                      
                                                                     
                              

  
CESA-2004-005 - rev 1
Chris Evans
Comment 1 Josh Bressers 2004-08-23 21:07:25 UTC 
No disclosure has been set.

The disclosure date is pending a fix for this issue.

FC is being handled by bug 130703
Comment 2 Josh Bressers 2004-08-30 14:59:25 UTC 
attachment 103251 [details] has the proposed patch.
Comment 3 Josh Bressers 2004-08-30 15:07:20 UTC 
This issue has an embargo date of Sept 15.
Comment 4 Josh Bressers 2004-08-30 16:11:41 UTC 
The patch for this also fixes an ico loader issue (CAN-2004-0788)
Comment 5 Josh Bressers 2004-09-15 14:01:52 UTC 
Removing embargo
Comment 6 Josh Bressers 2004-09-15 15:10:17 UTC 
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-466.html
Comment 7 Josh Bressers 2004-09-15 15:22:58 UTC 
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-447.html
Comment 8 Josh Bressers 2004-09-15 21:29:03 UTC 
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2004-447.html