Bug 228013 (CVE-2007-0653, CVE-2007-0654)

Summary: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654)
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED WONTFIX
Severity: low
Priority: low
Version: unspecified
Hardware: All
OS: Linux
Keywords: Security
Doc Type: Bug Fix
Reporter: Josh Bressers <bressers>
Assignee: David Zeuthen <davidz>
CC: herrold, mclasen, security-response-team
Last Closed: 2011-08-01 18:46:04 UTC
Bug Depends On: 233705

Description Josh Bressers 2007-02-09 15:22:51 UTC
Sven Krewitt of Secunia reported two flaws he discovered in the way XMMS handles
skin files.  Here are the technical details provided by Sven:

--- Details ---

CVE-2007-0654
1) An integer underflow error exists when loading skin bitmap images,
which can be exploited to cause a stack-based buffer overflow via
specially crafted skin images containing manipulated header information.

The vulnerability is caused due to errors within "read_bmp()" in
xmms/bmp.c when loading skin bitmap images.

-- xmms/bmp.c --
GdkPixmap *read_bmp(gchar * filename)
[...]
    fseek(file, 8, SEEK_CUR);
    read_le_long(file, &offset);   <-- [1]  /* pixel-data offset, taken straight from the file */
    read_le_long(file, &headSize);
[...]
    else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
    {
        gint ncols, i;

        ncols = offset - headSize - 14;   <-- [2]  /* negative when offset < headSize + 14 */
        if (headSize == 12)
        {
            ncols = MIN(ncols / 3, 256);
            for (i = 0; i < ncols; i++)
                fread(&rgb_quads[i], 3, 1, file);
        }
        else
        {
            ncols = MIN(ncols / 4, 256);
            fread(rgb_quads, 4, ncols, file);   <-- [3]  /* negative ncols becomes a huge size_t count */
[...]
-----

"offset" [1] is not properly verified before being used to calculate
"ncols" [2]. "bitcount" has to be set to a different value than 24, 16
or 32 (but can also be user controlled).
This can be exploited to cause an integer underflow,
resulting in a stack-based buffer overflow, which can be used to
overwrite the return address of "read_bmp()" [3].

Successful exploitation allows execution of arbitrary code.


CVE-2007-0653
2) An integer overflow error exists when loading skin bitmap images.
This can be exploited to cause a memory corruption via specially crafted
skin images containing manipulated header information.

-- xmms/bmp.c --
GdkPixmap *read_bmp(gchar * filename)
[...]
    else if (headSize == 40) /* BITMAPINFO */
    {
        guint16 tmp;

        read_le_long(file, &w);   <-- [4]  /* width and height come straight from the header */
        read_le_long(file, &h);   <-- [4]
[...]
    fseek(file, offset, SEEK_SET);
    buffer = g_malloc(imgsize);
    fread(buffer, imgsize, 1, file);
    fclose(file);
    data = g_malloc0((w * 3 * h) + 3);   <-- [5]  /* w * 3 * h can wrap, leaving data undersized */

    if (bitcount == 1)
----
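
The two header checks the excerpts above lack, as an added example that is not XMMS code and not the reporter's or the Ubuntu patch's: it parses a constructed BITMAPINFOHEADER file image in memory and rejects both the CVE-2007-0654 shape (offset smaller than the 14-byte file header plus headSize, so ncols would go negative and reach fread() as a huge count) and the CVE-2007-0653 shape (w * 3 * h wrapping before g_malloc0()). The function names, struct bmp_info, the BMP_* constants and the sample inputs are this example's own assumptions; the field positions follow the layout the excerpt walks (2-byte "BM" signature, 8 skipped bytes, then offset at byte 10 and headSize at byte 14).

```c
/*
 * Added example, not XMMS code: the two bounds checks missing from the
 * read_bmp() excerpts above, run against a constructed BMP header in memory.
 * Helper names, struct bmp_info and the BMP_* constants are assumptions made
 * here; field positions follow the BMP layout the excerpt walks.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BMP_FILE_HEADER_LEN 14   /* BITMAPFILEHEADER size, fixed by the format */
#define BMP_MAX_PALETTE     256  /* capacity of rgb_quads[] on read_bmp()'s stack */

static uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put32(unsigned char *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/*
 * CVE-2007-0654: offset - headSize - 14 goes negative when offset is smaller
 * than the headers, and fread() sees that negative gint as a huge size_t count.
 * Returns the clamped entry count, 0 for true-colour depths, -1 if malformed.
 */
int bmp_palette_count(uint32_t offset, uint32_t headSize, uint16_t bitcount)
{
    uint32_t entry = (headSize == 12) ? 3 : 4;   /* BITMAPCOREHEADER palettes use 3-byte entries */
    uint32_t ncols;

    if (bitcount == 16 || bitcount == 24 || bitcount == 32)
        return 0;
    if (headSize > UINT32_MAX - BMP_FILE_HEADER_LEN || offset < headSize + BMP_FILE_HEADER_LEN)
        return -1;                               /* the check read_bmp() lacks */
    ncols = (offset - headSize - BMP_FILE_HEADER_LEN) / entry;
    return (int)(ncols > BMP_MAX_PALETTE ? BMP_MAX_PALETTE : ncols);
}

/*
 * CVE-2007-0653: (w * 3 * h) + 3 wraps for large dimensions, so g_malloc0()
 * hands back a buffer far smaller than the decoder writes. Check every step.
 */
int bmp_rgb_buffer_size(uint32_t w, uint32_t h, size_t *out)
{
    if (w == 0 || h == 0 || w > SIZE_MAX / 3 || h > SIZE_MAX / ((size_t)w * 3))
        return -1;                               /* w * 3 * h would wrap size_t */
    if ((size_t)w * 3 * h > SIZE_MAX - 3)
        return -1;
    *out = (size_t)w * 3 * h + 3;
    return 0;
}

struct bmp_info {
    uint32_t offset, headSize, w, h;
    uint16_t bitcount;
    int ncols;        /* palette entries to read, 0 if none */
    size_t rgbsize;   /* bytes needed for the decoded 24-bit buffer */
};

/* Read the fields read_bmp() uses from a 40-byte BITMAPINFOHEADER file and apply both checks. */
int bmp_check_header(const unsigned char *buf, size_t len, struct bmp_info *bi)
{
    int32_t hs;

    if (len < BMP_FILE_HEADER_LEN + 40 || buf[0] != 'B' || buf[1] != 'M')
        return -1;
    bi->offset   = le32(buf + 10);               /* what read_bmp() reads at [1] */
    bi->headSize = le32(buf + 14);
    if (bi->headSize != 40)
        return -1;                               /* this example handles only BITMAPINFO, as at [4] */
    bi->w        = le32(buf + 18);
    hs           = (int32_t)le32(buf + 22);      /* negative height means top-down rows */
    bi->h        = hs < 0 ? (uint32_t)(-(int64_t)hs) : (uint32_t)hs;
    bi->bitcount = (uint16_t)(buf[28] | (buf[29] << 8));
    bi->ncols    = bmp_palette_count(bi->offset, bi->headSize, bi->bitcount);
    if (bi->ncols < 0 || bi->offset > len)       /* pixel data must start inside the file */
        return -1;
    return bmp_rgb_buffer_size(bi->w, bi->h, &bi->rgbsize);
}

/* Constructed input: a zero-filled file image whose header carries the given fields. */
void bmp_make_header(unsigned char *out, size_t len, uint32_t offset, uint32_t w, uint32_t h, uint16_t bitcount)
{
    memset(out, 0, len);
    out[0] = 'B'; out[1] = 'M';
    put32(out + 10, offset); put32(out + 14, 40);
    put32(out + 18, w);      put32(out + 22, h);
    out[26] = 1;                                 /* planes */
    out[28] = bitcount & 0xff; out[29] = bitcount >> 8;
}

int main(void)
{
    unsigned char file[2048];
    struct bmp_info bi;

    bmp_make_header(file, sizeof file, 1078, 100, 100, 8);                /* benign: 256-entry palette */
    printf("benign 8bpp: %d\n", bmp_check_header(file, sizeof file, &bi));            /* 0 */
    bmp_make_header(file, sizeof file, 10, 100, 100, 8);                  /* offset < 54: ncols underflows */
    printf("CVE-2007-0654 shape: %d\n", bmp_check_header(file, sizeof file, &bi));    /* -1 */
    bmp_make_header(file, sizeof file, 54, 0xffffffffu, 0x7fffffffu, 24); /* w * 3 * h wraps */
    printf("CVE-2007-0653 shape: %d\n", bmp_check_header(file, sizeof file, &bi));    /* -1 */
    return 0;
}
```

The palette check is the important one for the stack overflow: once offset is known to be at least headSize + 14, the subtraction cannot go negative and the MIN(..., 256) clamp in the original code does what it was meant to do. The size computation guards against wrapping in size_t; on the 32-bit builds of the period a 32-bit gint product could wrap with far smaller dimensions, which is why the arithmetic is done in size_t with an explicit check at each step rather than trusting the multiplication.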

Comment 1 Josh Bressers 2007-02-09 15:23:57 UTC
These flaws also affect RHEL2.1 and RHEL3

Comment 2 David Zeuthen 2007-02-09 17:32:49 UTC
Are there patches for these yet?

Comment 3 Josh Bressers 2007-02-09 18:19:06 UTC
There are no patches yet.  I'm still trying to contact someone upstream about
this.  If you have any upstream contacts, please let me know.

Comment 4 Josh Bressers 2007-03-21 13:26:08 UTC
Lifting embargo

Comment 5 Tomas Hoger 2008-04-04 08:27:03 UTC
Patch extracted from Ubuntu security advisory and now used in Fedora packages:

https://bugzilla.redhat.com/show_bug.cgi?id=233705#c2
http://cvs.fedoraproject.org/viewcvs/rpms/xmms/devel/xmms-1.2.10-ubuntu-CVE-2007-0653.patch?rev=1.1&view=log


Comment 6 Josh Bressers 2011-08-01 18:27:30 UTC
Statement:

The Red Hat Security Response Team has rated this issue as having low security impact. There are no longer plans to fix this flaw in Red Hat Enterprise Linux 4.