Bug 511994 (CVE-2009-2688)

Summary: CVE-2009-2688 xemacs: multiple integer overflow flaws
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: bressers, loganjerry, petersen, rvokal
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-07-28 17:51:10 UTC
Bug Depends On: 511997

Attachments:
    Gentoo patch from upstream for xemacs 21.4.22
    Gentoo patch from upstream for xemacs 21.5.29

Description Vincent Danen 2009-07-15 21:33:38 UTC
Tielei Wang has discovered [1] some vulnerabilities in XEmacs, which can
be exploited by malicious people to potentially compromise a user's
system.

1) An integer overflow error within the "tiff_instantiate()" function
in glyphs-eimage.c can be exploited to cause a heap-based buffer
overflow via a specially crafted TIFF file.

2) An integer overflow error within the "png_instantiate()" function
in glyphs-eimage.c can be exploited to cause a heap-based buffer
overflow via a specially crafted PNG file.

3) An integer overflow error within the "jpeg_instantiate()" function
in glyphs-eimage.c can be exploited to cause a heap-based buffer
overflow via a specially crafted JPEG file.

Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.

Gentoo [2] reported this upstream [3], and while upstream's bug is not public, the notes in the Gentoo BZ indicate upstream does not really consider this a security bug.  Gentoo's BZ also indicates this issue does not exist in emacs.

[1] http://secunia.com/advisories/35348/
[2] http://bugs.gentoo.org/show_bug.cgi?id=275397
[3] http://tracker.xemacs.org/XEmacs/its/issue534

Patches taken from Gentoo will be attached to this bug (found in their portage tree; taken from upstream).
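As an added illustration of the bug class the description names (not code from XEmacs, glyphs-eimage.c, or the attached patches; the function names, the RGBA assumption and the pixel cap are hypothetical), an unchecked image-size computation beside a checked one:

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical image decoder front-end, written for this report to
 * illustrate the bug class it describes. It is not code from XEmacs's
 * glyphs-eimage.c or from the attached Gentoo/upstream patches. */

#define BYTES_PER_PIXEL 4u                       /* assume RGBA in memory */
#define MAX_PIXELS      (64u * 1024u * 1024u)    /* policy cap: 64 Mpixel */

/* Unchecked form: the product is formed in 32-bit unsigned arithmetic,
 * so header-supplied dimensions can wrap it to a small value. A decoder
 * that allocates this many bytes and then copies width x height pixels
 * into it writes past the end of the heap block. */
uint32_t unchecked_image_bytes(uint32_t width, uint32_t height)
{
    return width * height * BYTES_PER_PIXEL;     /* 65536 x 65536 -> 0 */
}

/* Checked form: returns the buffer size, or 0 when the dimensions are
 * zero, exceed the pixel cap, or could not be represented in size_t. */
size_t checked_image_bytes(uint32_t width, uint32_t height)
{
    if (width == 0 || height == 0)
        return 0;
    /* two 32-bit factors always fit in a 64-bit product, so no wrap here */
    uint64_t pixels = (uint64_t)width * height;
    if (pixels > MAX_PIXELS)
        return 0;
    /* still needed on 32-bit size_t builds if the cap is ever raised */
    if (pixels > SIZE_MAX / BYTES_PER_PIXEL)
        return 0;
    return (size_t)pixels * BYTES_PER_PIXEL;
}

/* Allocate the pixel buffer only after the size has been validated;
 * NULL means the header was rejected (or malloc failed). */
unsigned char *alloc_image(uint32_t width, uint32_t height)
{
    size_t n = checked_image_bytes(width, height);
    if (n == 0)
        return NULL;
    return malloc(n);
}
```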

Comment 1 Vincent Danen 2009-07-15 21:34:48 UTC
Created attachment 353914
Gentoo patch from upstream for xemacs 21.4.22

Comment 2 Vincent Danen 2009-07-15 21:35:34 UTC
Created attachment 353915
Gentoo patch from upstream for xemacs 21.5.29

Comment 5 Vincent Danen 2009-08-05 19:27:49 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2688 to
the following vulnerability:

Name: CVE-2009-2688
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2688
Reference: MISC: http://tracker.xemacs.org/XEmacs/its/issue534
Reference: CONFIRM: https://bugs.gentoo.org/show_bug.cgi?id=275397
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=511994
Reference: BID:35473
Reference: URL: http://www.securityfocus.com/bid/35473
Reference: OSVDB:55298
Reference: URL: http://osvdb.org/55298
Reference: SECUNIA:35348
Reference: URL: http://secunia.com/advisories/35348
Reference: VUPEN:ADV-2009-1666
Reference: URL: http://www.vupen.com/english/advisories/2009/1666
Reference: XF:xemacs-jpeg-bo(51334)
Reference: URL: http://xforce.iss.net/xforce/xfdb/51334
Reference: XF:xemacs-png-bo(51333)
Reference: URL: http://xforce.iss.net/xforce/xfdb/51333
Reference: XF:xemacs-tiff-bo(51332)
Reference: URL: http://xforce.iss.net/xforce/xfdb/51332

Multiple integer overflows in glyphs-eimage.c in XEmacs 21.4.22, when
running on Windows, allow remote attackers to cause a denial of
service (crash) or execute arbitrary code via (1) the tiff_instantiate
function processing a crafted TIFF file, (2) the png_instantiate
function processing a crafted PNG file, and (3) the jpeg_instantiate
function processing a crafted JPEG file, all which trigger a
heap-based buffer overflow.  NOTE: the provenance of this information
is unknown; the details are obtained solely from third party
information.

Comment 6 Vincent Danen 2009-08-05 19:34:07 UTC
The Secunia advisory singles out Windows here, but I don't think this is Windows-specific.

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here:

http://www.redhat.com/security/updates/classification/

Comment 7 Jerry James 2009-08-24 17:22:31 UTC
The Gentoo patch removed any identifying information, but I am the author.  The patch needed some tweaking and a little polish upstream.  We seem to have settled on a generally acceptable patch.  I will apply it to Fedora CVS and kick off new builds today.

With respect to comment 1, Gentoo seems to also have misreported upstream's attitude.  I *am* upstream, so I can tell you that we do consider this a security bug.  It's just that we also believe that any user who uses XEmacs in a security-sensitive setting is out of his/her mind.  I have not seen a single workable exploit for this bug.  On the other hand, since XEmacs (and Emacs) support automatic loading of unverified Elisp, creating a workable Elisp-based exploit is not at all difficult.

Comment 8 Fedora Update System 2009-08-24 21:57:49 UTC
xemacs-21.5.29-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/xemacs-21.5.29-2.fc11

Comment 9 Fedora Update System 2009-09-04 04:01:04 UTC
xemacs-21.5.28-10.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2009-09-04 04:06:47 UTC
xemacs-21.5.29-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.