Bug 512513 (CVE-2009-3050)

Summary: CVE-2009-3050 HTMLDOC: Stack-based buffer overflow when setting custom page output size
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: adam, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://packetstormsecurity.org/0907-exploits/htmldoc-overflow.txt
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-09-02 17:36:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2009-07-18 11:00:29 UTC 
A stack-based buffer overflow by processing user-supplied input was found
in HTMLDOC's routine, used to set the result page output size for custom
page sizes. A remote attacker could provide a specially-crafted HTML file,
which once opened by an unsuspecting user, would lead to denial of service
(htmldoc crash).

Credit:  Flaw discovered by ANTHRAX666.
-------

References:
----------
http://secunia.com/advisories/35780/2/ (Secunia advisory)
http://packetstormsecurity.org/0907-exploits/htmldoc-overflow.txt
(proof of concept)
http://bugs.gentoo.org/show_bug.cgi?id=278186 (Gentoo BTS entry)
http://www.openwall.com/lists/oss-security/2009/07/18/1 (CVE request)

Proposed patch from Gentoo:
---------------------------
http://bugs.gentoo.org/attachment.cgi?id=198347&action=view

Note: Please be sure to mention particular CVE identifier in the
      HTMLDOC's Changelog entry while scheduling Fedora updates.
Comment 1 Jan Lieskovsky 2009-07-18 11:14:11 UTC 
This issue affects the versions of the htmldoc package, as shipped with
Fedora releases of 10 and 11.
Comment 2 Adam Goode 2009-07-20 19:50:49 UTC 
This is probably the cause of bug #511520.
Comment 3 Jan Lieskovsky 2009-07-27 13:10:42 UTC 
Upstream bug report:
--------------------
http://www.htmldoc.org/str.php?L214

Nico Golde of Debian pointed out two more occurrences of the same issue
at:

htmllib.cxx:
2142   if (sscanf(line, "%*s%*s%*s%*s%f%*s%*s%s", &width, glyph) != 2)

ps-pdf.cxx:
12515  if (sscanf(line, "%*s%*s%*s%*s%d%*s%*s%s", &width, glyph) != 2)

More details in Gentoo's bug:
http://bugs.gentoo.org/show_bug.cgi?id=278186#c6

Relevant occurrences in Fedora's htmldoc (htmldoc-1.8.27-10.fc11.i586):

ps-pdf.cxx:12518:	  if (sscanf(line, "%*s%*s%*s%*s%d%*s%*s%s", &width, glyph) != 2)
ps-pdf.cxx:12534:	  if (sscanf(line, "%*s%d%*s%*s%d", &ch, &width) != 2)

htmllib.cxx:2157:          if (sscanf(line, "%*s%*s%*s%*s%f%*s%*s%s", &width, glyph) != 2)
htmllib.cxx:2170:          if (sscanf(line, "%*s%d%*s%*s%f", &ch, &width) != 2)

Also the following line looks suspicious:

http-support.c:702:  if (sscanf(s, "%*s%d%15s%d%d:%d:%d", &day, mon, &year, &hour, &min, &sec) < 6)
Comment 4 Adam Goode 2009-08-05 01:06:08 UTC 
This is not the cause of bug #511520.
Comment 5 Fedora Update System 2009-08-14 05:05:12 UTC 
htmldoc-1.8.27-12.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/htmldoc-1.8.27-12.fc11
Comment 6 Fedora Update System 2009-08-14 05:05:22 UTC 
htmldoc-1.8.27-8.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/htmldoc-1.8.27-8.fc10
Comment 7 Fedora Update System 2009-08-30 22:05:48 UTC 
htmldoc-1.8.27-8.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/htmldoc-1.8.27-8.el4
Comment 8 Fedora Update System 2009-08-30 22:05:58 UTC 
htmldoc-1.8.27-8.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/htmldoc-1.8.27-8.el5
Comment 9 Fedora Update System 2009-08-31 23:41:14 UTC 
htmldoc-1.8.27-12.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2009-08-31 23:44:53 UTC 
htmldoc-1.8.27-8.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Vincent Danen 2009-09-02 17:34:50 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3050 to
the following vulnerability:

Name: CVE-2009-3050
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3050
Reference: MLIST:[oss-security] 20090725 Re: CVE Request -- HTMLDOC
Reference: URL: http://www.openwall.com/lists/oss-security/2009/07/25/3
Reference: MLIST:[oss-security] 20090726 Re: CVE Request -- HTMLDOC
Reference: URL: http://www.openwall.com/lists/oss-security/2009/07/26/2
Reference: MLIST:[oss-security] 20090901 Re: CVE Request -- HTMLDOC
Reference: URL: http://www.openwall.com/lists/oss-security/2009/09/01/1
Reference: MISC: http://packetstormsecurity.org/0907-exploits/htmldoc-overflow.txt
Reference: CONFIRM: http://bugs.gentoo.org/show_bug.cgi?id=278186
Reference: CONFIRM: http://www.htmldoc.org/str.php?L214
Reference: SECUNIA:35780
Reference: URL: http://secunia.com/advisories/35780

Buffer overflow in the set_page_size function in util.cxx in HTMLDOC
1.8.27 and earlier allows context-dependent attackers to execute
arbitrary code via a long MEDIA SIZE comment.  NOTE: it was later
reported that there were additional vectors in htmllib.cxx and
ps-pdf.cxx using an AFM font file with a long glyph name, but these
vectors do not cross privilege boundaries.
Comment 12 Vincent Danen 2009-09-02 17:36:21 UTC 
Also fixed in rawhide: htmldoc-1.8.27-12.fc12
Comment 13 Fedora Update System 2009-09-12 17:51:31 UTC 
htmldoc-1.8.27-8.el4 has been pushed to the Fedora EPEL 4 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2009-09-12 17:52:55 UTC 
htmldoc-1.8.27-8.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.