Bug 512513 (CVE-2009-3050)
| Field | Value |
|---|---|
| Summary | CVE-2009-3050 HTMLDOC: Stack-based buffer overflow when setting custom page output size |
| Product | [Other] Security Response |
| Reporter | Jan Lieskovsky <jlieskov> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | adam, vdanen |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| URL | http://packetstormsecurity.org/0907-exploits/htmldoc-overflow.txt |
| Doc Type | Bug Fix |
| Last Closed | 2009-09-02 17:36:21 UTC |
Description
Jan Lieskovsky
2009-07-18 11:00:29 UTC
This issue affects the versions of the htmldoc package, as shipped with Fedora releases of 10 and 11. This is probably the cause of bug #511520.

Upstream bug report:
--------------------
http://www.htmldoc.org/str.php?L214

Nico Golde of Debian pointed out two more occurrences of the same issue at:

    htmllib.cxx: 2142   if (sscanf(line, "%*s%*s%*s%*s%f%*s%*s%s", &width, glyph) != 2)
    ps-pdf.cxx: 12515   if (sscanf(line, "%*s%*s%*s%*s%d%*s%*s%s", &width, glyph) != 2)

More details in Gentoo's bug: http://bugs.gentoo.org/show_bug.cgi?id=278186#c6

Relevant occurrences in Fedora's htmldoc (htmldoc-1.8.27-10.fc11.i586):

    ps-pdf.cxx:12518:   if (sscanf(line, "%*s%*s%*s%*s%d%*s%*s%s", &width, glyph) != 2)
    ps-pdf.cxx:12534:   if (sscanf(line, "%*s%d%*s%*s%d", &ch, &width) != 2)
    htmllib.cxx:2157:   if (sscanf(line, "%*s%*s%*s%*s%f%*s%*s%s", &width, glyph) != 2)
    htmllib.cxx:2170:   if (sscanf(line, "%*s%d%*s%*s%f", &ch, &width) != 2)

Also the following line looks suspicious:

    http-support.c:702: if (sscanf(s, "%*s%d%15s%d%d:%d:%d", &day, mon, &year, &hour, &min, &sec) < 6)

This is not the cause of bug #511520.

htmldoc-1.8.27-12.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/htmldoc-1.8.27-12.fc11

htmldoc-1.8.27-8.fc10 has been submitted as an update for Fedora 10.
http://admin.fedoraproject.org/updates/htmldoc-1.8.27-8.fc10

htmldoc-1.8.27-8.el4 has been submitted as an update for Fedora EPEL 4.
http://admin.fedoraproject.org/updates/htmldoc-1.8.27-8.el4

htmldoc-1.8.27-8.el5 has been submitted as an update for Fedora EPEL 5.
http://admin.fedoraproject.org/updates/htmldoc-1.8.27-8.el5

htmldoc-1.8.27-12.fc11 has been pushed to the Fedora 11 stable repository. If problems still persist, please make note of it in this bug report.

htmldoc-1.8.27-8.fc10 has been pushed to the Fedora 10 stable repository. If problems still persist, please make note of it in this bug report.
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-3050 to the following vulnerability:

Name: CVE-2009-3050
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3050
Reference: MLIST:[oss-security] 20090725 Re: CVE Request -- HTMLDOC
Reference: URL: http://www.openwall.com/lists/oss-security/2009/07/25/3
Reference: MLIST:[oss-security] 20090726 Re: CVE Request -- HTMLDOC
Reference: URL: http://www.openwall.com/lists/oss-security/2009/07/26/2
Reference: MLIST:[oss-security] 20090901 Re: CVE Request -- HTMLDOC
Reference: URL: http://www.openwall.com/lists/oss-security/2009/09/01/1
Reference: MISC: http://packetstormsecurity.org/0907-exploits/htmldoc-overflow.txt
Reference: CONFIRM: http://bugs.gentoo.org/show_bug.cgi?id=278186
Reference: CONFIRM: http://www.htmldoc.org/str.php?L214
Reference: SECUNIA:35780
Reference: URL: http://secunia.com/advisories/35780

Buffer overflow in the set_page_size function in util.cxx in HTMLDOC 1.8.27 and earlier allows context-dependent attackers to execute arbitrary code via a long MEDIA SIZE comment. NOTE: it was later reported that there were additional vectors in htmllib.cxx and ps-pdf.cxx using an AFM font file with a long glyph name, but these vectors do not cross privilege boundaries.

Also fixed in rawhide: htmldoc-1.8.27-12.fc12

htmldoc-1.8.27-8.el4 has been pushed to the Fedora EPEL 4 stable repository. If problems still persist, please make note of it in this bug report.

htmldoc-1.8.27-8.el5 has been pushed to the Fedora EPEL 5 stable repository. If problems still persist, please make note of it in this bug report.
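The sscanf() calls quoted in the report and the AFM glyph-name vector named in the CVE text share one defect: a bare `%s` conversion writes an attacker-length token into a fixed-size `glyph` buffer. As an added example (not HTMLDOC's code or the Fedora fix), here is a bounded parser for the same AFM "C" line in C: the field width on the last conversion caps the write, and `%n` is used to detect and reject a name that was cut short instead of silently truncating it. `parse_afm_char_metric`, the `accepts`/`rejects` helpers and the sample lines are constructed for this example.

```c
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* Hypothetical bounded replacement for the unbounded "%s" sscanf() calls
 * quoted in the report. Returns 1 on success, 0 if the line does not match
 * or the glyph name would not fit glyph[glyph_size] (rejected, not cut). */
int parse_afm_char_metric(const char *line, float *width,
                          char *glyph, size_t glyph_size)
{
    char fmt[64];
    int consumed = 0;
    if (glyph_size < 2)
        return 0;
    /* Same field layout as the original call, with an explicit width on
     * the last %s (glyph_size-1) and %n to learn where that field ended. */
    snprintf(fmt, sizeof fmt, "%%*s%%*s%%*s%%*s%%f%%*s%%*s%%%zus%%n",
             glyph_size - 1);
    if (sscanf(line, fmt, width, glyph, &consumed) != 2)
        return 0;
    /* A non-blank character right after the field means the width limit
     * cut the name short: the input is longer than the buffer can hold. */
    if (line[consumed] != '\0' && !isspace((unsigned char)line[consumed]))
        return 0;
    return 1;
}

/* Check helpers: parse into an 8-byte glyph buffer (constructed size). */
int accepts(const char *line, float exp_width, const char *exp_glyph)
{
    char glyph[8]; float width = 0;
    return parse_afm_char_metric(line, &width, glyph, sizeof glyph)
           && width == exp_width && strcmp(glyph, exp_glyph) == 0;
}

int rejects(const char *line)
{
    char glyph[8]; float width = 0;
    return !parse_afm_char_metric(line, &width, glyph, sizeof glyph);
}

int main(void)
{
    /* Constructed AFM "C" lines: a normal one and one with an over-long name. */
    printf("normal accepted: %d\n",
           accepts("C 32 ; WX 600 ; N space ; B 0 0 0 0 ;", 600.0f, "space"));
    printf("long name rejected: %d\n",
           rejects("C 65 ; WX 600 ; N ABCDEFGHIJKLMNOP ; B 0 0 0 0 ;"));
    return 0;
}
```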