Bug 633475 (CVE-2010-0280)

Summary: CVE-2010-0280 lib3ds buffer overflow
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: jlieskov, lxtnow, rc040203, silvio.cesare, vdanen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-05-30 17:00:21 UTC
Bug Depends On: 633477, 646103, 646104, 650786, 651203, 651240
Attachments: Patch to address this issue (flags: none)

Description Josh Bressers 2010-09-13 19:52:18 UTC
Array index error in Jan Eric Kyprianidis lib3ds 1.x, as used in Google
SketchUp 7.x before 7.1 M2, allows remote attackers to cause a denial of
service (memory corruption) or possibly execute arbitrary code via crafted
structures in a 3DS file, probably related to mesh.c. 

http://www.coresecurity.com/content/google-sketchup-vulnerability
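An added illustration, not lib3ds code and not taken from the advisory: it assumes (as the "array index error ... related to mesh.c" wording suggests) that the defect is a face vertex index read from the file and used to index the mesh's point array without a range check. The chunk layout (u16 face count, then u16 a, b, c, flags per face) follows the 3DS FACE_ARRAY chunk; the function names and the sample bytes are constructed.

```c
/* Bounds-checked reader for a 3DS face-array chunk body (constructed example).
 * The security-relevant check is the comparison of each vertex index against
 * npoints: an unchecked index from the file is the assumed root cause. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Little-endian 16-bit read with truncation check (3DS integers are LE). */
static int read_u16(const uint8_t *buf, size_t len, size_t *pos, uint16_t *out) {
    if (len < 2 || *pos > len - 2) return 0;   /* chunk body truncated */
    *out = (uint16_t)(buf[*pos] | (buf[*pos + 1] << 8));
    *pos += 2;
    return 1;
}

/* Parse: u16 nfaces, then nfaces records of {a, b, c, flags}.
 * Returns the number of faces accepted, or -1 if the chunk is truncated,
 * exceeds max_faces, or any vertex index is >= npoints. */
int read_face_array(const uint8_t *buf, size_t len, uint16_t npoints,
                    uint16_t faces[][3], size_t max_faces) {
    size_t pos = 0;
    uint16_t nfaces;
    if (!read_u16(buf, len, &pos, &nfaces)) return -1;
    if (nfaces > max_faces) return -1;         /* do not trust the count either */
    for (size_t i = 0; i < nfaces; i++) {
        uint16_t idx[4];
        for (int k = 0; k < 4; k++)
            if (!read_u16(buf, len, &pos, &idx[k])) return -1;
        for (int k = 0; k < 3; k++) {
            /* Hardening: every index must address an existing point. */
            if (idx[k] >= npoints) {
                fprintf(stderr, "face %zu: index %u >= npoints %u\n", i, idx[k], npoints);
                return -1;
            }
            faces[i][k] = idx[k];
        }
    }
    return (int)nfaces;
}

/* Wrapper that parses into a local buffer; used by main and by tests. */
int check_chunk(const uint8_t *buf, size_t len, uint16_t npoints) {
    uint16_t faces[16][3];
    return read_face_array(buf, len, npoints, faces, 16);
}

/* Constructed sample chunk bodies, not bytes from any real 3DS file. */
static const uint8_t good_chunk[] = { 1,0, 0,0, 1,0, 2,0, 7,0 };        /* face 0,1,2 */
static const uint8_t bad_chunk[]  = { 1,0, 0,0, 1,0, 0xFF,0xFF, 7,0 };  /* index 65535 */

int main(void) {
    printf("good chunk: %d face(s)\n", check_chunk(good_chunk, sizeof good_chunk, 3));
    printf("bad chunk:  %d (rejected)\n", check_chunk(bad_chunk, sizeof bad_chunk, 3));
    return 0;
}
```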

Comment 1 Josh Bressers 2010-09-13 19:53:58 UTC
Created lib3ds tracking bugs for this issue

Affects: fedora-all [bug 633477]

Comment 2 Josh Bressers 2010-09-13 19:55:06 UTC
The core security advisory suggests that version 2 of lib3ds fixes this flaw.

Comment 3 Ralf Corsepius 2010-09-14 05:04:30 UTC
(In reply to comment #2)
> The core security advisory suggests that version 2 of lib3ds fixes this flaw.

This advisory is not applicable.


Rationale:

a) There is no "official lib3ds-2".

- There is an outdated code-blob called 'lib3ds-20080909.zip'
http://code.google.com/p/lib3ds/downloads/list.
This *.zip is known to be broken and problematic. IIRC, it originates from lib3ds's former upstream @sourceforge and is a relic of a failed attempt to release a lib3ds-2.0 (this *.zip had been labeled "release" candidate, but such a release hasn't happened since).

- There is an svn repository at http://code.google.com/p/lib3ds/source/checkout
which so far has not released any "stable package".
In my understanding, this is what "core security" is referring to.


b) The code in google's SVN is incompatible with lib3ds-1.3.0.
It's impossible to upgrade Fedora to this code at this point in time.

That said, should the google-lib3ds project release a tarball, their code could be considered for parallel installation to lib3ds-1.3.0 to gradually grandfather lib3ds-1.3.0. However, due to its incompatibilities it cannot be a replacement for lib3ds-1.3.0.


c) So far, all major Linux distros (Fedora, openSUSE, Debian, Ubuntu) ship lib3ds-1.3.0 and don't ship lib3ds-2/google's lib3ds-SVN, likely because of a) and b) (incompatible, no release tarballs).

I'll try to provide a patch, instead.

Comment 4 Ralf Corsepius 2010-09-14 12:52:09 UTC
Created attachment 447208 [details]
Patch to address this issue

This is the patch I am going to apply.

It's a 1:1 back-port to 1.3.0 of what currently is in google's SVN.

Comment 5 Vincent Danen 2010-11-09 00:05:16 UTC
This also looks to affect other packages that contain embedded lib3ds:

mm3d-1.3.8a-1.fc13: (source) ad3dsfilter-0.8.1.tar.gz: plugins/ad3dsfilter/lib3ds/lib3ds/mesh.c
mrpt-0.8.0-0.3.20100102svn1398.fc13: (source) mrpt-0.8.0-20100102svn1398.tar.bz2: mrpt-0.8.0/src/core/opengl/lib3ds/mesh.c


Silvio Cesare reported the mrpt case in bug #650786; I'm going to file a bug for mm3d to get fixed as well.

Comment 6 Vincent Danen 2010-11-09 00:06:30 UTC
Created mm3d tracking bugs for this issue

Affects: fedora-all [bug 651203]

Comment 7 Vincent Danen 2010-11-09 00:06:33 UTC
Created lib3ds tracking bugs for this issue

Affects: fedora-all [bug 633477]

Comment 8 Vincent Danen 2010-11-09 00:06:36 UTC
Created mrpt tracking bugs for this issue

Affects: fedora-all [bug 650786]

Comment 9 Silvio Cesare 2010-11-09 00:47:12 UTC
GLC_lib also embeds lib3ds, but like mm3d has lib3ds as a package dependency so I have assumed that neither are vulnerable.

OpenSceneGraph has had the embedded lib3ds CVE fix [1], but mingw32-OpenSceneGraph appears unfixed.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=646104

Comment 10 Vincent Danen 2010-11-09 04:26:20 UTC
Ahh, the filename is different: mingw32-OpenSceneGraph-2.8.2/OpenSceneGraph-2.8.2/src/osgPlugins/3ds/mesh.cpp.  Code inspection shows it is indeed vulnerable.  Thank you!

And you're right about mm3d; the mm3d-ad3dsfilter-make.patch pulls out the building of the embedded lib3ds so that bug was filed incorrectly.  Thank you for the double-check.  I'll close that bug then.

The mingw32-OpenSceneGraph tracking bugs for this issue:

Affects: fedora-all [bug 651240]

Comment 11 Ralf Corsepius 2010-11-09 05:38:55 UTC
(In reply to comment #10)
> Ahh, the filename is different:
> mingw32-OpenSceneGraph-2.8.2/OpenSceneGraph-2.8.2/src/osgPlugins/3ds/mesh.cpp. 
> Code inspection shows it is indeed vulnerable.  Thank you!
cf. https://bugzilla.redhat.com/show_bug.cgi?id=646104#c2

A patch addressing this issue for OSG-2.8.2 can be found in OpenSceneGraph's f13 branch in git.