Bug 130703 - CAN-2004-0782/3/8 GTK XPM decoder issues
Summary: CAN-2004-0782/3/8 GTK XPM decoder issues
Alias: None
Product: Fedora
Classification: Fedora
Component: gtk2 (Show other bugs)
(Show other bugs)
Version: 2
Hardware: All Linux
Target Milestone: ---
Assignee: Matthias Clasen
QA Contact:
Keywords: Security
Depends On:
TreeView+ depends on / blocked
Reported: 2004-08-23 20:33 UTC by Josh Bressers
Modified: 2007-11-30 22:10 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2004-09-22 06:01:30 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
proposed fixes (2.62 KB, patch)
2004-08-24 13:17 UTC, Matthias Clasen
no flags Details | Diff
Updated patch (3.11 KB, patch)
2004-08-30 14:56 UTC, Josh Bressers
no flags Details | Diff

Description Josh Bressers 2004-08-23 20:34:00 UTC
gtk+-2.4.4 XPM image decoder parsing flaws
Programs:          gtk+, and any programs which use gtk+ to decode XPM
                   For example, Evolution.
Severity:          Compromise of account used to browse malicious XPM
CAN identifier(s): CAN-2004-0782, CAN-2004-0783
This advisory lists code flaws discovered by inspection of the XPM parser
within the gtk+ code. Specifically, gtk+-2.4.4 was investigated.
Flaw 1. Heap-based overflow in pixbuf_create_from_xpm (io-xpm.c)

  name_buf = g_new (gchar, n_col * (cpp + 1));
  colors = g_new (XPMColor, n_col);

Here, n_col is an arbitrary integer value from the XPM. cpp is an
integer value
ranging from 1 to 31 from the XPM. By careful choice of values of
n_col and
cpp, integer overflow can occur on integer multiplication. This leads
to heap
buffers being allocated that cannot hold n_col elements, so a
subsequent heap
overflow occurs.

Demo XPM: http://scary.beasts.org/misc/gdk1.xpm                      

Flaw 2. Subtle stack-based overflow in xpm_extract_color (io-xpm.c)

  gint space = 128;
  gchar word[128], color[128], current_color[128];
      if (color[0] != '\0') {
        strcat (color, " ");
[*]     space--;
      strncat (color, word, space);
      space -= MIN (space, strlen (word));
Here, an attempt is actually made to prevent overflow of the stack
However, a logic error means one of the buffers can still be made to
When "space" reaches 0, "space" can be sent to -1 by the line marked
with [*],
if the color string is broken up by whitespace. When "space" is -1, the
strncat() call is effectively morphed to a strcat() call, allowing
overflow of
the "color" buffer (probably into the "word" buffer, which may cause a
inconvenience to exploitation. Note use of the word "minor" :-)

Demo XPM: http://scary.beasts.org/misc/gdk2.xpm                      

CESA-2004-005 - rev 1
Chris Evans

Comment 1 Josh Bressers 2004-08-23 20:36:02 UTC
No disclosure has been set.

The disclosure date is pending a fix for this issue.

This issue should also affect FC1

Comment 2 Matthias Clasen 2004-08-24 13:17:29 UTC
Created attachment 103024 [details]
proposed fixes

Comment 3 Josh Bressers 2004-08-30 14:56:54 UTC
Created attachment 103251 [details]
Updated patch

Comment 4 Josh Bressers 2004-08-30 16:08:02 UTC
The patch also fixes an integer overflow in the ico loader.

Comment 5 Josh Bressers 2004-09-15 14:02:27 UTC
Removing embargo

Note You need to log in before you can comment on or make changes to this bug.