Bug 509921 (CVE-2009-2294) - CVE-2009-2294 dillo: PNG-related integer overflow
Summary: CVE-2009-2294 dillo: PNG-related integer overflow
Keywords:
Status: CLOSED CANTFIX
Alias: CVE-2009-2294
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL: http://web.nvd.nist.gov/view/vuln/det...
Whiteboard:
Depends On:
Blocks:
Reported: 2009-07-06 21:12 UTC by Vincent Danen
Modified: 2019-09-29 12:30 UTC (History)
CC: 1 user

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-12-20 22:32:28 UTC
Embargoed:


Description Vincent Danen 2009-07-06 21:12:48 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2294 to
the following vulnerability:

Name: CVE-2009-2294
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2294
Assigned: 20090702
Reference: MISC: http://www.ocert.org/advisories/ocert-2009-008.html

Integer overflow in the Png_datainfo_callback function in Dillo 2.1
and earlier allows remote attackers to cause a denial of service
(crash) and possibly execute arbitrary code via a PNG image with
crafted (1) width or (2) height values.
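The CVE text above names the defect class but shows no code, so the following is an added illustration written for this entry; it is not dillo's Png_datainfo_callback or any other dillo code. It parses a constructed 13-byte PNG IHDR payload (the width, height, bit-depth and colour-type layout comes from the PNG specification), computes the decoded-image buffer size once with unchecked 32-bit arithmetic of the kind the advisory describes, and once with every multiplication overflow-checked via GCC/Clang's __builtin_mul_overflow plus a spec limit on dimensions and an assumed 256 MiB policy cap. The sample IHDR bytes and the cap are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed policy limit for a single decoded image; not a PNG or dillo value. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

struct ihdr { uint32_t width, height; uint8_t bit_depth, color_type; };

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  | (uint32_t)p[3];
}

/* Samples per pixel for a PNG colour type; 0 if the type is invalid. */
static unsigned png_channels(uint8_t color_type) {
    switch (color_type) {
    case 0: return 1; /* greyscale */
    case 2: return 3; /* RGB */
    case 3: return 1; /* palette index */
    case 4: return 2; /* greyscale + alpha */
    case 6: return 4; /* RGBA */
    default: return 0;
    }
}

/* IHDR payload: width(4) height(4) bitdepth(1) colortype(1) compr(1) filter(1) interlace(1). */
int parse_ihdr(const uint8_t *payload, size_t len, struct ihdr *out) {
    if (len != 13) return 0;
    out->width = be32(payload);
    out->height = be32(payload + 4);
    out->bit_depth = payload[8];
    out->color_type = payload[9];
    return 1;
}

/* Unchecked arithmetic: width * height * bytes-per-pixel in uint32_t wraps
 * modulo 2^32, so attacker-chosen dimensions can yield a tiny buffer size. */
uint32_t naive_image_bytes(const struct ihdr *h) {
    uint32_t bpp = (uint32_t)png_channels(h->color_type) * h->bit_depth / 8;
    return h->width * h->height * bpp;
}

/* Checked version. Returns 1 and writes *out on success, 0 on rejection. */
int checked_image_bytes(const struct ihdr *h, size_t *out) {
    unsigned ch = png_channels(h->color_type);
    if (ch == 0 || h->width == 0 || h->height == 0) return 0;
    /* PNG limits each dimension to 2^31 - 1. */
    if (h->width > INT32_MAX || h->height > INT32_MAX) return 0;
    switch (h->bit_depth) { case 1: case 2: case 4: case 8: case 16: break; default: return 0; }

    size_t row_bits, row_bytes, total;
    if (__builtin_mul_overflow((size_t)h->width, (size_t)ch * h->bit_depth, &row_bits)) return 0;
    row_bytes = (row_bits + 7) / 8 + 1;            /* +1 filter-type byte per scanline */
    if (__builtin_mul_overflow(row_bytes, (size_t)h->height, &total)) return 0;
    if (total > MAX_IMAGE_BYTES) return 0;          /* policy cap, not an overflow */
    *out = total;
    return 1;
}

/* Constructed IHDR payloads (not from any real file). */
const uint8_t IHDR_1X1_RGBA8[13]    = {0,0,0,1, 0,0,0,1, 8,6,0,0,0};
const uint8_t IHDR_65536X65537_RGBA8[13] = {0,1,0,0, 0,1,0,1, 8,6,0,0,0};

int main(void) {
    struct ihdr h; size_t n;
    parse_ihdr(IHDR_65536X65537_RGBA8, 13, &h);
    printf("naive size: %u bytes\n", naive_image_bytes(&h));          /* wrapped: 262144 */
    printf("checked: %s\n", checked_image_bytes(&h, &n) ? "ok" : "rejected");
    return 0;
}
```

For the 65536 x 65537 RGBA sample the unchecked product wraps to 262144 bytes, a 256 KiB buffer for an image whose real decoded size is about 17 GiB; the checked path rejects it before any allocation, which is the behaviour an image decoder's header callback needs.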

Comment 2 Vincent Danen 2009-12-02 21:10:32 UTC
It looks as though dillo 0.8.6 doesn't do any image size checks, or at least not in the same way newer dillo does, and the above patches definitely do not apply cleanly.

Is there a particular reason why we are still shipping dillo 0.8.6 when 2.1 is available?  It doesn't look like dillo has really been touched in 2 years (last real update was Dec 6, 2007).

I can't determine whether or not the dillo packages we ship in Fedora are affected by this problem.

Andreas, is dillo still being maintained?  Even now, if I use the menu item to launch dillo, it crashes on startup.  The i18n version works, so there are definitely problems with this old version of dillo altogether.

Comment 3 Andreas Bierfert 2009-12-02 21:33:26 UTC
It is maintained. The problem with the newer dillo is that it requires fltk2, which for a lot of reasons is not in Fedora right now (and probably will not be). However, there are movements in dillo to change the usage of fltk2. Until then we are stuck with the old release.

As to the crash, I will try to look into the issues ASAP.

Comment 4 Vincent Danen 2009-12-02 23:14:08 UTC
Thanks, Andreas.  I wasn't aware of the fltk2 issues.  Unfortunately, I don't have a reproducer for the security issue noted, so I have nothing to verify that dillo is for sure affected (or not).  Perhaps you can examine the patches and code and see if you can tell?

Comment 5 Vincent Danen 2010-04-09 17:02:24 UTC
Any followup on this?  It's been a few months now.  Thanks.

Comment 6 Vincent Danen 2010-12-20 22:32:28 UTC
I'm going to close this.  It's been a year.  Nothing exciting is happening with dillo in Fedora, so it looks unmaintained to me.  As I cannot reproduce this crash, I have no way to know whether dillo 0.8.6 is affected or not.  There doesn't seem to be much point in keeping this bug open as a result; if someone cares to investigate this further and finds that dillo is affected, feel free to re-open and work towards a resolution.
