Bug 511994 (CVE-2009-2688) - CVE-2009-2688 xemacs: multiple integer overflow flaws
Summary: CVE-2009-2688 xemacs: multiple integer overflow flaws
Status: CLOSED WONTFIX
Alias: CVE-2009-2688
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: public=20090625,reported=20090626,sou...
Keywords: Security
Depends On: 511997
Blocks:
Reported: 2009-07-15 21:33 UTC by Vincent Danen
Modified: 2019-06-08 12:47 UTC (History)

Clone Of:
Last Closed: 2011-07-28 17:51:10 UTC


Attachments
Gentoo patch from upstream for xemacs 21.4.22 (4.58 KB, patch)
2009-07-15 21:34 UTC, Vincent Danen
Gentoo patch from upstream for xemacs 21.5.29 (3.65 KB, patch)
2009-07-15 21:35 UTC, Vincent Danen

Description Vincent Danen 2009-07-15 21:33:38 UTC
Tielei Wang has discovered [1] some vulnerabilities in XEmacs, which can
be exploited by malicious people to potentially compromise a user's
system.

1) An integer overflow error within the "tiff_instantiate()" function
in glyphs-eimage.c can be exploited to cause a heap-based buffer
overflow via a specially crafted TIFF file.

2) An integer overflow error within the "png_instantiate()" function
in glyphs-eimage.c can be exploited to cause a heap-based buffer
overflow via a specially crafted PNG file.

3) An integer overflow error within the "jpeg_instantiate()" function
in glyphs-eimage.c can be exploited to cause a heap-based buffer
overflow via a specially crafted JPEG file.

Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.

Gentoo [2] reported this upstream [3], and while upstream's bug is not public, the notes in the Gentoo BZ indicate upstream does not really consider this a security bug.  Gentoo's BZ also indicates this issue does not exist in emacs.

[1] http://secunia.com/advisories/35348/
[2] http://bugs.gentoo.org/show_bug.cgi?id=275397
[3] http://tracker.xemacs.org/XEmacs/its/issue534

Patches taken from Gentoo will be attached to this bug (found in their portage tree; taken from upstream).
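The three flaws above share one shape: an image decoder multiplies attacker-controlled dimensions (width, height, bytes per pixel) in fixed-width integer arithmetic, the product wraps, and the decoder allocates a heap buffer far smaller than the number of bytes its row-copy loop then writes. The following C program is an added illustration of that pattern and of the checked-arithmetic fix; it is not code from XEmacs's glyphs-eimage.c or from the attached patches, and the function names, the 256 MiB policy cap and the sample dimensions are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed example (not XEmacs code): the size computation an image
 * decoder performs before allocating its pixel buffer. */

/* Naive pattern: multiply in 32-bit unsigned arithmetic and hand the
 * result straight to the allocator. The product wraps modulo 2^32, so
 * large dimensions can yield a tiny (even zero-byte) buffer size. */
uint32_t naive_pixel_buffer_size(uint32_t width, uint32_t height,
                                 uint32_t bytes_per_pixel)
{
    return width * height * bytes_per_pixel; /* wraps on overflow */
}

/* Bytes the decoder's row-by-row copy loop would actually write, computed
 * in 64-bit arithmetic so it cannot wrap for 32-bit inputs. Returns 1 if
 * that exceeds the naive allocation, i.e. a heap overflow would follow. */
int would_overflow_with_naive_size(uint32_t width, uint32_t height,
                                   uint32_t bytes_per_pixel)
{
    uint32_t alloc = naive_pixel_buffer_size(width, height, bytes_per_pixel);
    unsigned long long needed =
        (unsigned long long)width * height * bytes_per_pixel;
    return needed > alloc;
}

/* Hardened pattern: refuse zero dimensions, check each multiplication
 * against SIZE_MAX before performing it, and enforce a policy cap so a
 * "valid" but enormous header cannot exhaust memory. Returns 1 and writes
 * *out on success, 0 if the request must be rejected. */
int checked_pixel_buffer_size(uint32_t width, uint32_t height,
                              uint32_t bytes_per_pixel, size_t max_bytes,
                              size_t *out)
{
    if (width == 0 || height == 0 || bytes_per_pixel == 0)
        return 0;
    if (width > SIZE_MAX / height)
        return 0;
    size_t pixels = (size_t)width * height;
    if (pixels > SIZE_MAX / bytes_per_pixel)
        return 0;
    size_t bytes = pixels * bytes_per_pixel;
    if (bytes > max_bytes)
        return 0;
    *out = bytes;
    return 1;
}

/* Simulated decode using the checked size: allocate, fill every row, free.
 * Returns 1 when the image was decoded, 0 when the header was rejected. */
int decode_rows_checked(uint32_t width, uint32_t height,
                        uint32_t bytes_per_pixel, size_t max_bytes)
{
    size_t bytes;
    if (!checked_pixel_buffer_size(width, height, bytes_per_pixel,
                                   max_bytes, &bytes))
        return 0;
    unsigned char *buf = malloc(bytes);
    if (buf == NULL)
        return 0;
    size_t row_bytes = (size_t)width * bytes_per_pixel;
    for (uint32_t y = 0; y < height; y++)
        memset(buf + (size_t)y * row_bytes, 0, row_bytes); /* stays in bounds */
    free(buf);
    return 1;
}

int main(void)
{
    /* Constructed header values: 65536 x 65536 at 4 bytes per pixel is
     * 2^34 bytes, which wraps to 0 in 32-bit arithmetic. */
    uint32_t w = 0x10000u, h = 0x10000u, bpp = 4u;
    size_t cap = (size_t)256 * 1024 * 1024;

    printf("naive size for %ux%ux%u = %u bytes (overflow would follow: %d)\n",
           w, h, bpp, naive_pixel_buffer_size(w, h, bpp),
           would_overflow_with_naive_size(w, h, bpp));
    printf("checked decode of %ux%u: %s\n", w, h,
           decode_rows_checked(w, h, bpp, cap) ? "accepted" : "rejected");
    printf("checked decode of 640x480: %s\n",
           decode_rows_checked(640u, 480u, bpp, cap) ? "accepted" : "rejected");
    return 0;
}
```

The division-based checks work on both 32-bit and 64-bit builds: on a 32-bit `size_t` the `SIZE_MAX / height` test rejects the wrapped case outright, while on 64-bit the product fits but the policy cap rejects it, so the decoder never allocates less than its copy loop will write.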

Comment 1 Vincent Danen 2009-07-15 21:34:48 UTC
Created attachment 353914 [details]
Gentoo patch from upstream for xemacs 21.4.22

Comment 2 Vincent Danen 2009-07-15 21:35:34 UTC
Created attachment 353915 [details]
Gentoo patch from upstream for xemacs 21.5.29

Comment 5 Vincent Danen 2009-08-05 19:27:49 UTC
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2688 to
the following vulnerability:

Name: CVE-2009-2688
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2688
Reference: MISC: http://tracker.xemacs.org/XEmacs/its/issue534
Reference: CONFIRM: https://bugs.gentoo.org/show_bug.cgi?id=275397
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=511994
Reference: BID:35473
Reference: URL: http://www.securityfocus.com/bid/35473
Reference: OSVDB:55298
Reference: URL: http://osvdb.org/55298
Reference: SECUNIA:35348
Reference: URL: http://secunia.com/advisories/35348
Reference: VUPEN:ADV-2009-1666
Reference: URL: http://www.vupen.com/english/advisories/2009/1666
Reference: XF:xemacs-jpeg-bo(51334)
Reference: URL: http://xforce.iss.net/xforce/xfdb/51334
Reference: XF:xemacs-png-bo(51333)
Reference: URL: http://xforce.iss.net/xforce/xfdb/51333
Reference: XF:xemacs-tiff-bo(51332)
Reference: URL: http://xforce.iss.net/xforce/xfdb/51332

Multiple integer overflows in glyphs-eimage.c in XEmacs 21.4.22, when
running on Windows, allow remote attackers to cause a denial of
service (crash) or execute arbitrary code via (1) the tiff_instantiate
function processing a crafted TIFF file, (2) the png_instantiate
function processing a crafted PNG file, and (3) the jpeg_instantiate
function processing a crafted JPEG file, all which trigger a
heap-based buffer overflow.  NOTE: the provenance of this information
is unknown; the details are obtained solely from third party
information.

Comment 6 Vincent Danen 2009-08-05 19:34:07 UTC
The Secunia advisory singles out Windows here, but I don't think this is Windows-specific.

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here:

http://www.redhat.com/security/updates/classification/

Comment 7 Jerry James 2009-08-24 17:22:31 UTC
The Gentoo patch removed any identifying information, but I am the author.  The patch needed some tweaking and a little polish upstream.  We seem to have settled on a generally acceptable patch.  I will apply it to Fedora CVS and kick off new builds today.

With respect to comment 1, Gentoo seems to also have misreported upstream's attitude.  I *am* upstream, so I can tell you that we do consider this a security bug.  It's just that we also believe that any user who uses XEmacs in a security-sensitive setting is out of his/her mind.  I have not seen a single workable exploit for this bug.  On the other hand, since XEmacs (and Emacs) support automatic loading of unverified Elisp, creating a workable Elisp-based exploit is not at all difficult.

Comment 8 Fedora Update System 2009-08-24 21:57:49 UTC
xemacs-21.5.29-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/xemacs-21.5.29-2.fc11

Comment 9 Fedora Update System 2009-09-04 04:01:04 UTC
xemacs-21.5.28-10.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2009-09-04 04:06:47 UTC
xemacs-21.5.29-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.
