Bug 511994 - (CVE-2009-2688) CVE-2009-2688 xemacs: multiple integer overflow flaws
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Platform: All Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: public=20090625,reported=20090626,sou...
Keywords: Security
Depends On: 511997
 
Reported: 2009-07-15 17:33 EDT by Vincent Danen
Modified: 2016-03-04 07:17 EST
Doc Type: Bug Fix
Last Closed: 2011-07-28 13:51:10 EDT
Attachments
Gentoo patch from upstream for xemacs 21.4.22 (4.58 KB, patch), 2009-07-15 17:34 EDT, Vincent Danen
Gentoo patch from upstream for xemacs 21.5.29 (3.65 KB, patch), 2009-07-15 17:35 EDT, Vincent Danen
Description Vincent Danen 2009-07-15 17:33:38 EDT
Tielei Wang has discovered [1] some vulnerabilities in XEmacs, which can
be exploited by malicious people to potentially compromise a user's
system.

1) An integer overflow error within the "tiff_instantiate()" function
in glyphs-eimage.c can be exploited to cause a heap-based buffer
overflow via a specially crafted TIFF file.

2) An integer overflow error within the "png_instantiate()" function
in glyphs-eimage.c can be exploited to cause a heap-based buffer
overflow via a specially crafted PNG file.

3) An integer overflow error within the "jpeg_instantiate()" function
in glyphs-eimage.c can be exploited to cause a heap-based buffer
overflow via a specially crafted JPEG file.

Successful exploitation of the vulnerabilities may allow execution of
arbitrary code.

Gentoo [2] reported this upstream [3], and while upstream's bug is not public, the notes in the Gentoo BZ indicate upstream does not really consider this a security bug.  Gentoo's BZ also indicates this issue does not exist in emacs.

[1] http://secunia.com/advisories/35348/
[2] http://bugs.gentoo.org/show_bug.cgi?id=275397
[3] http://tracker.xemacs.org/XEmacs/its/issue534

Patches taken from Gentoo will be attached to this bug (found in their portage tree; taken from upstream).
Comment 1 Vincent Danen 2009-07-15 17:34:48 EDT
Created attachment 353914
Gentoo patch from upstream for xemacs 21.4.22
Comment 2 Vincent Danen 2009-07-15 17:35:34 EDT
Created attachment 353915
Gentoo patch from upstream for xemacs 21.5.29
Comment 5 Vincent Danen 2009-08-05 15:27:49 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-2688 to
the following vulnerability:

Name: CVE-2009-2688
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2688
Reference: MISC: http://tracker.xemacs.org/XEmacs/its/issue534
Reference: CONFIRM: https://bugs.gentoo.org/show_bug.cgi?id=275397
Reference: CONFIRM: https://bugzilla.redhat.com/show_bug.cgi?id=511994
Reference: BID:35473
Reference: URL: http://www.securityfocus.com/bid/35473
Reference: OSVDB:55298
Reference: URL: http://osvdb.org/55298
Reference: SECUNIA:35348
Reference: URL: http://secunia.com/advisories/35348
Reference: VUPEN:ADV-2009-1666
Reference: URL: http://www.vupen.com/english/advisories/2009/1666
Reference: XF:xemacs-jpeg-bo(51334)
Reference: URL: http://xforce.iss.net/xforce/xfdb/51334
Reference: XF:xemacs-png-bo(51333)
Reference: URL: http://xforce.iss.net/xforce/xfdb/51333
Reference: XF:xemacs-tiff-bo(51332)
Reference: URL: http://xforce.iss.net/xforce/xfdb/51332

Multiple integer overflows in glyphs-eimage.c in XEmacs 21.4.22, when
running on Windows, allow remote attackers to cause a denial of
service (crash) or execute arbitrary code via (1) the tiff_instantiate
function processing a crafted TIFF file, (2) the png_instantiate
function processing a crafted PNG file, and (3) the jpeg_instantiate
function processing a crafted JPEG file, all of which trigger a
heap-based buffer overflow.  NOTE: the provenance of this information
is unknown; the details are obtained solely from third party
information.
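The three flaws in the description and in the CVE text above share one shape: an image dimension product computed in narrow integer arithmetic wraps, the decoder allocates the wrapped (too small) size, and the pixel writes that follow run off the end of the heap block. The following C program is an added illustration of that pattern and of the defensive check that closes it; it is not the XEmacs glyphs-eimage.c code, and the function names, the 256 MiB cap and the header values are constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed cap on a single decoded image.  XEmacs's real limits are not on
 * the page; this value is an illustrative choice for the example. */
#define MAX_IMAGE_BYTES ((size_t)256 * 1024 * 1024)

/* Vulnerable pattern (illustrative, not the XEmacs source): the byte count
 * for the pixel buffer is computed in 32-bit arithmetic.  For dimensions
 * read from an untrusted header the product wraps silently, so the decoder
 * later allocates far fewer bytes than it writes: a heap-based overflow. */
uint32_t naive_image_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Hardened pattern: every multiplication is checked against SIZE_MAX before
 * it is performed, zero dimensions are rejected, and the result is bounded
 * by a sanity cap.  Returns 1 and stores the size in *out on success, 0 if
 * the header describes an image this decoder should refuse. */
int checked_image_size(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    size_t w = width, h = height, b = bpp, total;

    if (w == 0 || h == 0 || b == 0)
        return 0;
    if (h > SIZE_MAX / w)          /* w * h would overflow size_t */
        return 0;
    total = w * h;
    if (b > SIZE_MAX / total)      /* total * b would overflow size_t */
        return 0;
    total *= b;
    if (total > MAX_IMAGE_BYTES)   /* arithmetically fine, but unreasonable */
        return 0;
    *out = total;
    return 1;
}

/* Convenience wrapper: the checked size, or 0 when the header is rejected. */
size_t checked_size_or_zero(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n = 0;
    return checked_image_size(width, height, bpp, &n) ? n : 0;
}

/* Returns 1 when the naive computation yields a smaller buffer than the
 * decoder would actually fill, i.e. when the wrap turns into an overflow.
 * The true byte count is computed in 64 bits; if even that overflows, the
 * 32-bit result is certainly short. */
int naive_size_is_short(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint64_t real = (uint64_t)width * height;   /* < 2^64, cannot wrap */
    if (bpp != 0 && real > UINT64_MAX / bpp)
        return 1;
    real *= bpp;
    return (uint64_t)naive_image_size(width, height, bpp) < real;
}

/* Allocates a zeroed pixel buffer only when the header passes the checks. */
unsigned char *alloc_pixel_buffer(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t n;
    if (!checked_image_size(width, height, bpp, &n))
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed header values: a 640x480 RGBA image and a 65536x65536
     * 1-byte-per-pixel image whose naive size wraps to exactly 0. */
    unsigned char *ok = alloc_pixel_buffer(640, 480, 4);
    unsigned char *bad = alloc_pixel_buffer(65536, 65536, 1);

    printf("640x480x4: naive=%u checked=%zu short=%d buffer=%s\n",
           naive_image_size(640, 480, 4), checked_size_or_zero(640, 480, 4),
           naive_size_is_short(640, 480, 4), ok ? "allocated" : "rejected");
    printf("65536x65536x1: naive=%u checked=%zu short=%d buffer=%s\n",
           naive_image_size(65536, 65536, 1), checked_size_or_zero(65536, 65536, 1),
           naive_size_is_short(65536, 65536, 1), bad ? "allocated" : "rejected");
    free(ok);
    free(bad);
    return 0;
}
```

The division-based test is the portable way to detect the wrap before it happens; compilers that provide `__builtin_mul_overflow` can express the same check in one call. The sanity cap is the second half of the fix: a header that is arithmetically valid can still request a multi-gigabyte allocation, which is the denial-of-service side of the same flaw.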
Comment 6 Vincent Danen 2009-08-05 15:34:07 EDT
The Secunia advisory singles out Windows here, but I don't think this is Windows-specific.

The Red Hat Security Response Team has rated this issue as having low security impact; a future update may address this flaw. More information regarding issue severity can be found here:

http://www.redhat.com/security/updates/classification/
Comment 7 Jerry James 2009-08-24 13:22:31 EDT
The Gentoo patch removed any identifying information, but I am the author.  The patch needed some tweaking and a little polish upstream.  We seem to have settled on a generally acceptable patch.  I will apply it to Fedora CVS and kick off new builds today.

With respect to comment 1, Gentoo seems to also have misreported upstream's attitude.  I *am* upstream, so I can tell you that we do consider this a security bug.  It's just that we also believe that any user who uses XEmacs in a security-sensitive setting is out of his/her mind.  I have not seen a single workable exploit for this bug.  On the other hand, since XEmacs (and Emacs) support automatic loading of unverified Elisp, creating a workable Elisp-based exploit is not at all difficult.
Comment 8 Fedora Update System 2009-08-24 17:57:49 EDT
xemacs-21.5.29-2.fc11 has been submitted as an update for Fedora 11.
http://admin.fedoraproject.org/updates/xemacs-21.5.29-2.fc11
Comment 9 Fedora Update System 2009-09-04 00:01:04 EDT
xemacs-21.5.28-10.fc10 has been pushed to the Fedora 10 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 10 Fedora Update System 2009-09-04 00:06:47 EDT
xemacs-21.5.29-2.fc11 has been pushed to the Fedora 11 stable repository.  If problems still persist, please make note of it in this bug report.