Eygene Ryabinkin
2008-Nov-20 21:50 UTC
ports/129037: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187
>Number:         129037
>Category:       ports
>Synopsis:       [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 21 05:50:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
Secunia discovered an imlib2 vulnerability that can be used to execute arbitrary code within the application that uses this library:

-----
The vulnerability is caused due to a pointer arithmetic error within the "load()" function provided by the XPM loader. This can be exploited to cause a heap-based buffer overflow via a specially crafted XPM file.

Successful exploitation may allow execution of arbitrary code.
-----
>How-To-Repeat:
http://secunia.com/Advisories/32796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5187
>Fix:
The following patch adds the patch from the Debian developers. It is supposed to fix the issue.

--- fix-imlib2-1.4.1.000.diff begins here ---
diff -urN ./Makefile ../imlib2/Makefile --- ./Makefile 2008-11-20 20:30:31.000000000 +0300 +++ ../imlib2/Makefile 2008-11-21 08:28:40.000000000 +0300 @@ -7,7 +7,7 @@ PORTNAME= imlib2 PORTVERSION= 1.4.1.000 -PORTREVISION= 0 +PORTREVISION= 1 PORTEPOCH= 2 CATEGORIES= graphics MASTER_SITES= ftp://ftp.springdaemons.com/pub/snapshots/e17/ \ diff -urN ./files/patch-CVE-2008-5187 ../imlib2/files/patch-CVE-2008-5187 --- ./files/patch-CVE-2008-5187 1970-01-01 03:00:00.000000000 +0300 +++ ../imlib2/files/patch-CVE-2008-5187 2008-11-21 08:24:16.000000000 +0300
@@ -0,0 +1,14 @@ +Obtained from: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505714#15 + +--- src/modules/loaders/loader_xpm.c ++++ src/modules/loaders/loader_xpm.c +@@ -246,8 +246,8 @@ + return 0; + } + ptr = im->data; +- end = ptr + (sizeof(DATA32) * w * h); + pixels = w * h; ++ end = ptr + pixels; + } + else + {
--- fix-imlib2-1.4.1.000.diff ends here ---

The following VuXML entry should be validated and added:

--- vuln.xml begins here ---
  <vuln vid="">
    <topic>imlib2 -- XPM processing buffer overflow vulnerability</topic>
    <affects>
      <package>
        <name>imlib2</name>
        <name>imlib2-nox11</name>
        <range><lt>1.4.1.000_1,2</lt></range>
      </package>
    </affects>
    <description>
      <body xmlns="http://www.w3.org/1999/xhtml">
        <p>Secunia reports:</p>
        <blockquote cite="http://secunia.com/Advisories/32796">
          <p>A vulnerability has been discovered in imlib2, which can be
            exploited by malicious people to potentially compromise an
            application using the library.</p>
          <p>The vulnerability is caused due to a pointer arithmetic error
            within the "load()" function provided by the XPM loader. This
            can be exploited to cause a heap-based buffer overflow via a
            specially crafted XPM file.</p>
          <p>Successful exploitation may allow execution of arbitrary
            code.</p>
          <p>The vulnerability is confirmed in version 1.4.2. Other
            versions may also be affected.</p>
        </blockquote>
      </body>
    </description>
    <references>
      <cvename>CVE-2008-5187</cvename>
      <url>http://secunia.com/Advisories/32796</url>
      <url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505714#15</url>
      <url>http://bugzilla.enlightenment.org/show_bug.cgi?id=547</url>
    </references>
    <dates>
      <discovery>2008-11-20</discovery>
    </dates>
  </vuln>
--- vuln.xml ends here ---

I see that the XPM loader is built and installed even for the nox11 version, so I am including it in the vulnerable ports.

imlib-1.9.15 seems to be unaffected: it has the code in question, but it does the memory manipulations properly.
>Release-Note:
>Audit-Trail:
>Unformatted:
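Review bot: in the loader_xpm.c hunk at line 246 the new bound `end = ptr + pixels;` is only correct because `ptr = im->data;` is a `DATA32 *`, so the compiler already scales the addition by sizeof(DATA32); the removed line `end = ptr + (sizeof(DATA32) * w * h);` applied that scale a second time and placed `end` sizeof(DATA32) times too far past the pixel buffer, which is the heap overflow the PR describes. A short comment above the assignment stating that `end` is measured in pixels, not bytes, would keep the next reader from reintroducing the sizeof(). Separately, `pixels = w * h;` is not visibly guarded within this hunk: the `return 0;` just above implies an earlier check on w and h, and it is worth confirming that that check also bounds the product, so that `pixels` cannot wrap on large dimensions.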
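The pointer-arithmetic error the PR describes, as an added example that is not part of the PR, of the Debian patch or of imlib2's own code: a constructed model of the loader's bound computation and pixel fill loop. The real w*h pixel buffer is placed at the start of an oversized arena so the pre-patch bound can be measured instead of corrupting the heap. Only the two `end` expressions come from the hunk; the function names `compute_end` and `overflow_pixels`, the marker colour, the simple fill loop and the 4x4-header-with-100-pixels input are assumptions made for the demonstration.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t DATA32;   /* imlib2's pixel type: one 32-bit ARGB value */

/*
 * Model of the bound computation at loader_xpm.c:246 (assumed wrapper, not
 * imlib2 code). `ptr` is a DATA32 *, so `ptr + n` already advances n pixels,
 * i.e. n * sizeof(DATA32) bytes. The pre-patch expression multiplied by
 * sizeof(DATA32) a second time and put `end` four times too far.
 */
static DATA32 *compute_end(DATA32 *ptr, size_t w, size_t h, int fixed)
{
    size_t pixels = w * h;
    if (fixed)
        return ptr + pixels;                     /* patched:   end = ptr + pixels */
    return ptr + (sizeof(DATA32) * w * h);       /* pre-patch: bytes used as pixels */
}

/*
 * Simulates a crafted XPM whose header declares a w x h image but whose body
 * carries `pixels_in_file` pixel values. Returns how many pixels were written
 * beyond the real w*h buffer. The arena is sized to hold the pre-patch bound
 * so every write stays inside memory we own and can be counted.
 */
size_t overflow_pixels(size_t w, size_t h, size_t pixels_in_file, int fixed)
{
    size_t real  = w * h;                        /* what im->data really holds */
    size_t arena = sizeof(DATA32) * real + 1;    /* room for the bad bound too */
    DATA32 *data = calloc(arena, sizeof(DATA32));
    if (data == NULL)
        return (size_t)-1;

    DATA32 *ptr = data;
    DATA32 *end = compute_end(data, w, h, fixed);

    /* Assumed fill loop: store pixel values while ptr is below `end`. */
    for (size_t i = 0; i < pixels_in_file && ptr < end; i++)
        *ptr++ = 0xFFDEADBEu;                    /* opaque marker colour */

    size_t written = (size_t)(ptr - data);
    free(data);
    return written > real ? written - real : 0;
}

int main(void)
{
    /* Constructed input: 4x4 header, 100 pixel values in the body. */
    printf("pre-patch overflow: %zu pixels past the buffer\n",
           overflow_pixels(4, 4, 100, 0));
    printf("patched   overflow: %zu pixels past the buffer\n",
           overflow_pixels(4, 4, 100, 1));
    return 0;
}
```

With the pre-patch bound the 4x4 image accepts 64 pixel values, 48 of them past the 16-pixel buffer; a well-formed file with exactly w*h pixels overflows under neither bound, which is why the bug only shows with a crafted body.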
edwin@FreeBSD.org
2008-Nov-20 21:56 UTC
ports/129037: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187
Synopsis: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187

Responsible-Changed-From-To: freebsd-ports-bugs->stas
Responsible-Changed-By: edwin
Responsible-Changed-When: Fri Nov 21 05:50:17 UTC 2008
Responsible-Changed-Why:
Over to maintainer (via the GNATS Auto Assign Tool)

http://www.freebsd.org/cgi/query-pr.cgi?pr=129037
stas@FreeBSD.org
2008-Nov-24 09:50 UTC
ports/129037: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187
Synopsis: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187

State-Changed-From-To: open->closed
State-Changed-By: stas
State-Changed-When: Mon Nov 24 17:50:36 UTC 2008
State-Changed-Why:
Committed, with minor changes. Thanks!

http://www.freebsd.org/cgi/query-pr.cgi?pr=129037
William Palfreman
2008-Nov-24 11:11 UTC
ports/129037: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187
2008/11/24 <stas@freebsd.org>:
> Synopsis: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187
>
> State-Changed-From-To: open->closed
> State-Changed-By: stas
> State-Changed-When: Mon Nov 24 17:50:36 UTC 2008
> State-Changed-Why:
> Committed, with minor changes. Thanks!

I can see no need for this on the freebsd-security mailing list. It amounts to spam.
Stanislav Sedov
2008-Nov-24 14:17 UTC
ports/129037: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On Mon, 24 Nov 2008 20:05:26 +0100
"William Palfreman" <william@palfreman.com> mentioned:

> 2008/11/24 <stas@freebsd.org>:
> > Synopsis: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187
> >
> > State-Changed-From-To: open->closed
> > State-Changed-By: stas
> > State-Changed-When: Mon Nov 24 17:50:36 UTC 2008
> > State-Changed-Why:
> > Committed, with minor changes. Thanks!
>
> I can see no need for this on the Freebsd-security mailinglist. It
> amounts to spam.

This is generated automatically as this PR fixes a security issue.

- --
Stanislav Sedov
ST4096-RIPE
-----BEGIN PGP SIGNATURE-----

iEYEARECAAYFAkkrI5sACgkQK/VZk+smlYEQugCggWHZ+sROzYS9lZLRNpJ652hl
+XcAniWPSlgdZKmyoY0fhtd2OuOCKJ8f
=noDe
-----END PGP SIGNATURE-----