ports/129037: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Fri Nov 21 05:50:02 UTC 2008
>Number: 129037
>Category: ports
>Synopsis: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Fri Nov 21 05:50:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Eygene Ryabinkin
>Release: FreeBSD 7.1-PRERELEASE i386
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
Secunia discovered an imlib2 vulnerability that can be used to execute
arbitrary code within the application that uses this library:
-----
The vulnerability is caused due to a pointer arithmetic error within the
"load()" function provided by the XPM loader. This can be exploited to
cause a heap-based buffer overflow via a specially crafted XPM file.
Successful exploitation may allow execution of arbitrary code.
-----
>How-To-Repeat:
http://secunia.com/Advisories/32796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5187
>Fix:
The following patch adds the patch from Debian developers. It is supposed
to fix the issue.
--- fix-imlib2-1.4.1.000.diff begins here ---
diff -urN ./Makefile ../imlib2/Makefile
--- ./Makefile 2008-11-20 20:30:31.000000000 +0300
+++ ../imlib2/Makefile 2008-11-21 08:28:40.000000000 +0300
@@ -7,7 +7,7 @@
PORTNAME= imlib2
PORTVERSION= 1.4.1.000
-PORTREVISION= 0
+PORTREVISION= 1
PORTEPOCH= 2
CATEGORIES= graphics
MASTER_SITES= ftp://ftp.springdaemons.com/pub/snapshots/e17/ \
diff -urN ./files/patch-CVE-2008-5187 ../imlib2/files/patch-CVE-2008-5187
--- ./files/patch-CVE-2008-5187 1970-01-01 03:00:00.000000000 +0300
+++ ../imlib2/files/patch-CVE-2008-5187 2008-11-21 08:24:16.000000000 +0300
@@ -0,0 +1,14 @@
+Obtained from: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505714#15
+
+--- src/modules/loaders/loader_xpm.c
++++ src/modules/loaders/loader_xpm.c
+@@ -246,8 +246,8 @@
+ return 0;
+ }
+ ptr = im->data;
+- end = ptr + (sizeof(DATA32) * w * h);
+ pixels = w * h;
++ end = ptr + pixels;
+ }
+ else
+ {
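Review bot: "pixels = w * h" in the embedded loader_xpm.c hunk is computed with no overflow check visible in the context lines, and the corrected bound "end = ptr + pixels" now depends entirely on that product. Please confirm that the loader rejects width/height values whose product wraps before this point, or add such a check ahead of the allocation. A one-line explanation in the patch header of why the old "sizeof(DATA32) * w * h" bound was wrong would also help whoever next refreshes this patch against upstream.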
--- fix-imlib2-1.4.1.000.diff ends here ---
The following VuXML entry should be validated and added:
--- vuln.xml begins here ---
<vuln vid="">
<topic>imlib2 -- XPM processing buffer overflow vulnerability</topic>
<affects>
<package>
<name>imlib2</name>
<name>imlib2-nox11</name>
<range><lt>1.4.1.000_1,2</lt></range>
</package>
</affects>
<description>
<body xmlns="http://www.w3.org/1999/xhtml">
<p>Secunia reports:</p>
<blockquote cite="http://secunia.com/Advisories/32796">
<p>A vulnerability has been discovered in imlib2, which can
be exploited by malicious people to potentially compromise
an application using the library.</p>
<p>The vulnerability is caused due to a pointer arithmetic
error within the "load()" function provided by the XPM
loader. This can be exploited to cause a heap-based buffer
overflow via a specially crafted XPM file.</p>
<p>Successful exploitation may allow execution of arbitrary
code.</p>
<p>The vulnerability is confirmed in version 1.4.2. Other
versions may also be affected.</p>
</blockquote>
</body>
</description>
<references>
<cvename>CVE-2008-5187</cvename>
<url>http://secunia.com/Advisories/32796</url>
<url>http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505714#15</url>
<url>http://bugzilla.enlightenment.org/show_bug.cgi?id=547</url>
</references>
<dates>
<discovery>2008-11-20</discovery>
</dates>
</vuln>
--- vuln.xml ends here ---
I see that the XPM loader is built and installed even for the nox11 version,
so I am including it among the vulnerable ports. imlib-1.9.15 seems to be
unaffected: it has the code in question, but it does memory manipulations
properly.
>Release-Note:
>Audit-Trail:
>Unformatted:
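The pointer arithmetic error described in the report, as an added example that is not part of the original PR or of imlib2: it assumes "ptr" is a DATA32 * and DATA32 is a 32-bit pixel, and shows how far the old bound reaches next to a store routine that tracks the element count. The struct and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef uint32_t DATA32; /* assumption: 32-bit pixel type */

/* Pixel buffer that carries its element count instead of a raw end pointer. */
struct pixbuf { DATA32 *data; size_t pixels; };

/* Allocate w*h pixels; refuse dimensions whose product or byte size wraps. */
int pixbuf_alloc(struct pixbuf *pb, size_t w, size_t h)
{
    pb->data = NULL;
    pb->pixels = 0;
    if (w == 0 || h == 0 || w > SIZE_MAX / h)
        return -1;
    if (w * h > SIZE_MAX / sizeof(DATA32))
        return -1;
    pb->data = calloc(w * h, sizeof(DATA32));
    if (pb->data == NULL)
        return -1;
    pb->pixels = w * h;
    return 0;
}

/* Element index reached by "ptr + sizeof(DATA32) * w * h": adding to a
 * DATA32 * already scales by sizeof(DATA32), so the size is applied twice. */
size_t end_index_before_fix(size_t w, size_t h) { return sizeof(DATA32) * w * h; }

/* Element index reached by "ptr + pixels", the bound used by the patch. */
size_t end_index_after_fix(size_t w, size_t h) { return w * h; }

/* Bytes between the real end of the buffer and the old, too-distant bound. */
size_t excess_bound_bytes(size_t w, size_t h)
{
    return (end_index_before_fix(w, h) - end_index_after_fix(w, h)) * sizeof(DATA32);
}

/* Copy up to n pixels to index at, clamped to the allocation; returns count. */
size_t pixbuf_store(struct pixbuf *pb, size_t at, const DATA32 *src, size_t n)
{
    size_t i;
    if (at >= pb->pixels)
        return 0;
    if (n > pb->pixels - at)
        n = pb->pixels - at;
    for (i = 0; i < n; i++)
        pb->data[at + i] = src[i];
    return n;
}
```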