Security
By Jake Edge April 23, 2008
Bugs that linger for eight years without a fix are probably annoying to
whoever reported them; perhaps others as well. When those bugs have
possible security implications, it is hard to see how they can remain
unfixed for even eight months, let alone years, but that appears to be the case
with some GTK image handling bugs. Code to handle image formats has been
the source of numerous vulnerabilities along the way, which makes it even
harder to see why these have languished so long.
A call for ideas for a hackfest on the GNOME foundation mailing list seems
like a bit of a strange place to find information about vulnerabilities,
but in the ensuing thread, Michael Chudobiak brought up some bugs that he would like to see addressed,
perhaps as part of a hackfest:
I'd like to suggest one possible topic: The pixbuf loaders. They're slow
and memory intensive, and this drags down anything that needs thumbnails
(Nautilus, etc). There is a lot of opportunity to improve the
responsiveness of the desktop here.
The bugs he listed were from 2002 (80925), 2004 (142428), and
2008 (522803), but
Alan Cox mentioned that he reported one of them as a GNOME
security bug "about eight years ago". In his opinion all of the bugs were
of the "well known, never fixed" variety. Because the code in question
lives in GTK—used by many GNOME applications—"quite a few gnome
apps fed small compressed images explode".
The basic problem is that the routines handling images create the
full-resolution image in memory regardless of the size requested. In
addition, various memory-intensive techniques are used to scale the image
to the requested size. This impacts Nautilus and other GNOME programs
that create thumbnails of large images.
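The defensive counterpart to the problem just described, as an added example that is not code from GTK, gdk-pixbuf or the article: a thumbnailer can read the PNG header, compute how much memory the fully decoded image would need from its declared dimensions, and refuse to run the full decoder when that exceeds a budget. The two inputs below are constructed; each is a 33-byte signature-plus-IHDR fragment, one declaring a 20000x20000 RGBA image.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Samples per pixel for each PNG colour type (greyscale, RGB, palette, grey+alpha, RGBA).
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def make_ihdr(width, height, bit_depth=8, color_type=6):
    """Build an IHDR chunk (constructed test data, not a real image file)."""
    body = struct.pack(">IIBBBBB", width, height, bit_depth, color_type, 0, 0, 0)
    chunk = b"IHDR" + body
    crc = struct.pack(">I", zlib.crc32(chunk) & 0xFFFFFFFF)
    return struct.pack(">I", len(body)) + chunk + crc


# Constructed inputs: both are tiny on disk, but one declares a 20000x20000 RGBA image.
SAMPLE_BOMB = PNG_SIGNATURE + make_ihdr(20000, 20000)
SAMPLE_SMALL = PNG_SIGNATURE + make_ihdr(640, 480)


def png_decoded_size(data):
    """Return (width, height, bytes) for the fully decoded image, read from IHDR only.

    No pixel data is inflated; only the 33-byte header is inspected.
    """
    if data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a well-formed IHDR")
    width, height, depth, color = struct.unpack(">IIBB", data[16:26])
    if width == 0 or height == 0 or color not in CHANNELS:
        raise ValueError("invalid IHDR fields")
    # Python ints do not overflow; a C implementation must guard this multiply.
    bytes_per_row = (width * CHANNELS[color] * depth + 7) // 8
    return width, height, bytes_per_row * height


def thumbnail_decode_allowed(data, budget_bytes=64 * 1024 * 1024):
    """Decide whether a thumbnailer may hand this file to the full decoder.

    The budget is applied to the decoded size, not the compressed file size,
    which is exactly the distinction a loader that always materializes the
    full-resolution image fails to make.
    """
    _, _, needed = png_decoded_size(data)
    return needed <= budget_bytes
```

The budget only bounds the first allocation; the scaling step the article mentions still needs its own limit, since downscaling can allocate intermediate buffers of its own.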
Presumably, a denial of service, at a minimum, can result from these
operations, though there may be other ways to exploit any program crashes
that result. Cox has a plan to see them get fixed:
Unfortunately they are well known but nobody seems to care. I'll forward
your message to the vendor security list and we'll see what happens.
Probably the bug just needs to be made *very* public to incentivise
people to fix it 8)
The vendor security list, often abbreviated vendor-sec, is a closed mailing
list for distribution security teams to exchange information about vulnerabilities in
various programs. It is closed so that bugs that are not publicly known
can be freely discussed. Whether Cox's posting to that list spurs any
action remains to be seen.
It is a rare week where LWN does not report some kind of image handling
botch as a new vulnerability. This week, a cups vulnerability in handling
PNG files could lead to a denial of service; last week we reported an Opera
vulnerability in handling images in HTML canvas elements that could
possibly lead to arbitrary code execution. Image handling
is an area where all bugs need to be scrutinized carefully for potential
security issues.
Hopefully, part of the problem is that the GNOME hackers did not realize
the security implications of the bugs. There has, however, been ample
complaint about the performance problems over the last six or eight years,
which should have been enough to get some kind of action. This is a set of
related bugs that have seemingly been overlooked for a long time. Perhaps
that time is now coming to an end.
New vulnerabilities
clamav: buffer overflows
Package(s): clamav
CVE #(s): CVE-2008-0314, CVE-2008-1100
Created: April 18, 2008
Updated: July 17, 2008
Description: Several remote vulnerabilities have been discovered in the Clam anti-virus toolkit.
clamav: multiple vulnerabilities
Package(s): clamav
CVE #(s): CVE-2008-1387, CVE-2008-1833, CVE-2008-1835, CVE-2008-1836, CVE-2008-1837
Created: April 18, 2008
Updated: July 17, 2008
Description: From the CVE entries:
ClamAV before 0.93 allows remote attackers to cause a denial of service (CPU consumption) via a crafted ARJ archive, as demonstrated by the PROTOS GENOME test suite for Archive Formats. (CVE-2008-1387)
Heap-based buffer overflow in libclamav in ClamAV 0.92.1 allows remote attackers to execute arbitrary code via a crafted WWPack compressed PE binary. (CVE-2008-1833)
ClamAV before 0.93 allows remote attackers to bypass the scanning engine via a RAR file with an invalid version number, which cannot be parsed by ClamAV but can be extracted by Winrar. (CVE-2008-1835)
The rfc2231 function in message.c in libclamav in ClamAV before 0.93 allows remote attackers to cause a denial of service (crash) via a crafted message that produces a string that is not null terminated, which triggers a buffer over-read. (CVE-2008-1836)
libclamunrar in ClamAV before 0.93 allows remote attackers to cause a denial of service (crash) via crafted RAR files that trigger "memory problems," as demonstrated by the PROTOS GENOME test suite for Archive Formats. (CVE-2008-1837)
cups: arbitrary code execution
Package(s): cups
CVE #(s): CVE-2008-1722
Created: April 21, 2008
Updated: December 22, 2008
Description: From the Gentoo advisory:
Thomas Pollet reported a possible integer overflow vulnerability in the
PNG image handling in the file filter/image-png.c.
A malicious user might be able to execute arbitrary code with the
privileges of the user running CUPS (usually lp), or cause a Denial of
Service by sending a specially crafted PNG image to the print server.
The vulnerability is exploitable via the network if CUPS is sharing
printers remotely.
dbmail: authentication bypass
Package(s): dbmail
CVE #(s): CVE-2007-6714
Created: April 21, 2008
Updated: May 21, 2008
Description: From the Gentoo advisory:
A vulnerability in DBMail's authldap module when used in conjunction
with an Active Directory server has been reported by vugluskr. When
passing a zero length password to the module, it tries to bind
anonymously to the LDAP server. If the LDAP server allows anonymous
binds, this bind succeeds and results in a successful authentication to
DBMail.
By passing an empty password string to the server, an attacker could be
able to log in to any account.
fedora-ds-admin: privilege escalation and arbitrary command execution
Package(s): fedora-ds-admin
CVE #(s): CVE-2008-0892, CVE-2008-0893
Created: April 22, 2008
Updated: April 23, 2008
Description: From the CVE entries:
The replication monitor CGI script (repl-monitor-cgi.pl) in Red Hat
Administration Server, as used by Red Hat Directory Server 8.0 EL4 and EL5,
allows remote attackers to execute arbitrary commands.
Red Hat Administration Server, as used by Red Hat Directory Server 8.0 EL4
and EL5, does not properly restrict access to CGI scripts, which allows
remote attackers to perform administrative actions.
feh: shell command injection
Package(s): feh
CVE #(s): (none listed)
Created: April 17, 2008
Updated: April 23, 2008
Description: feh has a vulnerability involving shell command injection
using specially crafted file names.
firefox: denial of service
Package(s): firefox
CVE #(s): CVE-2008-1380
Created: April 17, 2008
Updated: January 8, 2009
Description: From the Red Hat alert:
A flaw was found in the processing of malformed JavaScript content. A web
page containing such malicious content could cause Firefox to crash or,
potentially, execute arbitrary code as the user running Firefox.
ikiwiki: cross-site request forgery
Package(s): ikiwiki
CVE #(s): CVE-2008-0165
Created: April 21, 2008
Updated: June 2, 2008
Description: From the Debian advisory:
It has been discovered that ikiwiki, a Wiki implementation, does not
guard password and content changes against cross-site request forgery
(CSRF) attacks.
mplayer: arbitrary code execution
Package(s): mplayer
CVE #(s): CVE-2008-1558
Created: April 21, 2008
Updated: September 16, 2008
Description: From the Debian advisory:
It was discovered that the MPlayer movie player performs insufficient
input sanitising on SDP session data, leading to potential execution
of arbitrary code through a malformed multimedia stream.
mt-daapd: integer overflow
Package(s): mt-daapd
CVE #(s): CVE-2008-1771
Created: April 23, 2008
Updated: September 1, 2008
Description: The mt-daapd music server suffers from an integer overflow enabling remote denial of service attacks and possibly code execution.
openfire: denial of service
Package(s): openfire
CVE #(s): CVE-2008-1728
Created: April 23, 2008
Updated: April 23, 2008
Description: The openfire (formerly wildfire) Jabber server cannot cope with clients which fail to read messages, leading to a denial of service vulnerability.
openoffice.org: multiple vulnerabilities
Package(s): openoffice.org
CVE #(s): CVE-2007-5745, CVE-2007-5746, CVE-2007-5747, CVE-2008-0320
Created: April 17, 2008
Updated: September 10, 2008
Description: From the Debian alert:
CVE-2007-5745, CVE-2007-5747:
Several bugs have been discovered in the way OpenOffice.org parses
Quattro Pro files that may lead to an overflow in the heap
potentially leading to the execution of arbitrary code.
CVE-2007-5746:
Specially crafted EMF files can trigger a buffer overflow in the
heap that may lead to the execution of arbitrary code.
CVE-2008-0320:
A bug has been discovered in the processing of OLE files that can
cause a buffer overflow in the heap potentially leading to the
execution of arbitrary code.
php-toolkit: denial of service
Package(s): php-toolkit
CVE #(s): CVE-2008-1734
Created: April 18, 2008
Updated: April 23, 2008
Description: From the Gentoo advisory:
Toni Arnold, David Sveningsson, Michal Bartoszkiewicz, and Joseph reported
that php-select does not quote parameters passed to the "tr" command, which
could convert the "-D PHP5" argument in the "APACHE2_OPTS" setting in the
file /etc/conf.d/apache2 to lower case.
poppler: arbitrary code execution
Package(s): poppler
CVE #(s): CVE-2008-1693
Created: April 17, 2008
Updated: September 17, 2008
Description: From the Gentoo alert:
Poppler does not handle fonts inside PDF files safely, allowing for
execution of arbitrary code.
python2.4: arbitrary code execution
Package(s): python2.4
CVE #(s): CVE-2008-1887
Created: April 21, 2008
Updated: August 25, 2009
Description: From the Debian advisory:
CVE-2008-1887:
Justin Ferguson discovered that insufficient input validation in
PyString_FromStringAndSize() may lead to the execution of arbitrary
code.
speex: insufficient boundary checks
Package(s): speex
CVE #(s): CVE-2008-1686
Created: April 17, 2008
Updated: August 7, 2008
Description: The speex speech codec has insufficient boundary checking in
speex_packet_to_header().
sun java: multiple vulnerabilities
Package(s): sun-jre, sun-jdk
CVE #(s): CVE-2007-5689, CVE-2007-5237, CVE-2008-0628
Created: April 18, 2008
Updated: April 28, 2008
Description: From the CVE entries:
The Java Virtual Machine (JVM) in Sun Java Runtime Environment (JRE) in SDK and JRE 1.3.x through 1.3.1_20 and 1.4.x through 1.4.2_15, and JDK and JRE 5.x through 5.0 Update 12 and 6.x through 6 Update 2, allows remote attackers to execute arbitrary programs, or read or modify arbitrary files, via applets that grant privileges to themselves. (CVE-2007-5689)
Java Web Start in Sun JDK and JRE 6 Update 2 and earlier does not properly enforce access restrictions for untrusted applications, which allows user-assisted remote attackers to read and modify local files via an untrusted application, aka "two vulnerabilities." (CVE-2007-5237)
The XML parsing code in Sun Java Runtime Environment JDK and JRE 6 Update 3 and earlier processes external entity references even when the "external general entities" property is false, which allows remote attackers to conduct XML external entity (XXE) attacks and cause a denial of service or access restricted resources. (CVE-2008-0628)
suphp: privilege escalation
Package(s): suphp
CVE #(s): CVE-2008-1614
Created: April 18, 2008
Updated: April 23, 2008
Description: suPHP before 0.6.3 allows local users to gain privileges via (1) a race condition that involves multiple symlink changes to point a file owned by a different user, or (2) a symlink to the directory of a different user, which is used to determine privileges.
vlc: multiple vulnerabilities
Package(s): vlc
CVE #(s): CVE-2008-1881, CVE-2008-1489, CVE-2008-1768, CVE-2008-1769
Created: April 23, 2008
Updated: June 18, 2009
Description: The latest set of vulnerabilities in vlc include a stack-based buffer overflow in the subtitle code (CVE-2008-1881),
an integer overflow vulnerability in the MP4 code leading to a heap overflow (CVE-2008-1489),
more integer overflows (CVE-2008-1768),
and a "boundary error" in Cinepak leading to memory corruption (CVE-2008-1769).
WebKit: cross-site scripting and code execution
Package(s): WebKit
CVE #(s): CVE-2008-1010, CVE-2008-1011
Created: April 23, 2008
Updated: April 30, 2008
Description: The WebKit browser engine suffers from a buffer overflow leading to arbitrary code execution and a cross-site scripting vulnerability; some more information is available from this summary.
Page editor: Jake Edge