From owner-freebsd-ports-bugs@FreeBSD.ORG Fri Nov 21 05:50:02 2008
From: Eygene Ryabinkin
To: FreeBSD-gnats-submit@freebsd.org
X-GNATS-Notify: freebsd-security@freebsd.org, stas@freebsd.org
Date: Fri, 21 Nov 2008 08:41:24 +0300 (MSK)
Message-Id: <20081121054124.C219F1AF41B@void.codelabs.ru>
Subject: ports/129037: [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187

>Number:         129037
>Category:       ports
>Synopsis:       [patch] [vuxml] graphics/imlib2: fix CVE-2008-5187
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Nov 21 05:50:01 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator:     Eygene Ryabinkin
>Release:        FreeBSD 7.1-PRERELEASE i386
>Organization:
Code Labs
>Environment:
System: FreeBSD 7.1-PRERELEASE i386
>Description:
Secunia discovered an imlib2 vulnerability that can be used to execute
arbitrary code within an application that uses this library:
-----
The vulnerability is caused due to a pointer arithmetic error within the
"load()" function provided by the XPM loader. This can be exploited to
cause a heap-based buffer overflow via a specially crafted XPM file.

Successful exploitation may allow execution of arbitrary code.
-----
>How-To-Repeat:
http://secunia.com/Advisories/32796
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5187
>Fix:
The following patch adds the patch from Debian developers. It is supposed
to fix the issue.

--- fix-imlib2-1.4.1.000.diff begins here ---
diff -urN ./Makefile ../imlib2/Makefile
--- ./Makefile	2008-11-20 20:30:31.000000000 +0300
+++ ../imlib2/Makefile	2008-11-21 08:28:40.000000000 +0300
@@ -7,7 +7,7 @@ PORTNAME= imlib2 PORTVERSION= 1.4.1.000 -PORTREVISION= 0 +PORTREVISION= 1 PORTEPOCH= 2 CATEGORIES= graphics MASTER_SITES= ftp://ftp.springdaemons.com/pub/snapshots/e17/ \ diff -urN ./files/patch-CVE-2008-5187 ../imlib2/files/patch-CVE-2008-5187 --- ./files/patch-CVE-2008-5187 1970-01-01 03:00:00.000000000 +0300 +++ ../imlib2/files/patch-CVE-2008-5187 2008-11-21 08:24:16.000000000 +0300 @@ -0,0 +1,14 @@ +Obtained from: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505714#15 + +--- src/modules/loaders/loader_xpm.c ++++ src/modules/loaders/loader_xpm.c +@@ -246,8 +246,8 @@ + return 0; + } + ptr = im->data; +- end = ptr + (sizeof(DATA32) * w * h); + pixels = w * h; ++ end = ptr + pixels; + } + else + { --- fix-imlib2-1.4.1.000.diff ends here --- The following VuXML entry should be validated and added: --- vuln.xml begins here --- imlib2 -- XPM processing buffer overflow vulnerability imlib2 imlib2-nox11 1.4.1.000_1,2
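Review bot: the Makefile hunk's PORTREVISION bump from 0 to 1 (with PORTEPOCH 2) matches the version 1.4.1.000_1,2 named in the VuXML entry below, so the two halves of the submission agree on which package revision carries the fix.

Review bot: in the loader_xpm.c hunk, the correctness of `end = ptr + pixels;` depends on the ordering shown: the assignment now sits below `pixels = w * h;` because it reads that value, so it must not be moved back above it when the patch is regenerated. The old `end = ptr + (sizeof(DATA32) * w * h);` scaled twice, since ptr is a DATA32 * and pointer arithmetic on it already advances by sizeof(DATA32), which placed the bound sizeof(DATA32) times too far past the buffer. The `Obtained from:` header would be more useful if it also named CVE-2008-5187 and the upstream report (bugzilla.enlightenment.org bug 547, cited in the VuXML entry), so the provenance survives if the Debian URL changes.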

Secunia reports:

A vulnerability has been discovered in imlib2, which can be exploited by malicious people to potentially compromise an application using the library.

The vulnerability is caused due to a pointer arithmetic error within the "load()" function provided by the XPM loader. This can be exploited to cause a heap-based buffer overflow via a specially crafted XPM file.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is confirmed in version 1.4.2. Other versions may also be affected.

CVE-2008-5187
http://secunia.com/Advisories/32796
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505714#15
http://bugzilla.enlightenment.org/show_bug.cgi?id=547
2008-11-20
--- vuln.xml ends here ---

I see that the XPM loader is built and installed even for the nox11 version,
so I am including it in the vulnerable ports. imlib-1.9.15 seems to be
unaffected: it has the code in question, but it does memory manipulations
properly.

>Release-Note:
>Audit-Trail:
>Unformatted:
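The pointer-arithmetic error the advisory describes, shown as an added example (not code from imlib2, Debian or this PR): the pre-fix bound `ptr + sizeof(DATA32) * w * h` and the patched `ptr + pixels` are compared inside a simplified model of a loader fill loop, with a poisoned guard region after the image buffer to count how many pixels a crafted input writes past the end. The typedef of DATA32 as uint32_t and the loop structure are assumptions of this model, not imlib2's actual loader code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

typedef uint32_t DATA32;   /* imlib2's 32-bit pixel type (assumed definition) */
#define GUARD 64           /* poisoned pixels placed after the image buffer */
#define POISON 0xDEADBEEFu

/* Elements each bound allows past the start of the pixel buffer. The pre-fix
 * form multiplies by sizeof(DATA32) although ptr is a DATA32 *, whose
 * arithmetic already scales by the element size; the fix uses w * h. */
static size_t bound_buggy(int w, int h) { return sizeof(DATA32) * (size_t)w * (size_t)h; }
static size_t bound_fixed(int w, int h) { return (size_t)w * (size_t)h; }

/* Simplified model of a loader fill loop (not imlib2's actual code): copy up
 * to `avail` decoded pixels into a w*h image, stopping at the computed bound.
 * A crafted XPM can carry more pixel data than w*h, so `avail` may exceed the
 * buffer. GUARD poisoned pixels follow the image; the return value is how
 * many of them were overwritten (0 means the bound held). */
static size_t fill_and_count_overflow(size_t (*bound)(int, int),
                                      int w, int h, size_t avail)
{
    size_t pixels = (size_t)w * (size_t)h, total = pixels + GUARD;
    DATA32 *arena = calloc(total, sizeof(DATA32));
    if (!arena)
        return (size_t)-1;
    for (size_t i = pixels; i < total; i++)
        arena[i] = POISON;

    size_t limit = bound(w, h);   /* the loader's end bound, in elements */
    /* Index arithmetic plus the clamp to `total` keeps this model inside its
     * own allocation; the real loader had no such clamp. */
    for (size_t n = 0; n < avail && n < limit && n < total; n++)
        arena[n] = 0x00FF00FFu;   /* constructed pixel value */
    size_t clobbered = 0;
    for (size_t i = pixels; i < total; i++)
        if (arena[i] != POISON)
            clobbered++;
    free(arena);
    return clobbered;
}

int main(void)
{
    /* 4x4 image whose XPM data carries 40 pixels: 24 hit the guard with the old bound, none with the fix. */
    size_t bad = fill_and_count_overflow(bound_buggy, 4, 4, 40);
    size_t good = fill_and_count_overflow(bound_fixed, 4, 4, 40);
    return (bad == 24 && good == 0) ? 0 : 1;
}
```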