Please do not reply directly to this email. All additional
comments should be made in the comments box of this bug report.
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233705
Summary: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654)
Product: Fedora Extras
Version: fc6
Platform: All
OS/Version: Linux
Status: NEW
Severity: low
Priority: normal
Component: xmms
AssignedTo: paul(a)all-the-johnsons.co.uk
ReportedBy: ville.skytta(a)iki.fi
QAContact: extras-qa(a)fedoraproject.org
CC: fedora-security-list(a)redhat.com
Cloning RHEL bug for FE[56].
+++ This bug was initially created as a clone of Bug #228013 +++
Sven Krewitt of Secunia reported two flaws he discovered in the way XMMS handles
skin files. Here are the technical details provided by Sven:
--- Details ---
CVE-2007-0654
1) An integer underflow error exists when loading skin bitmap images,
which can be exploited to cause a stack-based buffer overflow via
specially crafted skin images containing manipulated header information.
The vulnerability is caused due to errors within "read_bmp()" in
xmms/bmp.c when loading skin bitmap images.
-- xmms/bmp.c --
GdkPixmap *read_bmp(gchar * filename)
[...]
fseek(file, 8, SEEK_CUR);
read_le_long(file, &offset); <-- [1]
read_le_long(file, &headSize);
[...]
else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
{
gint ncols, i;
ncols = offset - headSize - 14; <-- [2]
if (headSize == 12)
{
ncols = MIN(ncols / 3, 256);
for (i = 0; i < ncols; i++)
fread(&rgb_quads[i], 3, 1, file);
}
else
{
ncols = MIN(ncols / 4, 256);
fread(rgb_quads, 4, ncols, file); <-- [3]
[...]
-----
"offset" [1] is not properly verified before being used to calculate
"ncols" [2]. "bitcount" has to be set to a different value than 24,
16
or 32 (but can also be user controlled).
This can be exploited to cause a integer underflow,
resulting in a stack based buffer overflow, which can be used to
overwrite the return address of "read_bmp()" [3].
Successful exploitation allows execution of arbitrary code.
CVE-2007-0653
2) An integer overflow error exists when loading skin bitmap images.
This can be exploited to cause a memory corruption via specially crafted
skin images containing manipulated header information.
-- xmms/bmp.c --
GdkPixmap *read_bmp(gchar * filename)
[...]
else if (headSize == 40) /* BITMAPINFO */
{
guint16 tmp;
read_le_long(file, &w); <-- [4]
read_le_long(file, &h); <-- [4]
[...]
fseek(file, offset, SEEK_SET);
buffer = g_malloc(imgsize);
fread(buffer, imgsize, 1, file);
fclose(file);
data = g_malloc0((w * 3 * h) + 3); <-- [5]
if (bitcount == 1)
----
-- Additional comment from bressers(a)redhat.com on 2007-02-09 10:23 EST --
These flaws also affect RHEL2.1 and RHEL3
-- Additional comment from davidz(a)redhat.com on 2007-02-09 12:32 EST --
Are there patches for these yet?
-- Additional comment from bressers(a)redhat.com on 2007-02-09 13:19 EST --
There are no patches yet. I'm still trying to contact someone upstream about
this. If you have any upstream contacts, please let me know.
-- Additional comment from bressers(a)redhat.com on 2007-03-21 09:26 EST --
Lifting embargo
--
Configure bugmail:
https://bugzilla.redhat.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.