Your message dated Wed, 28 Mar 2007 19:02:02 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#416423: fixed in xmms 1:1.2.10+20061101-1etch1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: xmms
Version: 1:1.2.10+20070301-1
Severity: grave
Tags: patch, security

Two CVEs against XMMS exist:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0653
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0654

"Integer overflow in X MultiMedia System (xmms) 1.2.10, and possibly 
other versions, allows user-assisted remote attackers to execute 
arbitrary code via crafted header information in a skin bitmap image, 
which triggers memory corruption."

Attached is the patch being used in Ubuntu.

-- 
Kees Cook                                            @outflux.net
#! /bin/sh /usr/share/dpatch/dpatch-run
## 50-bmp-loader-overflows.dpatch by Kees Cook <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Patch to address integer underflow (CVE-2007-0654) and overflow
## DP: (CVE-2007-0653) in BMP loader.

@DPATCH@
diff -urNad xmms-1.2.10+20061201~/xmms/bmp.c xmms-1.2.10+20061201/xmms/bmp.c
--- xmms-1.2.10+20061201~/xmms/bmp.c    2006-07-10 07:59:36.000000000 -0700
+++ xmms-1.2.10+20061201/xmms/bmp.c     2007-03-26 18:57:33.893403289 -0700
@@ -19,6 +19,12 @@
  */
 #include "xmms.h"
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 struct rgb_quad
 {
        guchar rgbBlue;
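Review bot: `#if HAVE_STDINT_H` only takes the `<stdint.h>` branch if that macro is already defined here, which depends on `xmms.h` (included just above) pulling in the autoconf `config.h`; if it is not, the preprocessor treats the name as 0 and silently falls through to `#define UINT32_MAX 0xffffffffU`. The fallback value is correct for the 32-bit `guint32` used later, so the result is still right, but the dependency on `xmms.h` deserves a comment, or the test should be written as `#ifdef HAVE_STDINT_H` with a note that the fallback is the intended path on platforms without the header.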
@@ -183,7 +189,7 @@
        }
        else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
        {
-               gint ncols, i;
+               guint32 ncols, i;
 
                ncols = offset - headSize - 14;
                if (headSize == 12)
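Review bot: changing `ncols, i` from `gint` to `guint32` removes the signed underflow but does not by itself stop `ncols = offset - headSize - 14;` from wrapping when `offset < headSize + 14`; the result is then a value near `UINT32_MAX` instead of a negative one. Whether that is safe depends on the bound check in the elided lines after `if (headSize == 12)`, which this hunk does not show. An explicit `if (offset < headSize + 14) goto failure;` before the subtraction would make the intent visible in this hunk rather than relying on a later clamp.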
@@ -201,9 +207,16 @@
                }
        }
        fseek(file, offset, SEEK_SET);
+       /* verify buffer size */
+       if (!h || !w ||
+           w > (((UINT32_MAX - 3) / 3) / h) ||
+           h > (((UINT32_MAX - 3) / 3) / w)) {
+               g_warning("read_bmp(): width(%u)*height(%u) too large", w, h);
+               goto failure;
+       }
+       data = g_malloc0((w * 3 * h) + 3);      /* +3 is just for safety */
        buffer = g_malloc(imgsize);
        fread(buffer, imgsize, 1, file);
-       data = g_malloc0((w * 3 * h) + 3);      /* +3 is just for safety */
 
        if (bitcount == 1)
                read_1b_rgb(buffer, imgsize, data, w, h, rgb_quads);
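Review bot: the new check correctly bounds `w * 3 * h + 3` (the second comparison is implied by the first and could be dropped, though it is harmless), so the `g_malloc0` for `data` is now safe; what remains unchecked in the same hunk is `imgsize` and the `fread` result. `buffer = g_malloc(imgsize); fread(buffer, imgsize, 1, file);` allocates whatever size the header claims and ignores a short read, so a truncated file leaves the tail of `buffer` uninitialized before `read_1b_rgb(buffer, imgsize, data, w, h, rgb_quads)` decodes it. Suggest `if (fread(buffer, imgsize, 1, file) != 1) goto failure;` and an upper bound on `imgsize`, and confirm that the `failure` label frees `data` now that it is allocated before `buffer`.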

--- End Message ---
--- Begin Message ---
Source: xmms
Source-Version: 1:1.2.10+20061101-1etch1

We believe that the bug you reported is fixed in the latest version of
xmms, which is due to be installed in the Debian FTP archive:

xmms-dev_1.2.10+20061101-1etch1_i386.deb
  to pool/main/x/xmms/xmms-dev_1.2.10+20061101-1etch1_i386.deb
xmms_1.2.10+20061101-1etch1.diff.gz
  to pool/main/x/xmms/xmms_1.2.10+20061101-1etch1.diff.gz
xmms_1.2.10+20061101-1etch1.dsc
  to pool/main/x/xmms/xmms_1.2.10+20061101-1etch1.dsc
xmms_1.2.10+20061101-1etch1_i386.deb
  to pool/main/x/xmms/xmms_1.2.10+20061101-1etch1_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <[EMAIL PROTECTED]> (supplier of updated xmms package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 28 Mar 2007 09:03:00 +0200
Source: xmms
Binary: xmms-dev xmms
Architecture: source i386
Version: 1:1.2.10+20061101-1etch1
Distribution: testing-security
Urgency: high
Maintainer: Daniel Baumann <[EMAIL PROTECTED]>
Changed-By: Daniel Baumann <[EMAIL PROTECTED]>
Description: 
 xmms       - Versatile X audio player
 xmms-dev   - XMMS development static library and header files
Closes: 416423
Changes: 
 xmms (1:1.2.10+20061101-1etch1) testing-security; urgency=high
 .
   * Added patch from Kees Cook <[EMAIL PROTECTED]> to address integer underflow
     CVE-2007-0654 and overflow CVE-2007-0653 in BMP loader (Closes: #416423).
Files: 
 53f8f076ec0cf1d6885e54abfbcf8977 1015 sound optional xmms_1.2.10+20061101-1etch1.dsc
 6e9e688169b3544558982479c44b213d 3565455 sound optional xmms_1.2.10+20061101.orig.tar.gz
 c111f08ee57b9130c7ce74169bae1a53 118018 sound optional xmms_1.2.10+20061101-1etch1.diff.gz
 32d090355f079b7865baa1929fe6631b 2159502 sound optional xmms_1.2.10+20061101-1etch1_i386.deb
 73df76232bc6795b5fb7792ec403c8ad 448102 devel optional xmms-dev_1.2.10+20061101-1etch1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGCriF+C5cwEsrK54RAh1kAJ0cPvlqmtilRVx8y1qiVoNPyBLUaACfftBm
YmUHS2kjvhVGoCfIwzHnYrU=
=YviZ
-----END PGP SIGNATURE-----


--- End Message ---