Date: Thu, 12 Mar 2009 11:07:54 -0500
Subject: [oCERT-2008-015] glib and glib-predecessor heap overflows
From: Will Drewry <redpig@ocert.org.>
To: [email protected], [email protected],
[email protected]
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: antivirus-gw at tyumen.ru
#2008-015 glib and glib-predecessors heap overflows
Description:
Base64 encoding and decoding functions in glib suffer from
vulnerabilities during memory allocation which may result in arbitrary
code execution when processing large strings. A number of other
GNOME-related applications which predate glib are vulnerable due to the
commonality of this flawed code.
In all cases, heap memory is allocated using a length calculated with a
user-supplied, platform-specifc value. It follows the pattern below:
g_malloc(user_supplied_length * 3 / 4 + some_small_num)
Due to the evaluation order of arithmetic operations, the length is
multiplied by 3 prior to division by 4. This will allow the calculated
argument used for allocation length to overflow resulting in a region
which is smaller than expected.
Patches:
glib
http://ocert.org/patches/2008-015/glib-CVE-2008-4316.diff
gst-plugins-base
http://ocert.org/patches/2008-015/gst-plugins-base-CVE-2009-0586.diff
evolution-data-server
http://ocert.org/patches/2008-015/camel-CVE-2009-0587.diffhttp://ocert.org/patches/2008-015/evc-CVE-2009-0587.diff
libsoup
http://ocert.org/patches/2008-015/libsoup-base64-CVE-2009-0585.diff
Affected version:
(actively affected)
glib >=3D 2.11 unstable
glib >=3D 2.12 stable
gstreamer-plugins-base < 0.10.23
(older versions affected only)
libsoup < 2.2.x
libsoup < 2.24
evolution-data-server < 2.24.5
Fixed version:
glib >=3D 2.20 (svn revision >=3D 7973)
gstreamer-plugins-base >=3D 0.10.23
(Other identified packages are unaffected in current versions.)
Credit: vulnerability report and initial analysis received from
Diego Petten=F2 <flameeyes (at) gmail.com> with
extended analysis, vulnerabilities, and patches for libsoup,
gst-plugins-base, and evolution-data-server from
Tomas Hoger <thoger (at) redhat.com>.
CVE: CVE-2008-4316 (glib),
CVE-2009-0585 (libsoup),
CVE-2009-0586 (gstreamer-plugins-base),
CVE-2009-0587 (evolution-data-server)
Timeline:
2008-10-22: vulnerability report received
2008-11-11: failed to contact gnome-upstream privately (ml, bugs)
2008-11-27: contacted vendor-sec as gnome-upstream
2008-11-28: thoger confirms and assigns initial CVE
2008-11-29: flameeyes notes other potentially affected libraries
2008-12-05: thoger supplies glib patch expands scope to include eds, gst
2009-01-14: patch review by mclasen; thoger analysis eds, soup
2009-01-26: gst-plugins-base detailed analysis by thoger
2009-02-22: gstreamer upstream contacted
2009-03-03: gst-plugins-base patch from upstream
2009-03-04: evolution data server lead contacted
2009-03-05: final embargo lift date settled
2009-03-12: glib. gst upstream patches public; advisory published
References:
glib update
http://svn.gnome.org/viewvc/glib?view=3Drevision&revision=3D7973
gst-plugins-base update
http://cgit.freedesktop.org/gstreamer/gst-plugins-base/commit/?id=3D56658=
3e87147f774e7fc4c78b5f7e61d427e40a9
http://www.gtk.org/
http://www.gstreamer.net/
http://www.go-evolution.org/Main_Page
http://live.gnome.org/LibSoup
http://www.go-evolution.org/Camel
Permalink:
http://www.ocert.org/advisories/ocert-2008-015.html
--
Will Drewry <redpig@ocert.org.>
oCERT Team :: http://ocert.org