The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


[oCERT-2008-015] glib and glib-predecessor heap overflows


<< Previous INDEX Search src / Print Next >>
Date: Thu, 12 Mar 2009 11:07:54 -0500
Subject: [oCERT-2008-015] glib and glib-predecessor heap overflows
From: Will Drewry <redpig@ocert.org.>
To: [email protected], [email protected],
        [email protected]
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
X-Virus-Scanned: antivirus-gw at tyumen.ru

#2008-015 glib and glib-predecessors heap overflows

Description:

Base64 encoding and decoding functions in glib suffer from
vulnerabilities during memory allocation which may result in arbitrary
code execution when processing large strings.  A number of other
GNOME-related applications which predate glib are vulnerable due to the
commonality of this flawed code.

In all cases, heap memory is allocated using a length calculated with a
user-supplied, platform-specifc value.  It follows the pattern below:

  g_malloc(user_supplied_length * 3 / 4 + some_small_num)

Due to the evaluation order of arithmetic operations, the length is
multiplied by 3 prior to division by 4.  This will allow the calculated
argument used for allocation length to overflow resulting in a region
which is smaller than expected.


Patches:
glib
  http://ocert.org/patches/2008-015/glib-CVE-2008-4316.diff
gst-plugins-base
  http://ocert.org/patches/2008-015/gst-plugins-base-CVE-2009-0586.diff
evolution-data-server
  http://ocert.org/patches/2008-015/camel-CVE-2009-0587.diff
  http://ocert.org/patches/2008-015/evc-CVE-2009-0587.diff
libsoup
  http://ocert.org/patches/2008-015/libsoup-base64-CVE-2009-0585.diff


Affected version:

(actively affected)
glib >=3D 2.11 unstable
glib >=3D 2.12 stable
gstreamer-plugins-base < 0.10.23

(older versions affected only)
libsoup < 2.2.x
libsoup < 2.24
evolution-data-server < 2.24.5


Fixed version:

glib >=3D 2.20 (svn revision >=3D 7973)
gstreamer-plugins-base >=3D 0.10.23

(Other identified packages are unaffected in current versions.)


Credit: vulnerability report and initial analysis received from
        Diego Petten=F2 <flameeyes (at) gmail.com> with
        extended analysis, vulnerabilities, and patches for libsoup,
        gst-plugins-base, and evolution-data-server from
        Tomas Hoger <thoger (at) redhat.com>.


CVE: CVE-2008-4316 (glib),
     CVE-2009-0585 (libsoup),
     CVE-2009-0586 (gstreamer-plugins-base),
     CVE-2009-0587 (evolution-data-server)


Timeline:

2008-10-22: vulnerability report received
2008-11-11: failed to contact gnome-upstream privately (ml, bugs)
2008-11-27: contacted vendor-sec as gnome-upstream
2008-11-28: thoger confirms and assigns initial CVE
2008-11-29: flameeyes notes other potentially affected libraries
2008-12-05: thoger supplies glib patch expands scope to include eds, gst
2009-01-14: patch review by mclasen; thoger analysis eds, soup
2009-01-26: gst-plugins-base detailed analysis by thoger
2009-02-22: gstreamer upstream contacted
2009-03-03: gst-plugins-base patch from upstream
2009-03-04: evolution data server lead contacted
2009-03-05: final embargo lift date settled
2009-03-12: glib. gst upstream patches public; advisory published

References:
glib update
  http://svn.gnome.org/viewvc/glib?view=3Drevision&revision=3D7973
gst-plugins-base update
  http://cgit.freedesktop.org/gstreamer/gst-plugins-base/commit/?id=3D56658=
3e87147f774e7fc4c78b5f7e61d427e40a9
http://www.gtk.org/
http://www.gstreamer.net/
http://www.go-evolution.org/Main_Page
http://live.gnome.org/LibSoup
http://www.go-evolution.org/Camel

Permalink:
http://www.ocert.org/advisories/ocert-2008-015.html

--
Will Drewry <redpig@ocert.org.>
oCERT Team :: http://ocert.org


<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2024 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру