Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Thu, 12 Mar 2009 11:07:54 -0500
From: Will Drewry <redpig@...rt.org>
To: oss-security@...ts.openwall.com, ocert-announce@...ts.ocert.org, 
	bugtraq@...urityfocus.com
Subject: [oCERT-2008-015] glib and glib-predecessor heap overflows

#2008-015 glib and glib-predecessors heap overflows

Description:

Base64 encoding and decoding functions in glib suffer from
vulnerabilities during memory allocation which may result in arbitrary
code execution when processing large strings.  A number of other
GNOME-related applications which predate glib are vulnerable due to the
commonality of this flawed code.

In all cases, heap memory is allocated using a length calculated with a
user-supplied, platform-specifc value.  It follows the pattern below:

  g_malloc(user_supplied_length * 3 / 4 + some_small_num)

Due to the evaluation order of arithmetic operations, the length is
multiplied by 3 prior to division by 4.  This will allow the calculated
argument used for allocation length to overflow resulting in a region
which is smaller than expected.


Patches:
glib
  http://ocert.org/patches/2008-015/glib-CVE-2008-4316.diff
gst-plugins-base
  http://ocert.org/patches/2008-015/gst-plugins-base-CVE-2009-0586.diff
evolution-data-server
  http://ocert.org/patches/2008-015/camel-CVE-2009-0587.diff
  http://ocert.org/patches/2008-015/evc-CVE-2009-0587.diff
libsoup
  http://ocert.org/patches/2008-015/libsoup-base64-CVE-2009-0585.diff


Affected version:

(actively affected)
glib >= 2.11 unstable
glib >= 2.12 stable
gstreamer-plugins-base < 0.10.23

(older versions affected only)
libsoup < 2.2.x
libsoup < 2.24
evolution-data-server < 2.24.5


Fixed version:

glib >= 2.20 (svn revision >= 7973)
gstreamer-plugins-base >= 0.10.23

(Other identified packages are unaffected in current versions.)


Credit: vulnerability report and initial analysis received from
        Diego Pettenò <flameeyes (at) gmail.com> with
        extended analysis, vulnerabilities, and patches for libsoup,
        gst-plugins-base, and evolution-data-server from
        Tomas Hoger <thoger (at) redhat.com>.


CVE: CVE-2008-4316 (glib),
     CVE-2009-0585 (libsoup),
     CVE-2009-0586 (gstreamer-plugins-base),
     CVE-2009-0587 (evolution-data-server)


Timeline:

2008-10-22: vulnerability report received
2008-11-11: failed to contact gnome-upstream privately (ml, bugs)
2008-11-27: contacted vendor-sec as gnome-upstream
2008-11-28: thoger confirms and assigns initial CVE
2008-11-29: flameeyes notes other potentially affected libraries
2008-12-05: thoger supplies glib patch expands scope to include eds, gst
2009-01-14: patch review by mclasen; thoger analysis eds, soup
2009-01-26: gst-plugins-base detailed analysis by thoger
2009-02-22: gstreamer upstream contacted
2009-03-03: gst-plugins-base patch from upstream
2009-03-04: evolution data server lead contacted
2009-03-05: final embargo lift date settled
2009-03-12: glib. gst upstream patches public; advisory published

References:
glib update
  http://svn.gnome.org/viewvc/glib?view=revision&revision=7973
gst-plugins-base update
  http://cgit.freedesktop.org/gstreamer/gst-plugins-base/commit/?id=566583e87147f774e7fc4c78b5f7e61d427e40a9
http://www.gtk.org/
http://www.gstreamer.net/
http://www.go-evolution.org/Main_Page
http://live.gnome.org/LibSoup
http://www.go-evolution.org/Camel

Permalink:
http://www.ocert.org/advisories/ocert-2008-015.html

--
Will Drewry <redpig@...rt.org>
oCERT Team :: http://ocert.org

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ