Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <2359eed20903120907w1dc963e9yc21cdb29049a7dca@mail.gmail.com>
Date: Thu, 12 Mar 2009 11:07:54 -0500
From: Will Drewry <redpig@...rt.org>
To: oss-security@...ts.openwall.com, ocert-announce@...ts.ocert.org, 
	bugtraq@...urityfocus.com
Subject: [oCERT-2008-015] glib and glib-predecessor heap overflows

#2008-015 glib and glib-predecessors heap overflows

Description:

Base64 encoding and decoding functions in glib suffer from
vulnerabilities during memory allocation which may result in arbitrary
code execution when processing large strings.  A number of other
GNOME-related applications which predate glib are vulnerable due to the
commonality of this flawed code.

In all cases, heap memory is allocated using a length calculated with a
user-supplied, platform-specifc value.  It follows the pattern below:

  g_malloc(user_supplied_length * 3 / 4 + some_small_num)

Due to the evaluation order of arithmetic operations, the length is
multiplied by 3 prior to division by 4.  This will allow the calculated
argument used for allocation length to overflow resulting in a region
which is smaller than expected.


Patches:
glib
  http://ocert.org/patches/2008-015/glib-CVE-2008-4316.diff
gst-plugins-base
  http://ocert.org/patches/2008-015/gst-plugins-base-CVE-2009-0586.diff
evolution-data-server
  http://ocert.org/patches/2008-015/camel-CVE-2009-0587.diff
  http://ocert.org/patches/2008-015/evc-CVE-2009-0587.diff
libsoup
  http://ocert.org/patches/2008-015/libsoup-base64-CVE-2009-0585.diff


Affected version:

(actively affected)
glib >= 2.11 unstable
glib >= 2.12 stable
gstreamer-plugins-base < 0.10.23

(older versions affected only)
libsoup < 2.2.x
libsoup < 2.24
evolution-data-server < 2.24.5


Fixed version:

glib >= 2.20 (svn revision >= 7973)
gstreamer-plugins-base >= 0.10.23

(Other identified packages are unaffected in current versions.)


Credit: vulnerability report and initial analysis received from
        Diego Pettenò <flameeyes (at) gmail.com> with
        extended analysis, vulnerabilities, and patches for libsoup,
        gst-plugins-base, and evolution-data-server from
        Tomas Hoger <thoger (at) redhat.com>.


CVE: CVE-2008-4316 (glib),
     CVE-2009-0585 (libsoup),
     CVE-2009-0586 (gstreamer-plugins-base),
     CVE-2009-0587 (evolution-data-server)


Timeline:

2008-10-22: vulnerability report received
2008-11-11: failed to contact gnome-upstream privately (ml, bugs)
2008-11-27: contacted vendor-sec as gnome-upstream
2008-11-28: thoger confirms and assigns initial CVE
2008-11-29: flameeyes notes other potentially affected libraries
2008-12-05: thoger supplies glib patch expands scope to include eds, gst
2009-01-14: patch review by mclasen; thoger analysis eds, soup
2009-01-26: gst-plugins-base detailed analysis by thoger
2009-02-22: gstreamer upstream contacted
2009-03-03: gst-plugins-base patch from upstream
2009-03-04: evolution data server lead contacted
2009-03-05: final embargo lift date settled
2009-03-12: glib. gst upstream patches public; advisory published

References:
glib update
  http://svn.gnome.org/viewvc/glib?view=revision&revision=7973
gst-plugins-base update
  http://cgit.freedesktop.org/gstreamer/gst-plugins-base/commit/?id=566583e87147f774e7fc4c78b5f7e61d427e40a9
http://www.gtk.org/
http://www.gstreamer.net/
http://www.go-evolution.org/Main_Page
http://live.gnome.org/LibSoup
http://www.go-evolution.org/Camel

Permalink:
http://www.ocert.org/advisories/ocert-2008-015.html

--
Will Drewry <redpig@...rt.org>
oCERT Team :: http://ocert.org

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.