Date: Thu, 12 Mar 2009 11:07:54 -0500
From: Will Drewry <redpig@...rt.org>
To: oss-security@...ts.openwall.com, ocert-announce@...ts.ocert.org, bugtraq@...urityfocus.com
Subject: [oCERT-2008-015] glib and glib-predecessor heap overflows

#2008-015 glib and glib-predecessors heap overflows

Description:

Base64 encoding and decoding functions in glib suffer from vulnerabilities during memory allocation which may result in arbitrary code execution when processing large strings. A number of other GNOME-related applications which predate glib are vulnerable due to the commonality of this flawed code.

In all cases, heap memory is allocated using a length calculated with a user-supplied, platform-specific value. It follows the pattern below:

  g_malloc(user_supplied_length * 3 / 4 + some_small_num)

Due to the evaluation order of arithmetic operations, the length is multiplied by 3 prior to division by 4. This allows the calculated allocation length to overflow, resulting in a region which is smaller than expected.

Patches:

glib
  http://ocert.org/patches/2008-015/glib-CVE-2008-4316.diff

gst-plugins-base
  http://ocert.org/patches/2008-015/gst-plugins-base-CVE-2009-0586.diff

evolution-data-server
  http://ocert.org/patches/2008-015/camel-CVE-2009-0587.diff
  http://ocert.org/patches/2008-015/evc-CVE-2009-0587.diff

libsoup
  http://ocert.org/patches/2008-015/libsoup-base64-CVE-2009-0585.diff

Affected version:

(actively affected)
  glib >= 2.11 unstable
  glib >= 2.12 stable
  gstreamer-plugins-base < 0.10.23

(older versions affected only)
  libsoup < 2.2.x
  libsoup < 2.24
  evolution-data-server < 2.24.5

Fixed version:

  glib >= 2.20 (svn revision >= 7973)
  gstreamer-plugins-base >= 0.10.23

(Other identified packages are unaffected in current versions.)
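The arithmetic problem above is easy to reproduce in isolation. The following is an added illustration, not code from the advisory, glib or any of the patched projects: it computes the allocation size with the flawed `len * 3 / 4 + slack` expression next to a form that divides before multiplying, using a fixed 32-bit width (an assumption standing in for size_t on a 32-bit platform) so the wrap is reproducible on any host. The function names and the constant B64_SLACK are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Stands in for the advisory's "some_small_num" (assumed value). */
#define B64_SLACK 3u

/* Flawed pattern: len * 3 is evaluated before / 4, so the product wraps
 * for large inputs and the computed buffer size ends up far smaller than
 * the decoded data needs. */
uint32_t flawed_decode_alloc_len32(uint32_t len)
{
    return len * 3u / 4u + B64_SLACK;
}

/* Hardened form (illustrative, not the project's actual patch): compute
 * floor(len*3/4) without any intermediate exceeding len, then check the
 * final addition. Returns 0 when the size is not representable; 0 is never
 * a valid result here because the slack is always added. */
uint32_t safe_decode_alloc_len32(uint32_t len)
{
    /* floor(len*3/4) == (len/4)*3 + ((len%4)*3)/4; both terms are <= len,
     * and their sum is <= 3/4 of the range, so nothing can wrap. */
    uint32_t base = (len / 4u) * 3u + ((len % 4u) * 3u) / 4u;
    if (base > UINT32_MAX - B64_SLACK)
        return 0;  /* defensive: the addition of the slack would wrap */
    return base + B64_SLACK;
}

int main(void)
{
    /* 1.5 GiB of input: large enough that len*3 exceeds 32 bits. */
    uint32_t len = 0x60000000u;
    printf("input length      : %" PRIu32 "\n", len);
    printf("flawed alloc size : %" PRIu32 "\n", flawed_decode_alloc_len32(len));
    printf("correct alloc size: %" PRIu32 "\n", safe_decode_alloc_len32(len));
    return 0;
}
```

For small inputs both functions agree; once `len * 3` crosses 2^32 the flawed version returns a size smaller than the input itself, which is exactly the undersized heap region the advisory describes. A reviewer checking a base64 decoder for this class of bug looks for any `n * k / m` size expression where `n` is attacker-controlled and the multiplication is not guarded.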
Credit: vulnerability report and initial analysis received from Diego Pettenò <flameeyes (at) gmail.com> with extended analysis, vulnerabilities, and patches for libsoup, gst-plugins-base, and evolution-data-server from Tomas Hoger <thoger (at) redhat.com>.

CVE: CVE-2008-4316 (glib), CVE-2009-0585 (libsoup), CVE-2009-0586 (gstreamer-plugins-base), CVE-2009-0587 (evolution-data-server)

Timeline:

2008-10-22: vulnerability report received
2008-11-11: failed to contact gnome-upstream privately (ml, bugs)
2008-11-27: contacted vendor-sec as gnome-upstream
2008-11-28: thoger confirms and assigns initial CVE
2008-11-29: flameeyes notes other potentially affected libraries
2008-12-05: thoger supplies glib patch; expands scope to include eds, gst
2009-01-14: patch review by mclasen; thoger analysis eds, soup
2009-01-26: gst-plugins-base detailed analysis by thoger
2009-02-22: gstreamer upstream contacted
2009-03-03: gst-plugins-base patch from upstream
2009-03-04: evolution data server lead contacted
2009-03-05: final embargo lift date settled
2009-03-12: glib, gst upstream patches public; advisory published

References:

glib update
  http://svn.gnome.org/viewvc/glib?view=revision&revision=7973

gst-plugins-base update
  http://cgit.freedesktop.org/gstreamer/gst-plugins-base/commit/?id=566583e87147f774e7fc4c78b5f7e61d427e40a9

http://www.gtk.org/
http://www.gstreamer.net/
http://www.go-evolution.org/Main_Page
http://live.gnome.org/LibSoup
http://www.go-evolution.org/Camel

Permalink:
http://www.ocert.org/advisories/ocert-2008-015.html

-- 
Will Drewry <redpig@...rt.org>
oCERT Team :: http://ocert.org