Package: xmms
Version: 1:1.2.10+20070301-1
Severity: grave
Tags: patch, security
Two CVEs against XMMS exist:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0653
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0654
"Integer overflow in X MultiMedia System (xmms) 1.2.10, and possibly
other versions, allows user-assisted remote attackers to execute
arbitrary code via crafted header information in a skin bitmap image,
which triggers memory corruption."
Attached is the patch being used in Ubuntu.
--
Kees Cook @outflux.net
#! /bin/sh /usr/share/dpatch/dpatch-run
## 50-bmp-loader-overflows.dpatch by Kees Cook <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Patch to address integer underflow (CVE-2007-0654) and overflow
## DP: (CVE-2007-0653) in BMP loader.
@DPATCH@
diff -urNad xmms-1.2.10+20061201~/xmms/bmp.c xmms-1.2.10+20061201/xmms/bmp.c
--- xmms-1.2.10+20061201~/xmms/bmp.c 2006-07-10 07:59:36.000000000 -0700
+++ xmms-1.2.10+20061201/xmms/bmp.c 2007-03-26 18:57:33.893403289 -0700
@@ -19,6 +19,12 @@
*/
#include "xmms.h"
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
struct rgb_quad
{
guchar rgbBlue;
@@ -183,7 +189,7 @@
}
else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
{
- gint ncols, i;
+ guint32 ncols, i;
ncols = offset - headSize - 14;
if (headSize == 12)
@@ -201,9 +207,16 @@
}
}
fseek(file, offset, SEEK_SET);
+ /* verify buffer size */
+ if (!h || !w ||
+ w > (((UINT32_MAX - 3) / 3) / h) ||
+ h > (((UINT32_MAX - 3) / 3) / w)) {
+ g_warning("read_bmp(): width(%u)*height(%u) too large", w, h);
+ goto failure;
+ }
+ data = g_malloc0((w * 3 * h) + 3); /* +3 is just for safety */
buffer = g_malloc(imgsize);
fread(buffer, imgsize, 1, file);
- data = g_malloc0((w * 3 * h) + 3); /* +3 is just for safety */
if (bitcount == 1)
read_1b_rgb(buffer, imgsize, data, w, h, rgb_quads);
