Your message dated Wed, 28 Mar 2007 07:32:03 +0000
with message-id <[EMAIL PROTECTED]>
and subject line Bug#416423: fixed in xmms 1:1.2.10+20070301-2
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: xmms
Version: 1:1.2.10+20070301-1
Severity: grave
Tags: patch, security

Two CVEs against XMMS exist:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0653
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0654

"Integer overflow in X MultiMedia System (xmms) 1.2.10, and possibly 
other versions, allows user-assisted remote attackers to execute 
arbitrary code via crafted header information in a skin bitmap image, 
which triggers memory corruption."

Attached is the patch being used in Ubuntu.

-- 
Kees Cook                                            @outflux.net
#! /bin/sh /usr/share/dpatch/dpatch-run
## 50-bmp-loader-overflows.dpatch by Kees Cook <[EMAIL PROTECTED]>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Patch to address integer underflow (CVE-2007-0654) and overflow
## DP: (CVE-2007-0653) in BMP loader.

@DPATCH@
diff -urNad xmms-1.2.10+20061201~/xmms/bmp.c xmms-1.2.10+20061201/xmms/bmp.c
--- xmms-1.2.10+20061201~/xmms/bmp.c    2006-07-10 07:59:36.000000000 -0700
+++ xmms-1.2.10+20061201/xmms/bmp.c     2007-03-26 18:57:33.893403289 -0700
@@ -19,6 +19,12 @@
  */
 #include "xmms.h"
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(UINT32_MAX)
+#define UINT32_MAX 0xffffffffU
+#endif
+
 struct rgb_quad
 {
        guchar rgbBlue;
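Review bot: `#if HAVE_STDINT_H` at the top of the hunk silently takes the fallback branch whenever the macro is not visible at this point, which depends on the configure-generated header being pulled in by `xmms.h` just above; `#ifdef HAVE_STDINT_H` (or including the config header explicitly before the test) makes that dependency visible and avoids a `-Wundef` warning. A one-line comment that the fallback `#define UINT32_MAX 0xffffffffU` exists only to serve the bound check added later in the file would also help the next reader understand why a BMP loader grows a stdint shim.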
@@ -183,7 +189,7 @@
        }
        else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
        {
-               gint ncols, i;
+               guint32 ncols, i;
 
                ncols = offset - headSize - 14;
                if (headSize == 12)
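Review bot: changing `ncols` and `i` to `guint32` does not by itself stop `ncols = offset - headSize - 14;` from wrapping when `offset` is smaller than `headSize + 14`; the formerly negative count simply becomes a very large unsigned one. If the intent is that a later comparison now rejects that large value, a comment here should say so; otherwise an explicit `if (offset < headSize + 14) goto failure;` before the subtraction states the precondition directly and keeps the division and read loop that follow from ever running on a wrapped count.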
@@ -201,9 +207,16 @@
                }
        }
        fseek(file, offset, SEEK_SET);
+       /* verify buffer size */
+       if (!h || !w ||
+           w > (((UINT32_MAX - 3) / 3) / h) ||
+           h > (((UINT32_MAX - 3) / 3) / w)) {
+               g_warning("read_bmp(): width(%u)*height(%u) too large", w, h);
+               goto failure;
+       }
+       data = g_malloc0((w * 3 * h) + 3);      /* +3 is just for safety */
        buffer = g_malloc(imgsize);
        fread(buffer, imgsize, 1, file);
-       data = g_malloc0((w * 3 * h) + 3);      /* +3 is just for safety */
 
        if (bitcount == 1)
                read_1b_rgb(buffer, imgsize, data, w, h, rgb_quads);
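Review bot: the return value of `fread(buffer, imgsize, 1, file);` is still unchecked, so a truncated file leaves `buffer` (allocated with `g_malloc`, not `g_malloc0`) partly uninitialised before it is handed to `read_1b_rgb()` and the other decoders; `if (fread(buffer, imgsize, 1, file) != 1) goto failure;` would close that. Minor: the two halves of the new condition, `w > ((UINT32_MAX - 3) / 3) / h` and `h > ((UINT32_MAX - 3) / 3) / w`, are equivalent once `w` and `h` are known to be non-zero, so one of them suffices; and since `imgsize` is not validated against `w`, `h` and the bit depth anywhere in this hunk, the decoders must keep honouring the `imgsize` bound they are passed.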

--- End Message ---
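The report above describes two size computations the BMP loader derives from untrusted header fields: the pixel buffer (`w * 3 * h + 3`, which can overflow) and the palette entry count (`offset - headSize - 14`, which can underflow). The following is an added example written for this page, not code from xmms, from the Ubuntu patch or from the reporter: the same two computations as stand-alone, overflow-safe functions, exercised on constructed header values. The only assumption beyond the BMP format itself is the 256-entry palette bound, which is the most an 8-bits-per-pixel image can reference.

```c
/* Added example (not part of xmms or of the Ubuntu patch): overflow-safe
 * versions of the two header-derived sizes a BMP loader has to bound-check.
 *   pixel buffer : w * 3 * h + 3           (overflow,  CVE-2007-0653 class)
 *   palette count: (offset - headSize - 14) (underflow, CVE-2007-0654 class)
 */
#include <stdint.h>
#include <stdio.h>

#define BMP_FILE_HEADER_SIZE 14u  /* BITMAPFILEHEADER precedes the info header */
#define BMP_MAX_PALETTE      256u /* assumed decoder bound: 2^8 entries at 8 bpp */

/* Byte count of the w*3*h (+3 slack) pixel buffer the loader allocates.
 * Returns 0 when a dimension is zero or the product would not fit in 32 bits;
 * a wrapped size would otherwise yield a tiny allocation that the decoder
 * overruns. A valid result is never 0, since w,h >= 1 gives at least 6. */
uint32_t bmp_pixel_buffer_size(uint32_t w, uint32_t h)
{
    const uint32_t max_pixels = (UINT32_MAX - 3u) / 3u; /* largest w*h allowed */

    if (w == 0 || h == 0)
        return 0;
    /* w > max_pixels / h  <=>  w * h > max_pixels, tested without overflowing */
    if (w > max_pixels / h)
        return 0;
    return w * 3u * h + 3u;
}

/* Palette entry count from the pixel-data offset and the info header size:
 * (offset - head_size - 14) / entry_size, with 3-byte entries for the 12-byte
 * OS/2 header and 4-byte entries otherwise. Returns the count, or -1 when the
 * offset lies inside the headers (the subtraction would underflow) or more
 * entries are claimed than a palette can hold. */
long bmp_palette_count(uint32_t offset, uint32_t head_size)
{
    const uint32_t entry_size = (head_size == 12u) ? 3u : 4u;
    uint32_t n;

    if (head_size > UINT32_MAX - BMP_FILE_HEADER_SIZE) /* keep the sum from wrapping */
        return -1;
    if (offset < head_size + BMP_FILE_HEADER_SIZE)     /* subtraction would underflow */
        return -1;
    n = (offset - head_size - BMP_FILE_HEADER_SIZE) / entry_size;
    if (n > BMP_MAX_PALETTE)
        return -1;
    return (long)n;
}

int main(void)
{
    /* Constructed header values for illustration, not taken from any real skin. */
    struct { const char *label; uint32_t w, h; } dims[] = {
        { "64x64 skin element",          64u,         64u },
        { "wraps to 3 bytes unchecked",  0x40000000u, 4u  }, /* 0x40000000*3*4 = 0x300000000 */
        { "largest fitting product",     1431655764u, 1u  },
    };
    struct { const char *label; uint32_t offset, head; } pal[] = {
        { "8bpp Windows BMP, 256 colours", 1078u, 40u },
        { "offset inside headers",         20u,   40u },
        { "OS/2 header, 16 colours",       74u,   12u },
    };
    size_t i;

    for (i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        uint32_t checked = bmp_pixel_buffer_size(dims[i].w, dims[i].h);
        uint32_t naive = dims[i].w * 3u * dims[i].h + 3u; /* what unchecked code computes */
        printf("%-30s checked=%u naive=%u\n", dims[i].label, checked, naive);
    }
    for (i = 0; i < sizeof pal / sizeof pal[0]; i++)
        printf("%-30s ncols=%ld\n", pal[i].label,
               bmp_palette_count(pal[i].offset, pal[i].head));
    return 0;
}
```

The `naive` column in the output shows why the check matters: a 0x40000000 by 4 image produces a 3-byte allocation under plain 32-bit arithmetic, while the checked function refuses it outright.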
--- Begin Message ---
Source: xmms
Source-Version: 1:1.2.10+20070301-2

We believe that the bug you reported is fixed in the latest version of
xmms, which is due to be installed in the Debian FTP archive:

xmms-dev_1.2.10+20070301-2_i386.deb
  to pool/main/x/xmms/xmms-dev_1.2.10+20070301-2_i386.deb
xmms_1.2.10+20070301-2.diff.gz
  to pool/main/x/xmms/xmms_1.2.10+20070301-2.diff.gz
xmms_1.2.10+20070301-2.dsc
  to pool/main/x/xmms/xmms_1.2.10+20070301-2.dsc
xmms_1.2.10+20070301-2_i386.deb
  to pool/main/x/xmms/xmms_1.2.10+20070301-2_i386.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Daniel Baumann <[EMAIL PROTECTED]> (supplier of updated xmms package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.7
Date: Wed, 28 Mar 2007 09:03:00 +0200
Source: xmms
Binary: xmms-dev xmms
Architecture: source i386
Version: 1:1.2.10+20070301-2
Distribution: unstable
Urgency: high
Maintainer: Daniel Baumann <[EMAIL PROTECTED]>
Changed-By: Daniel Baumann <[EMAIL PROTECTED]>
Description: 
 xmms       - Versatile X audio player
 xmms-dev   - XMMS development static library and header files
Closes: 416423
Changes: 
 xmms (1:1.2.10+20070301-2) unstable; urgency=high
 .
   * Added patch from Daniel T Chen <[EMAIL PROTECTED]> to not break if
     composite extension is enabled.
   * Added patch from Kees Cook <[EMAIL PROTECTED]> to address integer underflow
     CVE-2007-0654 and overflow CVE-2007-0653 in BMP loader (Closes: #416423).
Files: 
 8d85627585c5e8acdcd649da99d3bc4a 1002 sound optional xmms_1.2.10+20070301-2.dsc
 69a0b2f9aa684219d120c01e8c76509b 118138 sound optional xmms_1.2.10+20070301-2.diff.gz
 12080b17e23171a481f1b84113eba3eb 2153996 sound optional xmms_1.2.10+20070301-2_i386.deb
 aa253a9021f944f83b1ee9563739565d 448204 devel optional xmms-dev_1.2.10+20070301-2_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGChXz+C5cwEsrK54RAlzeAJ9VgskcOIHnZSGzt6NIDYDrldlazQCePp5u
xnS3d+xIdIrJA//R3dDrtZw=
=mFK1
-----END PGP SIGNATURE-----


--- End Message ---