BugTraq
[oCERT-2008-015] glib and glib-predecessor heap overflows Mar 12 2009 04:07PM
Will Drewry (redpig ocert org)
#2008-015 glib and glib-predecessors heap overflows

Description:

Base64 encoding and decoding functions in glib suffer from
vulnerabilities during memory allocation which may result in arbitrary
code execution when processing large strings. A number of other
GNOME-related applications which predate glib are vulnerable due to the
commonality of this flawed code.

In all cases, heap memory is allocated using a length calculated with a
user-supplied, platform-specifc value. It follows the pattern below:

g_malloc(user_supplied_length * 3 / 4 + some_small_num)

Due to the evaluation order of arithmetic operations, the length is
multiplied by 3 prior to division by 4. This will allow the calculated
argument used for allocation length to overflow resulting in a region
which is smaller than expected.

Patches:
glib
http://ocert.org/patches/2008-015/glib-CVE-2008-4316.diff
gst-plugins-base
http://ocert.org/patches/2008-015/gst-plugins-base-CVE-2009-0586.diff
evolution-data-server
http://ocert.org/patches/2008-015/camel-CVE-2009-0587.diff
http://ocert.org/patches/2008-015/evc-CVE-2009-0587.diff
libsoup
http://ocert.org/patches/2008-015/libsoup-base64-CVE-2009-0585.diff

Affected version:

(actively affected)
glib >= 2.11 unstable
glib >= 2.12 stable
gstreamer-plugins-base < 0.10.23

(older versions affected only)
libsoup < 2.2.x
libsoup < 2.24
evolution-data-server < 2.24.5

Fixed version:

glib >= 2.20 (svn revision >= 7973)
gstreamer-plugins-base >= 0.10.23

(Other identified packages are unaffected in current versions.)

Credit: vulnerability report and initial analysis received from
Diego Pettenò <flameeyes (at) gmail.com> with
extended analysis, vulnerabilities, and patches for libsoup,
gst-plugins-base, and evolution-data-server from
Tomas Hoger <thoger (at) redhat.com>.

CVE: CVE-2008-4316 (glib),
CVE-2009-0585 (libsoup),
CVE-2009-0586 (gstreamer-plugins-base),
CVE-2009-0587 (evolution-data-server)

Timeline:

2008-10-22: vulnerability report received
2008-11-11: failed to contact gnome-upstream privately (ml, bugs)
2008-11-27: contacted vendor-sec as gnome-upstream
2008-11-28: thoger confirms and assigns initial CVE
2008-11-29: flameeyes notes other potentially affected libraries
2008-12-05: thoger supplies glib patch expands scope to include eds, gst
2009-01-14: patch review by mclasen; thoger analysis eds, soup
2009-01-26: gst-plugins-base detailed analysis by thoger
2009-02-22: gstreamer upstream contacted
2009-03-03: gst-plugins-base patch from upstream
2009-03-04: evolution data server lead contacted
2009-03-05: final embargo lift date settled
2009-03-12: glib. gst upstream patches public; advisory published

References:
glib update
http://svn.gnome.org/viewvc/glib?view=revision&revision=7973
gst-plugins-base update
http://cgit.freedesktop.org/gstreamer/gst-plugins-base/commit/?id=566583
e87147f774e7fc4c78b5f7e61d427e40a9
http://www.gtk.org/
http://www.gstreamer.net/
http://www.go-evolution.org/Main_Page
http://live.gnome.org/LibSoup
http://www.go-evolution.org/Camel

Permalink:
http://www.ocert.org/advisories/ocert-2008-015.html

--
Will Drewry <redpig (at) ocert (dot) org [email concealed]>
oCERT Team :: http://ocert.org

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus