CVE-2004-0782
CVSS 7.5
Published: 2004-10-20 00:00:00
Revised: 2016-10-17 22:48:56

[Original description] Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22, allows remote attackers to execute arbitrary code via certain n_col and cpp values that enable a heap-based buffer overflow. NOTE: this identifier is ONLY for gtk+. It was incorrectly referenced in an advisory for a different issue (CVE-2004-0687).


[CNNVD] GDK-Pixbuf Multiple Security Vulnerabilities (CNNVD-200410-047)

        
        gdk-pixbuf is a library used by Gtk.
        gdk-pixbuf has multiple issues; a remote attacker can exploit these vulnerabilities to carry out denial-of-service or buffer-overflow attacks.
        The first issue (CAN-2004-0753) is that, when attempting to decode a BMP image, under certain conditions the library enters an infinite loop and consumes large amounts of CPU.
        The second and third issues occur when the library decodes XPM images: a specially crafted image file can crash an application using the library or possibly execute user-supplied code.
        The fourth and last vulnerability is that, when attempting to parse an ICO image, a specially crafted ICO file can crash the application.
        

- CVSS (base score)

CVSS score: 7.5 [HIGH]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)

cpe:/a:gtk:gtk%2b:2.2.1
cpe:/a:gnome:gdkpixbuf:0.22
cpe:/a:gtk:gtk%2b:2.2.3
cpe:/a:gtk:gtk%2b:2.0.2
cpe:/a:gnome:gdkpixbuf:0.18
cpe:/a:gnome:gdkpixbuf:0.17
cpe:/a:gtk:gtk%2b:2.0.6
cpe:/a:gtk:gtk%2b:2.2.4
cpe:/a:gnome:gdkpixbuf:0.20

- OVAL (technical details for detection)

oval:org.mitre.oval:def:1617  XPM Image Decoder Buffer Overflow
oval:org.mitre.oval:def:11539  Integer overflow in pixbuf_create_from_xpm (io-xpm.c) in the XPM image decoder for gtk+ 2.4.4 (gtk2) and earlier, and gdk-pixbuf before 0.22...
*OVAL describes in detail how to detect this vulnerability; see the related OVAL definitions for further technical details on detecting it.

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0782
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2004-0782
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200410-047
(official data source) CNNVD

- Other links and resources

http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000875
(UNKNOWN)  CONECTIVA  CLA-2004:875
http://marc.info/?l=bugtraq&m=109528994916275&w=2
(UNKNOWN)  BUGTRAQ  20040915 CESA-2004-005: gtk+ XPM decoder
http://scary.beasts.org/security/CESA-2004-005.txt
(UNKNOWN)  MISC  http://scary.beasts.org/security/CESA-2004-005.txt
http://sunsolve.sun.com/search/document.do?assetkey=1-26-101776-1
(UNKNOWN)  SUNALERT  101776
http://www.debian.org/security/2004/dsa-546
(UNKNOWN)  DEBIAN  DSA-546
http://www.kb.cert.org/vuls/id/729894
(UNKNOWN)  CERT-VN  VU#729894
http://www.mandrakesecure.net/en/advisories/advisory.php?name=MDKSA-2004:095
(UNKNOWN)  MANDRAKE  MDKSA-2004:095
http://www.mandriva.com/security/advisories?name=MDKSA-2005:214
(UNKNOWN)  MANDRIVA  MDKSA-2005:214
http://www.redhat.com/support/errata/RHSA-2004-447.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:447
http://www.redhat.com/support/errata/RHSA-2004-466.html
(VENDOR_ADVISORY)  REDHAT  RHSA-2004:466
http://www.securityfocus.com/archive/1/archive/1/419771/100/0/threaded
(UNKNOWN)  FEDORA  FLSA-2005:155510
http://www.securityfocus.com/bid/11195
(UNKNOWN)  BID  11195
http://xforce.iss.net/xforce/xfdb/17386
(UNKNOWN)  XF  gtk-xpm-pixbufcreatefromxpm-bo(17386)
https://bugzilla.fedora.us/show_bug.cgi?id=2005
(UNKNOWN)  FEDORA  FLSA:2005

- Vulnerability information

GDK-Pixbuf Multiple Security Vulnerabilities
High severity  Design error
2004-10-20 00:00:00 2010-04-02 00:00:00
Remote / Local
        
        

- Advisories and patches

        Vendor patches:
        Debian
        ------
        Debian has released security advisories (DSA-549-1, DSA-546-1) and corresponding patches:
        DSA-549-1: New gtk+2.0 packages fix several vulnerabilities
        Link:
        http://www.debian.org/security/2002/dsa-549

        DSA-546-1: New gdk-pixbuf packages fix several vulnerabilities
        Link:
        http://www.debian.org/security/2002/dsa-546

        Patch downloads:

- Vulnerability information (F34380)

Chris Evans Security Advisory 2004.5 (PacketStormID:F34380)
2004-09-17 00:00:00
Chris Evans  
advisory,overflow
CVE-2004-0782,CVE-2004-0783

gtk+ version 2.4.4 has heap and stack-based overflows that can allow for the compromise of an account used to browse a malicious XPM file.

CESA-2004-005 - rev 1

http://scary.beasts.org/security/CESA-2004-005.txt

gtk+-2.4.4 XPM image decoder parsing flaws
==========================================

Programs:          gtk+, and any programs which use gtk+ to decode XPM files.
                   For example, Evolution.
Severity:          Compromise of account used to browse malicious XPM file.
CAN identifier(s): CAN-2004-0782, CAN-2004-0783

This advisory lists code flaws discovered by inspection of the XPM parser
within the gtk+ code. Specifically, gtk+-2.4.4 was investigated.

Flaw 1. Heap-based overflow in pixbuf_create_from_xpm (io-xpm.c)
CAN-2004-0782

  name_buf = g_new (gchar, n_col * (cpp + 1));
  colors = g_new (XPMColor, n_col);

Here, n_col is an arbitrary integer value from the XPM. cpp is an integer value
ranging from 1 to 31 from the XPM. By careful choice of values of n_col and
cpp, integer overflow can occur on integer multiplication. This leads to heap
buffers being allocated that cannot hold n_col elements, so a subsequent heap
overflow occurs.

Demo XPM: http://scary.beasts.org/misc/gdk1.xpm


Flaw 2. Subtle stack-based overflow in xpm_extract_color (io-xpm.c)
CAN-2004-0783

  gint space = 128;
  gchar word[128], color[128], current_color[128];
...
      if (color[0] != '\0') {
        strcat (color, " ");
[*]     space--;
      }
      strncat (color, word, space);
      space -= MIN (space, strlen (word));

Here, an attempt is actually made to prevent overflow of the stack buffers.
However, a logic error means one of the buffers can still be made to overflow.
When "space" reaches 0, "space" can be sent to -1 by the line marked with [*],
if the color string is broken up by whitespace. When "space" is -1, the
strncat() call is effectively morphed to a strcat() call, allowing overflow of
the "color" buffer (probably into the "word" buffer, which may cause a minor
inconvenience to exploitation. Note use of the word "minor" :-)

Demo XPM: http://scary.beasts.org/misc/gdk2.xpm


CESA-2004-005 - rev 1
Chris Evans
chris@scary.beasts.org
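Added example, not code from gtk+ or from the advisory above: a hardened form of the two checks the advisory describes, written from the defender's side. The function names xpm_name_buf_size, xpm_append_color_word and xpm_color_fill_demo are hypothetical; the variable names (n_col, cpp, space, color[128]) and the cpp range 1..31 follow the advisory, and the caller starts `space` at COLOR_LEN - 1 so the terminator always has room.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Flaw 1, hardened (hypothetical): validate n_col and cpp before the
 * name_buf allocation so that n_col * (cpp + 1) cannot wrap in int
 * arithmetic. Returns false for any size the decoder must reject. */
bool xpm_name_buf_size(int n_col, int cpp, size_t *out)
{
    if (n_col <= 0 || cpp < 1 || cpp > 31)       /* cpp range per advisory */
        return false;
    if (n_col > INT_MAX / (cpp + 1))             /* product would overflow */
        return false;
    *out = (size_t)n_col * (size_t)(cpp + 1);
    return true;
}

/* Flaw 2, hardened (hypothetical): append one whitespace-separated word to
 * the color buffer. 'space' counts bytes still free for characters and is
 * never decremented past zero, so strncat never sees -1 (a huge size_t). */
#define COLOR_LEN 128
int xpm_append_color_word(char color[COLOR_LEN], int *space, const char *word)
{
    if (color[0] != '\0') {
        if (*space == 0)                         /* no room for separator */
            return 0;
        strcat(color, " ");
        (*space)--;
    }
    size_t avail = (size_t)*space;
    size_t len = strlen(word);
    strncat(color, word, avail);                 /* avail is never negative */
    *space -= (int)(len < avail ? len : avail);
    return *space;
}

/* Fill the buffer exactly, then try one more word; true if it stays in bounds. */
bool xpm_color_fill_demo(void)
{
    char color[COLOR_LEN] = "", big[124];        /* constructed 123-char word */
    int space = COLOR_LEN - 1;
    memset(big, 'a', 123);
    big[123] = '\0';
    xpm_append_color_word(color, &space, "red"); /* space -> 124 */
    xpm_append_color_word(color, &space, big);   /* separator + 123 -> space 0 */
    int after = xpm_append_color_word(color, &space, "x");
    return after == 0 && strlen(color) == COLOR_LEN - 1;
}
```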
    

- Vulnerability information (F34379)

Chris Evans Security Advisory 2004.3 (PacketStormID:F34379)
2004-09-17 00:00:00
Chris Evans  
advisory,overflow
CVE-2004-0782,CVE-2004-0783

libXpm versions below 6.8.1 suffer from multiple stack and integer overflows.

CESA-2004-003 - rev 2

http://scary.beasts.org/security/CESA-2004-003.txt

libXpm multiple image parsing flaws
===================================

Programs affected: libXpm, and any programs which use libXpm to decode XPM
files. For example, the GIMP seems to use libXpm.
Severity: Compromise of account used to browse malicious XPM file.
CAN identifier(s): CAN-2004-0782 and CAN-2004-0783
Fixed: X.ORG release 6.8.1 contains fixes.

This advisory lists code flaws discovered by inspection of the libXpm code.
The specific version of libXpm discussed is the release that comes with the
initial X.ORG X11 system source code release. However, these flaws seem to
exist in older versions.


Flaw 1. Stack-based overflow in xpmParseColors (parse.c).
This is CAN-2004-0782

Careless use of strcat() in both the XPMv1 and XPMv2/3 parsing code leads to
a stack based overflow that should be exploitable. There are minor
complications due to stack layout; the buffer being overflowed in fact
typically overflows into another buffer that is used to populate the overflowed
buffer. This should not prevent exploitation, however.
Demo XPM: http://scary.beasts.org/misc/doom.xpm


Flaw 2. Integer overflow allocating colorTable in xpmParseColors (parse.c) -
probably a crashable but not exploitable offence. Here:
This is CAN-2004-0783

    colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));

ncolors would seem to come from the (untrusted) XPM file.
In fact, multiple integer overflow problems seem to exist. Some may well be
exploitable. Note that the following may not be an exhaustive list:
a) XpmCreateImageFromXpmImage: multiple possible overflow, e.g.:
    image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors);
(ncolors is user-supplied)
b) CreateXImage:
    *image_return = XCreateImage(display, visual, depth, format, 0, 0,
         width, height, bitmap_pad, 0);
(width and height are user-supplied, possibly other variables too)
c) ParsePixels:
    iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height);
(width and height are user-supplied)
d) ParseAndPutPixels and ParsePixels:
    cidx[char1][(unsigned char)colorTable[a].string[1]] = a + 1;
(possibly, char1 might be negative, and access the cidx array out of bounds)


Flaw 3. Stack overflow reading pixel values in ParseAndPutPixels (create.c) as
well as ParsePixels (parse.c). Should be exploitable.
This is CAN-2004-0782

A user-supplied number of bytes are stuffed into a fixed-size buffer (typically
8192 bytes). The user gets to choose how many bytes to put into this buffer
via the "number of bytes per pixel" XPM value.
Demo XPM: http://scary.beasts.org/misc/doom2.xpm


CESA-2004-003 - rev 2
Chris Evans
chris@scary.beasts.org
    

- Vulnerability information

9997
GdkPixbuf pixbuf_create_from_xpm Local Overflow
Local Access Required Input Manipulation
Loss of Integrity
Exploit Public

- Vulnerability description

A remote overflow exists in GdkPixbuf. The pixbuf_create_from_xpm (in io-xpm.c) fails to sanitise input from the .xpm resulting in a heap overflow. With a specially crafted request, an attacker can cause execution of arbitrary code resulting in a loss of integrity.

- Timeline

2004-09-15 2004-03-16
2004-09-15 Unknown

- Solution

Upgrade to the packages not affected for your operating system or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

 

 
