[Bug 233705] New: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654)

bugzilla at redhat.com bugzilla at redhat.com
Fri Mar 23 21:24:45 UTC 2007






https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=233705

           Summary: CVE-2007-0653 XMMS multiple issues (CVE-2007-0654)
           Product: Fedora Extras
           Version: fc6
          Platform: All
        OS/Version: Linux
            Status: NEW
          Severity: low
          Priority: normal
         Component: xmms
        AssignedTo: paul at all-the-johnsons.co.uk
        ReportedBy: ville.skytta at iki.fi
         QAContact: extras-qa at fedoraproject.org
                CC: fedora-security-list at redhat.com


Cloning RHEL bug for FE[56].


+++ This bug was initially created as a clone of Bug #228013 +++

Sven Krewitt of Secunia reported two flaws he discovered in the way XMMS handles
skin files.  Here are the technical details provided by Sven:

--- Details ---

CVE-2007-0654
1) An integer underflow error exists when loading skin bitmap images,
which can be exploited to cause a stack-based buffer overflow via
specially crafted skin images containing manipulated header information.

The vulnerability is caused due to errors within "read_bmp()" in
xmms/bmp.c when loading skin bitmap images.

-- xmms/bmp.c --
GdkPixmap *read_bmp(gchar * filename)
[...]
    fseek(file, 8, SEEK_CUR);
    read_le_long(file, &offset);            <-- [1]
    read_le_long(file, &headSize);
[...]
    else if (bitcount != 24 && bitcount != 16 && bitcount != 32)
    {
        gint ncols, i;

        ncols = offset - headSize - 14;     <-- [2]
        if (headSize == 12)
        {
            ncols = MIN(ncols / 3, 256);
            for (i = 0; i < ncols; i++)
                fread(&rgb_quads[i], 3, 1, file);
        }
        else
        {
            ncols = MIN(ncols / 4, 256);
            fread(rgb_quads, 4, ncols, file);   <-- [3]
[...]
-----

"offset" [1] is not properly verified before being used to calculate
"ncols" [2]. "bitcount" has to be set to a different value than 24, 16
or 32 (but can also be user controlled).
This can be exploited to cause an integer underflow,
resulting in a stack-based buffer overflow, which can be used to
overwrite the return address of "read_bmp()" [3].

Successful exploitation allows execution of arbitrary code.


CVE-2007-0653
2) An integer overflow error exists when loading skin bitmap images.
This can be exploited to cause memory corruption via specially crafted
skin images containing manipulated header information.

-- xmms/bmp.c --
GdkPixmap *read_bmp(gchar * filename)
[...]
    else if (headSize == 40)    /* BITMAPINFO */
    {
        guint16 tmp;

        read_le_long(file, &w);             <-- [4]
        read_le_long(file, &h);             <-- [4]
[...]
    fseek(file, offset, SEEK_SET);
    buffer = g_malloc(imgsize);
    fread(buffer, imgsize, 1, file);
    fclose(file);
    data = g_malloc0((w * 3 * h) + 3);      <-- [5]

    if (bitcount == 1)
----
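Added example, not code from XMMS or from the bug report: the two header computations above ([2]/[3] and [5]) rebuilt in C on an in-memory buffer, each beside a checked version, plus a constructed 30-byte header that trips both. The names (bmp_hdr, parse_bmp_header, vuln_fread_count, safe_palette_count, vuln_rgb_size, safe_rgb_size, header_is_safe, build_header), the 64 MiB image cap and the 275 x 116 sample size are this example's own assumptions; header fields are modelled as 32-bit values and gint as a 32-bit signed int, i.e. the arithmetic of a 32-bit build, which is assumed here.

```c
/* Added example, not XMMS code: the report's two header computations on an
 * in-memory buffer, each beside a checked version. All names are the
 * example's own. Field layout follows the reads read_bmp() makes ('BM',
 * skip 8, offset, headSize, then w, h, planes, bitcount for a 40-byte
 * header); fields are modelled as 32-bit, gint as a 32-bit signed int. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PALETTE 256               /* rgb_quads[256] in xmms/bmp.c */
#define MAX_IMAGE_BYTES (64u << 20)   /* assumed sanity cap for a skin bitmap */

typedef struct { uint32_t offset, headSize, w, h, bitcount; } bmp_hdr;

/* read_le_long()/read_le_short() equivalent on a buffer, bounds-checked. */
static int read_le(const uint8_t *p, size_t len, size_t at, int n, uint32_t *out)
{
    if (len < (size_t)n || at > len - n)
        return 0;
    *out = 0;
    for (int i = 0; i < n; i++)
        *out |= (uint32_t)p[at + i] << (8 * i);
    return 1;
}

/* The fields read_bmp() consumes, in the same order, but bounds-checked. */
int parse_bmp_header(const uint8_t *buf, size_t len, bmp_hdr *h)
{
    if (len < 2 || buf[0] != 'B' || buf[1] != 'M')
        return 0;
    return read_le(buf, len, 10, 4, &h->offset) &&                   /* [1] */
           read_le(buf, len, 14, 4, &h->headSize) && h->headSize == 40 &&
           read_le(buf, len, 18, 4, &h->w) &&                        /* [4] */
           read_le(buf, len, 22, 4, &h->h) &&
           read_le(buf, len, 28, 2, &h->bitcount);
}

/* [2]/[3] as written: the count fread() receives after MIN() lets a
 * negative gint through and the call converts it to size_t. */
size_t vuln_fread_count(uint32_t offset, uint32_t headSize)
{
    int32_t ncols = (int32_t)(offset - headSize - 14);   /* [2] wraps negative */
    ncols = (ncols / 4 < MAX_PALETTE) ? ncols / 4 : MAX_PALETTE;
    return (size_t)ncols;                                 /* [3] */
}

/* Checked replacement: a palette can only start after both headers. */
int safe_palette_count(uint32_t offset, uint32_t headSize, int *ncols)
{
    uint32_t entry = (headSize == 12) ? 3 : 4;
    if (headSize > UINT32_MAX - 14 || offset < headSize + 14)
        return 0;
    uint32_t n = (offset - headSize - 14) / entry;
    *ncols = (n > MAX_PALETTE) ? MAX_PALETTE : (int)n;
    return 1;
}

/* [5] as written, in 32-bit arithmetic. */
uint32_t vuln_rgb_size(uint32_t w, uint32_t h) { return w * 3 * h + 3; }

/* Checked replacement: widen, then bound the product before allocating. */
int safe_rgb_size(uint32_t w, uint32_t h, size_t *out)
{
    if (w == 0 || h == 0 || w > INT32_MAX || h > INT32_MAX)
        return 0;
    uint64_t n = (uint64_t)w * 3 * h;   /* cannot wrap: both below 2^31 */
    if (n > MAX_IMAGE_BYTES)
        return 0;
    *out = (size_t)n + 3;
    return 1;
}

/* 1 only if every size read_bmp() would derive from the header is sane. */
int header_is_safe(const uint8_t *buf, size_t len)
{
    bmp_hdr h; int ncols; size_t bytes;
    if (!parse_bmp_header(buf, len, &h))
        return 0;
    if (h.bitcount != 24 && h.bitcount != 16 && h.bitcount != 32 &&
        !safe_palette_count(h.offset, h.headSize, &ncols))
        return 0;
    return safe_rgb_size(h.w, h.h, &bytes);
}

/* Constructed 30-byte test header: 'BM', offset, 40-byte info header, w, h,
 * planes = 1, bitcount; everything else zero. */
void build_header(uint8_t out[30], uint32_t offset, uint32_t w, uint32_t h, uint16_t bitcount)
{
    const size_t pos[4] = { 10, 14, 18, 22 };
    const uint32_t val[4] = { offset, 40, w, h };
    memset(out, 0, 30);
    out[0] = 'B'; out[1] = 'M'; out[26] = 1;
    for (int i = 0; i < 4; i++)
        for (int j = 0; j < 4; j++)
            out[pos[i] + j] = (uint8_t)(val[i] >> (8 * j));
    out[28] = (uint8_t)bitcount; out[29] = (uint8_t)(bitcount >> 8);
}

int main(void)
{
    uint8_t hdr[30];
    build_header(hdr, 0, 0x10000, 0x10000, 8);   /* crafted: offset 0, 65536 x 65536, 8 bpp */
    printf("crafted: fread count %zu, alloc %u bytes, accepted=%d\n",
           vuln_fread_count(0, 40), vuln_rgb_size(0x10000, 0x10000),
           header_is_safe(hdr, sizeof hdr));
    build_header(hdr, 14 + 40 + 4 * 256, 275, 116, 8);   /* 8 bpp with a full palette */
    printf("benign: accepted=%d\n", header_is_safe(hdr, sizeof hdr));
    return 0;
}
```

With the crafted header, offset 0 makes ncols = -54 at [2]; MIN() does not reject a negative value, so fread() at [3] is handed (size_t)-13, far beyond the 256-entry rgb_quads buffer, and 65536 x 65536 makes w * 3 * h wrap to 0 so that [5] allocates 3 bytes. header_is_safe() rejects that header and accepts the benign one; the fixed checks are the ordering test offset >= headSize + 14 and the widened, capped multiplication.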

-- Additional comment from bressers at redhat.com on 2007-02-09 10:23 EST --
These flaws also affect RHEL2.1 and RHEL3

-- Additional comment from davidz at redhat.com on 2007-02-09 12:32 EST --
Are there patches for these yet?

-- Additional comment from bressers at redhat.com on 2007-02-09 13:19 EST --
There are no patches yet.  I'm still trying to contact someone upstream about
this.  If you have any upstream contacts, please let me know.

-- Additional comment from bressers at redhat.com on 2007-03-21 09:26 EST --
Lifting embargo
