libxpm4: Three exploitable overflows in XPM handling

Bug #8260 reported by Debian Bug Importer
Affects          Status        Importance  Assigned to  Milestone
libxpm (Debian)  Fix Released  Unknown
libxpm (Ubuntu)  Invalid       High        Unassigned

Bug Description

Automatically imported from Debian bug report #272493 http://bugs.debian.org/272493

Debian Bug Importer (debzilla) wrote :

Message-Id: <20040920120211.70B09B7731@anton>
Date: Mon, 20 Sep 2004 14:02:11 +0200
From: Moritz Mühlenhoff <email address hidden>
To: Debian Bug Tracking System <email address hidden>
Subject: libxpm4: Three exploitable overflows in XPM handling

Package: libxpm4
Version: 4.3.0-0pre1v5.49.200406160839
Severity: grave
Tags: security
Justification: user security hole

There are three exploitable stack and integer overflows in the
XPM handling code shipped with XFree: Full details can be found
in this advisory from Chris Evans which I copied at the end of
this mail for archival purposes.

Cheers,
         Moritz

http://scary.beasts.org/security/CESA-2004-003.txt

libXpm multiple image parsing flaws
===================================

Programs affected: libXpm, and any programs which use libXpm to decode XPM
files. For example, the GIMP seems to use libXpm.
Severity: Compromise of account used to browse malicious XPM file.
CAN identifier(s): CAN-2004-0687 and CAN-2004-0688
Fixed: X.ORG release 6.8.1 contains fixes.

This advisory lists code flaws discovered by inspection of the libXpm code.
The specific version of libXpm discussed is the release that comes with the
initial X.ORG X11 system source code release. However, these flaws seem to
exist in older versions.

Flaw 1. Stack-based overflow in xpmParseColors (parse.c).
This is CAN-2004-0687

Careless use of strcat() in both the XPMv1 and XPMv2/3 parsing code leads to
a stack based overflow that should be exploitable. There are minor
complications due to stack layout; the buffer being overflowed in fact
typically overflows into another buffer that is used to populate the overflowed
buffer. This should not prevent exploitation, however.
Demo XPM: http://scary.beasts.org/misc/doom.xpm

Flaw 2. Integer overflow allocating colorTable in xpmParseColors (parse.c) -
probably a crashable but not exploitable offence. Here:
This is CAN-2004-0688

    colorTable = (XpmColor *) XpmCalloc(ncolors, sizeof(XpmColor));

ncolors would seem to come from the (untrusted) XPM file.
In fact, multiple integer overflow problems seem to exist. Some may well be
exploitable. Note that the following may not be an exhaustive list:
a) XpmCreateImageFromXpmImage: multiple possible overflow, e.g.:
    image_pixels = (Pixel *) XpmMalloc(sizeof(Pixel) * image->ncolors);
(ncolors is user-supplied)
b) CreateXImage:
    *image_return = XCreateImage(display, visual, depth, format, 0, 0,
         width, height, bitmap_pad, 0);
(width and height are user-supplied, possibly other variables too)
c) ParsePixels:
    iptr2 = (unsigned int *) XpmMalloc(sizeof(unsigned int) * width * height);
(width and height are user-supplied)
d) ParseAndPutPixels and ParsePixels:
    cidx[char1][(unsigned char)colorTable[a].string[1]] = a + 1;
(possibly, char1 might be negative, and access the cidx array out of bounds)

Flaw 3. Stack overflow reading pixel values in ParseAndPutPixels (create.c) as
well as ParsePixels (parse.c). Should be exploitable.
This is CAN-2004-0687

A user-supplied number of bytes are stuffed into a fixed-size buffer (typically
8192 bytes). The user gets to choose how many bytes to put into this...
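
The integer-overflow pattern listed under Flaw 2, as an added example that is not code from the advisory or from libXpm: it shows what a size computed like sizeof(unsigned int) * width * height becomes where size_t is 32 bits wide, next to a checked computation and an unsigned-char table index for case d). The function names, the 64 MiB cap and the header values are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed cap for this example; a real decoder chooses its own limit. */
#define MAX_IMAGE_BYTES ((size_t)64 * 1024 * 1024)

/* What sizeof(unsigned int) * width * height evaluates to where size_t is
 * 32 bits wide: unsigned arithmetic silently wraps modulo 2^32. */
static uint32_t wrapped_size32(uint32_t width, uint32_t height)
{
    return (uint32_t)sizeof(uint32_t) * width * height;
}

/* Checked form: compare against quotients so no intermediate product can
 * wrap. Returns 0 and stores the byte count, or -1 to reject the header. */
static int pixel_buffer_bytes(unsigned int width, unsigned int height,
                              size_t elem, size_t *out)
{
    size_t max_elems;

    if (width == 0 || height == 0 || elem == 0)
        return -1;
    max_elems = MAX_IMAGE_BYTES / elem;
    if (width > max_elems || height > max_elems / width)
        return -1;
    *out = (size_t)width * height * elem;
    return 0;
}

/* Case d): a plain char holding a byte >= 0x80 is negative where char is
 * signed, so a table index must go through unsigned char (0..255). */
static int table_row(char c)
{
    return (unsigned char)c;
}

int main(void)
{
    unsigned int w = 0x40000001u, h = 4;   /* constructed header values */
    size_t bytes = 0;
    unsigned int *pixels;

    printf("unchecked 32-bit size for %ux%u: %u bytes\n",
           w, h, (unsigned)wrapped_size32(w, h));
    if (pixel_buffer_bytes(w, h, sizeof(unsigned int), &bytes) != 0)
        printf("checked: header rejected before allocation\n");

    if (pixel_buffer_bytes(16, 16, sizeof(unsigned int), &bytes) == 0) {
        pixels = malloc(bytes);
        printf("checked: 16x16 needs %lu bytes\n", (unsigned long)bytes);
        free(pixels);
    }
    printf("row index for byte 0xE9: %d\n", table_row((char)0xE9));
    return 0;
}
```

With the constructed header the unchecked product wraps to 16 bytes, so a decoder that trusted it would allocate far less than the pixel loop later writes.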

Daniel Stone (daniels-debian) wrote : DSA and sid uploads needed (was: Re: Bug#272493: libxpm4: Three exploitable overflows in XPM handling)

On Mon, Sep 20, 2004 at 02:02:11PM +0200, Moritz Mühlenhoff wrote:
> There are three exploitable stack and integer overflows in the
> XPM handling code shipped with XFree: Full details can be found
> in this advisory from Chris Evans which I copied at the end of
> this mail for archival purposes.

Branden Robinson has the patch and is handling the DSA for woody; I
understand he is also handling the 4.3 upload for sid. Branden?

--
Daniel Stone <email address hidden>
Debian: the universal operating system http://www.debian.org

Fabio Massimo Di Nitto (fabbione) wrote :

We already fixed this problem.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 20 Sep 2004 06:48:28 -0700
From: Daniel Stone <email address hidden>
To: Moritz Mühlenhoff <email address hidden>,
 <email address hidden>
Cc: Debian Bug Tracking System <email address hidden>
Subject: DSA and sid uploads needed (was: Re: Bug#272493: libxpm4: Three exploitable overflows in
 XPM handling)

Branden Robinson (branden) wrote : libxpm4 security problem

Daniel Stone's "understanding" about who is "handling 4.3" is wrong -- I'm
not sure where he got it, as I've discussed this issue with Martin Schulze
from the Debian Security Team and Fabio Massimo Di Nitto, the XFree86
package release manager.

Fabio is handling 4.3.0.dfsg.1-8, as he has handled all but one of the
recent XFree86 uploads to unstable.

I have handled 4.1.0-16woody4 by delivering security-fixed packages to the
Debian Security Team on Saturday, 18 September.

(In the future, please don't file bugs against unsupported or unreleased
versions of Debian packages. I have no idea what libxpm4
"4.3.0-0pre1v5.49.200406160839" is. Whoever shipped that package is the
proper recipient of your bug report.)

--
G. Branden Robinson | Religious bondage shackles and
Debian GNU/Linux | debilitates the mind and unfits it
<email address hidden> | for every noble enterprise.
http://people.debian.org/~branden/ | -- James Madison

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 20 Sep 2004 15:14:18 -0500
From: Branden Robinson <email address hidden>
To: <email address hidden>
Cc: <email address hidden>
Subject: libxpm4 security problem

Moritz Mühlenhoff (muehlenhoff) wrote : Re: Bug#272493: libxpm4 security problem

Branden Robinson wrote:
> (In the future, please don't file bugs against unsupported or unreleased
> versions of Debian packages. I have no idea what libxpm4
> "4.3.0-0pre1v5.49.200406160839" is. Whoever shipped that package is the
> proper recipient of your bug report.)

It's an internal versioning scheme, sorry for the confusion. I checked
it against sid, although it has been sent off a machine running the
above version.

Cheers,
        Moritz

Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Tue, 21 Sep 2004 08:44:10 +0200
From: Moritz Mühlenhoff <email address hidden>
To: Branden Robinson <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#272493: libxpm4 security problem

Daniel Stone (daniels-debian) wrote :

On Mon, Sep 20, 2004 at 03:14:18PM -0500, Branden Robinson wrote:
> Daniel Stone's "understanding" about who is "handling 4.3" is wrong -- I'm
> not sure where he got it, as I've discussed this issue with Martin Schulze
> from the Debian Security Team and Fabio Massimo Di Nitto, the XFree86
> package release manager.

Apologies for the misunderstanding.

> [...]
>
> (In the future, please don't file bugs against unsupported or unreleased
> versions of Debian packages. I have no idea what libxpm4
> "4.3.0-0pre1v5.49.200406160839" is. Whoever shipped that package is the
> proper recipient of your bug report.)

Ehm, while it's a decent general rule, the bug here clearly applies to
all versions of XFree86, so there's no reason to tell them to go file
a bug report somewhere else. Both you and I know that the version
header is irrelevant in this case.

--
Daniel Stone <email address hidden>
Debian: the universal operating system http://www.debian.org

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Sat, 25 Sep 2004 21:35:47 -0700
From: Daniel Stone <email address hidden>
To: Branden Robinson <email address hidden>,
 <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#272493: libxpm4 security problem

Fabio Massimo Di Nitto (fabbione) wrote : Tagging

tag 272493 pending
stop

--
<user> fajita: step one
<fajita> Whatever the problem, step one is always to look in the error log.
<user> fajita: step two
<fajita> When in danger or in doubt, step two is to scream and shout.

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 27 Sep 2004 08:44:04 +0200
From: Fabio Massimo Di Nitto <email address hidden>
To: <email address hidden>
Subject: Tagging

Branden Robinson (branden) wrote : Re: Bug#272493: libxpm4 security problem

On Tue, Sep 21, 2004 at 08:44:10AM +0200, Moritz Mühlenhoff wrote:
> Branden Robinson wrote:
> > (In the future, please don't file bugs against unsupported or unreleased
> > versions of Debian packages. I have no idea what libxpm4
> > "4.3.0-0pre1v5.49.200406160839" is. Whoever shipped that package is the
> > proper recipient of your bug report.)
>
> It's an internal versioning scheme, sorry for the confusion. I checked
> it against sid, although it has been sent off a machine running the
> above version.

You can edit the reported version number, of course.

I'm just trying to reinforce a good habit -- I'm aware that pretty much
every version of libXpm ever released has this flaw.

However, many bugs reported against XFree86 don't have such universal
applicability, so I attempt to reinforce sound bug-reporting practices. :)

--
G. Branden Robinson | It may be difficult to determine
Debian GNU/Linux | where religious beliefs end and
<email address hidden> | mental illness begins.
http://people.debian.org/~branden/ | -- Elaine Cassel

Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Mon, 27 Sep 2004 17:26:06 -0500
From: Branden Robinson <email address hidden>
To: <email address hidden>
Subject: Re: Bug#272493: libxpm4 security problem

Fabio Massimo Di Nitto (fabbione) wrote : Bug#272493: fixed in xfree86 4.3.0.dfsg.1-8

Source: xfree86
Source-Version: 4.3.0.dfsg.1-8

We believe that the bug you reported is fixed in the latest version of
xfree86, which is due to be installed in the Debian FTP archive:

lbxproxy_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/lbxproxy_4.3.0.dfsg.1-8_i386.deb
libdps-dev_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libdps-dev_4.3.0.dfsg.1-8_i386.deb
libdps1-dbg_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libdps1-dbg_4.3.0.dfsg.1-8_i386.deb
libdps1_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libdps1_4.3.0.dfsg.1-8_i386.deb
libice-dev_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libice-dev_4.3.0.dfsg.1-8_i386.deb
libice6-dbg_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libice6-dbg_4.3.0.dfsg.1-8_i386.deb
libice6_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libice6_4.3.0.dfsg.1-8_i386.deb
libsm-dev_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libsm-dev_4.3.0.dfsg.1-8_i386.deb
libsm6-dbg_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libsm6-dbg_4.3.0.dfsg.1-8_i386.deb
libsm6_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libsm6_4.3.0.dfsg.1-8_i386.deb
libx11-6-dbg_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libx11-6-dbg_4.3.0.dfsg.1-8_i386.deb
libx11-6_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libx11-6_4.3.0.dfsg.1-8_i386.deb
libx11-dev_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libx11-dev_4.3.0.dfsg.1-8_i386.deb
libxaw6-dbg_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxaw6-dbg_4.3.0.dfsg.1-8_i386.deb
libxaw6-dev_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxaw6-dev_4.3.0.dfsg.1-8_i386.deb
libxaw6_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxaw6_4.3.0.dfsg.1-8_i386.deb
libxaw7-dbg_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxaw7-dbg_4.3.0.dfsg.1-8_i386.deb
libxaw7-dev_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxaw7-dev_4.3.0.dfsg.1-8_i386.deb
libxaw7_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxaw7_4.3.0.dfsg.1-8_i386.deb
libxext-dev_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxext-dev_4.3.0.dfsg.1-8_i386.deb
libxext6-dbg_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxext6-dbg_4.3.0.dfsg.1-8_i386.deb
libxext6_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxext6_4.3.0.dfsg.1-8_i386.deb
libxft1-dbg_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxft1-dbg_4.3.0.dfsg.1-8_i386.deb
libxft1_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxft1_4.3.0.dfsg.1-8_i386.deb
libxi-dev_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxi-dev_4.3.0.dfsg.1-8_i386.deb
libxi6-dbg_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxi6-dbg_4.3.0.dfsg.1-8_i386.deb
libxi6_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxi6_4.3.0.dfsg.1-8_i386.deb
libxmu-dev_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxmu-dev_4.3.0.dfsg.1-8_i386.deb
libxmu6-dbg_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxmu6-dbg_4.3.0.dfsg.1-8_i386.deb
libxmu6_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxmu6_4.3.0.dfsg.1-8_i386.deb
libxmuu-dev_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxmuu-dev_4.3.0.dfsg.1-8_i386.deb
libxmuu1-dbg_4.3.0.dfsg.1-8_i386.deb
  to pool/main/x/xfree86/libxmuu1-dbg_4.3.0.dfsg.1-8_i386.deb
libxmuu1_4....

Changed in libxpm:
status: Unknown → Fix Released