inkscape: Arbitrary code execution when opening a malicious file
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
inkscape (Debian) | Fix Released | Unknown | |
inkscape (Ubuntu) | Fix Released | High | Martin Pitt |
Bug Description
Automatically imported from Debian bug report #330894 http://bugs.debian.org/330894
CVE References
Debian Bug Importer (debzilla) wrote : | #1 |
In Debian Bug tracker #330894, Wolfram Quester (wolfi) wrote : Re: Bug#330894: inkscape: Arbitrary code execution when opening a malicious file | #2 |
forwarded 330894 <email address hidden>
Thanks
Hi Joxean!
On Fri, Sep 30, 2005 at 12:51:04PM +0200, Joxean Koret wrote:
> Subject: inkscape: Arbitrary code execution opening a file
> Package: inkscape
> Version: 0.41-4.99.sarge0
> Severity: grave
> Justification: user security hole
>
> Inkscape is vulnerable to, almost, one buffer overflow that may allow
> arbitrary code execution. I contacted the Inkscape team but, at the
> moment, there is no patch for the issue.
>
> Attached goes a Proof Of Concept.
>
> NOTE: I think the problem may not be exploitable because you need to
> write a shellcode using only valid XML characters.
>
> Regards,
> Joxean Koret
>
>
[...snip...]
Thanks for your report. I forwarded it to the developer's mailing list.
On my PowerBook inkscape simply crashed when opening your file, I don't
know what it should do on an i386 box. I tried to open it in vim, but
there it causes trouble too, at least for the syntax highlighter.
I also tried it with sodipodi, but could not see an effect. It seems to
open cleanly.
With best wishes,
Wolfi
Debian Bug Importer (debzilla) wrote : | #3 |
Date: Fri, 30 Sep 2005 17:58:16 +0200
From: Wolfram Quester <email address hidden>
To: Joxean Koret <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#330894: inkscape: Arbitrary code execution when opening a malicious file
In Debian Bug tracker #330894, Joxean Koret (joxeankoret) wrote : Re: Bug#330894: inkscape: Arbitrary code execution when opening a malicious file | #4 |
> Hi Joxean!
> [...snip...]
>
> Thanks for your report. I forwarded it to the developer's mailing list.
> On my PowerBook inkscape simply crashed when opening your file, I don't
> know what it should do on a i386 box. I tried to open it in vim, but
> there it causes troubles too, at least for the syntax highlighter.
>
This is only a P.O.C. I have no working exploit at the moment for the
issue.
> I also tried it with sodipodi, but could not see an effect. It seems to
> open cleanly.
>
> With best wishes,
>
> Wolfi
Regards,
Joxean Koret
Debian Bug Importer (debzilla) wrote : | #5 |
Date: Fri, 30 Sep 2005 20:30:20 +0200
From: Joxean Koret <email address hidden>
To: Wolfram Quester <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#330894: inkscape: Arbitrary code execution when opening a malicious file
In Debian Bug tracker #330894, MenTaLguY (mental-deactivatedaccount) wrote : Re: Inkscape SVG parser buffer overflows | #6 |
On Sun, 2005-11-20 at 15:54 +0100, Martin Schulze wrote:
> Moritz Muehlenhoff wrote:
> > | October 9, 2005
> > |
> > | Mentalguy has released new point releases of the past two versions of Inkscape
> > | to correct two issues with arbitrary code execution when opening malicious
> > | files. There are no known exploits for this issue, but if you use Inkscape
> > | on a production machine in a manner that invokes files from arbitrary sources,
> > | you may wish to upgrade.
>
> Hi,
>
> could you provide some assistance? The above note about arbitrary
> code execution may originate in our Bug#330894 <bugs.debian.
> I'd like to see the correction for this/these particular issue(s) so
> that Debian can correct the older version of Inkscape in its stable
> release, where no new upstream versions are installed.
Yes, I believe that's the bug that prompted the new point release. I've
attached the patch for the 0.42 branch.
It's worth noting that (except for incrementing the version number in
the about dialog, etc, and some changes to the distributed Windows
makefiles) this is the only difference between 0.42.2 and 0.42.3.
I believe the patch can also be applied to the 0.41 line (the
same change is present in 0.41.1). I don't believe it's relevant to
0.40.
-mental
Debian Bug Importer (debzilla) wrote : | #7 |
Date: Sun, 20 Nov 2005 14:54:53 -0500
From: MenTaLguY <email address hidden>
To: <email address hidden>
Subject: Re: Inkscape SVG parser buffer overflows
Content-Type: text/x-patch; name=fix.diff; charset=UTF-8
Martin Pitt (pitti) wrote : | #8 |
warty, hoary, dapper are not affected. breezy fixed in USN-217-1.
In Debian Bug tracker #330894, Guido Trotter (ultrotter) wrote : Isn't this fixed in the unstable version of inkscape? | #9 |
Hi!
You wrote two times in the changelog that this issue is resolved:
Changes:
inkscape (0.43-1) unstable; urgency=high
* urgency=high since this version fixes the buffer overflow discovered by
Joxean Koret (see CVE-2005-3737, debian bug 330894).
Changes:
inkscape (0.42.2+0.43pre1-1) unstable; urgency=low
* Just for the record: inkscape version 0.42 and newer is not vulnerable to
the security bug mentioned in Bug #321501.
So I'm wondering: why can't this bug be closed, with the appropriate version tag?
This would also help migrating inkscape into testing, which it cannot do while this bug remains open...
Thanks,
Guido
In Debian Bug tracker #330894, Steve Langasek (vorlon) wrote : Re: Bug#330894: Isn't this fixed in the unstable version of inkscape? | #10 |
Version: 0.43-1
On Fri, Nov 25, 2005 at 10:55:48AM +0100, Guido Trotter wrote:
> You wrote two times in the changelog that this issue is resolved:
> Changes:
> inkscape (0.43-1) unstable; urgency=high
> * urgency=high since this version fixes the buffer overflow discovered by
> Joxean Koret (see CVE-2005-3737, debian bug 330894).
> Changes:
> inkscape (0.42.2+0.43pre1-1) unstable; urgency=low
> * Just for the record: inkscape version 0.42 and newer is not vulnerable to
> the security bug mentioned in Bug #321501.
> So I'm wondering: why can't this bug be closed, with the appropriate version tag?
> This would also help migrating inkscape into testing, which it cannot do till this bug remains open...
These are not the same bug; 321501 is a tempfile bug, and 330894 is a buffer
overflow. But you're right, based on the available information this bug
should be marked as closed in unstable.
Cheers,
--
Steve Langasek
Debian Developer
<email address hidden> http://
"Give me a lever long enough and a Free OS to set it on, and I can move the world."
Debian Bug Importer (debzilla) wrote : | #11 |
Date: Fri, 25 Nov 2005 10:55:48 +0100
From: Guido Trotter <email address hidden>
To: <email address hidden>
Subject: Isn't this fixed in the unstable version of inkscape?
Debian Bug Importer (debzilla) wrote : | #12 |
Date: Fri, 25 Nov 2005 02:12:04 -0800
From: Steve Langasek <email address hidden>
To: Guido Trotter <email address hidden>, <email address hidden>
Subject: Re: Bug#330894: Isn't this fixed in the unstable version of inkscape?
In Debian Bug tracker #330894, Wolfram Quester (wolfi) wrote : | #13 |
Hi Guido,
On Fri, Nov 25, 2005 at 10:55:48AM +0100, Guido Trotter wrote:
>
> Hi!
>
> You wrote two times in the changelog that this issue is resolved:
>
> Changes:
> inkscape (0.43-1) unstable; urgency=high
>
> * urgency=high since this version fixes the buffer overflow discovered by
> Joxean Koret (see CVE-2005-3737, debian bug 330894).
>
> Changes:
> inkscape (0.42.2+0.43pre1-1) unstable; urgency=low
>
> * Just for the record: inkscape version 0.42 and newer is not vulnerable to
> the security bug mentioned in Bug #321501.
>
>
> So I'm wondering: why can't this bug be closed, with the appropriate version tag?
> This would also help migrating inkscape into testing, which it cannot do till this bug remains open...
Yes, you are right. My thinking was that I close this bug when it is
fixed in stable, too. But I see that this was wrong.
Thanks Steve for closing, I hope the security team will upload the fixed
version I sent them to sarge.
>
> Thanks,
>
> Guido
>
With best wishes,
Wolfi
Debian Bug Importer (debzilla) wrote : | #14 |
Date: Fri, 25 Nov 2005 14:17:49 +0100
From: Wolfram Quester <email address hidden>
To: Guido Trotter <email address hidden>, <email address hidden>
Subject: Re: Bug#330894: Isn't this fixed in the unstable version of inkscape?