inkscape: Arbitrary code execution when opening a malicious file

Bug #22882 reported by Debian Bug Importer
Affects           | Status       | Importance | Assigned to | Milestone
inkscape (Debian) | Fix Released | Unknown    |             |
inkscape (Ubuntu) | Fix Released | High       | Martin Pitt |

Bug Description

Automatically imported from Debian bug report #330894 http://bugs.debian.org/330894

CVE References

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Automatically imported from Debian bug report #330894 http://bugs.debian.org/330894

Revision history for this message
In , Wolfram Quester (wolfi) wrote : Re: Bug#330894: inkscape: Arbitrary code execution when opening a malicious file

forwarded 330894 <email address hidden>
Thanks

Hi Joxean!

On Fri, Sep 30, 2005 at 12:51:04PM +0200, Joxean Koret wrote:
> Subject: inkscape: Arbitrary code execution opening a file
> Package: inkscape
> Version: 0.41-4.99.sarge0
> Severity: grave
> Justification: user security hole
>
> Inkscape is vulnerable to, almost, one buffer overflow that may allow
> arbitrary code execution. I contacted the Inkscape team but, at the
> moment, there is no patch for the issue.
>
> Attached goes a Proof Of Concept.
>
> NOTE: I think the problem may not be exploitable because you need to
> write a shellcode using only valid XML characters.
>
> Regards,
> Joxean Koret
>
>
[...snip...]

Thanks for your report. I forwarded it to the developer's mailing list.
On my PowerBook inkscape simply crashed when opening your file, I don't
know what it should do on an i386 box. I tried to open it in vim, but
there it causes troubles too, at least for the syntax highlighter.

I also tried it with sodipodi, but could not see an effect. It seems to
open cleanly.

With best wishes,

Wolfi

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 30 Sep 2005 17:58:16 +0200
From: Wolfram Quester <email address hidden>
To: Joxean Koret <email address hidden>, <email address hidden>
Cc: <email address hidden>
Subject: Re: Bug#330894: inkscape: Arbitrary code execution when opening a malicious file


Revision history for this message
In , Joxean Koret (joxeankoret) wrote : Re: Bug#330894: inkscape: Arbitrary code execution when opening a malicious file

> Hi Joxean!
> [...snip...]
>
> Thanks for your report. I forwarded it to the developer's mailing list.
> On my PowerBook inkscape simply crashed when opening your file, I don't
> know what it should do on a i386 box. I tried to open it in vim, but
> there it causes troubles too, at least for the syntax highlighter.
>

This is only a P.O.C. I have no working exploit at the moment for the
issue.

> I also tried it with sodipodi, but could not see an effect. It seems to
> open cleanly.
>
> With best wishes,
>
> Wolfi

Regards,
Joxean Koret

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Fri, 30 Sep 2005 20:30:20 +0200
From: Joxean Koret <email address hidden>
To: Wolfram Quester <email address hidden>
Cc: <email address hidden>, <email address hidden>
Subject: Re: Bug#330894: inkscape: Arbitrary code execution when opening a
 malicious file


Revision history for this message
In , MenTaLguY (mental-deactivatedaccount) wrote : Re: Inkscape SVG parser buffer overflows

On Sun, 2005-11-20 at 15:54 +0100, Martin Schulze wrote:
> Moritz Muehlenhoff wrote:
> > | October 9, 2005
> > |
> > | Mentalguy has released new point releases of the past two versions of Inkscape
> > | to correct two issues with arbitrary code execution when opening malicious
> > | files. There are no known exploits for this issue, but if you use Inkscape
> > | on a production machine in a manner that invokes files from arbitrary sources,
> > | you may wish to upgrade.
>
> Hi,
>
> could you provide some assistance? The above note about arbitrary
> code execution may originate in our Bug#330894 <bugs.debian.org/330894>.
> I'd like to see the correction for this/these particular issue(s) so
> that Debian can correct the older version of Inkscape in its stable
> release, where no new upstream versions are installed.

Yes, I believe that's the bug that prompted the new point release. I've
attached the patch for the 0.42 branch.

It's worth noting that (except for incrementing the version number in
the about dialog, etc, and some changes to the distributed Windows
makefiles) this is the only difference between 0.42.2 and 0.42.3.

I believe the patch can also be applied to the 0.41 line as well (the
same change is present in 0.41.1). I don't believe it's relevant to
0.40.

-mental

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-Id: <email address hidden>
Date: Sun, 20 Nov 2005 14:54:53 -0500
From: MenTaLguY <email address hidden>
To: <email address hidden>
Subject: Re: Inkscape SVG parser buffer overflows


Revision history for this message
Martin Pitt (pitti) wrote :

warty, hoary, dapper are not affected. breezy fixed in USN-217-1.

Revision history for this message
In , Guido Trotter (ultrotter) wrote : Isn't this fixed in the unstable version of inkscape?

Hi!

You wrote two times in the changelog that this issue is resolved:

Changes:
 inkscape (0.43-1) unstable; urgency=high

   * urgency=high since this version fixes the buffer overflow discovered by
     Joxean Koret (see CVE-2005-3737, debian bug 330894).

Changes:
 inkscape (0.42.2+0.43pre1-1) unstable; urgency=low

   * Just for the record: inkscape version 0.42 and newer is not vulnerable to
     the security bug mentioned in Bug #321501.

So I'm wondering: why can't this bug be closed, with the appropriate version tag?
This would also help migrating inkscape into testing, which it cannot do till this bug remains open...

Thanks,

Guido

Revision history for this message
In , Steve Langasek (vorlon) wrote : Re: Bug#330894: Isn't this fixed in the unstable version of inkscape?

Version: 0.43-1

On Fri, Nov 25, 2005 at 10:55:48AM +0100, Guido Trotter wrote:

> You wrote two times in the changelog that this issue is resolved:

> Changes:
> inkscape (0.43-1) unstable; urgency=high

> * urgency=high since this version fixes the buffer overflow discovered by
> Joxean Koret (see CVE-2005-3737, debian bug 330894).

> Changes:
> inkscape (0.42.2+0.43pre1-1) unstable; urgency=low

> * Just for the record: inkscape version 0.42 and newer is not vulnerable to
> the security bug mentioned in Bug #321501.

> So I'm wondering: why can't this bug be closed, with the appropriate version tag?
> This would also help migrating inkscape into testing, which it cannot do till this bug remains open...

These are not the same bug; 321501 is a tempfile bug, and 330894 is a buffer
overflow. But you're right, based on the available information this bug
should be marked as closed in unstable.

Cheers,
--
Steve Langasek                      Give me a lever long enough and a Free OS
Debian Developer                    to set it on, and I can move the world.
<email address hidden>              http://www.debian.org/

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <20051125095543.GA4924@tie>
Date: Fri, 25 Nov 2005 10:55:48 +0100
From: Guido Trotter <email address hidden>
To: <email address hidden>
Subject: Isn't this fixed in the unstable version of inkscape?


Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 25 Nov 2005 02:12:04 -0800
From: Steve Langasek <email address hidden>
To: Guido Trotter <email address hidden>, <email address hidden>
Subject: Re: Bug#330894: Isn't this fixed in the unstable version of inkscape?


Revision history for this message
In , Wolfram Quester (wolfi) wrote :

Hi Guido,

On Fri, Nov 25, 2005 at 10:55:48AM +0100, Guido Trotter wrote:
>
> Hi!
>
> You wrote two times in the changelog that this issue is resolved:
>
> Changes:
> inkscape (0.43-1) unstable; urgency=high
>
> * urgency=high since this version fixes the buffer overflow discovered by
> Joxean Koret (see CVE-2005-3737, debian bug 330894).
>
> Changes:
> inkscape (0.42.2+0.43pre1-1) unstable; urgency=low
>
> * Just for the record: inkscape version 0.42 and newer is not vulnerable to
> the security bug mentioned in Bug #321501.
>
>
> So I'm wondering: why can't this bug be closed, with the appropriate version tag?
> This would also help migrating inkscape into testing, which it cannot do till this bug remains open...
Yes, you are right. My thinking was that I close this bug when it is
fixed in stable, too. But I see that this was wrong.

Thanks Steve for closing, I hope the security team will upload the fixed
version I sent them to sarge.
>
> Thanks,
>
> Guido
>

With best wishes,

Wolfi

Revision history for this message
Debian Bug Importer (debzilla) wrote :

Message-ID: <email address hidden>
Date: Fri, 25 Nov 2005 14:17:49 +0100
From: Wolfram Quester <email address hidden>
To: Guido Trotter <email address hidden>, <email address hidden>
Subject: Re: Bug#330894: Isn't this fixed in the unstable version of inkscape?

