Bug 22652

Summary: xv new DoS security issue
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: marja11, mhrambo3501, sysadmin-bugs
Version: 6Keywords: advisory, has_procedure, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: mga6-64-ok
Source RPM: xv-3.10a-16.mga6.nonfree.src.rpm CVE:
Status comment: Patch available from openSUSE

Description David Walser 2018-02-24 23:41:28 CET 
openSUSE has issued an advisory on February 21:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00088.html

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-02-24 23:41:42 CET

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Patch available from openSUSE

Comment 1 Marja Van Waes 2018-02-25 09:08:46 CET 
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Mike Rambo 2018-03-02 17:50:55 CET 
Someone who knows C better than I will need to evaluate this.

The openSUSE patch has:
--- xv-3.10a/xvpng.c    2017-06-08 14:45:30.462632457 -0500
+++ xvt/xvpng.c 2017-06-08 15:13:32.422848106 -0500
@@ -1149,7 +1149,7 @@ int LoadPNG(fname, pinfo)

     for (i = 0; i < _num_text; i++)
       commentsize += strlen(_text[i].key) + 1 +
-                     _text[i].text_length + 2;
+                     strlen(_text[i].text) + 2;

     if ((pinfo->comment = malloc(commentsize)) == NULL) {
       png_warning(png_ptr,"can't allocate comment string");


The code has:

    for(i = 0; i < info_ptr->num_text; i++)
      commentsize += strlen(info_ptr->text[i].key) + 1 +
                     info_ptr->text[i].text_length + 2;

    if((pinfo->comment = malloc(commentsize)) == NULL) {
      png_warning(png_ptr,"can't allocate comment string");

I can't tell whether the patch is not valid for this version, is already applied, needs to be rediffed, or is simply not needed.

CC: (none) => mrambo

Comment 3 David Walser 2018-03-02 18:02:48 CET 
The change from the patch needs to be applied.  It should use strlen(info_ptr->text[i].text) instead of info_ptr->text[i].text_length
Comment 4 Mike Rambo 2018-03-02 19:31:44 CET 
Patched package built for cauldron and Mageia 6.

Advisory:
========================

Updated xv package fixes DoS security vulnerability:

It was discovered that png images created in gimp would crash xv.

References:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00088.html
========================

Updated packages in core/updates_testing:
========================
xv-3.10a-16.1.mga6

from xv-3.10a-16.1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs

Comment 5 claire robinson 2018-03-04 14:40:28 CET 
Testing complete mga6 64

Didn't find a PoC image so created a simple png image in gimp.
Saw no evidence of DoS but no regression when updated either.

$ xv Gimp-PNG.png

Whiteboard: (none) => mga6-64-ok
Keywords: (none) => has_procedure

Comment 6 claire robinson 2018-03-04 14:52:47 CET 
Advisory uploaded. Validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-03-04 19:05:37 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0157.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED