Bug 22652 - xv new DoS security issue
Summary: xv new DoS security issue
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal, Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: mga6-64-ok
Keywords: advisory, has_procedure, validated_update
Depends on:
Blocks:
 
Reported: 2018-02-24 23:41 CET by David Walser
Modified: 2018-03-04 19:05 CET (History)
3 users

See Also:
Source RPM: xv-3.10a-16.mga6.nonfree.src.rpm
CVE:
Status comment: Patch available from openSUSE


Description David Walser 2018-02-24 23:41:28 CET
openSUSE has issued an advisory on February 21:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00088.html

Mageia 5 and Mageia 6 are also affected.
David Walser 2018-02-24 23:41:42 CET

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Patch available from openSUSE

Comment 1 Marja Van Waes 2018-02-25 09:08:46 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Mike Rambo 2018-03-02 17:50:55 CET
Someone who knows C better than I will need to evaluate this.

The openSUSE patch has:
--- xv-3.10a/xvpng.c    2017-06-08 14:45:30.462632457 -0500
+++ xvt/xvpng.c 2017-06-08 15:13:32.422848106 -0500
@@ -1149,7 +1149,7 @@ int LoadPNG(fname, pinfo)

     for (i = 0; i < _num_text; i++)
       commentsize += strlen(_text[i].key) + 1 +
-                     _text[i].text_length + 2;
+                     strlen(_text[i].text) + 2;

     if ((pinfo->comment = malloc(commentsize)) == NULL) {
       png_warning(png_ptr,"can't allocate comment string");
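Review bot: the hunk's context lines (`_num_text`, `_text[i]`) do not match the identifiers in the version quoted from the tree (`info_ptr->num_text`, `info_ptr->text[i]`), so `patch` will reject it unless it is rediffed; the actual change is a single expression, replacing `_text[i].text_length + 2` with `strlen(_text[i].text) + 2`, which can be carried over to the `info_ptr->text[i]` form by hand. A one-line comment above the loop explaining why `text_length` cannot be trusted for the allocation would help the next reader, and the patched line relies on `text` being NUL-terminated, which is worth stating.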


The code has:

    for(i = 0; i < info_ptr->num_text; i++)
      commentsize += strlen(info_ptr->text[i].key) + 1 +
                     info_ptr->text[i].text_length + 2;

    if((pinfo->comment = malloc(commentsize)) == NULL) {
      png_warning(png_ptr,"can't allocate comment string");

I can't tell whether the patch is not valid for this version, is already applied, needs to be rediffed, or is simply not needed.

CC: (none) => mrambo

Comment 3 David Walser 2018-03-02 18:02:48 CET
The change from the patch needs to be applied. It should use strlen(info_ptr->text[i].text) instead of info_ptr->text[i].text_length.
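To make the size defect concrete, here is an added C example (not xv's code and not the openSUSE patch) that runs the unpatched and patched commentsize arithmetic over a constructed pair of text entries. The struct is a stand-in for the three libpng png_text fields involved, and it assumes libpng's convention that an iTXt entry reports text_length 0 while text still holds the full string; the entry contents are made up.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the three png_text fields the patch touches.
 * Not libpng's header: in libpng, tEXt/zTXt entries set text_length to the
 * string length, while iTXt entries set text_length to 0 (their length lives
 * in itxt_length), so text_length can be far below strlen(text). */
typedef struct {
    const char *key;
    const char *text;        /* NUL-terminated in both chunk kinds */
    size_t text_length;      /* 0 for iTXt entries */
} text_entry;

/* Unpatched LoadPNG arithmetic: trusts text_length. */
size_t comment_size_unpatched(const text_entry *t, int n) {
    size_t sz = 0;
    for (int i = 0; i < n; i++)
        sz += strlen(t[i].key) + 1 + t[i].text_length + 2;
    return sz;
}

/* Patched arithmetic: measures the string that will actually be copied. */
size_t comment_size_patched(const text_entry *t, int n) {
    size_t sz = 0;
    for (int i = 0; i < n; i++)
        sz += strlen(t[i].key) + 1 + strlen(t[i].text) + 2;
    return sz;
}

/* Bytes by which the unpatched malloc falls short of the copy that follows. */
size_t undercount(const text_entry *t, int n) {
    return comment_size_patched(t, n) - comment_size_unpatched(t, n);
}

/* Constructed sample entries (values made up): one tEXt, one iTXt. */
#define SAMPLE_COUNT 2
static const text_entry SAMPLE[SAMPLE_COUNT] = {
    { "Software", "GIMP 2.8", 8 },          /* tEXt: lengths agree */
    { "Comment", "Created with GIMP", 0 },  /* iTXt: text_length is 0 */
};

int main(void) {
    printf("unpatched malloc size: %zu\n", comment_size_unpatched(SAMPLE, SAMPLE_COUNT));
    printf("patched malloc size:   %zu\n", comment_size_patched(SAMPLE, SAMPLE_COUNT));
    printf("short by:              %zu bytes\n", undercount(SAMPLE, SAMPLE_COUNT));
    return 0;
}
```

With the sample above the unpatched formula allocates 29 bytes for a comment that needs 46, so every byte of the iTXt text written afterwards lands past the end of the heap block.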
Comment 4 Mike Rambo 2018-03-02 19:31:44 CET
Patched package built for cauldron and Mageia 6.

Advisory:
========================

Updated xv package fixes DoS security vulnerability:

It was discovered that png images created in gimp would crash xv.

References:
https://lists.opensuse.org/opensuse-updates/2018-02/msg00088.html
========================

Updated packages in core/updates_testing:
========================
xv-3.10a-16.1.mga6

from xv-3.10a-16.1.mga6.src.rpm

Version: Cauldron => 6
Whiteboard: MGA6TOO => (none)
Assignee: pkg-bugs => qa-bugs

Comment 5 claire robinson 2018-03-04 14:40:28 CET
Testing complete mga6 64

Didn't find a PoC image so created a simple png image in gimp.
Saw no evidence of DoS but no regression when updated either.

$ xv Gimp-PNG.png

Whiteboard: (none) => mga6-64-ok
Keywords: (none) => has_procedure

Comment 6 claire robinson 2018-03-04 14:52:47 CET
Advisory uploaded. Validating.

Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2018-03-04 19:05:37 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0157.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

