http://bugzilla.opensuse.org/show_bug.cgi?id=1021315 Bug ID: 1021315 Summary: VUL-1: libXpm: heap overflow Classification: openSUSE Product: openSUSE Distribution Version: Leap 42.2 Hardware: Other OS: Other Status: NEW Severity: Normal Priority: P5 - None Component: Security Assignee: security-team@suse.de Reporter: mikhail.kasimov@gmail.com QA Contact: qa-bugs@suse.de Found By: --- Blocker: --- Created attachment 711152 --> http://bugzilla.opensuse.org/attachment.cgi?id=711152&action=edit proof-of-concept.c Ref: http://seclists.org/oss-sec/2017/q1/167 ======================================================== SUMMARY ======= An out of boundary write has been found in libXpm < 3.5.12 which can be exploited by an attacker through maliciously crafted XPM files. PREREQUISITE ============ For this vulnerability to step in, a program must explicitly request to also parse XPM extensions while reading files. The motif toolkit and xdm are two among some programs that set the flag (XpmReturnExtensions). It can only be exploited on 64 bit systems. DETAILS ======= The affected code is prone to two 32 bit integer overflows while parsing extensions: the amount of extensions and their concatenated length. The fact that two such overflows exist makes it possible to have full control of the memory management. The attacker can choose: - how much heap space is allocated - how many bytes will overflow - the content of the bytes that overflow Due to the integrated gzip compression in XPM files, the file can be as small as 4 MB to trigger this issue, and doesn't need to be larger than 8 MB for a fully arbitrary attack. PROOF OF CONCEPT ================ I have attached two files: poc.c is a vulnerable program that uses libXpm to parse an XPM file, including its extensions. The second file is a maliciously crafted XPM file, which is gzip-compressed thrice to reduce its size to be friendlier for e-mail transmissions. You have to gunzip it twice, which increases its size back to 4 MB. If used with a vulnerable version, the program will trigger a segmentation fault. SOLUTION ======== It is recommend to update to the released libXpm version 3.5.12. The commit that fixes the issue can be found here: https://cgit.freedesktop.org/xorg/lib/libXpm/commit/?id=d1167418f0fd02a27f61... ======================================================== https://software.opensuse.org/package/libXpm TW: 3.5.12 42.2: 3.5.11 42.1: 3.5.11 -- You are receiving this mail because: You are on the CC list for the bug.