Bug 1021315 - (CVE-2016-10164) VUL-0: CVE-2016-10164: libXpm: heap overflow
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: unspecified
Assigned To: Security Team bot
CVSSv2:NVD:CVE-2016-10164:7.5:(AV:N/A...
Depends on:
Blocks:
Reported: 2017-01-22 14:33 UTC by Mikhail Kasimov
Modified: 2017-06-13 06:40 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
proof-of-concept.c (586 bytes, text/x-csrc), 2017-01-22 14:33 UTC, Mikhail Kasimov
proof-of-concept (1.03 KB, application/force-download), 2017-01-22 14:34 UTC, Mikhail Kasimov
PoC source code (586 bytes, text/x-c), 2017-01-24 11:31 UTC, Matthias Gerstner

Description Mikhail Kasimov 2017-01-22 14:33:34 UTC
Created attachment 711152 [details]
proof-of-concept.c

Ref: http://seclists.org/oss-sec/2017/q1/167

========================================================
SUMMARY
=======
An out of boundary write has been found in libXpm < 3.5.12 which can be
exploited by an attacker through maliciously crafted XPM files.

PREREQUISITE
============
For this vulnerability to step in, a program must explicitly request
to also parse XPM extensions while reading files. The motif toolkit and
xdm are two among some programs that set the flag (XpmReturnExtensions).
It can only be exploited on 64 bit systems.

DETAILS
=======
The affected code is prone to two 32 bit integer overflows while parsing
extensions: the amount of extensions and their concatenated length. The
fact that two such overflows exist makes it possible to have full
control of the memory management. The attacker can choose:

- how much heap space is allocated
- how many bytes will overflow
- the content of the bytes that overflow

Due to the integrated gzip compression in XPM files, the file can be
as small as 4 MB to trigger this issue, and doesn't need to be larger
than 8 MB for a fully arbitrary attack.

PROOF OF CONCEPT
================
I have attached two files: poc.c is a vulnerable program that uses
libXpm to parse an XPM file, including its extensions. The second file
is a maliciously crafted XPM file, which is gzip-compressed thrice to
reduce its size to be friendlier for e-mail transmissions. You have to
gunzip it twice, which increases its size back to 4 MB. If used with a
vulnerable version, the program will trigger a segmentation fault.

SOLUTION
========
It is recommended to update to the released libXpm version 3.5.12.

The commit that fixes the issue can be found here:
https://cgit.freedesktop.org/xorg/lib/libXpm/commit/?id=d1167418f0fd02a27f617ec5afd6db053afbe185
========================================================

https://software.opensuse.org/package/libXpm

TW: 3.5.12
42.2: 3.5.11
42.1: 3.5.11
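The bug class described in the advisory's DETAILS section (an allocation size derived from two attacker-controlled 32-bit counters: the number of extensions and their concatenated length) can be made concrete with a small C program. This is an added example, not libXpm's code and not the attached proof of concept: the 16-byte entry size, the function names and the counters used in main are constructed for illustration. It puts the wrapping 32-bit sizing next to an overflow-checked size_t version that a parser can use to refuse such input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed toy: a table of EXT_ENTRY_BYTES-byte entries, one per
 * extension, followed by the concatenated extension text.  The entry size
 * is an assumption for this example, not a libXpm structure. */
#define EXT_ENTRY_BYTES 16u

/* Vulnerable pattern: the size is computed in 32-bit unsigned arithmetic and
 * wraps silently.  On a 64-bit host the wrapped value is widened to size_t on
 * its way into malloc, so a true requirement of 4 GiB + 32 bytes becomes a
 * 32-byte allocation while the copy loop still writes the full amount. */
unsigned int unsafe_ext_bytes(unsigned int count, unsigned int total_len)
{
    return count * EXT_ENTRY_BYTES + total_len;   /* may wrap */
}

/* Does the 32-bit sizing come out smaller than what would actually be
 * written?  The true requirement is computed in 64 bits.  Returns 1 when the
 * unsafe size is undersized, i.e. a heap overflow would follow. */
int unsafe_sizing_is_undersized(uint32_t count, uint32_t total_len)
{
    uint64_t needed = (uint64_t)count * EXT_ENTRY_BYTES + total_len;
    return (uint64_t)unsafe_ext_bytes(count, total_len) < needed;
}

/* Hardened pattern: do the arithmetic in size_t and reject any step that
 * would wrap.  Returns 1 and stores the byte count on success, 0 on overflow. */
int safe_ext_bytes(size_t count, size_t total_len, size_t *bytes_out)
{
    if (count > SIZE_MAX / EXT_ENTRY_BYTES)
        return 0;                                  /* count * entry would wrap */
    size_t table = count * EXT_ENTRY_BYTES;
    if (total_len > SIZE_MAX - table)
        return 0;                                  /* table + payload would wrap */
    *bytes_out = table + total_len;
    return 1;
}

/* Single-value convenience: the checked byte count, or 0 when the arithmetic
 * would wrap (callers treat 0 as "refuse this input"). */
size_t checked_ext_bytes_or_zero(size_t count, size_t total_len)
{
    size_t bytes;
    return safe_ext_bytes(count, total_len, &bytes) ? bytes : 0;
}

/* Allocate the table with the checked size, or refuse.  A parser built on
 * this cannot be steered into an undersized buffer by large counters. */
void *alloc_ext_table(size_t count, size_t total_len, size_t *bytes_out)
{
    size_t bytes;
    if (!safe_ext_bytes(count, total_len, &bytes))
        return NULL;
    void *p = malloc(bytes);
    if (p && bytes_out)
        *bytes_out = bytes;
    return p;
}

int main(void)
{
    /* Constructed counters: 2^28 entries of 16 bytes is exactly 2^32 bytes,
     * which wraps to 0 in 32-bit arithmetic; only the 32-byte payload is
     * left in the allocation request. */
    uint32_t count = 0x10000000u, total_len = 32u;
    size_t bytes;

    printf("unsafe size: %u bytes (undersized: %s)\n",
           unsafe_ext_bytes(count, total_len),
           unsafe_sizing_is_undersized(count, total_len) ? "yes" : "no");
    if (safe_ext_bytes(count, total_len, &bytes))
        printf("checked size: %zu bytes\n", bytes);
    else
        printf("checked size: rejected (would overflow size_t)\n");

    void *table = alloc_ext_table(4, 100, &bytes);
    printf("4 entries + 100 bytes: %s (%zu bytes)\n",
           table ? "allocated" : "refused", bytes);
    free(table);
    printf("SIZE_MAX entries: %s\n",
           alloc_ext_table(SIZE_MAX, 1, NULL) ? "allocated" : "refused");
    return 0;
}
```

The undersized check is what the advisory's 64-bit remark amounts to for this pattern: the process has the address space to hold the real payload, but the buffer it writes into was sized from the wrapped 32-bit value. The checked version rejects before allocating, which is the shape of fix a parser of untrusted files needs wherever a size is a product or sum of values read from the input.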
Comment 1 Mikhail Kasimov 2017-01-22 14:34:09 UTC
Created attachment 711153 [details]
proof-of-concept
Comment 2 Swamp Workflow Management 2017-01-22 23:00:45 UTC
bugbot adjusting priority
Comment 3 Stefan Dirsch 2017-01-23 16:07:20 UTC
Hmm. Is there a CVE number available?
Comment 4 Stefan Dirsch 2017-01-23 16:10:17 UTC
Ah. This is still a CVE request ...
Comment 5 Mikhail Kasimov 2017-01-23 16:11:43 UTC
(In reply to Stefan Dirsch from comment #3)
> Hmm. Is there a CVE number available?

Not yet. Initial request (see http://seclists.org/oss-sec/2017/q1/167) is still waiting for its CVE-num from CVE Assignment Team.
Comment 6 Stefan Dirsch 2017-01-23 16:12:59 UTC
Issue is, almost all git commits between 3.5.11 and 3.5.12 appear to be security related ...
Comment 7 Matthias Gerstner 2017-01-24 11:31:37 UTC
Created attachment 711374 [details]
PoC source code
Comment 9 Matthias Gerstner 2017-01-24 11:36:00 UTC
(In reply to sndirsch@suse.com from comment #6)
> Issue is, almost all git commits between 3.5.11 and 3.5.12 appear to be security related ...

I've had a look at the commits between the two tags. The diff is not very
large. So maybe you may want to fix this by updating to 3.5.12.
Comment 10 Stefan Dirsch 2017-01-24 11:52:27 UTC
Well, usually I hear from our dedicated security team once an open CVE ticket exists which affects us. ;-) I can't do much now. It would be just a waste of time fixing this one issue, when there are more of these in libXpm, which is rather likely.
Comment 11 Stefan Dirsch 2017-01-24 11:53:24 UTC
So expect this bug to be closed as duplicate of another bug in the future, which you won't be able to access. LOL.
Comment 12 Mikhail Kasimov 2017-01-24 12:03:13 UTC
That happened several times before with my reports in boo. That's normal, I feel no disappointment about this. :)

CVE Assignment Team doesn't hurry to assign CVE-num...
Comment 14 Stefan Dirsch 2017-01-24 14:23:16 UTC
Argh. Always these bug hijackers. ;-) Sure I can add just all patches between 3.5.11 and 3.5.12 as security update, if this is wanted. Just updating to a new release (tarball) is against our policy AFAIK.
Comment 15 Matthias Gerstner 2017-01-24 15:10:56 UTC
(In reply to sndirsch@suse.com from comment #14)

> Sure I can add just all patches between 3.5.11 and 3.5.12 as security
> update, if this is wanted. Just updating to a new release (tarball) is against
> our policy AFAIK.

Yes, you're right.

If you could add all security relevant patches between 3.5.11 and 3.5.12
that'd be great.

Thank you!
Comment 16 Stefan Dirsch 2017-01-24 15:29:50 UTC
Note to myself.

openSUSE 42.1/42.2: libXpm (3.5.11)
sle12: libXpm (3.5.11)
sle11-sp4: xorg-x11-libXpm (3.5.7)
sles10-sp3-teradata: xorg-x11 (version unknown, X.Org release 6.9.0)
Comment 17 Matthias Gerstner 2017-01-25 09:01:53 UTC
A CVE has been assigned for this issue:

Use CVE-2016-10164.
Comment 18 Stefan Dirsch 2017-01-31 11:27:07 UTC
openSUSE 42.1/42.2: SR#453588
sle12: SR#127425
Comment 20 Stefan Dirsch 2017-01-31 12:38:39 UTC
sle11-sp4: SR #127430
Comment 21 Bernhard Wiedemann 2017-01-31 13:02:08 UTC
This is an autogenerated message for OBS integration:
This bug (1021315) was mentioned in
https://build.opensuse.org/request/show/453588 42.1+42.2 / libXpm
Comment 22 Stefan Dirsch 2017-01-31 13:05:30 UTC
sles10-sp3-teradata: SR #127436
Comment 23 Stefan Dirsch 2017-01-31 13:10:28 UTC
Update done. Reassigning to sec team.
Comment 25 Swamp Workflow Management 2017-02-01 12:58:28 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-02-15.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63372
Comment 26 Swamp Workflow Management 2017-02-15 11:09:27 UTC
SUSE-SU-2017:0467-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1021315
CVE References: CVE-2016-10164
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    libXpm-3.5.11-5.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    libXpm-3.5.11-5.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    libXpm-3.5.11-5.1
SUSE Linux Enterprise Server 12-SP2 (src):    libXpm-3.5.11-5.1
SUSE Linux Enterprise Server 12-SP1 (src):    libXpm-3.5.11-5.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    libXpm-3.5.11-5.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    libXpm-3.5.11-5.1
Comment 27 Matthias Gerstner 2017-02-15 11:13:35 UTC
Update for SLE-12:Update just released, openSUSE comes from SLE. All fixed.
Comment 28 Swamp Workflow Management 2017-02-15 17:08:27 UTC
SUSE-SU-2017:0470-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1021315
CVE References: CVE-2016-10164
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    xorg-x11-libXpm-7.4-3.1
SUSE Linux Enterprise Server 11-SP4 (src):    xorg-x11-libXpm-7.4-3.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    xorg-x11-libXpm-7.4-3.1
Comment 29 Swamp Workflow Management 2017-02-23 14:09:50 UTC
openSUSE-SU-2017:0557-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1021315
CVE References: CVE-2016-10164
Sources used:
openSUSE Leap 42.2 (src):    libXpm-3.5.11-8.1
openSUSE Leap 42.1 (src):    libXpm-3.5.11-7.1