Debian Bug report logs - #279726
CAN-2003-0541: null pointer dereference security hole


Package: gtkhtml; Maintainer for gtkhtml is (unknown);

Reported by: Joey Hess <joeyh@debian.org>

Date: Thu, 4 Nov 2004 22:03:03 UTC

Severity: grave

Tags: patch, security, woody

Found in version 1.0.4-5.1

Done: Thomas Bushnell BSG <tb@becket.net>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#279726; Package gtkhtml.

Acknowledgement sent to Joey Hess <joeyh@debian.org>:
New Bug report received and forwarded. Copy sent to Takuo KITAME <kitame@debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: CAN-2003-0541: null pointer dereference security hole
Date: Thu, 4 Nov 2004 16:52:50 -0500
Package: gtkhtml
Version: 1.0.4-5.1
Severity: grave
Tags: security patch

According to CAN-2003-0541, "gtkhtml before 1.1.10, as used in
Evolution, allows remote attackers to cause a denial of service (crash)
via a malformed message that causes a null pointer dereference."

There's some more info in the redhat advisory
(http://rhn.redhat.com/errata/RHSA-2003-264.html):

  Versions of GtkHTML prior to 1.1.10 contain a bug when handling HTML
  messages. Alan Cox discovered that certain malformed messages could cause
  the Evolution mail component to crash due to a null pointer dereference in
  the GtkHTML library. The Common Vulnerabilities and Exposures project
  (cve.mitre.org) has assigned the name CAN-2003-0541 to this issue.

  Users of Evolution are advised to upgrade to these erratum packages, which
  contain GtkHTML version 1.1.10 correcting this issue.

Debian's evolution package is built with gtkhtml3.2, which is a much newer
version and not vulnerable. So evolution is safe, but there is always
the possibility that something else built against the old version of gtkhtml
could be exploited by this hole.

Of the software in Debian, only gnuvd-gnome is still linked to this library
and likely to feed untrusted html to gtkhtml. I have not checked to see if
the hole can be exploited using gnuvd-gnome.

I've attached a patch which I took from the Mandrake security advisory.

-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.4.27
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)

Versions of packages gtkhtml depends on:
ii  bonobo                    1.0.22-2.2     The GNOME Bonobo System.
ii  gdk-imlib1                1.9.14-16      imaging library for use with gtk (
ii  libart2                   1.4.2-19       The GNOME canvas widget - runtime 
ii  libaudiofile0             0.2.6-4        Open-source version of SGI's audio
ii  libbonobo2                1.0.22-2.2     The GNOME Bonobo library.
ii  libc6                     2.3.2.ds1-18   GNU C Library: Shared libraries an
pn  libcapplet1                              Not found.
ii  libdb3                    3.2.9-20       Berkeley v3 Database Libraries [ru
ii  libesd0                   0.2.35-2       Enlightened Sound Daemon - Shared 
ii  libfreetype6              2.1.7-2.2      FreeType 2 font engine, shared lib
ii  libgal23                  0.24-1.3       G App Libs (run time library)
ii  libgdk-pixbuf-gnome2      0.22.0-7       The GNOME1 Canvas pixbuf library
ii  libgdk-pixbuf2            0.22.0-7       The GdkPixBuf image library, gtk+ 
ii  libghttp1                 1.0.9-15       original GNOME HTTP client library
ii  libglade-gnome0           1:0.17-3       Library to load .glade files at ru
ii  libglade0                 1:0.17-3       Library to load .glade files at ru
ii  libglib1.2                1.2.10-9       The GLib library of C routines
ii  libgnome32                1.4.2-19       The GNOME libraries
ii  libgnomeprint15           0.37-5         The GNOME Print architecture - run
ii  libgnomesupport0          1.4.2-19       The GNOME libraries (Support libra
ii  libgnomeui32              1.4.2-19       The GNOME libraries (User Interfac
ii  libgnorba27               1.4.2-19       GNOME CORBA services
ii  libgtk1.2                 1.2.10-17      The GIMP Toolkit set of widgets fo
pn  libgtkhtml-data                          Not found.
ii  libgtkhtml20              1.0.4-6.1      HTML rendering/editing library - r
ii  liboaf0                   0.6.10-3       The GNOME Object Activation Framew
ii  liborbit0                 0.5.17-9       Libraries for ORBit - a CORBA ORB
ii  libpopt0                  1.7-5          lib for parsing cmdline parameters
ii  libwrap0                  7.6.dbs-6      Wietse Venema's TCP wrappers libra
ii  libxml1                   1:1.8.17-9     GNOME XML library
ii  oaf                       0.6.10-3       The GNOME Object Activation Framew
ii  xlibs                     4.3.0.dfsg.1-8 X Window System client libraries m
ii  zlib1g                    1:1.2.2-3      compression library - runtime

-- 
see shy jo
[gtkhtml-1.0.2-textslave.patch (text/plain, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#279726; Package gtkhtml.

Acknowledgement sent to Frank Lichtenheld <djpig@debian.org>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>.

Message #10 received at 279726@bugs.debian.org:

From: Frank Lichtenheld <djpig@debian.org>
To: 280134@bugs.debian.org, 279746@bugs.debian.org, 279747@bugs.debian.org, 279726@bugs.debian.org
Subject: Status of security bug
Date: Thu, 11 Nov 2004 22:24:09 +0100
Hi.

This mail goes to some security-related RC bugs in unstable/testing
which all have a patch and are about a week old. I just wanted to ask
what the status of the fixes is and if NMUs would be welcome in any
case.

Gruesse,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/



Tags added: fixed. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.

Information forwarded to debian-bugs-dist@lists.debian.org, Takuo KITAME <kitame@debian.org>:
Bug#279726; Package gtkhtml.

Acknowledgement sent to Frank Lichtenheld <djpig@debian.org>:
Extra info received and forwarded to list. Copy sent to Takuo KITAME <kitame@debian.org>.

Message #17 received at 279726@bugs.debian.org:

From: Frank Lichtenheld <djpig@debian.org>
To: Joey Hess <joeyh@debian.org>, 279726@bugs.debian.org
Subject: Re: Bug#279726: CAN-2003-0541: null pointer dereference security hole
Date: Thu, 18 Nov 2004 15:54:49 +0100
On Thu, Nov 04, 2004 at 04:52:50PM -0500, Joey Hess wrote:
> 
> I've attached a patch which I took from the Mandrake security advisory.

I've uploaded a NMU with Joey's patch. Final NMU patch:

diff -Naur gtkhtml-1.0.4.bak/debian/changelog gtkhtml-1.0.4/debian/changelog
--- gtkhtml-1.0.4.bak/debian/changelog	2004-11-17 14:05:53.000000000 +0100
+++ gtkhtml-1.0.4/debian/changelog	2004-11-17 14:48:34.000000000 +0100
@@ -1,3 +1,12 @@
+gtkhtml (1.0.4-6.2) unstable; urgency=high
+
+  * Non-maintainer upload to fix security issue.
+  * CAN-2003-0541: Apply patch to prevent DoS (crash) caused by
+    malformed messages. Patch provided by Joey Hess.
+    (Closes: #279726)
+
+ -- Frank Lichtenheld <djpig@debian.org>  Wed, 17 Nov 2004 14:45:34 +0100
+
 gtkhtml (1.0.4-6.1) unstable; urgency=high
 
   * Non-maintainer upload.
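Review bot: the changelog entry credits the patch to Joey Hess, but the report itself says the patch was taken from the Mandrake security advisory; naming the origin (e.g. "patch from the Mandrake advisory, via Joey Hess") and the patched file (src/htmltextslave.c) in the entry makes it easier to match this backport against the upstream fix in GtkHTML 1.1.10 later.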
diff -Naur gtkhtml-1.0.4.bak/src/htmltextslave.c gtkhtml-1.0.4/src/htmltextslave.c
--- gtkhtml-1.0.4.bak/src/htmltextslave.c	2001-12-04 22:16:33.000000000 +0100
+++ gtkhtml-1.0.4/src/htmltextslave.c	2004-11-17 14:45:27.000000000 +0100
@@ -348,12 +348,13 @@
 
 	sep = begin = html_text_get_text (text, slave->posStart);
 
-	while (sep
+	while (sep && *sep 
 	       && widthLeft >= get_words_width (text, painter, slave->start_word, words + 1)
 	       + (slave->start_word + words + 1 == text->words ? get_next_nb_width (slave, painter) : 0)) {
 		words ++;
 		lsep   = sep;
-		sep    = strchr (lsep + (words > 1 ? 1 : 0), ' ');
+		if (sep)
+			sep    = strchr (lsep + (words > 1 ? 1 : 0), ' ');
 		pos    = sep ? g_utf8_pointer_to_offset (begin, sep) : g_utf8_strlen (begin, -1);
 		if (words + slave->start_word >= text->words)
 			break;
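Review bot: the new `if (sep)` guard in front of the `strchr` call is dead code. The loop condition `while (sep && *sep ...)` already guarantees that `sep` is non-null whenever the body runs, and `lsep = sep;` executes unconditionally on the line above, so the guard can never be false. The only behavioural change in this hunk is the added `*sep` test: a segment that starts at the terminating NUL (an empty string returned by `html_text_get_text`) no longer enters the body, so `words` is no longer incremented for a word that does not exist. Suggest dropping the `if (sep)` wrapper, adding a one-line comment stating why an empty segment must not be counted, and removing the trailing whitespace after `*sep` on the `while` line.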

Gruesse,
-- 
Frank Lichtenheld <djpig@debian.org>
www: http://www.djpig.de/



Tags removed: fixed. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.

Tags added: sarge, woody. Request was from Frank Lichtenheld <djpig@debian.org> to control@bugs.debian.org.

Tags removed: sarge. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org.

Reply sent to Thomas Bushnell BSG <tb@becket.net>:
You have taken responsibility.

Notification sent to Joey Hess <joeyh@debian.org>:
Bug acknowledged by developer.

Message #28 received at 279726-done@bugs.debian.org:

From: Thomas Bushnell BSG <tb@becket.net>
To: joeyh@debian.org, 279726-done@bugs.debian.org
Subject: #279726: CAN-2003-0541: null pointer dereference security hole
Date: Wed, 01 Jun 2005 23:21:32 -0700
This bug (long fixed in unstable) is now fixed in stable, as of Debian
3.0 release 6, in gtkhtml-1.0.2-1.woody1.

Thomas






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 05:47:12 2014; Machine Name: buxtehude.debian.org
