Debian Bug report logs - #457764
xemacs21: CVE-2007-6109 buffer overflow via a large precision value in an integer format string


Package: xemacs21; Maintainer for xemacs21 is Mark Brown <broonie@debian.org>; Source for xemacs21 is src:xemacs21.

Reported by: Nico Golde <nion@debian.org>

Date: Tue, 25 Dec 2007 13:15:01 UTC

Severity: grave

Tags: security

Fixed in version xemacs21/21.4.21-4

Done: OHURA Makoto <ohura@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, OHURA Makoto <ohura@debian.org>:
Bug#457764; Package xemacs21. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
New Bug report received and forwarded. Copy sent to OHURA Makoto <ohura@debian.org>. Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: submit@bugs.debian.org
Subject: xemacs21: CVE-2007-6109 buffer overflow via a large precision value in an integer format string
Date: Tue, 25 Dec 2007 14:13:09 +0100
Package: xemacs21
Severity: grave
Tags: security

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for xemacs21.

CVE-2007-6109[0]:
| Stack-based buffer overflow in emacs allows user-assisted attackers to
| cause a denial of service (application crash) and possibly have
| unspecified other impact via a large precision value in an integer
| format string specifier to the format function, as demonstrated via a
| certain "emacs -batch -eval" command line.

We believed that xemacs21 is unaffected by this first but it
turned out (Thanks to Florian) that it actually is but at a
different place:
src/doprnt.c:

              /* Mostly reconstruct the spec and use sprintf() to
                 format the string. */

              *p++ = '%';
              if (spec->plus_flag)   *p++ = '+';
              if (spec->space_flag)  *p++ = ' ';
              if (spec->number_flag) *p++ = '#';
              if (spec->minus_flag)  *p++ = '-';
              if (spec->zero_flag)   *p++ = '0';

              if (spec->minwidth >= 0)
                p = long_to_string (p, spec->minwidth);
              if (spec->precision >= 0)
                {
                  *p++ = '.';
                  p = long_to_string (p, spec->precision);
                }

              if (strchr (double_converters, ch))
                {
                  *p++ = ch;
                  *p++ = '\0';
                  sprintf (text_to_print, constructed_spec, arg.d);
                }
              else
                {
                  *p++ = 'l';   /* Always use longs with sprintf() */
                  *p++ = ch;
                  *p++ = '\0';

                  if (strchr (unsigned_int_converters, ch))
                    sprintf (text_to_print, constructed_spec, arg.ul);
                  else
                    sprintf (text_to_print, constructed_spec, arg.l);
                }

If you fix this vulnerability please also include the CVE id
in your changelog entry.

For further information:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6109

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Information forwarded to debian-bugs-dist@lists.debian.org, OHURA Makoto <ohura@debian.org>:
Bug#457764; Package xemacs21. Full text and rfc822 format available.

Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to OHURA Makoto <ohura@debian.org>. Full text and rfc822 format available.

Message #10 received at 457764@bugs.debian.org (full text, mbox):

From: Nico Golde <nion@debian.org>
To: 457764@bugs.debian.org
Subject: Re: Bug#457764: xemacs21: CVE-2007-6109 buffer overflow via a large precision value in an integer format string
Date: Sat, 5 Jan 2008 14:56:51 +0100
Hi,
* Nico Golde <nion@debian.org> [2007-12-25 14:18]:
[...] 
> We believed that xemacs21 is unaffected by this first but it
> turned out (Thanks to Florian) that it actually is but at a
> different place:
> src/doprnt.c:
[...] 
It turned out that this is actually no bug in the quoted 
code because the precision is taken into account when 
reserving memory for the buffer. Unfortunately this is the 
problem because:
#define alloca_array(type, len) ((type *) alloca ((len) * sizeof (type)))

this does not do any checks and also includes an integer 
overflow and thus it is still possible to reproduce this 
problem. So the obvious thing is to fix this macro which 
should be quite important because alloca_array is used at a 
bunch of different places in the code.

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
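The alloca_array weakness described in the message above, illustrated with an added example that is not xemacs code: the macro's unchecked size product beside a checked, heap-backed replacement in the spirit of the malloc(3) fix. MAX_ARRAY_BYTES, the function names and the sample length value are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>

/* The macro as quoted from src/doprnt.c: no range check on len, and
 * (len) * sizeof (type) can wrap before alloca() ever sees it.
 * Kept here for contrast only; it is deliberately never expanded. */
#define alloca_array(type, len) ((type *) alloca ((len) * sizeof (type)))

/* Hypothetical cap on one formatted field (1 MiB); a real port would choose
 * a limit that fits its callers and apply it everywhere alloca_array was. */
#define MAX_ARRAY_BYTES ((size_t)1 << 20)

/* What the macro computes: the product silently wraps modulo SIZE_MAX + 1. */
size_t unchecked_array_bytes(long len, size_t elem_size)
{
    return (size_t)len * elem_size;
}

/* Checked size computation: returns the byte count, or -1 when len is
 * negative, the multiplication would wrap, or the result exceeds the cap.
 * len is long because the precision arrives as a long in doprnt.c. */
long checked_array_bytes(long len, size_t elem_size)
{
    if (len < 0 || elem_size == 0)
        return -1;
    size_t n = (size_t)len;
    if (n > SIZE_MAX / elem_size)      /* n * elem_size would overflow */
        return -1;
    size_t bytes = n * elem_size;
    if (bytes > MAX_ARRAY_BYTES)       /* too big for a scratch buffer */
        return -1;
    return (long)bytes;
}

/* Heap-backed replacement for alloca_array, the route the Debian fix took
 * (malloc(3) instead of alloca(3)); returns NULL rather than overflowing
 * the stack. The caller frees the result. */
void *malloc_array_checked(long len, size_t elem_size)
{
    long bytes = checked_array_bytes(len, elem_size);
    return bytes < 0 ? NULL : malloc((size_t)bytes);
}

int main(void)
{
    /* Constructed length whose 4-byte element product wraps to exactly 0. */
    long wrap_len = (long)(SIZE_MAX / 4 + 1);
    return (unchecked_array_bytes(wrap_len, 4) == 0 &&
            checked_array_bytes(wrap_len, 4) == -1) ? 0 : 1;
}
```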

Reply sent to OHURA Makoto <ohura@debian.org>:
You have taken responsibility. Full text and rfc822 format available.

Notification sent to Nico Golde <nion@debian.org>:
Bug acknowledged by developer. Full text and rfc822 format available.

Message #15 received at 457764-close@bugs.debian.org (full text, mbox):

From: OHURA Makoto <ohura@debian.org>
To: 457764-close@bugs.debian.org
Subject: Bug#457764: fixed in xemacs21 21.4.21-4
Date: Sun, 27 Jul 2008 14:02:08 +0000
Source: xemacs21
Source-Version: 21.4.21-4

We believe that the bug you reported is fixed in the latest version of
xemacs21, which is due to be installed in the Debian FTP archive:

xemacs21-bin_21.4.21-4_i386.deb
  to pool/main/x/xemacs21/xemacs21-bin_21.4.21-4_i386.deb
xemacs21-gnome-mule-canna-wnn_21.4.21-4_i386.deb
  to pool/main/x/xemacs21/xemacs21-gnome-mule-canna-wnn_21.4.21-4_i386.deb
xemacs21-gnome-mule_21.4.21-4_i386.deb
  to pool/main/x/xemacs21/xemacs21-gnome-mule_21.4.21-4_i386.deb
xemacs21-gnome-nomule_21.4.21-4_i386.deb
  to pool/main/x/xemacs21/xemacs21-gnome-nomule_21.4.21-4_i386.deb
xemacs21-mule-canna-wnn_21.4.21-4_i386.deb
  to pool/main/x/xemacs21/xemacs21-mule-canna-wnn_21.4.21-4_i386.deb
xemacs21-mule_21.4.21-4_i386.deb
  to pool/main/x/xemacs21/xemacs21-mule_21.4.21-4_i386.deb
xemacs21-nomule_21.4.21-4_i386.deb
  to pool/main/x/xemacs21/xemacs21-nomule_21.4.21-4_i386.deb
xemacs21-support_21.4.21-4_all.deb
  to pool/main/x/xemacs21/xemacs21-support_21.4.21-4_all.deb
xemacs21-supportel_21.4.21-4_all.deb
  to pool/main/x/xemacs21/xemacs21-supportel_21.4.21-4_all.deb
xemacs21_21.4.21-4.diff.gz
  to pool/main/x/xemacs21/xemacs21_21.4.21-4.diff.gz
xemacs21_21.4.21-4.dsc
  to pool/main/x/xemacs21/xemacs21_21.4.21-4.dsc
xemacs21_21.4.21-4_all.deb
  to pool/main/x/xemacs21/xemacs21_21.4.21-4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 457764@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
OHURA Makoto <ohura@debian.org> (supplier of updated xemacs21 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.8
Date: Sun, 27 Jul 2008 17:42:21 +0900
Source: xemacs21
Binary: xemacs21 xemacs21-mule xemacs21-nomule xemacs21-mule-canna-wnn xemacs21-bin xemacs21-support xemacs21-supportel xemacs21-gnome-mule xemacs21-gnome-nomule xemacs21-gnome-mule-canna-wnn
Architecture: source all i386
Version: 21.4.21-4
Distribution: unstable
Urgency: high
Maintainer: OHURA Makoto <ohura@debian.org>
Changed-By: OHURA Makoto <ohura@debian.org>
Description: 
 xemacs21   - highly customizable text editor
 xemacs21-bin - highly customizable text editor -- support binaries
 xemacs21-gnome-mule - highly customizable text editor -- Mule binary
 xemacs21-gnome-mule-canna-wnn - highly customizable text editor -- Mule binary compiled with Cann
 xemacs21-gnome-nomule - highly customizable text editor -- Non-mule binary
 xemacs21-mule - highly customizable text editor -- Mule binary
 xemacs21-mule-canna-wnn - highly customizable text editor -- Mule binary compiled with Cann
 xemacs21-nomule - highly customizable text editor -- Non-mule binary
 xemacs21-support - highly customizable text editor -- architecture independent suppo
 xemacs21-supportel - highly customizable text editor -- non-required library files
Closes: 457764 476613
Changes: 
 xemacs21 (21.4.21-4) unstable; urgency=high
 .
   * Set urgency to high to fix RC bugs.
   * debian/patches/10_doprnt_use_malloc.dpatch: New patch.
     - Use malloc(3) instead of alloca(3).  (CVE-2007-6109) (Closes: #457764)
   * debian/patches/10_vcdiff_use_mktemp.dpatch: New patch.
     - Fix insecure usage of temporary files. (CVE-2008-1694)
     (Closes: #476613)
   * debian/rules: Add -Wall and -O2 to CFLAGS.
   * debian/control.in:
     - Update Standards-Version.
     - Remove Build-dependency on x-dev.
     - Add Build-dependency on autotools-dev.
   * debian/PackagesMakefile.in: Sync with newer config.sub and
     config.guess.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 16 Mar 2009 09:39:26 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Fri Apr 18 19:28:48 2014; Machine Name: beach.debian.org
