SecurityTracker.com

Category:  Application (Generic)  >  gv
Vendors:  Plass, Johannes
(Debian Issues Fix) 'gv' Postscript and PDF File Viewer Buffer Overflow May Execute Remotely Supplied Code in Malicious Postscript or PDF Files
SecurityTracker Alert ID:  1005428
CVE Reference:  CAN-2002-0838
Date:  Oct 16 2002
Impact:  Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Vendor Confirmed:  Yes  
Version(s): 3.5.8
Description:  A buffer overflow vulnerability was reported in the 'gv' postscript and PDF file viewer. A remote user can create a malicious file that, when viewed by the target user, will cause arbitrary code to be executed.

iDEFENSE reported that there is a buffer overflow due to an unsafe sscanf() call.
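
The class of bug named above, as an added example that is not gv's source code: an unbounded `%s` conversion in sscanf() next to a width-limited form that also detects truncation. The `%%DocumentMedia` comment, the 32-byte buffer, the function names and the sample lines are assumptions chosen for illustration.

```c
#include <stdio.h>
#include <string.h>

#define NAME_BUF 32   /* hypothetical fixed-size field, not gv's real size */

/* Unsafe pattern, shown for contrast and never called below: "%s" has no
 * field width, so the token length is chosen by whoever wrote the file. */
int parse_media_unsafe(const char *line, char *name) {
    return sscanf(line, "%%%%DocumentMedia: %s", name);
}

/* Hardened form: returns 0 on success, -1 if the line is not a
 * %%DocumentMedia comment, -2 if the token does not fit in NAME_BUF. */
int parse_media_safe(const char *line, char name[NAME_BUF]) {
    int used = 0;
    /* %31s stores at most NAME_BUF-1 bytes plus the NUL; %n records how
     * much input was consumed so truncation can be detected. */
    if (sscanf(line, "%%%%DocumentMedia: %31s%n", name, &used) != 1)
        return -1;
    /* A non-blank byte right after the token means it was cut short. */
    if (line[used] != '\0' && !strchr(" \t\r\n", line[used]))
        return -2;
    return 0;
}

/* Constructed input: a 200-byte media name, far larger than NAME_BUF. */
int check_oversized(void) {
    char line[256] = "%%DocumentMedia: ";
    char name[NAME_BUF];
    size_t n = strlen(line);
    memset(line + n, 'A', 200);
    line[n + 200] = '\0';
    return parse_media_safe(line, name);
}

/* Constructed input: a well-formed comment; returns 1 if parsed as "A4". */
int check_normal(void) {
    char name[NAME_BUF];
    return parse_media_safe("%%DocumentMedia: A4 595 842 0 () ()", name) == 0
           && strcmp(name, "A4") == 0;
}

int main(void) {
    printf("normal=%d oversized=%d\n", check_normal(), check_oversized());
    return 0;
}
```

Rejecting the oversized token instead of silently truncating it keeps a malformed file from being parsed as if it were valid.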

A demonstration exploit is provided in the Source Message (it is Base64 encoded). A demonstration exploit transcript is also provided:

[root@victim]# ls -al /tmp/itworked
/bin/ls: /tmp/itworked: No such file or directory
[root@victim]# gv gv-exploit.pdf
[root@victim]# ls -al /tmp/itworked
-rw-r--r-- 1 root root 0 Aug 22 16:50 /tmp/itworked

Impact:  A remote user can create a malicious file that, when viewed by gv, will cause arbitrary code to be executed by the target user's gv viewer. The code will run with the privileges of the target user.
Solution:  Debian has released a fix in version 3.5.8-26.1 for the current stable distribution (woody), in version 3.5.8-17.1 for the old stable distribution (potato) and version 3.5.8-27 for the unstable distribution (sid).


Vendor URL:  wwwthep.physik.uni-mainz.de/~plass/gv/
Cause:  Boundary error
Underlying OS:  Linux (Debian)
Underlying OS Comments:  2.2, 3.0
Reported By:  joey@infodrom.org (Martin Schulze)
Message History:   This archive entry is a follow-up to the message listed below.
Sep 26 2002 'gv' Postscript and PDF File Viewer Buffer Overflow May Execute Remotely Supplied Code in Malicious Postscript or PDF Files



 Source Message Contents

Date:  Wed, 16 Oct 2002 16:59:28 +0200 (CEST)
From:  joey@infodrom.org (Martin Schulze)
Subject:  [SECURITY] [DSA 176-1] New gv packages fix buffer overflow

 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- --------------------------------------------------------------------------
Debian Security Advisory DSA 176-1                     security@debian.org
http://www.debian.org/security/                             Martin Schulze
October 16th, 2002                      http://www.debian.org/security/faq
- --------------------------------------------------------------------------

Package        : gv
Vulnerability  : buffer overflow
Problem-Type   : remote
Debian-specific: no
CVE Id         : CAN-2002-0838
BugTraq ID     : 5808

Zen-parse discovered a buffer overflow in gv, a PostScript and PDF
viewer for X11.  This problem is triggered by scanning the PostScript
file and can be exploited by an attacker sending a malformed
PostScript or PDF file.  The attacker is able to cause arbitrary code
to be run with the privileges of the victim.

This problem has been fixed in version 3.5.8-26.1 for the current
stable distribution (woody), in version 3.5.8-17.1 for the old stable
distribution (potato) and version 3.5.8-27 for the unstable
distribution (sid).

We recommend that you upgrade your gv package.

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.


Debian GNU/Linux 2.2 alias potato
- ---------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-17.1.dsc
      Size/MD5 checksum:      555 3aa3cb663f578cbf02c09f370951a814
    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-17.1.diff.gz
      Size/MD5 checksum:    29382 2e9e7149b69bf36a80632c8b695b6495
    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8.orig.tar.gz
      Size/MD5 checksum:   369609 8f2f0bd97395d6cea52926ddee736da8

  Alpha architecture:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-17.1_alpha.deb
      Size/MD5 checksum:   278646 b12dd5fef60ff840b3921a511eb28c74

  ARM architecture:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-17.1_arm.deb
      Size/MD5 checksum:   238918 52892bea304128845836b4c9976d39a3

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-17.1_i386.deb
      Size/MD5 checksum:   226416 4f44d7df45cec7b132c1c7c9a6ba84ea

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-17.1_m68k.deb
      Size/MD5 checksum:   217712 2decb437f1a28beac92edb63f3d31444

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-17.1_powerpc.deb
      Size/MD5 checksum:   244382 cb3bd27b214e391ada83ce0593e16715

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-17.1_sparc.deb
      Size/MD5 checksum:   237878 ba1bdf19f68f62d36c8f58c015867287


Debian GNU/Linux 3.0 alias woody
- --------------------------------

  Source archives:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1.dsc
      Size/MD5 checksum:      559 e7a2b5dfb91d7217d1b171b24682ea41
    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1.diff.gz
      Size/MD5 checksum:    18453 f9910a58912e1a6fbaef33ff4fe27b94
    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8.orig.tar.gz
      Size/MD5 checksum:   369609 8f2f0bd97395d6cea52926ddee736da8

  Alpha architecture:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_alpha.deb
      Size/MD5 checksum:   273262 6cb8adebf56cc25ef43d1358636dc9ca

  ARM architecture:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_arm.deb
      Size/MD5 checksum:   243382 2707a8a87e133a45cc2a98dd223e7c8f

  Intel IA-32 architecture:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_i386.deb
      Size/MD5 checksum:   226106 304f32b84e6497612222a26c9dc5c1fd

  Intel IA-64 architecture:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_ia64.deb
      Size/MD5 checksum:   313888 522c58c4d2fecb99424533c4980d1409

  HP Precision architecture:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_hppa.deb
      Size/MD5 checksum:   252054 aa50a00ebb6d5c304ec94bbf1e65a2c9

  Motorola 680x0 architecture:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_m68k.deb
      Size/MD5 checksum:   216922 d11c3c10e70fb1593ce15c2b6c3863be

  Big endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_mips.deb
      Size/MD5 checksum:   252064 6b944b4c04f4488ea380063bdf3324ad

  Little endian MIPS architecture:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_mipsel.deb
      Size/MD5 checksum:   250914 87afee172cf73ed91ad0449fadd9bb4b

  PowerPC architecture:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_powerpc.deb
      Size/MD5 checksum:   243450 9c77e9860e1044bc4c7b9a7b054e8a4d

  IBM S/390 architecture:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_s390.deb
      Size/MD5 checksum:   232784 96242f88c593319e0d3fddef928c47d2

  Sun Sparc architecture:

    http://security.debian.org/pool/updates/main/g/gv/gv_3.5.8-26.1_sparc.deb
      Size/MD5 checksum:   237798 e5091427da6e76dbb9bb34cf03e94647


  These files will probably be moved into the stable distribution on
  its next revision.

- ---------------------------------------------------------------------------------
For apt-get: deb http://security.debian.org/ stable/updates main
For dpkg-ftp: ftp://security.debian.org/debian-security dists/stable/updates/main
Mailing list: debian-security-announce@lists.debian.org
Package info: `apt-cache show <pkg>' and http://packages.debian.org/<pkg>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE9rX7QW5ql+IAeqTIRAl1SAJ9zrIG8/ejNUdP3XbXO3pqjqWO9iQCgoU5h
4FWVpDFC9IT+aMv1KpZRNmc=
=wuLa
-----END PGP SIGNATURE-----



Copyright 2002, SecurityGlobal.net LLC