inkscape: Arbitrary code execution when opening a malicious file

Related Vulnerabilities: CVE-2005-3737  

Debian Bug report logs - #330894


Reported by: Joxean Koret <joxeankoret@yahoo.es>

Date: Fri, 30 Sep 2005 10:48:06 UTC

Severity: grave

Found in version inkscape/0.41-4.99.sarge0

Fixed in version 0.43-1

Done: Steve Langasek <vorlon@debian.org>

Bug is archived. No further changes may be made.

Forwarded to inkscape-devel@lists.sourceforge.net



Report forwarded to debian-bugs-dist@lists.debian.org, Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>:
Bug#330894; Package inkscape.


Acknowledgement sent to Joxean Koret <joxeankoret@yahoo.es>:
New Bug report received and forwarded. Copy sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>.


Message #5 received at submit@bugs.debian.org:

From: Joxean Koret <joxeankoret@yahoo.es>
To: submit@bugs.debian.org
Subject: inkscape: Arbitrary code execution when opening a malicious file
Date: Fri, 30 Sep 2005 12:51:04 +0200
Subject: inkscape: Arbitrary code execution opening a file
Package: inkscape
Version: 0.41-4.99.sarge0
Severity: grave
Justification: user security hole

Inkscape is vulnerable to, almost, one buffer overflow that may allow
arbitrary code execution. I contacted the Inkscape team but, at the
moment, there is no patch for the issue.

Attached goes a Proof Of Concept.

NOTE: I think the problem may not be exploitable because you need to
write a shellcode using only valid XML characters.

Regards,
Joxean Koret


-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-386
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=ISO-8859-15)

Versions of packages inkscape depends on:
ii  libatk1.0-0            1.8.0-4           The ATK accessibility toolkit
ii  libc6                  2.3.2.ds1-22      GNU C Library: Shared libraries an
ii  libfontconfig1         2.3.1-2           generic font configuration library
ii  libfreetype6           2.1.7-2.4         FreeType 2 font engine, shared lib
ii  libgc1                 1:6.4-1           conservative garbage collector for
ii  libgcc1                1:3.4.3-13        GCC support library
ii  libglib2.0-0           2.6.4-1           The GLib library of C routines
ii  libglibmm-2.4-1        2.6.1-1           C++ wrapper for the GLib toolkit (
ii  libgtk2.0-0            2.6.4-3           The GTK+ graphical user interface
ii  libgtkmm-2.4-1         2.4.10-1          C++ wrappers for GTK+ 2.4 (shared
ii  libpango1.0-0          1.8.1-1           Layout and rendering of internatio
ii  libpng12-0             1.2.8rel-1        PNG library - runtime
ii  libpopt0               1.7-5             lib for parsing cmdline parameters
ii  libsigc++-2.0-0        2.0.10-1          type-safe Signal Framework for C++
ii  libstdc++5             1:3.3.5-13        The GNU Standard C++ Library v3
ii  libx11-6               4.3.0.dfsg.1-14   X Window System protocol client li
ii  libxft2                2.1.7-1           FreeType-based font drawing librar
ii  libxml2                2.6.16-7          GNOME XML library
ii  libxrender1            1:0.8.3-1         X Rendering Extension client libra
ii  libxslt1.1             1.1.12-8          XSLT processing library - runtime
ii  xlibs                  4.3.0.dfsg.1-14   X Keyboard Extension (XKB) configu
ii  zlib1g                 1:1.2.2-4.sarge.2 compression library - runtime

-- no debconf information

[poc.svg (image/svg+xml, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#330894; Package inkscape.


Acknowledgement sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>:
Extra info received and forwarded to list.


Message #10 received at 330894@bugs.debian.org:

From: Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>
To: Joxean Koret <joxeankoret@yahoo.es>, 330894@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#330894: inkscape: Arbitrary code execution when opening a malicious file
Date: Fri, 30 Sep 2005 17:58:16 +0200
forwarded 330894 inkscape-devel@lists.sourceforge.net
Thanks


Hi Joxean!

On Fri, Sep 30, 2005 at 12:51:04PM +0200, Joxean Koret wrote:
> Subject: inkscape: Arbitrary code execution opening a file
> Package: inkscape
> Version: 0.41-4.99.sarge0
> Severity: grave
> Justification: user security hole
> 
> Inkscape is vulnerable to, almost, one buffer overflow that may allow
> arbitrary code execution. I contacted the Inkscape team but, at the
> moment, there is no patch for the issue.
> 
> Attached goes a Proof Of Concept.
> 
> NOTE: I think the problem may not be exploitable because you need to
> write a shellcode using only valid XML characters.
> 
> Regards,
> Joxean Koret
> 
> 
[...snip...]

Thanks for your report. I forwarded it to the developer's mailing list.
On my PowerBook inkscape simply crashed when opening your file; I don't
know what it should do on an i386 box. I tried to open it in vim, but
there it causes troubles too, at least for the syntax highlighter.

I also tried it with sodipodi, but could not see an effect. It seems to
open cleanly.


With best wishes,

Wolfi

Noted your statement that Bug has been forwarded to inkscape-devel@lists.sourceforge.net. Request was from Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de> to control@bugs.debian.org.


Information forwarded to debian-bugs-dist@lists.debian.org, Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>:
Bug#330894; Package inkscape.


Acknowledgement sent to Joxean Koret <joxeankoret@yahoo.es>:
Extra info received and forwarded to list. Copy sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>.


Message #17 received at 330894@bugs.debian.org:

From: Joxean Koret <joxeankoret@yahoo.es>
To: Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>
Cc: 330894@bugs.debian.org, control@bugs.debian.org
Subject: Re: Bug#330894: inkscape: Arbitrary code execution when opening a malicious file
Date: Fri, 30 Sep 2005 20:30:20 +0200
> Hi Joxean!
> [...snip...]
> 
> Thanks for your report. I forwarded it to the developer's mailing list.
> On my PowerBook inkscape simply crashed when opening your file, I don't
> know what it should do on a i386 box. I tried to open it in vim, but
> there it causes troubles too, at least for the syntax highlighter. 
> 

This is only a P.O.C. I have no working exploit at the moment for the
issue.

> I also tried it with sodipodi, but could not see an effect. It seems to
> open cleanly.
> 
> With best wishes,
> 
> Wolfi

Regards,
Joxean Koret

Information forwarded to debian-bugs-dist@lists.debian.org, Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>:
Bug#330894; Package inkscape.


Acknowledgement sent to MenTaLguY <mental@rydia.net>:
Extra info received and forwarded to list. Copy sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>.


Message #22 received at 330894@bugs.debian.org:

From: MenTaLguY <mental@rydia.net>
To: 330894@bugs.debian.org
Subject: Re: Inkscape SVG parser buffer overflows
Date: Sun, 20 Nov 2005 14:54:53 -0500
On Sun, 2005-11-20 at 15:54 +0100, Martin Schulze wrote:
> Moritz Muehlenhoff wrote:
> > | October 9, 2005
> > |
> > | Mentalguy has released new point releases of the past two  versions of Inkscape
> > | to correct two issues with arbitrary  code execution when  opening malicious 
> > | files. There  are no  known exploits  for this  issue, but  if you  use Inkscape
> > | on a production machine in a manner that invokes files from arbitrary sources,
> > | you may wish to upgrade.
> 
> Hi,
> 
> could you provide some assistance?  The above note about arbitrary
> code execution may originate in our Bug#330894 <bugs.debian.org/330894>.
> I'd like to see the correction for this/these particular issue(s) so
> that Debian can correct the older version of Inkscape in its stable
> release, where no new upstream versions are installed.

Yes, I believe that's the bug that prompted the new point release.  I've
attached the patch for the 0.42 branch.

It's worth noting that (except for incrementing the version number in
the about dialog, etc, and some changes to the distributed Windows
makefiles) this is the only difference between 0.42.2 and 0.42.3.

I believe the patch can also be applied to the 0.41 line as well (the
same change is present in 0.41.1).  I don't believe it's relevant to
0.40.

-mental
[fix.diff (text/x-patch, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>:
Bug#330894; Package inkscape.


Acknowledgement sent to Guido Trotter <ultrotter@debian.org>:
Extra info received and forwarded to list. Copy sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>.


Message #27 received at 330894@bugs.debian.org:

From: Guido Trotter <ultrotter@debian.org>
To: 330894@bugs.debian.org
Subject: Isn't this fixed in the unstable version of inkscape?
Date: Fri, 25 Nov 2005 10:55:48 +0100
Hi!

You wrote two times in the changelog that this issue is resolved:

Changes: 
 inkscape (0.43-1) unstable; urgency=high

   * urgency=high since this version fixes the buffer overflow discovered by
     Joxean Koret (see CVE-2005-3737, debian bug 330894).

Changes: 
 inkscape (0.42.2+0.43pre1-1) unstable; urgency=low

   * Just for the record: inkscape version 0.42 and newer is not vulnerable to
     the security bug mentioned in Bug #321501.


So I'm wondering: why can't this bug be closed, with the appropriate version tag?
This would also help migrate inkscape into testing, which it cannot do while this bug remains open...

Thanks,

Guido


Reply sent to Steve Langasek <vorlon@debian.org>:
You have taken responsibility.


Notification sent to Joxean Koret <joxeankoret@yahoo.es>:
Bug acknowledged by developer.


Message #32 received at 330894-done@bugs.debian.org:

From: Steve Langasek <vorlon@debian.org>
To: Guido Trotter <ultrotter@debian.org>, 330894-done@bugs.debian.org
Subject: Re: Bug#330894: Isn't this fixed in the unstable version of inkscape?
Date: Fri, 25 Nov 2005 02:12:04 -0800
Version: 0.43-1

On Fri, Nov 25, 2005 at 10:55:48AM +0100, Guido Trotter wrote:

> You wrote two times in the changelog that this issue is resolved:

> Changes: 
>  inkscape (0.43-1) unstable; urgency=high

>    * urgency=high since this version fixes the buffer overflow discovered by
>      Joxean Koret (see CVE-2005-3737, debian bug 330894).

> Changes: 
>  inkscape (0.42.2+0.43pre1-1) unstable; urgency=low

>    * Just for the record: inkscape version 0.42 and newer is not vulnerable to
>      the security bug mentioned in Bug #321501.

> So I'm wondering: why can't this bug be closed, with the appropriate version tag?
> This would also help migrating inkscape into testing, which it cannot do till this bug remains open...

These are not the same bug; 321501 is a tempfile bug, and 330894 is a buffer
overflow.  But you're right, based on the available information this bug
should be marked as closed in unstable.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#330894; Package inkscape.


Acknowledgement sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>:
Extra info received and forwarded to list.


Message #37 received at 330894@bugs.debian.org:

From: Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>
To: Guido Trotter <ultrotter@debian.org>, 330894@bugs.debian.org
Subject: Re: Bug#330894: Isn't this fixed in the unstable version of inkscape?
Date: Fri, 25 Nov 2005 14:17:49 +0100
Hi Guido,

On Fri, Nov 25, 2005 at 10:55:48AM +0100, Guido Trotter wrote:
> 
> Hi!
> 
> You wrote two times in the changelog that this issue is resolved:
> 
> Changes: 
>  inkscape (0.43-1) unstable; urgency=high
> 
>    * urgency=high since this version fixes the buffer overflow discovered by
>      Joxean Koret (see CVE-2005-3737, debian bug 330894).
> 
> Changes: 
>  inkscape (0.42.2+0.43pre1-1) unstable; urgency=low
> 
>    * Just for the record: inkscape version 0.42 and newer is not vulnerable to
>      the security bug mentioned in Bug #321501.
> 
> 
> So I'm wondering: why can't this bug be closed, with the appropriate version tag?
> This would also help migrating inkscape into testing, which it cannot do till this bug remains open...
Yes, you are right. My thinking was that I close this bug when it is
fixed in stable, too. But I see that this was wrong.

Thanks Steve for closing, I hope the security team will upload the fixed
version I sent them to sarge.
> 
> Thanks,
> 
> Guido
> 

With best wishes,

Wolfi



Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 05:50:05 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:02:13 2019; Machine Name: beach