Debian Bug report logs - #330894
inkscape: Arbitrary code execution when opening a malicious file
Reported by: Joxean Koret <joxeankoret@yahoo.es>
Date: Fri, 30 Sep 2005 10:48:06 UTC
Severity: grave
Found in version inkscape/0.41-4.99.sarge0
Fixed in version 0.43-1
Done: Steve Langasek <vorlon@debian.org>
Bug is archived. No further changes may be made.
Forwarded to inkscape-devel@lists.sourceforge.net
Report forwarded to debian-bugs-dist@lists.debian.org, Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>: Bug#330894; Package inkscape.
Acknowledgement sent to Joxean Koret <joxeankoret@yahoo.es>: New Bug report received and forwarded. Copy sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>.
Message #5 received at submit@bugs.debian.org:
Subject: inkscape: Arbitrary code execution opening a file
Package: inkscape
Version: 0.41-4.99.sarge0
Severity: grave
Justification: user security hole
Inkscape is vulnerable to, almost, one buffer overflow that may allow
arbitrary code execution. I contacted the Inkscape team but, at the
moment, there is no patch for the issue.
Attached is a Proof Of Concept.
NOTE: I think the problem may not be exploitable because you need to
write a shellcode using only valid XML characters.
Regards,
Joxean Koret
-- System Information:
Debian Release: 3.1
Architecture: i386 (i686)
Kernel: Linux 2.6.11-1-386
Locale: LANG=es_ES@euro, LC_CTYPE=es_ES@euro (charmap=ISO-8859-15)
Versions of packages inkscape depends on:
ii libatk1.0-0 1.8.0-4 The ATK accessibility toolkit
ii libc6 2.3.2.ds1-22 GNU C Library: Shared libraries an
ii libfontconfig1 2.3.1-2 generic font configuration library
ii libfreetype6 2.1.7-2.4 FreeType 2 font engine, shared lib
ii libgc1 1:6.4-1 conservative garbage collector for
ii libgcc1 1:3.4.3-13 GCC support library
ii libglib2.0-0 2.6.4-1 The GLib library of C routines
ii libglibmm-2.4-1 2.6.1-1 C++ wrapper for the GLib toolkit (
ii libgtk2.0-0 2.6.4-3 The GTK+ graphical user interface
ii libgtkmm-2.4-1 2.4.10-1 C++ wrappers for GTK+ 2.4 (shared
ii libpango1.0-0 1.8.1-1 Layout and rendering of internatio
ii libpng12-0 1.2.8rel-1 PNG library - runtime
ii libpopt0 1.7-5 lib for parsing cmdline parameters
ii libsigc++-2.0-0 2.0.10-1 type-safe Signal Framework for C++
ii libstdc++5 1:3.3.5-13 The GNU Standard C++ Library v3
ii libx11-6 4.3.0.dfsg.1-14 X Window System protocol client li
ii libxft2 2.1.7-1 FreeType-based font drawing librar
ii libxml2 2.6.16-7 GNOME XML library
ii libxrender1 1:0.8.3-1 X Rendering Extension client libra
ii libxslt1.1 1.1.12-8 XSLT processing library - runtime
ii xlibs 4.3.0.dfsg.1-14 X Keyboard Extension (XKB) configu
ii zlib1g 1:1.2.2-4.sarge.2 compression library - runtime
-- no debconf information
[poc.svg (image/svg+xml, attachment)]
[signature.asc (application/pgp-signature, inline)]
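The reporter's note that a payload would have to consist only of valid XML characters is the constraint that made him doubt exploitability, and it is worth being precise about what it means at the byte level. The Python below is an added example; it is not code from the report, from Inkscape, or from the attached poc.svg (which is not reproduced on this page). It checks a candidate byte string against the XML 1.0 Char production and against the rewrites an XML parser such as libxml2 (listed in the dependencies above) performs before the application sees the data: UTF-8 decoding, end-of-line normalization, attribute-value normalization, and the markup-significant characters that end a literal or start an entity. It then counts how many single bytes survive untouched. It assumes a UTF-8 encoded document and that the bytes land in element content or an attribute value; the sample inputs are constructed here and are not the PoC.

```python
"""Byte-level check of the "only valid XML characters" constraint.

Added example; assumptions: the SVG is UTF-8 and the payload sits in
element character data or in an attribute value. Sample inputs below
are constructed and are not a working payload for anything.
"""


def is_xml_char(cp):
    """XML 1.0 'Char' production (section 2.2):
    #x9 | #xA | #xD | [#x20-#xD7FF] | [#xE000-#xFFFD] | [#x10000-#x10FFFF]"""
    return (cp in (0x09, 0x0A, 0x0D)
            or 0x20 <= cp <= 0xD7FF
            or 0xE000 <= cp <= 0xFFFD
            or 0x10000 <= cp <= 0x10FFFF)


def xml_payload_problems(payload, in_attribute=False, quote=b'"'):
    """Return sorted (byte_offset, reason) pairs for everything that stops
    `payload` from reaching the parser's output byte-for-byte unchanged.
    An empty list means the bytes pass through verbatim."""
    problems = []

    # 1. The document must be well-formed UTF-8 (assumed encoding); a bad
    #    sequence makes the parser reject the whole file.
    try:
        text = payload.decode("utf-8")
    except UnicodeDecodeError as err:
        return [(err.start, "invalid UTF-8: " + err.reason)]

    # 2. Every decoded code point must be an XML Char, and some valid
    #    characters are rewritten by the parser before output.
    offset = 0
    for ch in text:
        cp = ord(ch)
        if not is_xml_char(cp):
            problems.append((offset, "U+%04X is not an XML Char" % cp))
        elif cp == 0x0D:
            # End-of-line handling (section 2.11) rewrites CR / CRLF to LF.
            problems.append((offset, "CR is normalized to LF"))
        elif in_attribute and cp in (0x09, 0x0A):
            # Attribute-value normalization (section 3.3.3) maps these to space.
            problems.append((offset, "whitespace is normalized to space in attributes"))
        offset += len(ch.encode("utf-8"))

    # 3. Markup-significant bytes terminate the literal or start an entity.
    for i, b in enumerate(payload):
        if b == 0x3C:
            problems.append((i, "'<' starts markup"))
        elif b == 0x26:
            problems.append((i, "'&' starts an entity reference"))
        elif in_attribute and b == quote[0]:
            problems.append((i, "quote closes the attribute value"))
    if not in_attribute:
        for i in range(len(payload) - 2):
            if payload[i:i + 3] == b"]]>":
                problems.append((i, "']]>' is not allowed in character data"))
    return sorted(problems)


def usable_single_bytes(in_attribute=False, quote=b'"'):
    """Bytes that can stand alone (one byte, one code point) and reach the
    parser output unchanged. Bytes >= 0x80 only work as part of a longer
    UTF-8 sequence, so they never appear in this set."""
    return {b for b in range(256)
            if not xml_payload_problems(bytes([b]), in_attribute, quote)}


# Constructed sample inputs (not a working payload for anything).
SAMPLES = {
    "raw opcodes": b"\x31\xc0\x50",   # 0xC0 cannot start a UTF-8 sequence
    "nul bytes": b"A\x00B",           # U+0000 is never an XML Char
    "alnum": b"ABCD1234",             # passes untouched
    "markup": b"a<b&c",               # '<' and '&' break out of the literal
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print("%-12s %s" % (name, xml_payload_problems(data)))
    print(len(usable_single_bytes()), "usable single bytes in character data")
    print(len(usable_single_bytes(in_attribute=True)),
          "usable single bytes in a double-quoted attribute value")
```

Run as a script it prints the per-offset reasons for each sample and the size of the single-byte alphabet: 96 bytes in character data (0x09, 0x0A and 0x20 to 0x7F minus '<' and '&') and 93 in a double-quoted attribute. Bytes 0x80 and above are only reachable inside valid multi-byte UTF-8 sequences, which fixes their neighbours, and the parser may still re-encode its output, so passing this check is necessary for bytes to reach the overflowed buffer unchanged, not sufficient.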
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#330894; Package inkscape.
Acknowledgement sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>: Extra info received and forwarded to list.
Message #10 received at 330894@bugs.debian.org:
forwarded 330894 inkscape-devel@lists.sourceforge.net
Thanks
Hi Joxean!
On Fri, Sep 30, 2005 at 12:51:04PM +0200, Joxean Koret wrote:
> Subject: inkscape: Arbitrary code execution opening a file
> Package: inkscape
> Version: 0.41-4.99.sarge0
> Severity: grave
> Justification: user security hole
>
> Inkscape is vulnerable to, almost, one buffer overflow that may allow
> arbitrary code execution. I contacted the Inkscape team but, at the
> moment, there is no patch for the issue.
>
> Attached goes a Proof Of Concept.
>
> NOTE: I think the problem may not be exploitable because you need to
> write a shellcode using only valid XML characters.
>
> Regards,
> Joxean Koret
>
>
[...snip...]
Thanks for your report. I forwarded it to the developer's mailing list.
On my PowerBook inkscape simply crashed when opening your file, I don't
know what it should do on an i386 box. I tried to open it in vim, but
there it causes troubles too, at least for the syntax highlighter.
I also tried it with sodipodi, but could not see an effect. It seems to
open cleanly.
With best wishes,
Wolfi
[signature.asc (application/pgp-signature, inline)]
Noted your statement that Bug has been forwarded to inkscape-devel@lists.sourceforge.net. Request was from Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>: Bug#330894; Package inkscape.
Acknowledgement sent to Joxean Koret <joxeankoret@yahoo.es>: Extra info received and forwarded to list. Copy sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>.
Message #17 received at 330894@bugs.debian.org:
> Hi Joxean!
> [...snip...]
>
> Thanks for your report. I forwarded it to the developer's mailing list.
> On my PowerBook inkscape simply crashed when opening your file, I don't
> know what it should do on a i386 box. I tried to open it in vim, but
> there it causes troubles too, at least for the syntax highlighter.
>
This is only a P.O.C. I have no working exploit at the moment for the
issue.
> I also tried it with sodipodi, but could not see an effect. It seems to
> open cleanly.
>
> With best wishes,
>
> Wolfi
Regards,
Joxean Koret
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>: Bug#330894; Package inkscape.
Acknowledgement sent to MenTaLguY <mental@rydia.net>: Extra info received and forwarded to list. Copy sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>.
Message #22 received at 330894@bugs.debian.org:
On Sun, 2005-11-20 at 15:54 +0100, Martin Schulze wrote:
> Moritz Muehlenhoff wrote:
> > | October 9, 2005
> > |
> > | Mentalguy has released new point releases of the past two versions of Inkscape
> > | to correct two issues with arbitrary code execution when opening malicious
> > | files. There are no known exploits for this issue, but if you use Inkscape
> > | on a production machine in a manner that invokes files from arbitrary sources,
> > | you may wish to upgrade.
>
> Hi,
>
> could you provide some assistance? The above note about arbitrary
> code execution may originate in our Bug#330894 <bugs.debian.org/330894>.
> I'd like to see the correction for this/these particular issue(s) so
> that Debian can correct the older version of Inkscape in its stable
> release, where no new upstream versions are installed.
Yes, I believe that's the bug that prompted the new point release. I've
attached the patch for the 0.42 branch.
It's worth noting that (except for incrementing the version number in
the about dialog, etc, and some changes to the distributed Windows
makefiles) this is the only difference between 0.42.2 and 0.42.3.
I believe the patch can also be applied to the 0.41 line as well (the
same change is present in 0.41.1). I don't believe it's relevant to
0.40.
-mental
[fix.diff (text/x-patch, attachment)]
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org, Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>: Bug#330894; Package inkscape.
Acknowledgement sent to Guido Trotter <ultrotter@debian.org>: Extra info received and forwarded to list. Copy sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>.
Message #27 received at 330894@bugs.debian.org:
Hi!
You wrote twice in the changelog that this issue is resolved:
Changes:
inkscape (0.43-1) unstable; urgency=high
* urgency=high since this version fixes the buffer overflow discovered by
Joxean Koret (see CVE-2005-3737, debian bug 330894).
Changes:
inkscape (0.42.2+0.43pre1-1) unstable; urgency=low
* Just for the record: inkscape version 0.42 and newer is not vulnerable to
the security bug mentioned in Bug #321501.
So I'm wondering: why can't this bug be closed, with the appropriate version tag?
This would also help migrating inkscape into testing, which it cannot do while this bug remains open...
Thanks,
Guido
[signature.asc (application/pgp-signature, inline)]
Reply sent to Steve Langasek <vorlon@debian.org>: You have taken responsibility.
Notification sent to Joxean Koret <joxeankoret@yahoo.es>: Bug acknowledged by developer.
Message #32 received at 330894-done@bugs.debian.org:
Version: 0.43-1
On Fri, Nov 25, 2005 at 10:55:48AM +0100, Guido Trotter wrote:
> You wrote twice in the changelog that this issue is resolved:
> Changes:
> inkscape (0.43-1) unstable; urgency=high
> * urgency=high since this version fixes the buffer overflow discovered by
> Joxean Koret (see CVE-2005-3737, debian bug 330894).
> Changes:
> inkscape (0.42.2+0.43pre1-1) unstable; urgency=low
> * Just for the record: inkscape version 0.42 and newer is not vulnerable to
> the security bug mentioned in Bug #321501.
> So I'm wondering: why can't this bug be closed, with the appropriate version tag?
> This would also help migrating inkscape into testing, which it cannot do while this bug remains open...
These are not the same bug; 321501 is a tempfile bug, and 330894 is a buffer
overflow. But you're right, based on the available information this bug
should be marked as closed in unstable.
Cheers,
--
Steve Langasek                     Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
vorlon@debian.org                  http://www.debian.org/
[signature.asc (application/pgp-signature, inline)]
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#330894; Package inkscape.
Acknowledgement sent to Wolfram Quester <wolfi@mittelerde.physik.uni-konstanz.de>: Extra info received and forwarded to list.
Message #37 received at 330894@bugs.debian.org:
Hi Guido,
On Fri, Nov 25, 2005 at 10:55:48AM +0100, Guido Trotter wrote:
>
> Hi!
>
> You wrote twice in the changelog that this issue is resolved:
>
> Changes:
> inkscape (0.43-1) unstable; urgency=high
>
> * urgency=high since this version fixes the buffer overflow discovered by
> Joxean Koret (see CVE-2005-3737, debian bug 330894).
>
> Changes:
> inkscape (0.42.2+0.43pre1-1) unstable; urgency=low
>
> * Just for the record: inkscape version 0.42 and newer is not vulnerable to
> the security bug mentioned in Bug #321501.
>
>
> So I'm wondering: why can't this bug be closed, with the appropriate version tag?
> This would also help migrating inkscape into testing, which it cannot do while this bug remains open...
Yes, you are right. My thinking was that I close this bug when it is
fixed in stable, too. But I see that this was wrong.
Thanks Steve for closing, I hope the security team will upload the fixed
version I sent them to sarge.
>
> Thanks,
>
> Guido
>
With best wishes,
Wolfi
[signature.asc (application/pgp-signature, inline)]
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 05:50:05 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 17:02:13 2019