oCERT-2008-015 glib and glib-predecessor heap overflows

Description:

The Base64 encoding and decoding functions in glib compute the size of their output buffer with an integer expression that can overflow, so processing a sufficiently large string leads to a heap buffer overflow which may result in arbitrary code execution. A number of other GNOME-related applications which predate glib are vulnerable as well, because they carry copies of the same flawed code.

In all cases, heap memory is allocated using a length calculated from a user-supplied value in a platform-specific (pointer-width) integer type. It follows the pattern below:

  g_malloc(user_supplied_length * 3 / 4 + some_small_num)

Because multiplication and division are evaluated left to right, the length is multiplied by 3 before it is divided by 4. For a large enough input the intermediate product wraps around, so the argument passed to the allocator is far smaller than the amount of data the encoder or decoder subsequently writes into the region, and the write overflows the heap buffer. The same expression was duplicated in several other GNOME-related projects, which are therefore vulnerable in the same way.
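The following C program is an added illustration of the pattern above and is not code from the advisory, from glib, or from any of the patches it references. It evaluates the advisory's expression on a length just past SIZE_MAX / 3, shows that the result collapses to the trailing constant, and sets two hardened forms beside it: a bound that divides before multiplying (and so cannot wrap), and a pre-check that rejects lengths whose product would not fit. The constant written as "some_small_num" in the advisory has no value on the page; 3 is assumed here, as is the decision to reject oversized input rather than clamp it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The advisory writes the trailing constant as "some_small_num" without
 * giving its value; 3 is an assumed placeholder for this example. */
#define SMALL_NUM ((size_t)3)

/* Vulnerable pattern: len * 3 is evaluated first. Once len exceeds
 * SIZE_MAX / 3 the product wraps around and the quotient collapses,
 * so the caller allocates far less than the decoder will write. */
static size_t vulnerable_alloc_size(size_t len)
{
    return len * 3 / 4 + SMALL_NUM;
}

/* Decoded-size bound that cannot wrap: divide first, then scale the
 * remainder separately. Every quantum of 4 base64 characters yields 3
 * bytes and a trailing partial quantum of 2 or 3 characters yields 1 or
 * 2 bytes, so this equals floor(len * 3 / 4) computed in wide arithmetic. */
static size_t exact_decoded_max(size_t len)
{
    return (len / 4) * 3 + (len % 4) * 3 / 4;
}

/* Checked variant that keeps the original formula but refuses inputs for
 * which the intermediate product would not fit in size_t. Returns false
 * instead of producing a too-small size. */
static bool checked_alloc_size(size_t len, size_t *out)
{
    if (len > SIZE_MAX / 3)
        return false;
    *out = len * 3 / 4 + SMALL_NUM;
    return true;
}

/* Convenience for callers that only need to know whether a length is safe. */
static bool size_is_safe(size_t len)
{
    size_t unused;
    return checked_alloc_size(len, &unused);
}

/* True when the vulnerable formula yields a buffer too small to hold the
 * maximum decoded output for an input of len characters. */
static bool buffer_undersized(size_t len)
{
    return vulnerable_alloc_size(len) < exact_decoded_max(len);
}

/* Allocation wrapper as a hardened caller might write it (illustrative,
 * not the upstream patch): NULL on overflow rather than a short buffer. */
static unsigned char *alloc_decode_buffer(size_t len, size_t *size_out)
{
    size_t n;
    if (!checked_alloc_size(len, &n))
        return NULL;
    *size_out = n;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed sample lengths: two ordinary ones, the largest safe
     * length, and the first length at which len * 3 wraps. */
    size_t lens[] = { 8, 1024, SIZE_MAX / 3, SIZE_MAX / 3 + 1 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t len = lens[i];
        printf("len=%zu vulnerable=%zu needed=%zu undersized=%s checked=%s\n",
               len, vulnerable_alloc_size(len), exact_decoded_max(len),
               buffer_undersized(len) ? "yes" : "no",
               size_is_safe(len) ? "ok" : "rejected");
    }
    size_t size;
    unsigned char *buf = alloc_decode_buffer(SIZE_MAX / 3 + 1, &size);
    printf("hardened allocation for oversized input: %s\n",
           buf ? "allocated" : "rejected");
    free(buf);
    return 0;
}
```

On both 32-bit and 64-bit targets SIZE_MAX is divisible by 3, so a length of SIZE_MAX / 3 + 1 makes the product wrap to exactly 2 and the vulnerable formula returns just the trailing constant, while the input would decode to roughly a quarter of the address space. Dividing before multiplying, as exact_decoded_max does, removes the wrap entirely; the explicit pre-check keeps the original expression but turns an undersized allocation into a refused one.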

The following patches fix the issues:
glib (CVE-2008-4316)
gst-plugins-base (CVE-2009-0586)
libcamel (evolution: CVE-2009-0587)
evc (evolution: CVE-2009-0587)
libsoup (CVE-2009-0585)

Affected version:

(actively affected)

GLib >= 2.11 unstable

GLib >= 2.12 stable

gst-plugins-base < 0.10.23

(older versions affected only)

libsoup < 2.2.x

libsoup < 2.24

evolution data server < 2.24.5

Fixed version:

GLib >= 2.20 (revision >= 7973)

gst-plugins-base >= 0.10.23 (git change)

(Other identified packages are unaffected in current versions.)

Credit: vulnerability report and initial analysis received from Diego Pettenò <flameeyes (at) gmail.com> with extended analysis, vulnerabilities, and patches for libsoup, gst-plugins-base, and evolution-data-server from Tomas Hoger <thoger (at) redhat.com>.

CVE: CVE-2008-4316 (glib), CVE-2009-0585 (libsoup), CVE-2009-0586 (gst-plugins-base), CVE-2009-0587 (evolution-data-server)

Timeline:

2008-10-22: vulnerability report received
2008-11-11: failed to contact gnome-upstream privately (ml, bugs)
2008-11-27: contacted vendor-sec as gnome-upstream
2008-11-28: thoger confirms and assigns initial CVE
2008-11-29: flameeyes notes other potentially affected libraries
2008-12-05: thoger supplies glib patch, expands scope to include eds, gst
2009-01-14: patch review by mclasen; thoger analysis of eds, soup
2009-01-26: gst-plugins-base detailed analysis by thoger
2009-02-22: gstreamer upstream contacted
2009-03-03: gst-plugins-base patch from upstream
2009-03-04: evolution data server lead contacted
2009-03-05: final embargo lift date settled
2009-03-12: glib, gst upstream patches public; advisory published

References:
glib svn commit
gstreamer git commit