Bugzilla – Bug 878345
VUL-0: CVE-2014-2977: DirectFB: Possible RCE through integer signedness vulnerability
Last modified: 2016-04-27 19:29:42 UTC
DirectFB is prone to an integer signedness vulnerability since version 1.4.13. The vulnerability can be triggered remotely without authentication through the Voodoo interface (network layer of DirectFB).

Affected:
openSUSE 12.3: 1.6.2
openSUSE 13.1: 1.6.3
openSUSE Factory: 1.7.4

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1098528
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2977
bugbot adjusting priority
http://mail.directfb.org/pipermail/directfb-dev/2014-April/006813.html No upstream commit found so far.
Hmm, there is the following portion of code (similarly for case 4:):

    case 2: {
        if (rect->w > 2048) {
            u16 *buf = D_MALLOC( rect->w * 2 );

            if (buf) {
                rle16_decode( ptr, buf, rect->w );

                real->Write( real, rect, buf, pitch );

                D_FREE( buf );
            }
            else
                D_OOM();
        }
        else {
            u16 buf[2048];

            rle16_decode( ptr, buf, rect->w );

            real->Write( real, rect, buf, pitch );
        }
        break;
    }

I can't confirm yet that rect->w can really be lower than zero. But if yes, then the check is obviously wrong. Question is, how DirectFB should react. Is rect->width allowed at all?
http://mail.directfb.org/pipermail/directfb-dev/2014-April/006811.html
If it is allowed, how should it be interpreted by e.g. rle16_decode() (i.e. what should its third argument, which is actually unsigned, receive)?
(In reply to comment #3)
> then the check is obviously wrong. Question is, how DirectFB should react. Is
> rect->width allowed at all?

*Is rect->width lower than zero allowed at all?

> http://mail.directfb.org/pipermail/directfb-dev/2014-April/006811.html
rect->w * 2 and rect->w * 4 respectively should be probably checked against overflow, too, if rect->w is not limited somewhere.
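Added illustration of the two points raised above: the `if (rect->w > 2048)` test in the snippet from comment #3 only checks the upper bound, so a negative signed width slips into the fixed-size stack-buffer branch and is then handed to a callee whose length parameter is unsigned; and the `rect->w * 2` / `rect->w * 4` sizes passed to D_MALLOC are not checked for wrap-around. The code below is a constructed example written for this bug, not DirectFB code and not the proposed patch; the function names, the `bytes_per_pixel` and `max_width` parameters and the 8192 bound used in `main` are assumptions made for the example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not DirectFB code. The width is a signed int, as the
 * rect->w field is in the snippet quoted in comment #3. */

/* Mirrors the original branch condition: only the upper bound is tested, so a
 * negative width is not rejected and ends up in the 2048-element stack buffer
 * branch. Returns true when the stack buffer would be chosen. */
bool original_check_selects_stack_buffer(int w)
{
    return !(w > 2048);
}

/* What a callee with an unsigned length parameter (like the third argument of
 * rle16_decode in the quoted code) actually receives for a signed width.
 * A negative width becomes a very large count. */
unsigned int width_as_seen_by_decoder(int w)
{
    return (unsigned int)w;
}

/* Hardened size computation for one decoded row. Returns the number of bytes
 * to allocate, or 0 when the width must be rejected:
 *  - non-positive widths (the signedness problem from comment #3),
 *  - widths above a caller-supplied maximum (a constructed bound; whether
 *    DirectFB limits rect->w somewhere is the open question in this thread),
 *  - widths whose byte size would wrap (the unchecked multiplication). */
size_t checked_row_bytes(int w, size_t bytes_per_pixel, size_t max_width)
{
    if (w <= 0 || bytes_per_pixel == 0)
        return 0;
    if ((size_t)w > max_width)
        return 0;
    if ((size_t)w > SIZE_MAX / bytes_per_pixel)   /* w * bpp would overflow */
        return 0;
    return (size_t)w * bytes_per_pixel;
}

int main(void)
{
    /* Constructed sample widths: valid small, valid large, negative, zero,
     * and one above the assumed maximum. */
    const int widths[] = { 100, 2049, -1, 0, 70000 };

    for (size_t i = 0; i < sizeof widths / sizeof widths[0]; i++) {
        int w = widths[i];
        printf("w=%6d  original check picks stack buffer: %d  "
               "decoder sees: %10u  checked u16 row bytes: %zu\n",
               w, original_check_selects_stack_buffer(w),
               width_as_seen_by_decoder(w),
               checked_row_bytes(w, 2, 8192));
    }
    return 0;
}
```

With the hardened helper, the caller decides between the stack buffer and D_MALLOC only after `checked_row_bytes()` has returned a non-zero size, so neither the signed comparison nor the multiplication can be driven by an out-of-range width received from the network layer.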
Created attachment 628302 [details] patch proposed upstream
This is an autogenerated message for OBS integration: This bug (878345) was mentioned in https://build.opensuse.org/request/show/293665 Factory / DirectFB
Upstream still does not react. I have sent proposed patches to them on 2015-03-30 (http://mail.directfb.org/pipermail/directfb-dev/2015-March/006879.html) but got no reply. Johannes, could you please review the patches so I can submit them to older products?
(In reply to Petr Gajdos from comment #8) Both look fine but are you sure that rect->w is limited somewhere so that the multiplications in the malloc are okay?
(In reply to Johannes Segitz from comment #9)
> (In reply to Petr Gajdos from comment #8)
> Both look fine but are you sure that rect->w is limited somewhere so that
> the multiplications in the malloc are okay?

Not sure, but I think it is not related to this CVE ;).
Packages submitted.
openSUSE-SU-2015:0807-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 878345,878349
CVE References: CVE-2014-2977,CVE-2014-2978
Sources used:
openSUSE 13.2 (src): DirectFB-1.7.5-3.3.1
openSUSE 13.1 (src): DirectFB-1.6.3-4.3.1
SUSE-SU-2015:0839-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 878345,878349
CVE References: CVE-2014-2977,CVE-2014-2978
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src): DirectFB-1.7.1-4.1
SUSE Linux Enterprise Software Development Kit 12 (src): DirectFB-1.7.1-4.1
SUSE Linux Enterprise Server 12 (src): DirectFB-1.7.1-4.1
SUSE Linux Enterprise Desktop 12 (src): DirectFB-1.7.1-4.1
all updates released