CVE-2009-4012: arbitrary code execution

Bug #507939 reported by Marc Deslauriers
This bug affects 1 person
Affects            Status        Importance  Assigned to  Milestone
libthai (Ubuntu)   Fix Released  Medium      Unassigned
  Hardy            Fix Released  Medium      Unassigned
  Intrepid         Fix Released  Medium      Unassigned
  Jaunty           Fix Released  Medium      Unassigned
  Karmic           Fix Released  Medium      Unassigned
  Lucid            Fix Released  Medium      Unassigned

Bug Description

libthai contains an integer/heap overflow. It can be exploited by passing a very long string to overflow the calculated malloc size, and can lead to arbitrary code execution.

Marc Deslauriers (mdeslaur) wrote :

I have uploaded the proposed security update to the following PPA for testing, please comment on testing results here:

https://launchpad.net/~mdeslaur/+archive/testing

visibility: private → public
Marc Deslauriers (mdeslaur) wrote :

Actually, please disregard comment #1.

The packages for testing will be in this PPA:

https://launchpad.net/~ubuntu-security-proposed/+archive/ppa/

Please test and comment on results here. Thanks!

Changed in libthai (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in libthai (Ubuntu Hardy):
status: New → Confirmed
Changed in libthai (Ubuntu Karmic):
status: New → Confirmed
Changed in libthai (Ubuntu Jaunty):
status: New → Confirmed
Changed in libthai (Ubuntu Intrepid):
status: New → Confirmed
Changed in libthai (Ubuntu Karmic):
importance: Undecided → Medium
Changed in libthai (Ubuntu Jaunty):
importance: Undecided → Medium
Changed in libthai (Ubuntu Hardy):
importance: Undecided → Medium
Changed in libthai (Ubuntu Intrepid):
importance: Undecided → Medium
Manatsawin Hanmongkolchai (whs) wrote :

Tested on Ubuntu 9.04 (Club Distro Prompt Edition 9.07 -- Remix) as a VirtualBox 3.0.10 guest VM (host is Windows 7 build 7100), guest additions installed.

$ locale
LANG=th_TH.UTF-8
LC_CTYPE="th_TH.UTF-8"
LC_NUMERIC="th_TH.UTF-8"
LC_TIME="th_TH.UTF-8"
LC_COLLATE="th_TH.UTF-8"
LC_MONETARY="th_TH.UTF-8"
LC_MESSAGES="th_TH.UTF-8"
LC_PAPER="th_TH.UTF-8"
LC_NAME="th_TH.UTF-8"
LC_ADDRESS="th_TH.UTF-8"
LC_TELEPHONE="th_TH.UTF-8"
LC_MEASUREMENT="th_TH.UTF-8"
LC_IDENTIFICATION="th_TH.UTF-8"
LC_ALL=

After libthai_0.1.9-4 from the Security Team's Proposed PPA was installed, my desktop and panel menu are still working normally.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libthai - 0.1.9-1ubuntu0.2

---------------
libthai (0.1.9-1ubuntu0.2) hardy-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via long strings
    (LP: #507939)
    - src/thbrk/brk-maximal.c: validate size of n_brk_pos before malloc.
    - src/thbrk/thbrk.c: validate size of n_brk_pos before malloc, and
      perform error checking.
    - Patches from Debian DSA-1971-1
    - CVE-2009-4012
 -- Marc Deslauriers <email address hidden> Fri, 15 Jan 2010 08:32:12 -0500

Changed in libthai (Ubuntu Hardy):
status: Confirmed → Fix Released
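
The bug description and the changelog above name the defect (a long string overflowing the calculated malloc size) and the fix (validating n_brk_pos before malloc, with error checking). The C sketch below is an added illustration, not libthai's code or the Debian patch: the function names, the int position array and the toy space-based breaker are assumptions; only n_brk_pos comes from the page.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes the unchecked pattern would pass to malloc: the product wraps
 * modulo SIZE_MAX + 1 once n_brk_pos exceeds SIZE_MAX / sizeof(int). */
size_t unchecked_request(size_t n_brk_pos)
{
    return n_brk_pos * sizeof(int);
}

/* Hardened allocation: validate n_brk_pos before malloc. Returns NULL
 * for a zero or overflowing count, or when malloc itself fails. */
int *alloc_brk_pos(size_t n_brk_pos)
{
    if (n_brk_pos == 0 || n_brk_pos > SIZE_MAX / sizeof(int))
        return NULL;
    return malloc(n_brk_pos * sizeof(int));
}

/* Toy stand-in for a word breaker (assumption, not libthai logic): records
 * the index after each space. Returns the break count, or -1 on failure. */
int find_breaks(const char *text, int **pos_out)
{
    size_t n_brk_pos = strlen(text);    /* upper bound on break count */
    int n = 0;
    *pos_out = NULL;
    if (n_brk_pos == 0)
        return 0;                       /* nothing to break */
    int *pos = alloc_brk_pos(n_brk_pos);
    if (pos == NULL)
        return -1;                      /* error checking on the result */
    for (size_t i = 0; i + 1 < n_brk_pos; i++)
        if (text[i] == ' ')
            pos[n++] = (int)(i + 1);
    *pos_out = pos;
    return n;
}

int main(void)
{
    size_t big = SIZE_MAX / sizeof(int) + 2;  /* constructed count */
    int *pos;
    printf("unchecked: %zu bytes\n", unchecked_request(big));
    printf("breaks found: %d\n", find_breaks("a bc d", &pos));
    free(pos);
    return 0;
}
```

With the constructed count, the unchecked product wraps to the size of a single int, so a caller writing one position per input character would run far past the buffer; the checked allocator refuses the request instead.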
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libthai - 0.1.9-4ubuntu0.8.10.2

---------------
libthai (0.1.9-4ubuntu0.8.10.2) intrepid-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via long strings
    (LP: #507939)
    - src/thbrk/brk-maximal.c: validate size of n_brk_pos before malloc.
    - src/thbrk/thbrk.c: validate size of n_brk_pos before malloc, and
      perform error checking.
    - Patches from Debian DSA-1971-1
    - CVE-2009-4012
 -- Marc Deslauriers <email address hidden> Fri, 15 Jan 2010 08:30:43 -0500

Changed in libthai (Ubuntu Intrepid):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libthai - 0.1.12-1ubuntu0.2

---------------
libthai (0.1.12-1ubuntu0.2) karmic-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via long strings
    (LP: #507939)
    - src/thbrk/brk-maximal.c: validate size of n_brk_pos before malloc.
    - src/thbrk/thbrk.c: validate size of n_brk_pos before malloc, and
      perform error checking.
    - Patches from Debian DSA-1971-1
    - CVE-2009-4012
 -- Marc Deslauriers <email address hidden> Fri, 15 Jan 2010 08:21:40 -0500

Changed in libthai (Ubuntu Karmic):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package libthai - 0.1.9-4ubuntu0.9.04.2

---------------
libthai (0.1.9-4ubuntu0.9.04.2) jaunty-security; urgency=low

  * SECURITY UPDATE: arbitrary code execution via long strings
    (LP: #507939)
    - src/thbrk/brk-maximal.c: validate size of n_brk_pos before malloc.
    - src/thbrk/thbrk.c: validate size of n_brk_pos before malloc, and
      perform error checking.
    - Patches from Debian DSA-1971-1
    - CVE-2009-4012
 -- Marc Deslauriers <email address hidden> Fri, 15 Jan 2010 08:28:44 -0500

Changed in libthai (Ubuntu Jaunty):
status: Confirmed → Fix Released
Jamie Strandboge (jdstrand) wrote :

This was fixed in 0.1.13-1.

Changed in libthai (Ubuntu Lucid):
status: Confirmed → Fix Released
This report contains Public Security information  
Everyone can see this security related information.