
Hi all together,

I just received a message at Debian's BTS [1] which reports a possible security flaw in inkscape. It is surely a DoS, since here on my PowerBook inkscape simply crashes saying

    wolfi@...453...:/tmp $ inkscape poc.svg
    Emergency save activated!
    Segmentation fault (core dumped)

I attach the backtrace, which shows that inkscape is rather irritated:

    Core was generated by `aaaaaaaaaaaaaaaaa'.

BTW, vim's syntax highlighter has certain troubles when editing this file, too.
Thanks,
Wolfi
[1] http://bugs.debian.org/330894
----- Forwarded message from Joxean Koret <joxeankoret_at_yahoo_dot_es> -----
Subject: Bug#330894: inkscape: Arbitrary code execution when opening a malicious file
Reply-To: Joxean Koret <joxeankoret_at_yahoo_dot_es>, 330894@...499...
Resent-From: Joxean Koret <joxeankoret_at_yahoo_dot_es>
Resent-To: debian-bugs-dist@...501...
Resent-Cc: Wolfram Quester <wolfi@...111...>
Resent-Date: Fri, 30 Sep 2005 10:48:06 UTC
Resent-Message-ID: <handler.330894.B.11280765119494@...499...>
X-Debian-PR-Message: report 330894
X-Debian-PR-Package: inkscape
X-Debian-PR-Keywords:
From: Joxean Koret <joxeankoret_at_yahoo_dot_es>
To: submit@...499...
Date: Fri, 30 Sep 2005 12:51:04 +0200
Resent-Sender: Debian BTS <debbugs@...499...>
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at honk.physik.uni-konstanz.de
X-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at honk.physik.uni-konstanz.de

Subject: inkscape: Arbitrary code execution opening a file
Package: inkscape
Version: 0.41-4.99.sarge0
Severity: grave
Justification: user security hole
Inkscape is vulnerable to, almost, one buffer overflow that may allow arbitrary code execution. I contacted the Inkscape team but, at the moment, there is no patch for the issue.
Attached goes a Proof Of Concept.
NOTE: I think the problem may not be exploitable because you need to write a shellcode using only valid XML characters.
Regards, Joxean Koret
-- System Information: [...snip...]
----- End forwarded message -----