CVE-2017-7875 - Out-of-bounds Write vulnerability in FEH Project FEH
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Summary
In wallpaper.c in feh before v2.18.3, if a malicious client pretends to be the E17 window manager, it is possible to trigger an out-of-boundary heap write while receiving an IPC message. An integer overflow leads to a buffer overflow and/or a double free.
Nessus
NASL family: Fedora Local Security Checks
NASL id: FEDORA_2018-56EC0CCD82.NASL
description:
- update to 2.28 fixes rhbz #1438979 #1444077 and #1602421
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2018-11-14
plugin id: 118941
published: 2018-11-14
reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/118941
title: Fedora 27 : feh (2018-56ec0ccd82)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2018-A84B6D0071.NASL
description:
- update to 2.28 fixes rhbz #1438979 #1444077 and #1602421
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2019-01-03
plugin id: 120688
published: 2019-01-03
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/120688
title: Fedora 29 : feh (2018-a84b6d0071)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2018-3AC43A1E15.NASL
description:
- update to 2.28 fixes rhbz #1438979 #1444077 and #1602421
Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-05
modified: 2019-01-03
plugin id: 120360
published: 2019-01-03
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/120360
title: Fedora 28 : feh (2018-3ac43a1e15)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-899.NASL
description: Tobias Stoeckmann discovered it was possible to trigger an out-of-boundary heap write with the image viewer feh while receiving an IPC message. For Debian 7
last seen: 2020-03-17
modified: 2017-04-18
plugin id: 99420
published: 2017-04-18
reporter: This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/99420
title: Debian DLA-899-1 : feh security update

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2017-531.NASL
description:
This update for feh on Leap 42.1 fixes this security issue :
- CVE-2017-7875: In wallpaper.c in feh if a malicious client pretended to be the E17 window manager, it was possible to trigger an out-of-boundary heap write while receiving an IPC message. An integer overflow leads to a buffer overflow and/or a double free (bsc#1034567).
This update for feh on Leap 42.2 to version 2.18.3 fixes several issues.
This security issue was fixed on Leap 42.2 :
- CVE-2017-7875: In wallpaper.c in feh if a malicious client pretended to be the E17 window manager, it was possible to trigger an out-of-boundary heap write while receiving an IPC message. An integer overflow leads to a buffer overflow and/or a double free (bsc#1034567).
These non-security issues were fixed on Leap 42.2 :
- boo#955576: added jpegexiforient
- Fixed image-specific format specifiers not being updated correctly in thumbnail mode window titles
- Fixed memory leak when closing images opened from thumbnail mode
- Fixed a possible out of bounds read caused by an unterminated string when using --output to save images in long paths
- Fixed out of bounds read/write when handling empty or broken caption files.
- Fixed memory leak when saving a filelist or image whose target filename already exists.
- Fixed image-specific format specifiers not being updated correctly
- New key binding: ! - zoom_fill (zoom to fill window, may cut off image parts)
- Disable EXIF-based auto rotation by default
- Added --auto-rotate option to enable auto rotation
- Added feh-makefile_app.patch -- fix install location of icons
- Install feh icon (both 48x48 and scalable SVG) to /usr/share/icons when running
last seen: 2020-06-05
modified: 2017-05-02
plugin id: 99926
published: 2017-05-02
reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/99926
title: openSUSE Security Update : feh (openSUSE-2017-531)

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DLA-2219.NASL
description: Tobias Stoeckmann discovered that it was possible to trigger an out-of-boundary heap write with the image viewer feh while receiving an IPC message. For Debian 8
last seen: 2020-05-31
modified: 2020-05-26
plugin id: 136835
published: 2020-05-26
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/136835
title: Debian DLA-2219-1 : feh security update

NASL family: Gentoo Local Security Checks
NASL id: GENTOO_GLSA-201707-08.NASL
description:
The remote host is affected by the vulnerability described in GLSA-201707-08 (feh: Arbitrary remote code execution)
Tobias Stoeckmann discovered it was possible to trigger an out-of-boundary heap write with the image viewer feh while receiving an IPC message.
Impact : A remote attacker, pretending to be the E17 window manager, could possibly trigger an out-of-boundary heap write in feh while receiving an IPC message. This could result in execution of arbitrary code with the privileges of the process or a Denial of Service condition.
Workaround : There is no known workaround at this time.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 101339
published: 2017-07-10
reporter: This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/101339
title: GLSA-201707-08 : feh: Arbitrary remote code execution
References
- http://www.securityfocus.com/bid/97689
- https://feh.finalrewind.org/
- https://github.com/derf/feh/commit/f7a547b7ef8fc8ebdeaa4c28515c9d72e592fb6d
- https://lists.debian.org/debian-lts-announce/2020/05/msg00021.html
- https://security.gentoo.org/glsa/201707-08