Date: Tue, 26 Jul 2016 22:37:46 +0200
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Cc: cve-assign@...re.org
Subject: Re: CVE Request: Write out-of-bounds in gdk-pixbuf 2.30.7

Explicitly adding cve-assign to CC, this seems to have fallen through
the cracks.

Regards,

2016-07-13 19:53 GMT+02:00 Franco Costantini <franco.costantini.20@...il.com>:
> This issue was reported to Redhat secalert, they asked me to disclose it
> publicly.
>
> A write out-of-bounds while parsing an ico file was found in gdk-pixbuf 2.30.7.
> It was tested on Ubuntu 14.04; other versions can be affected (in Debian 8, an
> assert inside gtk3 stops the execution before the crash). This issue can be
> reproduced using eog:
>
>  (gdb) run crash.ico
>  Starting program: /usr/bin/eog crash.ico
>  [Thread debugging using libthread_db enabled]
>  Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
>  [New Thread 0x7fffec58e700 (LWP 3709)]
>  [New Thread 0x7fffebd8d700 (LWP 3710)]
>  [New Thread 0x7fffe9656700 (LWP 3711)]
>  [New Thread 0x7fffe8e55700 (LWP 3712)]
>
>  (eog:3705): EOG-WARNING **: Couldn't load icon: Icon 'image-loading' not
> present in theme
>
>  Program received signal SIGSEGV, Segmentation fault.
>  [Switching to Thread 0x7fffe9656700 (LWP 3711)]
>  0x00007fffd83b428c in OneLine32 (context=0x7fffe0029820) at io-ico.c:589
>  (gdb) bt
>  #0  0x00007fffd83b428c in OneLine32 (context=0x7fffe0029820) at
> io-ico.c:589
>  #1  OneLine (context=0x7fffe0029820) at io-ico.c:800
>  #2  gdk_pixbuf__ico_image_load_increment (data=0x7fffe0029820,
>      buf=0x7fffe001b852 "", size=0, error=0x7fffe9655b68) at io-ico.c:891
>  #3  0x00007ffff53e2665 in gdk_pixbuf_loader_load_module (
>      loader=loader@...ry=0x7df420, image_type=image_type@...ry=0x0,
>      error=error@...ry=0x7fffe9655b68) at gdk-pixbuf-loader.c:443
>  #4  0x00007ffff53e2ee8 in gdk_pixbuf_loader_close (loader=0x7df420,
>      error=0xaa1aa0) at gdk-pixbuf-loader.c:808
>  #5  0x00000000004236ab in eog_image_load ()
>  #6  0x00000000004275d7 in ?? ()
>  #7  0x0000000000425959 in ?? ()
>  #8  0x00007ffff43eff05 in ?? () from /lib/x86_64-linux-gnu/libglib-2.0.so.0
>  #9  0x00007ffff3f53184 in start_thread (arg=0x7fffe9656700)
>      at pthread_create.c:312
>  #10 0x00007ffff3c8037d in clone ()
>      at ../sysdeps/unix/sysv/linux/x86_64/clone.S:111
>
> The affected function is here:
>
> static void OneLine32 (struct ico_progressive_state *context)
> {
>         gint X;
>         guchar *Pixels;
>
>         X = 0;
>         if (context->Header.Negative == 0)
>                 Pixels = (context->pixbuf->pixels +
>                           context->pixbuf->rowstride *
>                           (context->Header.height - context->Lines - 1));
>         else
>                 Pixels = (context->pixbuf->pixels +
>                           context->pixbuf->rowstride *
>                           context->Lines);
>         while (X < context->Header.width) {
>                 Pixels[X * 4 + 0] = context->LineBuf[X * 4 + 2];
>                 Pixels[X * 4 + 1] = context->LineBuf[X * 4 + 1];
>                 Pixels[X * 4 + 2] = context->LineBuf[X * 4 + 0];
>                 Pixels[X * 4 + 3] = context->LineBuf[X * 4 + 3];
>                 X++;
>         }
> }
>
> The value of context->Header.height in OneLine32 is a very large number
> (probably it wasn't validated correctly). Such a value is used to calculate
> where to write, resulting in an overflow where Pixels is written.
>
> This issue was found using QuickFuzz, the file to reproduce it is attached.
> Please assign a CVE if suitable.
>
> Regards, Franco
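As an added illustration (not code from the report or from gdk-pixbuf), the row addressing of OneLine32 quoted above in a hardened form: the destination row derived from Header.height and Lines is checked against the pixbuf size before anything is written. The struct is a constructed stand-in for the few ico_progressive_state fields the function touches.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the ico_progressive_state fields OneLine32 uses
 * (not gdk-pixbuf's real types). height, width, negative come from the file. */
struct ico_state {
    int32_t height, width, lines;  /* Header.height, Header.width, Lines    */
    int negative;                  /* Header.Negative: 0 = bottom-up rows    */
    size_t rowstride, pixels_len;  /* bytes per row, size of pixbuf buffer   */
    uint8_t *pixels;
    const uint8_t *linebuf;        /* one decoded BGRA row, width * 4 bytes  */
};

/* Byte offset of the destination row (height - lines - 1, or lines when
 * Negative), or -1 if that row does not fit in the pixbuf.  The reported
 * code has no such check and trusts Header.height when computing Pixels. */
static ptrdiff_t ico_row_offset(const struct ico_state *s)
{
    int64_t row;
    if (s->height <= 0 || s->width <= 0 || s->lines < 0 || s->lines >= s->height)
        return -1;
    row = s->negative == 0 ? (int64_t)s->height - s->lines - 1 : s->lines;
    if (s->rowstride == 0 || (uint64_t)s->width * 4 > s->rowstride)
        return -1;
    if ((uint64_t)row > s->pixels_len / s->rowstride)  /* no mul overflow below */
        return -1;
    if ((uint64_t)row * s->rowstride + (uint64_t)s->width * 4 > s->pixels_len)
        return -1;
    return (ptrdiff_t)(row * (int64_t)s->rowstride);
}

/* Hardened OneLine32: copies one BGRA row from linebuf into the pixbuf as
 * RGBA.  Returns 0 on success, -1 when the write would land out of bounds. */
static int one_line32_checked(struct ico_state *s)
{
    ptrdiff_t off = ico_row_offset(s);
    int32_t x;
    if (off < 0)
        return -1;
    for (x = 0; x < s->width; x++) {
        s->pixels[off + x * 4 + 0] = s->linebuf[x * 4 + 2];
        s->pixels[off + x * 4 + 1] = s->linebuf[x * 4 + 1];
        s->pixels[off + x * 4 + 2] = s->linebuf[x * 4 + 0];
        s->pixels[off + x * 4 + 3] = s->linebuf[x * 4 + 3];
    }
    return 0;
}
```

With a header whose height is far larger than the allocated pixbuf, as in the crash above, ico_row_offset rejects the row instead of letting the copy run past the buffer.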
