Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CACn5sdSFtHbu1d45rK4Hi8=Z+KirfOZ+g=gBT5LsCWcxgfnz-w@mail.gmail.com>
Date: Mon, 4 Jul 2016 21:13:05 +0200
From: Gustavo Grieco <gustavo.grieco@...il.com>
To: oss-security@...ts.openwall.com
Subject: Browsing and attaching images considered harmful in Linux

Hi,

I would like to bring the attention of the oss-security list to the
existence of many security issues in the gdk-pixbuf library and its
dependencies causing a that attaching a corrupted image file in Linux
has become a risky business. For instance,  there is a read
out-of-bounds in librsvg2 (a dependency of gdk-pixbuf used to render
svg images), which can be easily triggered if you try to attach a svg
in Firefox. I tested it in Ubuntu 14.04 (x86_64) using the
corresponding version of librsvg2 (2.40.2-1 with debug symbols) and
Firefox. To reproduce:

1. Download and unpack boom.tar.gz somewhere.
2. gdb --args /usr/lib/firefox/firefox
3. Execute "run" and try to attach (ctrl+o) the svg file inside boom
directory in Firefox.

Result:

Program received signal SIGSEGV, Segmentation fault.
0x00007fffbb7a4c0d in rsvg_pattern_fix_fallback
(pattern=pattern@...ry=0x7ffffffea110) at rsvg-paint-server.c:645
645        rsvg-paint-server.c: No such file or directory.
(gdb) bt
#0  0x00007fffbb7a4c0d in rsvg_pattern_fix_fallback
(pattern=pattern@...ry=0x7ffffffea110) at rsvg-paint-server.c:645
#1  0x00007fffbb7c0650 in _set_source_rsvg_pattern
(ctx=0x7fffc1672b00, rsvg_pattern=0x7ffffffea110, opacity=<optimized
out>, bbox=...)
    at rsvg-cairo-draw.c:195
#2  0x00007fffbb7c1e4d in rsvg_cairo_render_path (ctx=0x7fffc1672b00,
path=<optimized out>) at rsvg-cairo-draw.c:526
#3  0x00007fffbb7bea12 in rsvg_render_path
(ctx=ctx@...ry=0x7fffc1672b00, path=path@...ry=0x7fffc4708640) at
rsvg-base.c:1976
#4  0x00007fffbb7b59c8 in _rsvg_node_rect_draw (self=0x7fffc45c6f50,
ctx=0x7fffc1672b00, dominate=0) at rsvg-shapes.c:479
#5  0x00007fffbb7b6503 in rsvg_node_draw (self=0x7fffc45c6f50,
ctx=0x7fffc1672b00, dominate=<optimized out>) at rsvg-structure.c:69
#6  0x00007fffbb7b6583 in _rsvg_node_draw_children
(self=0x7fffc8058560, ctx=0x7fffc1672b00, dominate=0) at
rsvg-structure.c:87
#7  0x00007fffbb7b6503 in rsvg_node_draw (self=0x7fffc8058560,
ctx=0x7fffc1672b00, dominate=<optimized out>) at rsvg-structure.c:69
#8  0x00007fffbb7b6903 in rsvg_node_svg_draw (self=0x7fffc4915080,
ctx=0x7fffc1672b00, dominate=<optimized out>) at rsvg-structure.c:323
#9  0x00007fffbb7b6503 in rsvg_node_draw (self=0x7fffc4915080,
ctx=0x7fffc1672b00, dominate=<optimized out>) at rsvg-structure.c:69
#10 0x00007fffbb7c2ac3 in rsvg_handle_render_cairo_sub
(handle=handle@...ry=0x7fffc8cd3440, cr=cr@...ry=0x7fffd7d58000,
id=id@...ry=0x0)
    at rsvg-cairo-render.c:225
#11 0x00007fffbb7c2ef4 in rsvg_handle_get_pixbuf_sub
(handle=0x7fffc8cd3440, id=id@...ry=0x0) at rsvg.c:90
#12 0x00007fffbb7c2f77 in rsvg_handle_get_pixbuf (handle=<optimized
out>) at rsvg.c:119
#13 0x00007fffbb9cee46 in gdk_pixbuf__svg_image_stop_load
(data=0x7fffc50e18e0, error=0x7ffffffea6b8) at io-svg.c:160
#14 0x00007ffff35d31fb in gdk_pixbuf_loader_close
(loader=loader@...ry=0x7fffc4424ea0, error=error@...ry=0x0) at
gdk-pixbuf-loader.c:821
#15 0x00007ffff35d0e2a in gdk_pixbuf_new_from_file_at_scale
(filename=0x7fffc4577100
"/home/g/Work/Code/ef/gdk-pixbuf/svg/overflow-real-reap.svg",
    width=<optimized out>, height=<optimized out>,
preserve_aspect_ratio=<optimized out>, error=0x0) at
gdk-pixbuf-io.c:1372
#16 0x00007fffeafc7d19 in UpdateFilePreviewWidget
(file_chooser=0x7fffd9d53a30, preview_widget_voidptr=<optimized out>)
    at /build/firefox-mh9_e1/firefox-46.0.1+build1/widget/gtk/nsFilePicker.cpp:115
#17 0x00007ffff25273b8 in g_closure_invoke () from
/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
#18 0x00007ffff2538d3d in ?? () from
/usr/lib/x86_64-linux-gnu/libgobject-2.0.so.0
...

It is interesting to note that rcx looks controllable:

(gdb) x/i $rip
=> 0x7fffbb7a4c0d <rsvg_pattern_fix_fallback+333>:        testb  $0x4,0xe4(%rcx)
(gdb) info registers
...
rcx            0xe5e5e5e5e5e5e5e5        -1880844493789993499
...

Fortunately, this issue is already solved in the last revision of
librsvg2 (AFAIK, this issue has no CVE, so please MITRE assign one if
suitable). Nevertheless, I reported such vulnerability to Mozilla more
than a month ago hoping that they will disable the svg support in the
open/attach widget. After some discussion, it was marked as WONTFIX.
While i understand why, i still feel it can be productive to discuss
this here.

(the same trick can be used to crash Chrome/Chromium, since the code
to open/attach an image is almost the same, so this is not a Firefox
specific issue)


Regards,
Gustavo

Download attachment "boom.tar.gz" of type "application/x-gzip" (745 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.