Bugzilla – Bug 1205033
VUL-0: CVE-2022-44638: pixman: integer overflow in pixman_sample_floor_y leading to heap out-of-bounds write
Last modified: 2022-11-28 14:23:54 UTC
rh#2139988

In libpixman in Pixman before 0.42.2, there is an out-of-bounds write (aka heap-based buffer overflow) in rasterize_edges_8 due to an integer overflow in pixman_sample_floor_y.

https://gitlab.freedesktop.org/pixman/pixman/-/issues/63

References:
https://bugzilla.redhat.com/show_bug.cgi?id=2139988
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-44638
https://www.cve.org/CVERecord?id=CVE-2022-44638
http://www.cvedetails.com/cve/CVE-2022-44638/
Affected:
- SUSE:SLE-11-SP3:Update
- SUSE:SLE-12-SP2:Update
- SUSE:SLE-15:Update
- SUSE:SLE-15-SP4:Update
- openSUSE:Factory

Patch: https://gitlab.freedesktop.org/pixman/pixman/-/commit/a1f88e842e0216a5b4df1ab023caebe33c101395
Created attachment 862643
Reproducer

SLE-15-SP4 Reproducer:

$ gcc CVE-2022-44638-poc.c -I/usr/include/pixman-1/ -ldl -fsanitize=address -o CVE-2022-44638-poc
$ ./CVE-2022-44638-poc
=================================================================
==1197==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61b0000009b1 at pc 0x7f5adb3eb1b8 bp 0x7ffe2bbb5900 sp 0x7ffe2bbb50b0
WRITE of size 10 at 0x61b0000009b1 thread T0
    #0 0x7f5adb3eb1b7  (/usr/lib64/libasan.so.4+0x5f1b7)
    #1 0x7f5ad748f7ca in pixman_rasterize_edges (/usr/lib64/libpixman-1.so.0.40.0+0x387ca)
    #2 0x7f5ad74b6e04 in pixman_rasterize_trapezoid (/usr/lib64/libpixman-1.so.0.40.0+0x5fe04)
    #3 0x400f1c in main (/root/poc+0x400f1c)
    #4 0x7f5adadc829c in __libc_start_main (/lib64/libc.so.6+0x3529c)
    #5 0x4008b9 in _start (/root/poc+0x4008b9)

Address 0x61b0000009b1 is a wild pointer.
SUMMARY: AddressSanitizer: heap-buffer-overflow (/usr/lib64/libasan.so.4+0x5f1b7)
Shadow bytes around the buggy address:
  0x0c367fff80e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff80f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8100: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8110: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8120: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
=>0x0c367fff8130: fa fa fa fa fa fa[fa]fa fa fa fa fa fa fa fa fa
  0x0c367fff8140: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8150: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8160: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8170: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c367fff8180: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==1197==ABORTING
SUSE-SU-2022:4148-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1205033
CVE References: CVE-2022-44638
JIRA References:
Sources used:
openSUSE Leap Micro 5.2 (src): pixman-0.34.0-150000.7.5.1
openSUSE Leap 15.3 (src): pixman-0.34.0-150000.7.5.1
SUSE Manager Server 4.1 (src): pixman-0.34.0-150000.7.5.1
SUSE Manager Retail Branch Server 4.1 (src): pixman-0.34.0-150000.7.5.1
SUSE Manager Proxy 4.1 (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Server for SAP 15 (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Server 15-SP2-BCL (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Server 15-SP1-BCL (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Server 15-LTSS (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15-SP3 (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP3 (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Micro 5.2 (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise Micro 5.1 (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src): pixman-0.34.0-150000.7.5.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src): pixman-0.34.0-150000.7.5.1
SUSE Enterprise Storage 7 (src): pixman-0.34.0-150000.7.5.1
SUSE Enterprise Storage 6 (src): pixman-0.34.0-150000.7.5.1
SUSE CaaS Platform 4.0 (src): pixman-0.34.0-150000.7.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:4206-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1205033
CVE References: CVE-2022-44638
JIRA References:
Sources used:
openSUSE Leap Micro 5.3 (src): pixman-0.40.0-150400.3.3.1
openSUSE Leap 15.4 (src): pixman-0.40.0-150400.3.3.1
SUSE Linux Enterprise Module for Desktop Applications 15-SP4 (src): pixman-0.40.0-150400.3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): pixman-0.40.0-150400.3.3.1
SUSE Linux Enterprise Micro 5.3 (src): pixman-0.40.0-150400.3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2022:4249-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1205033
CVE References: CVE-2022-44638
JIRA References:
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src): pixman-0.34.0-8.3.1
SUSE OpenStack Cloud 9 (src): pixman-0.34.0-8.3.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): pixman-0.34.0-8.3.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src): pixman-0.34.0-8.3.1
SUSE Linux Enterprise Server 12-SP5 (src): pixman-0.34.0-8.3.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src): pixman-0.34.0-8.3.1
SUSE Linux Enterprise Server 12-SP3-BCL (src): pixman-0.34.0-8.3.1
SUSE Linux Enterprise Server 12-SP2-BCL (src): pixman-0.34.0-8.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.