Bug 942801 - (CVE-2015-4491) VUL-1: CVE-2015-4491: gdk2,gdk-pixbuf: bug-fix stable update (fixing possible security vulnerability)
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware / OS: All / All
Priority / Severity: P4 - Low / Normal
Assigned To: E-mail List
Security Team bot
CVSSv2:SUSE:CVE-2015-4491:6.8:(AV:N/A...
Reported: 2015-08-23 02:40 UTC by Atri Bhattacharya
Modified: 2022-02-13 10:57 UTC (History)
Description Atri Bhattacharya 2015-08-23 02:40:13 UTC
gdk-pixbuf in openSUSE 13.2 is to be updated to version 2.31.6 (from the presently available version 2.31.1). Fixes include that for the security vulnerability CVE-2015-4491. The full list of changes follows:

-------------------------------------------------------------------
Wed Aug 19 08:36:31 UTC 2015 - zaitor@opensuse.org

- Update to version 2.31.6:
  + Really fix bgo#752297. This is CVE-2015-4491.
  + Updated translations.

-------------------------------------------------------------------
Tue Jul 21 01:12:26 UTC 2015 - zaitor@opensuse.org

- Update to version 2.31.5:
  + Add support for g_autoptr for all object types (bgo#750497).
  + Avoid a possible divide-by-zero in the pixbuf loader
    (bgo#750440).
  + Remove gettext .pot file hack (bgo#743574).
  + Be more careful about integer overflow (bgo#752297).
  + Updated translations.
- Drop README from docs as it is now empty.
- Add generic www.gnome.org URL to silence a few lint warnings.

-------------------------------------------------------------------
Tue May 12 10:47:00 UTC 2015 - zaitor@opensuse.org

- Update to version 2.31.4:
  + SVGZ icons in notification GNOME3 (bgo#648815).
  + gdk_pixbuf_apply_embedded_orientation is not working
    (bgo#725582).
  + Updated translations.

-------------------------------------------------------------------
Sun Mar  8 10:23:12 UTC 2015 - zaitor@opensuse.org

- Update to version 2.31.3:
  + API changes: Revert an annotation change that broke bindings.
  + Build fixes:
    - Clean up configure
    - Fix Visual Studio build
    - Define MAP_ANONYMOUS when needed
    - Include gi18n-lib.h where needed
  + Updated translations.

-------------------------------------------------------------------
Sat Nov 22 09:56:09 UTC 2014 - zaitor@opensuse.org

- Update to version 2.31.2:
  + API changes:
    - Deprecate GdkPixdata.
    - Add gdk_pixbuf_get_options() helper to list set options.
    - Annotations fixes for various functions.
    - Remove incorrect info about area-prepared signal.
  + Image format support changes:
    - Flag multi-page TIFF files.
    - Fix memory usage for GIF animations, add note about minimum
      frame length.
    - Return an error for truncated PNG files.
    - Add density (DPI) support for JPEG, PNG and TIFF.
    - Fix reading CMYK JPEG files generated by Photoshop.
    - Allow saving 1-bit mono TIFF files as used in faxes.
    - Simplify loader names.
    - Fix loading GIF files when the first write is short.
    - Add progressive loading to ICNS files.
    - Add support for 256x256 ICO files.
    - Fix reading MS AMCap2 BMP files.
  + Other:
    - Honour requested depth in Xlib.
    - Special-case compositing/copying with no scaling.
    - Add relocation support to OSX and Linux.
    - Prefer gdk-pixbuf's loaders to the GDI+ ones on Windows.

-------------------------------------------------------------------
Sun Nov 09 03:48:00 UTC 2014 - Led <ledest@gmail.com>

- fix bashism in post script

-------------------------------------------------------------------
Comment 1 Atri Bhattacharya 2015-08-23 02:42:34 UTC
Mr. Maintenance, please let us know if this will be okay.
Comment 2 Marcus Meissner 2015-08-24 06:09:20 UTC
This minor version update in the 2.31.x series seems ok. It mentions API changes, but I hope it's just a drop-in without breaking programs.

tagging for security.

is gtk2 also affected?
Comment 3 Bernhard Wiedemann 2015-08-24 11:00:09 UTC
This is an autogenerated message for OBS integration:
This bug (942801) was mentioned in
https://build.opensuse.org/request/show/325795 13.2 / gdk-pixbuf
Comment 4 Swamp Workflow Management 2015-08-24 22:00:17 UTC
bugbot adjusting priority
Comment 5 Swamp Workflow Management 2015-09-07 06:09:51 UTC
openSUSE-SU-2015:1500-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 942801
CVE References: CVE-2015-4491
Sources used:
openSUSE 13.2 (src):    gdk-pixbuf-2.31.6-3.1
Comment 7 Scott Reeves 2015-09-11 20:07:26 UTC
Mike - can you look into this...
Comment 8 Atri Bhattacharya 2015-09-11 20:59:07 UTC
(In reply to Scott Reeves from comment #7)
> Mike - can you look into this...

Sorry, I worked on this bug: I believe the required fix for this was released already. What else needs to be done? If there is something else, I can take a look at it again.

Thanks.
Comment 9 Scott Reeves 2015-09-11 21:09:24 UTC
(In reply to Atri Bhattacharya from comment #8)
> (In reply to Scott Reeves from comment #7)
> > Mike - can you look into this...
> 
> Sorry, I worked on this bug: I believe the required fix for this was
> released already. What else needs to be done? If there is something else, I
> can take a look at it again.
> 
> Thanks.

Hi Atri,

Thanks for the work on this.
I just wanted Mike to look at this and see if we need to do anything for SLE also.
Comment 12 Marcus Meissner 2015-09-17 05:45:53 UTC
if all done, reassign to security-team... doing so
Comment 13 Swamp Workflow Management 2015-10-20 13:10:59 UTC
SUSE-SU-2015:1787-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 922741,942801,948791
CVE References: CVE-2015-4491,CVE-2015-7674
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    gtk2-2.18.9-0.35.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    gtk2-2.18.9-0.35.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    gtk2-2.18.9-0.35.1
SUSE Linux Enterprise Server 11-SP4 (src):    gtk2-2.18.9-0.35.1
SUSE Linux Enterprise Server 11-SP3 (src):    gtk2-2.18.9-0.35.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    gtk2-2.18.9-0.35.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    gtk2-2.18.9-0.35.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    gtk2-2.18.9-0.35.1
Comment 14 Swamp Workflow Management 2015-11-11 14:44:32 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-11-25.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62334
Comment 15 Viktor Kijasev 2015-12-01 16:18:30 UTC
Regarding: "Really fix bgo#752297. This is CVE-2015-4491"
bgo#752297
A minimal example of a vulnerable program is attached: it is just a call to gdk_pixbuf_new_from_file_at_size.
Also two bmp POC are included: one to crash the minimal example and another POC to trigger a heap overflow in Firefox 
overflow-firefox.bmp (82 bytes, image/bmp)
pixbuf_vuln_poc.c (396 bytes, text/plain)
overflow-32x32.bmp (82 bytes, image/bmp)

https://bugzilla.gnome.org/show_bug.cgi?id=752297
Running with the attached test program:
./pixbuf_vuln_poc overflow-32x32.bmp

== before update: 
Program received signal SIGSEGV, Segmentation fault.
make_filter_table (filter=0x7ffffffedf50) at pixops.c:1214
1214	pixops.c: No such file or directory.
(gdb) bt
#0  make_filter_table (filter=0x7ffffffedf50) at pixops.c:1214
#1  pixops_process (dest_buf=0x611da0 '\272' <repeats 96 times>, "\221EEEEEE\aq", render_x0=0, render_y0=0, render_x1=32, 
    render_y1=1, dest_rowstride=96, dest_channels=3, dest_has_alp.......

== after update: no crash

Test with Eye of Gnome
=======================
 # eog overflow-32x32.bmp
**
Gdk:ERROR:gdkcairo.c:193:gdk_cairo_surface_paint_pixbuf: assertion failed: (cairo_image_surface_get_format (surface) == CAIRO_FORMAT_RGB24 || cairo_image_surface_get_format (surface) == CAIRO_FORMAT_ARGB32)
Aborted (core dumped)

The same crash before/after update.
Comment 16 Viktor Kijasev 2015-12-01 17:08:40 UTC
Communicated with mmeissner on irc

issue addressed:
https://bugzilla.suse.com/show_bug.cgi?id=957399

looks ok for the current update
Comment 17 Swamp Workflow Management 2015-12-04 13:22:20 UTC
SUSE-SU-2015:2195-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 942801,948790,948791
CVE References: CVE-2015-4491,CVE-2015-7673,CVE-2015-7674
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    gdk-pixbuf-2.30.6-7.1
SUSE Linux Enterprise Server 12 (src):    gdk-pixbuf-2.30.6-7.1
SUSE Linux Enterprise Desktop 12 (src):    gdk-pixbuf-2.30.6-7.1
Comment 18 Swamp Workflow Management 2015-12-23 17:30:00 UTC
SUSE-SU-2015:2195-2: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 942801,948790,948791
CVE References: CVE-2015-4491,CVE-2015-7673,CVE-2015-7674
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    gdk-pixbuf-2.30.6-7.2
SUSE Linux Enterprise Server 12-SP1 (src):    gdk-pixbuf-2.30.6-7.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    gdk-pixbuf-2.30.6-7.2
Comment 19 Michael Gorse 2016-01-04 15:28:48 UTC
I submitted an update to 2.32.3 to GNOME:Factory. This includes my commit to add a few more checks along with various other potential security fixes. We already have 2.31.6 in Leap at least, so my suggestion would be to just update to 2.32.3.
Comment 21 Marcus Meissner 2017-06-15 21:26:46 UTC
released
Comment 22 Liu Shukui 2018-07-05 09:48:08 UTC
(In reply to Marcus Meissner from comment #21)
> released

It seems there is a regression while testing http://download.suse.de/ibs/SUSE:/Maintenance:/7709/SUSE_Updates_SLE-SERVER_12-SP3_x86_64/src/gdk-pixbuf-2.34.0-19.11.1.src.rpm

s12sp3-vbox:/usr/src/packages/BUILD/gdk-pixbuf-2.34.0/tests # ./cve-2015-4491 cve-2015-4491.bmp 
/pixbuf/cve-2015-4491/original: **
ERROR:cve-2015-4491.c:36:test_original: assertion failed (err == NULL): BMP image has bogus header data (gdk-pixbuf-error-quark, 0)
Aborted (core dumped)
Comment 23 Michael Gorse 2018-07-16 18:43:18 UTC
(In reply to Liu Shukui from comment #22)
> (In reply to Marcus Meissner from comment #21)
> > released
> 
> It seems there is a regression while testing
> http://download.suse.de/ibs/SUSE:/Maintenance:/7709/SUSE_Updates_SLE-
> SERVER_12-SP3_x86_64/src/gdk-pixbuf-2.34.0-19.11.1.src.rpm
> 
> s12sp3-vbox:/usr/src/packages/BUILD/gdk-pixbuf-2.34.0/tests #
> ./cve-2015-4491 cve-2015-4491.bmp 
> /pixbuf/cve-2015-4491/original: **
> ERROR:cve-2015-4491.c:36:test_original: assertion failed (err == NULL): BMP
> image has bogus header data (gdk-pixbuf-error-quark, 0)
> Aborted (core dumped)

I see that that test has been updated upstream, so that the new behavior is considered correct, but I didn't include the change to the test.
I'll submit a new maintenance request.
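Comment 15 shows the pre-update crash reached through gdk_pixbuf_new_from_file_at_size (scaling a BMP whose header describes a size the scaler cannot handle), and comment 22 shows the updated loader instead failing early with "BMP image has bogus header data". The following is an added example, written for this page and not gdk-pixbuf's loader or its upstream fix: it parses the two BMP headers, rejects bogus dimensions and pixel offsets, and bounds the rowstride and buffer-size arithmetic to the C `int` range the way the changelog entry "Be more careful about integer overflow" describes. `INT_MAX`, the strict "pixel data must fit in the file" policy, and the constructed sample files are assumptions of this example.

```python
"""Header validation and overflow-checked size arithmetic for BMP input.

Illustrative code added to this bug discussion; it is NOT gdk-pixbuf's
loader or its upstream fix. It demonstrates the two classes of check the
changelog entries describe: rejecting "bogus header data" and refusing
image sizes whose C `int` arithmetic would overflow.
"""
import struct

INT_MAX = 2**31 - 1   # assumption: the C `int` range pixbuf sizes are computed in


class BogusHeader(ValueError):
    """Raised when a header fails validation (the defensive outcome)."""


def parse_bmp_header(data: bytes) -> dict:
    """Parse BITMAPFILEHEADER + BITMAPINFOHEADER and reject unsafe values."""
    if len(data) < 54 or data[:2] != b"BM":
        raise BogusHeader("not a BMP or truncated header")
    _file_size, _res1, _res2, pixel_offset = struct.unpack_from("<IHHI", data, 2)
    (dib_size, width, height, planes, bpp,
     compression, _image_size) = struct.unpack_from("<IiiHHII", data, 14)
    if dib_size < 40:
        raise BogusHeader("unsupported DIB header size %d" % dib_size)
    # height < 0 means top-down rows; width must be strictly positive
    if width <= 0 or height == 0:
        raise BogusHeader("bogus dimensions %dx%d" % (width, height))
    if planes != 1 or bpp not in (1, 4, 8, 16, 24, 32):
        raise BogusHeader("bogus planes/bpp")
    abs_height = abs(height)
    # BMP rows are padded to 4 bytes. Python ints cannot overflow, so we
    # compute exactly and then bound the result to what a C `int` can hold.
    rowstride = ((width * bpp + 31) // 32) * 4
    if rowstride > INT_MAX or rowstride * abs_height > INT_MAX:
        raise BogusHeader("image size overflows int")
    if pixel_offset < 14 + dib_size or pixel_offset > len(data):
        raise BogusHeader("bogus pixel data offset")
    # Strict policy choice (assumption): uncompressed pixel data must fit in the file
    if compression == 0 and pixel_offset + rowstride * abs_height > len(data):
        raise BogusHeader("truncated pixel data")
    return {"width": width, "height": abs_height, "bpp": bpp,
            "rowstride": rowstride, "top_down": height < 0}


def checked_scaled_size(dest_width: int, dest_height: int, n_channels: int = 3):
    """Bytes needed for a scaled RGB(A) destination, refusing `int` overflow."""
    if dest_width <= 0 or dest_height <= 0:
        raise BogusHeader("bogus target size")
    rowstride = (dest_width * n_channels + 3) & ~3   # 4-byte aligned rows
    if rowstride > INT_MAX or rowstride * dest_height > INT_MAX:
        raise BogusHeader("scaled buffer size overflows int")
    return rowstride, rowstride * dest_height


def make_bmp(width, height, bpp=24, pixels=None):
    """Build a minimal constructed BMP (test fixture, not a real image)."""
    rowstride = ((width * bpp + 31) // 32) * 4
    if pixels is None:
        pixels = bytes(rowstride * abs(height))
    pixel_offset = 54
    file_hdr = b"BM" + struct.pack("<IHHI", pixel_offset + len(pixels), 0, 0, pixel_offset)
    dib_hdr = struct.pack("<IiiHHIIiiII", 40, width, height, 1, bpp, 0,
                          len(pixels), 2835, 2835, 0, 0)
    return file_hdr + dib_hdr + pixels


def classify(data: bytes) -> str:
    """Return 'ok' or the rejection reason; convenient for a batch scan."""
    try:
        parse_bmp_header(data)
        return "ok"
    except BogusHeader as e:
        return "rejected: %s" % e


if __name__ == "__main__":
    # constructed samples: a sane 32x32 image, an absurd width, a truncated file
    for name, blob in [("sane", make_bmp(32, 32)),
                       ("huge-width", make_bmp(2**30, 32, pixels=b"")),
                       ("truncated", make_bmp(32, 32, pixels=b"\0" * 10))]:
        print(name, classify(blob))
```

The point of bounding every product rather than only the final allocation is that a rowstride which already exceeds `INT_MAX` would wrap in C before it is ever multiplied by the height; checking the intermediate value is what turns a crash in the scaler into a clean "bogus header data" error at load time.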
Comment 26 Alexandros Toptsoglou 2019-05-29 12:37:01 UTC
Closing