Bug 948790 - (CVE-2015-7673) VUL-0: CVE-2015-7673: gdk-pixbuf: Heap overflow and DoS with a tga file
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Atri Bhattacharya
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/157277/
Whiteboard: CVSSv2:RedHat:CVE-2015-7673:4.3:(AV:N...
Reported: 2015-10-05 10:25 UTC by Andreas Stieger
Modified: 2019-05-22 01:03 UTC (History)
Found By: Security Response Team

Attachments
PoC code (397 bytes, text/x-csrc)
2015-10-05 11:50 UTC, Andreas Stieger
DoS reproducer file (60 bytes, application/gzip)
2015-10-05 11:50 UTC, Andreas Stieger
overflow reproducer file (105 bytes, application/gzip)
2015-10-05 11:51 UTC, Andreas Stieger

Comment 2 Andreas Stieger 2015-10-05 11:50:08 UTC
Created attachment 650147
PoC code

PoC code from http://seclists.org/oss-sec/2015/q4/31

    Could you make them available please?


Sure! Please find attached the two test cases as well as a minimal example of a vulnerable program: it is just a call to gdk_pixbuf_new_from_file_at_size. Also, a detailed backtrace of the heap overflow is here:

Starting program: pixbuf_vuln_poc overflow.tga
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
scale_line (weights=weights@entry=0x2aab3c468c10, n_x=148, n_y=148, dest=dest@entry=0x630ee0 "", dest_x=dest_x@entry=0,
    dest_end=dest_end@entry=0x631144 "", dest_channels=dest_channels@entry=4, dest_has_alpha=dest_has_alpha@entry=1, src=src@entry=0x63ce60,
    src_channels=src_channels@entry=4, src_has_alpha=src_has_alpha@entry=1, x_init=<optimized out>, x_step=x_step@entry=9629110,
    src_width=src_width@entry=22627, check_size=check_size@entry=0, color1=color1@entry=0, color2=color2@entry=0) at pixops.c:974
974        
(gdb) bt
#0  scale_line (weights=weights@entry=0x2aab3c468c10, n_x=148, n_y=148, dest=dest@entry=0x630ee0 "", dest_x=dest_x@entry=0,
    dest_end=dest_end@entry=0x631144 "", dest_channels=dest_channels@entry=4, dest_has_alpha=dest_has_alpha@entry=1, src=src@entry=0x63ce60,
    src_channels=src_channels@entry=4, src_has_alpha=src_has_alpha@entry=1, x_init=<optimized out>, x_step=x_step@entry=9629110,
    src_width=src_width@entry=22627, check_size=check_size@entry=0, color1=color1@entry=0, color2=color2@entry=0) at pixops.c:974
#1  0x00002aaaaace5698 in pixops_process (dest_buf=<optimized out>, render_x0=0, render_y0=<optimized out>, render_x1=<optimized out>,
    render_y1=<optimized out>, dest_rowstride=<optimized out>, dest_channels=4, dest_has_alpha=1, src_buf=0x2aaaad14f010 "", src_width=22627,
    src_height=26435, src_rowstride=90508, src_channels=4, src_has_alpha=1, scale_x=<optimized out>, scale_y=<optimized out>, check_x=0, check_y=0,
    check_size=0, color1=0, color2=0, filter=0x7ffffffedc90, line_func=0x2aaaaace3c10 <scale_line>, pixel_func=0x2aaaaace49a0 <scale_pixel>)
    at pixops.c:1366
#2  0x00002aaaaace5f09 in _pixops_scale_real (interp_type=PIXOPS_INTERP_BILINEAR, interp_type@entry=PIXOPS_INTERP_NEAREST,
    scale_y=0,0068091545299791946, scale_x=0,0068060281964025283, src_has_alpha=1, src_channels=4, src_rowstride=90508, src_height=26435,
    src_width=22627, src_buf=0x2aaaad14f010 "", dest_has_alpha=1, dest_channels=4, dest_rowstride=616, render_y1=<optimized out>, render_x1=154,
    render_y0=<optimized out>, render_x0=0, dest_buf=<optimized out>) at pixops.c:2230
#3  _pixops_scale (dest_buf=<optimized out>, dest_width=dest_width@entry=154, dest_height=dest_height@entry=180, dest_rowstride=616, dest_channels=4,
    dest_has_alpha=1, src_buf=0x2aaaad14f010 "", src_width=22627, src_height=26435, src_rowstride=90508, src_channels=4, src_has_alpha=1,
    dest_x=dest_x@entry=0, dest_y=dest_y@entry=0, dest_region_width=dest_region_width@entry=154, dest_region_height=dest_region_height@entry=180,
    offset_x=offset_x@entry=0, offset_y=<optimized out>, scale_x=scale_x@entry=0,0068060281964025283, scale_y=scale_y@entry=0,0068091545299791946,
    interp_type=interp_type@entry=PIXOPS_INTERP_BILINEAR) at pixops.c:2285
#4  0x00002aaaaacdda2d in gdk_pixbuf_scale (src=0x618000, dest=0x618050, dest_x=0, dest_y=0, dest_width=154, dest_height=180, offset_x=0,
    offset_y=<optimized out>, scale_x=0,0068060281964025283, scale_y=0,0068091545299791946, interp_type=GDK_INTERP_BILINEAR) at gdk-pixbuf-scale.c:147
#5  0x00002aaaaacde07a in gdk_pixbuf_scale_simple (src=src@entry=0x618000, dest_width=154, dest_height=dest_height@entry=180,
    interp_type=interp_type@entry=GDK_INTERP_BILINEAR) at gdk-pixbuf-scale.c:321
#6  0x00002aaaaacdf340 in get_scaled_pixbuf (scaled=0x616440, pixbuf=0x618000) at gdk-pixbuf-scaled-anim.c:138
#7  0x00002aaaaacdae88 in gdk_pixbuf_new_from_file_at_scale (filename=0x7fffffffe36b "overflow.tga", width=<optimized out>, height=<optimized out>,
    preserve_aspect_ratio=<optimized out>, error=0x7fffffffdee0) at gdk-pixbuf-io.c:1377
#8  0x00000000004007b8 in main ()

(gdb) x/i $rip
=> 0x2aaaaace3dd0 <scale_line+448>:        movzbl 0x3(%rcx),%edx
(gdb) info registers
rax            0x0        0
rbx            0x94        148
rcx            0x2aaa2d6d51c4        46910394945988
rdx            0x0        0
rsi            0x4        4
rdi            0x2aab3c468c10        46914939030544
rbp            0x2aab3c468e60        0x2aab3c468e60
rsp            0x7ffffffeda18        0x7ffffffeda18
r8             0x0        0
r9             0x0        0
r10            0x0        0
r11            0x0        0
r12            0x0        0
r13            0x63ce60        6540896
r14            0x2aab3c468c10        46914939030544
r15            0x94        148
rip            0x2aaaaace3dd0        0x2aaaaace3dd0 <scale_line+448>
eflags         0x10202        [ IF RF ]
cs             0x33        51
ss             0x2b        43
ds             0x0        0
es             0x0        0
fs             0x0        0
gs             0x0        0

And the backtrace of the DoS here:

Starting program: pixbuf_vuln_poc DoS.tga
[Depuración de hilo usando libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00002aaaacf4c384 in parse_data_for_row_pseudocolor (ctx=0x614ca0) at io-tga.c:367
367
(gdb) bt
#0  0x00002aaaacf4c384 in parse_data_for_row_pseudocolor (ctx=0x614ca0) at io-tga.c:367
#1  parse_data_for_row (err=0x7ffffffede28, ctx=0x614ca0) at io-tga.c:413
#2  gdk_pixbuf__tga_load_increment (data=0x614ca0, buffer=<optimized out>, size=<optimized out>, err=0x7ffffffede28) at io-tga.c:922
#3  0x00002aaaaacdca45 in gdk_pixbuf_loader_load_module (loader=loader@entry=0x60f200, image_type=image_type@entry=0x0,
    error=error@entry=0x7ffffffede28) at gdk-pixbuf-loader.c:445
#4  0x00002aaaaacdd2b8 in gdk_pixbuf_loader_close (loader=loader@entry=0x60f200, error=error@entry=0x7fffffffdef0) at gdk-pixbuf-loader.c:810
#5  0x00002aaaaacdae2a in gdk_pixbuf_new_from_file_at_scale (filename=0x7fffffffe370 "DoS.tga", width=<optimized out>, height=<optimized out>,
    preserve_aspect_ratio=<optimized out>, error=0x7fffffffdef0) at gdk-pixbuf-io.c:1372
#6  0x00000000004007b8 in main ()

(gdb) x/i $rip
=> 0x2aaaacf4c384 <gdk_pixbuf__tga_load_increment+612>:        mov    0x8(%rdx),%rdx
(gdb) info registers
rax            0x6163e0        6382560
rbx            0x614ca0        6376608
rcx            0x7        7
rdx            0x0        0
rsi            0x611b02        6363906
rdi            0x618000        6389760
rbp            0x7ffffffede28        0x7ffffffede28
rsp            0x7ffffffedd80        0x7ffffffedd80
r8             0x616200        6382080
r9             0x6163e7        6382567
r10            0x8        8
r11            0x2aaaaaf05c10        46912500685840
r12            0x0        0
r13            0x0        0
r14            0x15        21
r15            0xb        11
rip            0x2aaaacf4c384        0x2aaaacf4c384 <gdk_pixbuf__tga_load_increment+612>
eflags         0x10202        [ IF RF ]
cs             0x33        51
ss             0x2b        43
ds             0x0        0
es             0x0        0
fs             0x0        0
gs             0x0        0
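The two backtraces above show a crash while scaling a source the loader took to be 22627 by 26435 pixels, and a NULL dereference (rdx is 0 at the faulting `mov 0x8(%rdx),%rdx`) in the pseudocolor row parser. As an added example, not the reporter's PoC and not gdk-pixbuf's code, this is the kind of header sanity check a TGA loader can apply before sizing any buffer from untrusted dimensions; the dimension and byte caps, the helper names and the `tga_make_header` test builder are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* Caps are this example's own choices, not gdk-pixbuf's limits. */
#define TGA_MAX_DIM   16384u
#define TGA_MAX_BYTES (256u * 1024u * 1024u)

enum tga_verdict { TGA_OK, TGA_ERR_SHORT, TGA_ERR_TYPE, TGA_ERR_DIM, TGA_ERR_CMAP, TGA_ERR_TOO_BIG };

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate the fixed 18-byte little-endian TGA header before any buffer is
 * sized from it: byte 1 colormap type, byte 2 image type, bytes 5-6 colormap
 * length, 12-13 width, 14-15 height, 16 pixel depth. On TGA_OK, *pixel_bytes
 * (if non-NULL) receives the decoded image size computed in 64 bits, so it cannot wrap. */
enum tga_verdict tga_check(const uint8_t *buf, size_t len, uint64_t *pixel_bytes)
{
    if (len < 18) return TGA_ERR_SHORT;
    uint8_t cmap_type = buf[1], image_type = buf[2], depth = buf[16];
    uint16_t cmap_len = le16(buf + 5), width = le16(buf + 12), height = le16(buf + 14);
    unsigned base = image_type & 7;         /* 1 colormapped, 2 truecolor, 3 grayscale; bit 3 = RLE */
    if (base < 1 || base > 3 || (image_type & ~0x0Fu)) return TGA_ERR_TYPE;
    if (depth != 8 && depth != 16 && depth != 24 && depth != 32) return TGA_ERR_TYPE;
    if (width == 0 || height == 0 || width > TGA_MAX_DIM || height > TGA_MAX_DIM) return TGA_ERR_DIM;
    /* A pseudocolor image that declares no colormap gives the row parser nothing to index. */
    if (base == 1 && (cmap_type == 0 || cmap_len == 0)) return TGA_ERR_CMAP;
    uint64_t bytes = (uint64_t)width * height * (depth / 8);
    if (bytes > TGA_MAX_BYTES) return TGA_ERR_TOO_BIG;
    if (pixel_bytes) *pixel_bytes = bytes;
    return TGA_OK;
}

/* Build a constructed 18-byte header for testing; fields not listed stay zero. */
void tga_make_header(uint8_t out[18], uint8_t cmap_type, uint8_t image_type,
                     uint16_t cmap_len, uint16_t w, uint16_t h, uint8_t depth)
{
    for (int i = 0; i < 18; i++) out[i] = 0;
    out[1] = cmap_type; out[2] = image_type;
    out[5] = (uint8_t)cmap_len; out[6] = (uint8_t)(cmap_len >> 8);
    out[12] = (uint8_t)w;  out[13] = (uint8_t)(w >> 8);
    out[14] = (uint8_t)h;  out[15] = (uint8_t)(h >> 8);
    out[16] = depth;
}
```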
Comment 3 Andreas Stieger 2015-10-05 11:50:59 UTC
Created attachment 650148
DoS reproducer file

DoS reproducer file from http://seclists.org/oss-sec/2015/q4/31
Comment 4 Andreas Stieger 2015-10-05 11:51:24 UTC
Created attachment 650149
overflow reproducer file

overflow reproducer file from http://seclists.org/oss-sec/2015/q4/31
Comment 5 Swamp Workflow Management 2015-10-05 22:00:16 UTC
bugbot adjusting priority
Comment 9 Michael Gorse 2015-11-25 20:32:33 UTC
Reassigning to security-team.
Comment 10 Swamp Workflow Management 2015-12-04 13:22:31 UTC
SUSE-SU-2015:2195-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 942801,948790,948791
CVE References: CVE-2015-4491,CVE-2015-7673,CVE-2015-7674
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    gdk-pixbuf-2.30.6-7.1
SUSE Linux Enterprise Server 12 (src):    gdk-pixbuf-2.30.6-7.1
SUSE Linux Enterprise Desktop 12 (src):    gdk-pixbuf-2.30.6-7.1
Comment 11 Andreas Stieger 2015-12-23 13:22:38 UTC
Releasing for SLE 12 SP1, last one.
Comment 12 Swamp Workflow Management 2015-12-23 17:30:13 UTC
SUSE-SU-2015:2195-2: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 942801,948790,948791
CVE References: CVE-2015-4491,CVE-2015-7673,CVE-2015-7674
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    gdk-pixbuf-2.30.6-7.2
SUSE Linux Enterprise Server 12-SP1 (src):    gdk-pixbuf-2.30.6-7.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    gdk-pixbuf-2.30.6-7.2
Comment 13 Atri Bhattacharya 2016-03-22 10:46:55 UTC
Reopening for openSUSE 13.2 and Leap:42.1
Comment 14 Swamp Workflow Management 2016-03-28 16:08:20 UTC
openSUSE-SU-2016:0897-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 948790,948791,958963
CVE References: CVE-2015-7552,CVE-2015-7673,CVE-2015-7674
Sources used:
openSUSE 13.2 (src):    gdk-pixbuf-2.31.6-6.1
Comment 15 Swamp Workflow Management 2016-06-01 13:11:10 UTC
openSUSE-SU-2016:1467-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 948790,948791,958963
CVE References: CVE-2015-7552,CVE-2015-7673,CVE-2015-7674
Sources used:
openSUSE Leap 42.1 (src):    gdk-pixbuf-2.31.6-4.1
Comment 16 Johannes Segitz 2017-08-10 14:12:19 UTC
fixed