Bugzilla – Bug 948790
VUL-0: CVE-2015-7673: gdk-pixbuf: Heap overflow and DoS with a tga file
Last modified: 2019-05-22 01:03:29 UTC
We found a heap overflow and a DoS in the gdk-pixbuf implementation triggered by the scaling of a tga file. These issues are only fixed in the recent release of gdk-pixbuf 2.32.1
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=19f9685dbff7d1f929c61cf99188df917a18811d
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=edf6fb8d856574bc3bb3a703037f56533229267c
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=6ddca835100107e6b5841ce9d56074f6d98c387e

Use CVE-2015-7673.

Apparently the cause of the issue was use of heap memory after an allocation failure.
Fixed in 2.32.0, changelog: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=02a76ac6956ee1418da926d6f2cedb78525495b7

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7673
http://seclists.org/oss-sec/2015/q4/18
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7673.html
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=19f9685dbff7d1f929c61cf99188df917a18811d
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=edf6fb8d856574bc3bb3a703037f56533229267c
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=6ddca835100107e6b5841ce9d56074f6d98c387e

Different from bsc#942801 CVE-2015-4491: gdk-pixbuf bug-fix stable update (fixing possible security vulnerability)

I asked the researcher for a crasher.
Created attachment 650147 [details]
PoC code

PoC code from http://seclists.org/oss-sec/2015/q4/31

> Could you make them available please?

Sure! Please find attached the two test cases as well as a minimal example of a vulnerable program: it is just a call to gdk_pixbuf_new_from_file_at_size.

Also, a detailed backtrace of the heap overflow is here:

Starting program: pixbuf_vuln_poc overflow.tga
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
scale_line (weights=weights@entry=0x2aab3c468c10, n_x=148, n_y=148, dest=dest@entry=0x630ee0 "", dest_x=dest_x@entry=0, dest_end=dest_end@entry=0x631144 "", dest_channels=dest_channels@entry=4, dest_has_alpha=dest_has_alpha@entry=1, src=src@entry=0x63ce60, src_channels=src_channels@entry=4, src_has_alpha=src_has_alpha@entry=1, x_init=<optimized out>, x_step=x_step@entry=9629110, src_width=src_width@entry=22627, check_size=check_size@entry=0, color1=color1@entry=0, color2=color2@entry=0) at pixops.c:974
974
(gdb) bt
#0  scale_line (weights=weights@entry=0x2aab3c468c10, n_x=148, n_y=148, dest=dest@entry=0x630ee0 "", dest_x=dest_x@entry=0, dest_end=dest_end@entry=0x631144 "", dest_channels=dest_channels@entry=4, dest_has_alpha=dest_has_alpha@entry=1, src=src@entry=0x63ce60, src_channels=src_channels@entry=4, src_has_alpha=src_has_alpha@entry=1, x_init=<optimized out>, x_step=x_step@entry=9629110, src_width=src_width@entry=22627, check_size=check_size@entry=0, color1=color1@entry=0, color2=color2@entry=0) at pixops.c:974
#1  0x00002aaaaace5698 in pixops_process (dest_buf=<optimized out>, render_x0=0, render_y0=<optimized out>, render_x1=<optimized out>, render_y1=<optimized out>, dest_rowstride=<optimized out>, dest_channels=4, dest_has_alpha=1, src_buf=0x2aaaad14f010 "", src_width=22627, src_height=26435, src_rowstride=90508, src_channels=4, src_has_alpha=1, scale_x=<optimized out>, scale_y=<optimized out>, check_x=0, check_y=0, check_size=0, color1=0, color2=0, filter=0x7ffffffedc90, line_func=0x2aaaaace3c10 <scale_line>, pixel_func=0x2aaaaace49a0 <scale_pixel>) at pixops.c:1366
#2  0x00002aaaaace5f09 in _pixops_scale_real (interp_type=PIXOPS_INTERP_BILINEAR, interp_type@entry=PIXOPS_INTERP_NEAREST, scale_y=0,0068091545299791946, scale_x=0,0068060281964025283, src_has_alpha=1, src_channels=4, src_rowstride=90508, src_height=26435, src_width=22627, src_buf=0x2aaaad14f010 "", dest_has_alpha=1, dest_channels=4, dest_rowstride=616, render_y1=<optimized out>, render_x1=154, render_y0=<optimized out>, render_x0=0, dest_buf=<optimized out>) at pixops.c:2230
#3  _pixops_scale (dest_buf=<optimized out>, dest_width=dest_width@entry=154, dest_height=dest_height@entry=180, dest_rowstride=616, dest_channels=4, dest_has_alpha=1, src_buf=0x2aaaad14f010 "", src_width=22627, src_height=26435, src_rowstride=90508, src_channels=4, src_has_alpha=1, dest_x=dest_x@entry=0, dest_y=dest_y@entry=0, dest_region_width=dest_region_width@entry=154, dest_region_height=dest_region_height@entry=180, offset_x=offset_x@entry=0, offset_y=<optimized out>, scale_x=scale_x@entry=0,0068060281964025283, scale_y=scale_y@entry=0,0068091545299791946, interp_type=interp_type@entry=PIXOPS_INTERP_BILINEAR) at pixops.c:2285
#4  0x00002aaaaacdda2d in gdk_pixbuf_scale (src=0x618000, dest=0x618050, dest_x=0, dest_y=0, dest_width=154, dest_height=180, offset_x=0, offset_y=<optimized out>, scale_x=0,0068060281964025283, scale_y=0,0068091545299791946, interp_type=GDK_INTERP_BILINEAR) at gdk-pixbuf-scale.c:147
#5  0x00002aaaaacde07a in gdk_pixbuf_scale_simple (src=src@entry=0x618000, dest_width=154, dest_height=dest_height@entry=180, interp_type=interp_type@entry=GDK_INTERP_BILINEAR) at gdk-pixbuf-scale.c:321
#6  0x00002aaaaacdf340 in get_scaled_pixbuf (scaled=0x616440, pixbuf=0x618000) at gdk-pixbuf-scaled-anim.c:138
#7  0x00002aaaaacdae88 in gdk_pixbuf_new_from_file_at_scale (filename=0x7fffffffe36b "overflow.tga", width=<optimized out>, height=<optimized out>, preserve_aspect_ratio=<optimized out>, error=0x7fffffffdee0) at gdk-pixbuf-io.c:1377
#8  0x00000000004007b8 in main ()
(gdb) x/i $rip
=> 0x2aaaaace3dd0 <scale_line+448>: movzbl 0x3(%rcx),%edx
(gdb) info registers
rax     0x0                 0
rbx     0x94                148
rcx     0x2aaa2d6d51c4      46910394945988
rdx     0x0                 0
rsi     0x4                 4
rdi     0x2aab3c468c10      46914939030544
rbp     0x2aab3c468e60      0x2aab3c468e60
rsp     0x7ffffffeda18      0x7ffffffeda18
r8      0x0                 0
r9      0x0                 0
r10     0x0                 0
r11     0x0                 0
r12     0x0                 0
r13     0x63ce60            6540896
r14     0x2aab3c468c10      46914939030544
r15     0x94                148
rip     0x2aaaaace3dd0      0x2aaaaace3dd0 <scale_line+448>
eflags  0x10202             [ IF RF ]
cs      0x33                51
ss      0x2b                43
ds      0x0                 0
es      0x0                 0
fs      0x0                 0
gs      0x0                 0

And the backtrace of the DoS here:

Starting program: pixbuf_vuln_poc DoS.tga
[Depuración de hilo usando libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".

Program received signal SIGSEGV, Segmentation fault.
0x00002aaaacf4c384 in parse_data_for_row_pseudocolor (ctx=0x614ca0) at io-tga.c:367
367
(gdb) bt
#0  0x00002aaaacf4c384 in parse_data_for_row_pseudocolor (ctx=0x614ca0) at io-tga.c:367
#1  parse_data_for_row (err=0x7ffffffede28, ctx=0x614ca0) at io-tga.c:413
#2  gdk_pixbuf__tga_load_increment (data=0x614ca0, buffer=<optimized out>, size=<optimized out>, err=0x7ffffffede28) at io-tga.c:922
#3  0x00002aaaaacdca45 in gdk_pixbuf_loader_load_module (loader=loader@entry=0x60f200, image_type=image_type@entry=0x0, error=error@entry=0x7ffffffede28) at gdk-pixbuf-loader.c:445
#4  0x00002aaaaacdd2b8 in gdk_pixbuf_loader_close (loader=loader@entry=0x60f200, error=error@entry=0x7fffffffdef0) at gdk-pixbuf-loader.c:810
#5  0x00002aaaaacdae2a in gdk_pixbuf_new_from_file_at_scale (filename=0x7fffffffe370 "DoS.tga", width=<optimized out>, height=<optimized out>, preserve_aspect_ratio=<optimized out>, error=0x7fffffffdef0) at gdk-pixbuf-io.c:1372
#6  0x00000000004007b8 in main ()
(gdb) x/i $rip
=> 0x2aaaacf4c384 <gdk_pixbuf__tga_load_increment+612>: mov 0x8(%rdx),%rdx
(gdb) info registers
rax     0x6163e0            6382560
rbx     0x614ca0            6376608
rcx     0x7                 7
rdx     0x0                 0
rsi     0x611b02            6363906
rdi     0x618000            6389760
rbp     0x7ffffffede28      0x7ffffffede28
rsp     0x7ffffffedd80      0x7ffffffedd80
r8      0x616200            6382080
r9      0x6163e7            6382567
r10     0x8                 8
r11     0x2aaaaaf05c10      46912500685840
r12     0x0                 0
r13     0x0                 0
r14     0x15                21
r15     0xb                 11
rip     0x2aaaacf4c384      0x2aaaacf4c384 <gdk_pixbuf__tga_load_increment+612>
eflags  0x10202             [ IF RF ]
cs      0x33                51
ss      0x2b                43
ds      0x0                 0
es      0x0                 0
fs      0x0                 0
gs      0x0                 0
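The bug class named earlier in this report is a decoder that keeps going after a pixel-buffer allocation has failed. The C program below is an added illustration of the defensive pattern, not gdk-pixbuf's code and not its fix; every name in it (image_t, pixel_buffer_size, image_alloc, image_fill_row, try_load) is hypothetical. It takes the source dimensions the overflow backtrace reports (22627 x 26435, 4 channels, which at 4 bytes per pixel is about 2.4 GB) as constructed input, checks the width*height*channels arithmetic for overflow, applies an explicit byte budget, and turns a NULL from malloc into an error the caller must handle, so that no row writer ever runs against a buffer that does not exist.

```c
/* Added illustration of the allocation-failure pattern behind this bug
 * class; not gdk-pixbuf's code and not its fix. All names are hypothetical.
 * Width, height and channel count come from an untrusted file header. */
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    uint32_t width, height, channels;
    uint8_t *pixels;   /* NULL until image_alloc succeeds */
    size_t   bytes;
} image_t;

typedef enum { IMG_OK = 0, IMG_ERR_DIMENSIONS, IMG_ERR_TOO_LARGE, IMG_ERR_NOMEM } img_status;

/* width * height * channels with overflow detection; false means "reject". */
bool pixel_buffer_size(uint32_t width, uint32_t height, uint32_t channels, size_t *out)
{
    if (width == 0 || height == 0 || channels == 0 || channels > 4)
        return false;
    uint64_t pixels = (uint64_t)width * height;      /* fits in 64 bits */
    if (pixels > UINT64_MAX / channels)
        return false;
    uint64_t bytes = pixels * channels;
    if (bytes > (uint64_t)SIZE_MAX)                  /* matters on 32-bit size_t */
        return false;
    *out = (size_t)bytes;
    return true;
}

/* Checked buffer size, or 0 when the dimensions are rejected. */
size_t checked_size(uint32_t width, uint32_t height, uint32_t channels)
{
    size_t bytes;
    return pixel_buffer_size(width, height, channels, &bytes) ? bytes : 0;
}

/* Allocates under a caller-chosen byte budget. A failed malloc is reported
 * to the caller instead of being carried forward as a NULL img->pixels. */
img_status image_alloc(image_t *img, uint32_t width, uint32_t height,
                       uint32_t channels, size_t max_bytes)
{
    size_t bytes;
    memset(img, 0, sizeof *img);
    if (!pixel_buffer_size(width, height, channels, &bytes))
        return IMG_ERR_DIMENSIONS;
    if (bytes > max_bytes)
        return IMG_ERR_TOO_LARGE;   /* policy limit, e.g. 256 MiB per image */
    img->pixels = malloc(bytes);
    if (img->pixels == NULL)
        return IMG_ERR_NOMEM;       /* the branch this bug class forgets */
    img->width = width; img->height = height; img->channels = channels;
    img->bytes = bytes;
    return IMG_OK;
}

/* Row writer that refuses to touch an unallocated buffer or an out-of-range row. */
bool image_fill_row(image_t *img, uint32_t row, uint8_t value)
{
    if (img->pixels == NULL || row >= img->height)
        return false;
    size_t stride = (size_t)img->width * img->channels;
    memset(img->pixels + (size_t)row * stride, value, stride);
    return true;
}

void image_free(image_t *img)
{
    free(img->pixels);
    img->pixels = NULL;
    img->bytes = 0;
}

/* Full cycle as a decoder would run it: allocate, write the last row, free.
 * Returns the img_status so callers can see which check rejected the input. */
int try_load(uint32_t width, uint32_t height, uint32_t channels, size_t max_bytes)
{
    image_t img;
    img_status st = image_alloc(&img, width, height, channels, max_bytes);
    if (st == IMG_OK) {
        image_fill_row(&img, height - 1, 0xff);
        image_free(&img);
    }
    return st;
}

int main(void)
{
    /* Constructed input: the source dimensions reported in the overflow backtrace. */
    uint32_t w = 22627, h = 26435;
    size_t budget = 256u * 1024u * 1024u;
    printf("%" PRIu32 " x %" PRIu32 " x 4 -> %zu bytes, status %d (0 = OK, 2 = over budget)\n",
           w, h, checked_size(w, h, 4), try_load(w, h, 4, budget));
    return 0;
}
```

The byte budget is the piece that also covers the DoS side: a 2.4 GB request may succeed on a large machine and simply exhaust memory, so a size check that only asks "did malloc return NULL?" is not enough on its own.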
Created attachment 650148 [details]
DoS reproducer file

DoS reproducer file from http://seclists.org/oss-sec/2015/q4/31
Created attachment 650149 [details]
overflow reproducer file

overflow reproducer file from http://seclists.org/oss-sec/2015/q4/31
bugbot adjusting priority
Reassigning to security-team.
SUSE-SU-2015:2195-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 942801,948790,948791
CVE References: CVE-2015-4491,CVE-2015-7673,CVE-2015-7674
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): gdk-pixbuf-2.30.6-7.1
SUSE Linux Enterprise Server 12 (src): gdk-pixbuf-2.30.6-7.1
SUSE Linux Enterprise Desktop 12 (src): gdk-pixbuf-2.30.6-7.1
Releasing for SLE 12 SP1, last one.
SUSE-SU-2015:2195-2: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 942801,948790,948791
CVE References: CVE-2015-4491,CVE-2015-7673,CVE-2015-7674
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): gdk-pixbuf-2.30.6-7.2
SUSE Linux Enterprise Server 12-SP1 (src): gdk-pixbuf-2.30.6-7.2
SUSE Linux Enterprise Desktop 12-SP1 (src): gdk-pixbuf-2.30.6-7.2
Reopening for openSUSE 13.2 and Leap:42.1
openSUSE-SU-2016:0897-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 948790,948791,958963
CVE References: CVE-2015-7552,CVE-2015-7673,CVE-2015-7674
Sources used:
openSUSE 13.2 (src): gdk-pixbuf-2.31.6-6.1
openSUSE-SU-2016:1467-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 948790,948791,958963
CVE References: CVE-2015-7552,CVE-2015-7673,CVE-2015-7674
Sources used:
openSUSE Leap 42.1 (src): gdk-pixbuf-2.31.6-4.1
fixed