Bugzilla – Bug 948791
VUL-0: CVE-2015-7674: gdk-pixbuf: Heap overflow with a gif file
Last modified: 2020-06-23 17:15:18 UTC
We found a heap overflow in the gdk-pixbuf implementation triggered by the scaling of a gif file. This issue is only fixed in the recent release, gdk-pixbuf 2.32.1, with this commit: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=e9a5704edaa9aee9498f1fbf6e1b70fcce2e55aa

Use CVE-2015-7674. Apparently the cause of the issue was that the integer data type was incompatible with the details of how bitwise shifts were used. The entry in the 2.32.1 changelog is shown in: https://git.gnome.org/browse/gdk-pixbuf/commit/?id=044bdb059a26608fa8178e16a8505eb7ef56dfd0

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7674
http://seclists.org/oss-sec/2015/q4/19
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-7674.html
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=044bdb059a26608fa8178e16a8505eb7ef56dfd0
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-10-19. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62303
Created attachment 650150 [details]
overflow reproducer gif

overflow reproducer gif from http://seclists.org/oss-sec/2015/q4/32
Created attachment 650151 [details]
overflow PoC

overflow PoC code from http://seclists.org/oss-sec/2015/q4/32

Could you please share your fuzzed sample?

Sure! Please find attached the compressed test case as well as a minimal example of a vulnerable program: it is just a call to gdk_pixbuf_new_from_file_at_size. Trying to attach the test case in the last version of Evolution will also produce a crash. A detailed backtrace of the heap overflow is here:

Program received signal SIGSEGV, Segmentation fault.
0x00007ffff7bced38 in pixops_scale_nearest (dest_has_alpha=<optimized out>, src_has_alpha=<optimized out>, scale_y=1, scale_x=1, src_channels=4, src_rowstride=262076, src_height=4096, src_width=65519, src_buf=0x7fffb599b010 "", dest_channels=4, dest_rowstride=24, render_y1=<optimized out>, render_x1=6, render_y0=<optimized out>, render_x0=0, dest_buf=<optimized out>) at pixops.c:332
332     pixops.c: No such file or directory.
(gdb) bt
#0  0x00007ffff7bced38 in pixops_scale_nearest (dest_has_alpha=<optimized out>, src_has_alpha=<optimized out>, scale_y=1, scale_x=1, src_channels=4, src_rowstride=262076, src_height=4096, src_width=65519, src_buf=0x7fffb599b010 "", dest_channels=4, dest_rowstride=24, render_y1=<optimized out>, render_x1=6, render_y0=<optimized out>, render_x0=0, dest_buf=<optimized out>) at pixops.c:332
#1  _pixops_scale_real (interp_type=interp_type@entry=PIXOPS_INTERP_NEAREST, scale_y=1, scale_x=1, src_has_alpha=1, src_channels=4, src_rowstride=262076, src_height=4096, src_width=65519, src_buf=0x7fffb599b010 "", dest_has_alpha=<optimized out>, dest_channels=4, dest_rowstride=24, render_y1=<optimized out>, render_x1=6, render_y0=<optimized out>, render_x0=0, dest_buf=<optimized out>) at pixops.c:2207
#2  _pixops_scale (dest_buf=<optimized out>, dest_width=dest_width@entry=6, dest_height=dest_height@entry=65532, dest_rowstride=24, dest_channels=4, dest_has_alpha=<optimized out>, src_buf=0x7fffb599b010 "", src_width=65519, src_height=4096, src_rowstride=262076, src_channels=4, src_has_alpha=1, dest_x=dest_x@entry=0, dest_y=dest_y@entry=0, dest_region_width=dest_region_width@entry=6, dest_region_height=dest_region_height@entry=4096, offset_x=offset_x@entry=-32768, offset_y=<optimized out>, scale_x=scale_x@entry=1, scale_y=scale_y@entry=1, interp_type=interp_type@entry=PIXOPS_INTERP_NEAREST) at pixops.c:2285
#3  0x00007ffff7bc6a2d in gdk_pixbuf_scale (src=0x6288a0, dest=0x628850, dest_x=0, dest_y=0, dest_width=6, dest_height=4096, offset_x=-32768, offset_y=<optimized out>, scale_x=1, scale_y=1, interp_type=GDK_INTERP_NEAREST) at gdk-pixbuf-scale.c:147
#4  0x00007ffff595b40b in gif_get_lzw (context=0x6160e0) at io-gif.c:967
#5  gif_main_loop (context=context@entry=0x6160e0) at io-gif.c:1424
#6  0x00007ffff595ba4c in gdk_pixbuf__gif_image_load_increment (data=0x6160e0, buf=0x60fa0c "GIF89a\357\377", size=1357, error=<optimized out>) at io-gif.c:1610
#7  0x00007ffff7bc5a45 in gdk_pixbuf_loader_load_module (loader=loader@entry=0x60f2a0, image_type=image_type@entry=0x0, error=error@entry=0x7ffffffee478) at gdk-pixbuf-loader.c:445
#8  0x00007ffff7bc62b8 in gdk_pixbuf_loader_close (loader=loader@entry=0x60f2a0, error=error@entry=0x7fffffffe548) at gdk-pixbuf-loader.c:810
#9  0x00007ffff7bc3e2a in gdk_pixbuf_new_from_file_at_scale (filename=0x7fffffffe890 "sigsegv.gif", width=<optimized out>, height=<optimized out>, preserve_aspect_ratio=<optimized out>, error=0x7fffffffe548) at gdk-pixbuf-io.c:1372
#10 0x0000000000400838 in main ()
(gdb) x/i $rip
=> 0x7ffff7bced38 <_pixops_scale+1048>: mov    (%r9),%r15d
(gdb) info registers
rax            0x7ffff7e4c010   140737352351760
rbx            0x80068000       2147909632
rcx            0x0              0
rdx            0x80008000       2147516416
rsi            0x7fffb599b010   140736240136208
rdi            0x7ffff7e4c010   140737352351760
rbp            0x80068000       0x80068000
rsp            0x7ffffffee130   0x7ffffffee130
r8             0x1000           4096
r9             0x7fffb597b028   140736240005160
r10            0x10000          65536
r11            0x80068000       2147909632
r12            0x4              4
r13            0x8000           32768
r14            0x80008000       2147516416
r15            0x7ffff7e4c010   140737352351760
rip            0x7ffff7bced38   0x7ffff7bced38 <_pixops_scale+1048>
eflags         0x10206          [ PF IF RF ]
cs             0x33             51
ss             0x2b             43
ds             0x0              0
es             0x0              0
fs             0x0              0
gs             0x0              0

and the valgrind report:

==8162== Memcheck, a memory error detector
==8162== Copyright (C) 2002-2013, and GNU GPL'd, by Julian Seward et al.
==8162== Using Valgrind-3.10.0.SVN and LibVEX; rerun with -h for copyright info
==8162== Command: ../bins/gdk-pixbuf sigsegv.gif
==8162==
==8162== Warning: set address range perms: large range [0x3a00e040, 0x79fca040) (undefined)
==8162== Invalid read of size 4
==8162==    at 0x4E4CD38: _pixops_scale (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E44A2C: gdk_pixbuf_scale (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x74B540A: gif_main_loop (in /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162==    by 0x74B5A4B: gdk_pixbuf__gif_image_load_increment (in /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162==    by 0x4E43A44: gdk_pixbuf_loader_load_module (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E442B7: gdk_pixbuf_loader_close (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E41E29: gdk_pixbuf_new_from_file_at_scale (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x400837: main (in /home/vagrant/repos/QuickFuzz/bins/gdk-pixbuf)
==8162==  Address 0x39fee058 is in the BSS segment of /usr/lib/valgrind/memcheck-amd64-linux
==8162==
==8162== Invalid read of size 4
==8162==    at 0x4E4CD48: _pixops_scale (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E44A2C: gdk_pixbuf_scale (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x74B540A: gif_main_loop (in /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162==    by 0x74B5A4B: gdk_pixbuf__gif_image_load_increment (in /usr/lib/x86_64-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so)
==8162==    by 0x4E43A44: gdk_pixbuf_loader_load_module (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E442B7: gdk_pixbuf_loader_close (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x4E41E29: gdk_pixbuf_new_from_file_at_scale (in /usr/lib/x86_64-linux-gnu/libgdk_pixbuf-2.0.so.0.3000.7)
==8162==    by 0x400837: main (in /home/vagrant/repos/QuickFuzz/bins/gdk-pixbuf)
==8162==  Address 0x39fee058 is in the BSS segment of /usr/lib/valgrind/memcheck-amd64-linux
==8162==
==8162== Warning: set address range perms: large range [0x3a00e028, 0x79fca058) (noaccess)
Gerror: GIF file was missing some data (perhaps it was truncated somehow?)
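The register dump above is consistent with the 32-bit fixed-point arithmetic wrapping: r13 holds 0x8000 (32768, the magnitude of the offset_x=-32768 passed in frame #3), r14 holds 0x80008000 (32768 shifted up by 16 bits plus a half step), and the faulting load at (%r9) lies below src_buf, i.e. a negative column index. The following is an added illustration written for this page, not gdk-pixbuf's own code and not the upstream patch. It assumes the source-column computation has the form render_x0 * x_step + x_step / 2 in 16.16 fixed point (SCALE_SHIFT = 16), which is an assumption about pixops.c; the inputs render_x0 = 32768 and src_width = 65519 are taken from the backtrace as constructed test values.

```c
#include <stdint.h>
#include <stdio.h>

/* 16.16 fixed point; assumed to match pixops.c's SCALE_SHIFT. */
#define SCALE_SHIFT 16

/*
 * Pre-fix shape of the computation (assumed): every intermediate is a
 * 32-bit int. The real code used signed int arithmetic, whose overflow is
 * undefined behaviour in C; here the wraparound is reproduced
 * deterministically with uint32_t and then reinterpreted as int32_t, which
 * is the bit pattern (0x80008000) visible in r14 in the crash above.
 */
static int32_t src_col_int32(int render_x0, double scale_x)
{
    uint32_t x_step = (uint32_t)((1 << SCALE_SHIFT) / scale_x);  /* 65536 at scale 1 */
    uint32_t x = (uint32_t)render_x0 * x_step + x_step / 2;       /* 0x80008000 for 32768 */
    int32_t sx = (int32_t)x;                                      /* now negative */
    return sx >> SCALE_SHIFT;  /* arithmetic shift on gcc/clang: -32768 */
}

/* Post-fix shape: 64-bit intermediates, so the column is what the caller meant. */
static int64_t src_col_int64(int render_x0, double scale_x)
{
    int64_t x_step = (int64_t)((1 << SCALE_SHIFT) / scale_x);
    int64_t x = (int64_t)render_x0 * x_step + x_step / 2;
    return x >> SCALE_SHIFT;
}

/* Bounds-check the widened column against the source width before indexing. */
static int src_col_in_bounds(int render_x0, double scale_x, int src_width)
{
    int64_t col = src_col_int64(render_x0, scale_x);
    return col >= 0 && col < src_width;
}

int main(void)
{
    const int render_x0 = 32768;   /* constructed: |offset_x| from frame #3 */
    const int src_width = 65519;   /* constructed: src_width from frame #0 */

    printf("int32 column: %d (reads before src_buf)\n",
           src_col_int32(render_x0, 1.0));
    printf("int64 column: %lld (in bounds: %d)\n",
           (long long)src_col_int64(render_x0, 1.0),
           src_col_in_bounds(render_x0, 1.0, src_width));
    return 0;
}
```

The negative result from the 32-bit version is the column index that, multiplied by the channel count, puts the read below src_buf; widening the intermediate to 64 bits alone is only half the fix, since an attacker-chosen offset can still land outside the source, so the widened value still has to be range-checked against src_width and src_height before it is used as an index.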
bugbot adjusting priority
A commenter mentioned that an identical construct is used elsewhere: http://seclists.org/oss-sec/2015/q4/36

> The patch fixes pixops_scale_nearest() but AFAICT I think the same
> should be applied to other functions as they use the same construct:
>
> - pixops_composite_nearest()
>
> https://git.gnome.org/browse/gdk-pixbuf/tree/gdk-pixbuf/pixops/pixops.c?id=e9a5704edaa9aee9498f1fbf6e1b70fcce2e55aa#n339
>
> - pixops_composite_color_nearest()
>
> https://git.gnome.org/browse/gdk-pixbuf/tree/gdk-pixbuf/pixops/pixops.c?id=e9a5704edaa9aee9498f1fbf6e1b70fcce2e55aa#n504
>
> - pixops_process()
>
> https://git.gnome.org/browse/gdk-pixbuf/tree/gdk-pixbuf/pixops/pixops.c?id=e9a5704edaa9aee9498f1fbf6e1b70fcce2e55aa#n1316

Michael, if that makes sense to you would you patch this as well and send it upstream?
SUSE-SU-2015:1787-1: An update that solves two vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 922741,942801,948791
CVE References: CVE-2015-4491,CVE-2015-7674
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): gtk2-2.18.9-0.35.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src): gtk2-2.18.9-0.35.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src): gtk2-2.18.9-0.35.1
SUSE Linux Enterprise Server 11-SP4 (src): gtk2-2.18.9-0.35.1
SUSE Linux Enterprise Server 11-SP3 (src): gtk2-2.18.9-0.35.1
SUSE Linux Enterprise Desktop 11-SP4 (src): gtk2-2.18.9-0.35.1
SUSE Linux Enterprise Desktop 11-SP3 (src): gtk2-2.18.9-0.35.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): gtk2-2.18.9-0.35.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-11-25. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62334
SUSE-SU-2015:2195-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 942801,948790,948791
CVE References: CVE-2015-4491,CVE-2015-7673,CVE-2015-7674
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src): gdk-pixbuf-2.30.6-7.1
SUSE Linux Enterprise Server 12 (src): gdk-pixbuf-2.30.6-7.1
SUSE Linux Enterprise Desktop 12 (src): gdk-pixbuf-2.30.6-7.1
SUSE-SU-2015:2195-2: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 942801,948790,948791
CVE References: CVE-2015-4491,CVE-2015-7673,CVE-2015-7674
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): gdk-pixbuf-2.30.6-7.2
SUSE Linux Enterprise Server 12-SP1 (src): gdk-pixbuf-2.30.6-7.2
SUSE Linux Enterprise Desktop 12-SP1 (src): gdk-pixbuf-2.30.6-7.2
Looks like it is still missing the openSUSE submissions.
Atri: We already have the unstable 2.31.6 -> that has become the new 2.32.x stable branch in both 13.2 and Leap. Would you mind taking a stab at bumping this to proper stable that would include the fix for this bug?
I am happy to take it. @mgorse, just to be sure, are you not already working on this for openSUSE? It is assigned to you still.
Re-assigning to security-team. I've submitted patches for GNOME:STABLE:3.16 and 13.2, but just updating to 2.32.3 should also be fine.
openSUSE-SU-2016:0897-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 948790,948791,958963
CVE References: CVE-2015-7552,CVE-2015-7673,CVE-2015-7674
Sources used:
openSUSE 13.2 (src): gdk-pixbuf-2.31.6-6.1
openSUSE-SU-2016:1467-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 948790,948791,958963
CVE References: CVE-2015-7552,CVE-2015-7673,CVE-2015-7674
Sources used:
openSUSE Leap 42.1 (src): gdk-pixbuf-2.31.6-4.1
Still open for SLE 11.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2018-08-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64100
Done