Bug 958963 (CVE-2015-7552) - VUL-0: CVE-2015-7552: gdk-pixbuf: heap overflow in flipping bmp files
Summary: VUL-0: CVE-2015-7552: gdk-pixbuf: heap overflow in flipping bmp files
Status: RESOLVED FIXED
Alias: CVE-2015-7552
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Deadline: 2018-08-16
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle10-sp3:64101 CVSSv2...
Keywords:
Depends on:
Blocks:
 
Reported: 2015-12-14 12:17 UTC by Marcus Meissner
Modified: 2020-06-23 17:15 UTC
CC List: 6 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
gdk-pixbuf-flip.c (784 bytes, text/plain) - 2015-12-14 12:17 UTC, Marcus Meissner
overflow.bmp (794 bytes, application/octet-stream) - 2015-12-14 12:17 UTC, Marcus Meissner
Improved reproducer (1.00 KB, text/x-csrc) - 2016-01-25 21:20 UTC, Michael Gorse

Description Marcus Meissner 2015-12-14 12:17:20 UTC
via security@gnome.org, embargoed

From: Gustavo Grieco <gustavo.grieco@imag.fr>
Subject: [security@suse.de] A new  heap overflow in gdk-pixbuf

Hello,

We found a heap overflow in the gdk-pixbuf implementation triggered by the flipping of a bmp file (using gdk_pixbuf_flip). At least, these issues are affecting gdk-pixbuf 2.30 on x86_64 (we tested on a fully updated Ubuntu 14.04). Other versions are probably affected. Please find attached a test case as well as a minimal example of a vulnerable program. The crash is located inside this memcpy:

https://github.com/GNOME/gdk-pixbuf/blob/master/gdk-pixbuf/gdk-pixbuf-scale.c#L546

and the parameters of it should be somehow controllable (maybe because of an integer overflow?). This issue was found using QuickFuzz and does not have a CVE assigned yet.

Regards,
Gustavo.
Comment 1 Marcus Meissner 2015-12-14 12:17:36 UTC
Created attachment 659203
gdk-pixbuf-flip.c

gdk-pixbuf-flip.c reproducer
Comment 2 Marcus Meissner 2015-12-14 12:17:52 UTC
Created attachment 659205
overflow.bmp

overflow.bmp
Comment 3 Marcus Meissner 2015-12-14 12:22:50 UTC
QA REPRODUCER:

gcc -o gdk-pixbuf-flip gdk-pixbuf-flip.c `pkg-config --cflags glib-2.0` `pkg-config --cflags gdk-pixbuf-2.0` `pkg-config --libs gdk-pixbuf-2.0`

./gdk-pixbuf-flip overflow.bmp
Segmentation fault
Comment 5 Swamp Workflow Management 2015-12-14 23:00:43 UTC
bugbot adjusting priority
Comment 6 Scott Reeves 2015-12-14 23:28:17 UTC
Mike - can you take this...
Comment 7 Michael Gorse 2015-12-15 19:32:22 UTC
This was fixed by one of the commits between 2.31.6 and 2.32.0. There were several commits around that time that fixed various overflows. For SLE, we should probably take all of them, although they do not all directly relate to this bug.

Leap at least has 2.31.6; maybe it should just be upgraded to 2.32.0.
Comment 12 Johannes Segitz 2016-01-05 09:26:18 UTC
Reporter sees no need to keep it private. I will wait until Thursday to see if the other distros object, then I'll make this bug public.
Comment 15 Swamp Workflow Management 2016-01-05 12:10:39 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2016-01-19.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/62408
Comment 16 Andreas Stieger 2016-01-05 12:52:34 UTC
https://build.suse.de/request/show/86494

Could you please supersede to include the CVE?
Comment 18 Johannes Segitz 2016-01-07 10:13:54 UTC
Nobody objected, making it public
Comment 19 Forgotten User XYm3-YGTUw 2016-01-21 15:06:20 UTC
I tested the update on SLE11 SP3 & SP4 but it does not seem to be fixed. I used the provided reproducer from comment#3 and I observe the Segmentation fault before as well as after the update is installed.
Comment 21 Forgotten User XYm3-YGTUw 2016-01-22 09:52:46 UTC
(In reply to Michael Gorse from comment #20)
> When I install the version of gtk2 from
> home:mgorse:branches:SUSE:SLE-11-SP2:Update (the patch doesn't seem to be
> present in SUSE:SLE-11-SP2:Update yet), the reproducer doesn't even get to
> the gdk_pixbuf_flip() call; it displays an error saying that there isn't
> enough memory (although that error message is inaccurate, since it's
> actually aborting the call after checking for an overflow). I'm wondering if
> I'm testing the same package that you are testing.

Hi Michael,

I also frequently get the same memory error. The exact output is:
> Gerror: Failed to load image '/tmp/SUSE:Maintenance:1776:87776/overflow.bmp': Not enough memory to load bitmap image

However, I assumed that it is part of the problem, or even reproduction of the bug itself. Please see below the output that I observe when testing the reproducer in comment#3:

                  HOST                       Output            free/total memory
  fletcher.qam.suse.de (sles11sp3-x86_64)  : Not enough memory   622/1879 
    palmer.qam.suse.de (sled11sp3-x86_64)  : Not enough memory   680/1878 
cunningham.qam.suse.de (sles11sp3-i386)    : Segmentation fault  941/1886 
    s390vsw037.suse.de (sles11sp3-s390x)   : Not enough memory     40/867 
     homer.qam.suse.de (sles11sp4-x86_64)  : Not enough memory  1186/2006 
     klaus.qam.suse.de (sled11sp4-x86_64)  : Not enough memory  1181/2006 
    hayley.qam.suse.de (sles11sp4-i386)    : Segmentation fault 1099/1886 
      jeff.qam.suse.de (sled11sp4-i386)    : Segmentation fault 1605/2014 

Now, the issue is that I observe exactly the same output even after the update.
Comment 22 Marcus Meissner 2016-01-22 12:25:30 UTC
the segfault on i586 is
#0  0xb7f8b3d5 in IA__gdk_pixbuf_new_from_data (data=0x17b9c008 "", colorspace=GDK_COLORSPACE_RGB, has_alpha=1, bits_per_sample=8, width=20, height=33554440, rowstride=80, destroy_fn=
    0xb7f88d90 <free_buffer>, destroy_fn_data=0x0) at gdk-pixbuf-data.c:76
#1  0xb7f88d85 in IA__gdk_pixbuf_new (colorspace=GDK_COLORSPACE_RGB, has_alpha=1, bits_per_sample=8, width=20, height=33554440) at gdk-pixbuf.c:273
#2  0xb7fd3725 in DecodeHeader (error=<optimized out>, State=<optimized out>, BIH=<optimized out>, BFH=<optimized out>) at io-bmp.c:439
#3  gdk_pixbuf__bmp_image_load_increment (data=0x804e128, buf=0xbffee1de "z\003X\267ลง\017\240%6\214\233\bt%O\300\302M\264;\rY`\230\306\304\310", <incomplete sequence \326>, size=740, 
    error=0xbffff230) at io-bmp.c:1254
#4  0xb7f8d502 in _gdk_pixbuf_generic_image_load (module=0x804f2a8, f=0x804b008, error=0xbffff230) at gdk-pixbuf-io.c:907
#5  0xb7f8e5e4 in IA__gdk_pixbuf_new_from_file (filename=0xbffff502 "overflow.bmp", error=0xbffff230) at gdk-pixbuf-io.c:1008
#6  0x080486bc in main ()



65              pixbuf = g_object_new (GDK_TYPE_PIXBUF, 
66                                     "colorspace", colorspace,
67                                     "n-channels", has_alpha ? 4 : 3,
68                                     "bits-per-sample", bits_per_sample,
69                                     "has-alpha", has_alpha ? TRUE : FALSE,
70                                     "width", width,

pixbuf is NULL and dereferenced afterwards with
76              pixbuf->destroy_fn = destroy_fn;

a missing pixbuf check might be needed. Not sure why g_object_new could fail though; I have a hard time single-stepping this in the debugger.


The "out of memory" error seems to trigger on the overflowing bitmaps correctly; other checks might have caught this even before.
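The header-derived numbers in the backtrace above (width=20, has_alpha=1, so 4 channels; height=33554440; rowstride=80) are the kind of attacker-controlled values the reporter's email in the description suspects of overflowing: rowstride * height is 2684355200 bytes, which does not fit a 32-bit signed int, and a larger height wraps even a 32-bit size_t to a small allocation that a row-by-row memcpy such as the one in gdk_pixbuf_flip then runs past. The block below is an added example written for this page; it is not gdk-pixbuf's code and not the reproducer attached to this bug. It shows the overflow-checked sizing a loader has to do before allocating the pixel buffer. The function names, the status codes and the constructed height 67108864 used to demonstrate a wrapped 32-bit product are assumptions made here; only the rowstride layout (width * channels bytes at 8 bits per sample, rounded up to a multiple of 4) is modelled on gdk-pixbuf.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not gdk-pixbuf code: overflow-checked pixbuf sizing.
 * Status codes and function names are assumptions made for this example. */
enum {
    PIXBUF_OK = 0,
    PIXBUF_ERR_ARGS = -1,      /* non-positive dimensions or unsupported sample size */
    PIXBUF_ERR_OVERFLOW = -2   /* size does not fit the caller's integer type */
};

/* Row stride laid out like gdk-pixbuf: width * n_channels bytes (8 bits per
 * sample), rounded up to a multiple of 4.  The product is formed in 64 bits and
 * rejected if it does not fit the int gdk-pixbuf uses for rowstride. */
int pixbuf_rowstride_checked(int width, int n_channels, int bits_per_sample,
                             int *rowstride_out)
{
    if (width <= 0 || n_channels <= 0 || bits_per_sample != 8)
        return PIXBUF_ERR_ARGS;
    int64_t row = (int64_t)width * n_channels * (bits_per_sample / 8);
    row = (row + 3) & ~(int64_t)3;      /* 4-byte row alignment */
    if (row > INT_MAX)
        return PIXBUF_ERR_OVERFLOW;
    *rowstride_out = (int)row;
    return PIXBUF_OK;
}

/* Total buffer size rowstride * height.  'limit' is the largest value the
 * allocation size type can hold: INT_MAX if the size is kept in an int,
 * UINT32_MAX for a 32-bit size_t (i586), SIZE_MAX for the native type.
 * Both operands are <= INT_MAX, so the 64-bit unsigned product cannot wrap. */
int pixbuf_bytes_checked(int rowstride, int height, uint64_t limit,
                         uint64_t *bytes_out)
{
    if (rowstride <= 0 || height <= 0)
        return PIXBUF_ERR_ARGS;
    uint64_t bytes = (uint64_t)rowstride * (uint64_t)height;
    if (bytes > limit)
        return PIXBUF_ERR_OVERFLOW;
    *bytes_out = bytes;
    return PIXBUF_OK;
}

/* The unchecked product as a 32-bit size_t computes it: modulo 2^32.  A wrapped
 * result is a small, plausible allocation; copying 'height' rows of 'rowstride'
 * bytes into it afterwards writes far past the end of the heap block. */
uint32_t naive_bytes_u32(int rowstride, int height)
{
    return (uint32_t)rowstride * (uint32_t)height;
}

int main(void)
{
    /* Values taken from the i586 backtrace in comment 22. */
    int width = 20, n_channels = 4, bps = 8, height = 33554440;
    int rowstride = 0;
    uint64_t bytes = 0;

    if (pixbuf_rowstride_checked(width, n_channels, bps, &rowstride) != PIXBUF_OK)
        return 1;
    printf("rowstride = %d\n", rowstride);                     /* 80 */

    /* 80 * 33554440 = 2684355200: rejected for an int, accepted for a 32-bit size_t. */
    printf("int limit:      %d\n",
           pixbuf_bytes_checked(rowstride, height, INT_MAX, &bytes));
    printf("size_t32 limit: %d (%llu bytes)\n",
           pixbuf_bytes_checked(rowstride, height, UINT32_MAX, &bytes),
           (unsigned long long)bytes);

    /* Constructed height (assumption): 80 * 67108864 = 5368709120 wraps to 1 GiB. */
    int big_height = 67108864;
    printf("checked: %d\n",
           pixbuf_bytes_checked(rowstride, big_height, UINT32_MAX, &bytes));
    printf("naive:   %u\n", naive_bytes_u32(rowstride, big_height)); /* 1073741824 */
    return 0;
}
```

The check is deliberately parameterised on the limit of the type that will hold the size: the same header passes a 64-bit build and is only refused by a 32-bit one, which matches the split between "Not enough memory" on x86_64 and the i586 behaviour reported in comment 21 only when the failing allocation, not a wrapped size, is what stops the loader.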
Comment 24 Michael Gorse 2016-01-25 00:44:29 UTC
How much ram is available to the process on the machines that are segfaulting? I don't know if that is somehow related, but, on i586, SP4, and the package from home:mgorse:branches:SUSE:SLE-11-SP2:Update, I either get the "not enough memory" error (when running the vm with 1gb) or the program exits without error (if I assign 4gb). Also, are there any warnings or errors printed to the console before the segfault?
Comment 25 Forgotten User XYm3-YGTUw 2016-01-25 10:09:42 UTC
(In reply to Michael Gorse from comment #24)
> How much ram is available to the process on the machines that are
> segfaulting? I don't know if that is somehow related, but, on i586, SP4, and
> the package from home:mgorse:branches:SUSE:SLE-11-SP2:Update, I either get
> the "not enough memory" error (when running the vm with 1gb) or the program
> exits without error (if I assign 4gb). Also, are there any warnings or
> errors printed to the console before the segfault?

This is the output on the testing machine:

> jeff:~ # gcc `pkg-config --cflags glib-2.0` `pkg-config --cflags gdk-pixbuf-2.0` `pkg-config --libs gdk-pixbuf-2.0` -o /tmp/SUSE:Maintenance:1776:87776/gdk-pixbuf-flip /tmp/SUSE:Maintenance:1776:87776/gdk-pixbuf-flip.c
> jeff:~ # free -m; /tmp/SUSE:Maintenance:1776:87776/gdk-pixbuf-flip /tmp/SUSE:Maintenance:1776:87776/overflow.bmp
>              total       used       free     shared    buffers     cached
> Mem:          2014        671       1343          0        128        487
> -/+ buffers/cache:         55       1959
> Swap:         2053          0       2053
> 
> (process:6495): GLib-GObject-CRITICAL **: gtype.c:2475: initialization assertion failed, use IA__g_type_init() prior to this function
> 
> (process:6495): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
> 
> (process:6495): GLib-GObject-CRITICAL **: g_object_new: assertion `G_TYPE_IS_OBJECT (object_type)' failed
> 
> (process:6495): GLib-GObject-WARNING **: invalid (NULL) pointer instance
> 
> (process:6495): GLib-GObject-CRITICAL **: g_signal_connect_data: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed
> 
> (process:6495): GdkPixbuf-CRITICAL **: gdk_pixbuf_loader_write: assertion `GDK_IS_PIXBUF_LOADER (loader)' failed
> 
> (process:6495): GdkPixbuf-CRITICAL **: gdk_pixbuf_loader_close: assertion `GDK_IS_PIXBUF_LOADER (loader)' failed
> 
> (process:6495): GLib-GObject-CRITICAL **: g_object_unref: assertion `G_IS_OBJECT (object)' failed
> 
> (process:6495): GLib-GObject-CRITICAL **: gtype.c:2475: initialization assertion failed, use IA__g_type_init() prior to this function
> 
> (process:6495): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
> 
> (process:6495): GLib-GObject-CRITICAL **: g_object_new: assertion `G_TYPE_IS_OBJECT (object_type)' failed
> Segmentation fault

Also, I've written the free memory size right before the testing in the table in comment#21 for each host.
Comment 26 Swamp Workflow Management 2016-01-25 12:13:15 UTC
SUSE-SU-2016:0225-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 958963,960155
CVE References: CVE-2015-7552
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    gdk-pixbuf-2.30.6-10.1
SUSE Linux Enterprise Software Development Kit 12 (src):    gdk-pixbuf-2.30.6-10.1
SUSE Linux Enterprise Server 12-SP1 (src):    gdk-pixbuf-2.30.6-10.1
SUSE Linux Enterprise Server 12 (src):    gdk-pixbuf-2.30.6-10.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    gdk-pixbuf-2.30.6-10.1
SUSE Linux Enterprise Desktop 12 (src):    gdk-pixbuf-2.30.6-10.1
Comment 28 Michael Gorse 2016-01-25 21:20:57 UTC
Created attachment 663152
Improved reproducer

Add call to g_type_init().
Add printfs to indicate whether we've bailed for lack of memory vs. successfully executing the flip.
Comment 29 Forgotten User XYm3-YGTUw 2016-01-26 14:22:26 UTC
The improved reproducer produces the same results before and after the update, just like the original. The difference is that, instead of "Segmentation fault", there is the "gdk_pixbuf_flip returned NULL" output. 

Since Michael believes that SLE 11 is not currently vulnerable and since no accurate reproducer exists, shall we accept that the reproducer is not applicable and continue without bug fix validation?
Comment 30 Marcus Meissner 2016-01-27 13:11:57 UTC
I would say lets proceed as suggested.
Comment 31 Swamp Workflow Management 2016-01-29 15:12:20 UTC
SUSE-SU-2016:0282-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 958963,960155
CVE References: CVE-2015-7552
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    gtk2-2.18.9-0.39.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    gtk2-2.18.9-0.39.1
SUSE Linux Enterprise Server for VMWare 11-SP3 (src):    gtk2-2.18.9-0.39.1
SUSE Linux Enterprise Server 11-SP4 (src):    gtk2-2.18.9-0.39.1
SUSE Linux Enterprise Server 11-SP3 (src):    gtk2-2.18.9-0.39.1
SUSE Linux Enterprise Desktop 11-SP4 (src):    gtk2-2.18.9-0.39.1
SUSE Linux Enterprise Desktop 11-SP3 (src):    gtk2-2.18.9-0.39.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    gtk2-2.18.9-0.39.1
Comment 33 Swamp Workflow Management 2016-03-28 16:08:44 UTC
openSUSE-SU-2016:0897-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 948790,948791,958963
CVE References: CVE-2015-7552,CVE-2015-7673,CVE-2015-7674
Sources used:
openSUSE 13.2 (src):    gdk-pixbuf-2.31.6-6.1
Comment 35 Marcus Meissner 2016-05-30 14:36:41 UTC
(last reported by Salvatore Bonaccorso of Debian)
Comment 36 Swamp Workflow Management 2016-06-01 13:11:33 UTC
openSUSE-SU-2016:1467-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 948790,948791,958963
CVE References: CVE-2015-7552,CVE-2015-7673,CVE-2015-7674
Sources used:
openSUSE Leap 42.1 (src):    gdk-pixbuf-2.31.6-4.1
Comment 40 Swamp Workflow Management 2018-08-02 14:05:26 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2018-08-16.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/64100
Comment 45 Alexandros Toptsoglou 2020-04-28 12:27:11 UTC
Done