Bugzilla – Bug 958963
VUL-0: CVE-2015-7552: gdk-pixbuf: heap overflow in flipping bmp files
Last modified: 2020-06-23 17:15:22 UTC
via security@gnome.org, embargoed

From: Gustavo Grieco <gustavo.grieco@imag.fr>
Subject: [security@suse.de] A new heap overflow in gdk-pixbuf

Hello,

We found a heap overflow in the gdk-pixbuf implementation triggered by the flipping of a bmp file (using gdk_pixbuf_flip). At least, these issues are affecting gdk-pixbuf 2.30 in x86_64 (we tested in a fully updated Ubuntu 14.04). Other versions are probably affected. Please find attached a test case as well as a minimal example of a vulnerable program.

The crash is located inside this memcpy:
https://github.com/GNOME/gdk-pixbuf/blob/master/gdk-pixbuf/gdk-pixbuf-scale.c#L546
and the parameters of it should be somehow controllable (maybe because of an integer overflow?).

This issue was found using QuickFuzz and does not have a CVE assigned yet.

Regards,
Gustavo.
Created attachment 659203 [details] gdk-pixbuf-flip.c: reproducer
Created attachment 659205 [details] overflow.bmp
QA REPRODUCER:

  gcc -o gdk-pixbuf-flip gdk-pixbuf-flip.c `pkg-config --cflags glib-2.0` `pkg-config --cflags gdk-pixbuf-2.0` `pkg-config --libs gdk-pixbuf-2.0`
  ./gdk-pixbuf-flip overflow.bmp
  Segmentation fault
bugbot adjusting priority
Mike - can you take this...
This was fixed by one of the commits between 2.31.6 and 2.32.0. There were several commits around that time that fixed various overflows. For SLE, we should probably take all of them, although they do not all directly relate to this bug. Leap at least has 2.31.6; maybe it should just be upgraded to 2.32.0.
Reporter sees no need to keep it private. I will wait until Thursday to see if the other distros object, then I'll make this bug public
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2016-01-19. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62408
https://build.suse.de/request/show/86494 Could you please supersede to include the CVE?
Nobody objected, making it public
I tested the update on SLE11 SP3 & SP4 but it does not seem to be fixed. I used the provided reproducer from comment#3 and I observe the Segmentation fault before as well as after the update is installed.
(In reply to Michael Gorse from comment #20)
> When I install the version of gtk2 from home:mgorse:branches:SUSE:SLE-11-SP2:Update (the patch doesn't seem to be present in SUSE:SLE-11-SP2:Update yet), the reproducer doesn't even get to the gdk_pixbuf_flip() call; it displays an error saying that there isn't enough memory (although that error message is inaccurate, since it's actually aborting the call after checking for an overflow). I'm wondering if I'm testing the same package that you are testing.

Hi Michael,

I also frequently get the same memory error. The exact output is:
> Gerror: Failed to load image '/tmp/SUSE:Maintenance:1776:87776/overflow.bmp': Not enough memory to load bitmap image

However, I assumed that it is part of the problem, or even reproduction of the bug itself. Please see below the output that I observe when testing the reproducer in comment#3:

HOST                                        Output               free/total memory (MB)
fletcher.qam.suse.de (sles11sp3-x86_64)     Not enough memory    622/1879
palmer.qam.suse.de (sled11sp3-x86_64)       Not enough memory    680/1878
cunningham.qam.suse.de (sles11sp3-i386)     Segmentation fault   941/1886
s390vsw037.suse.de (sles11sp3-s390x)        Not enough memory    40/867
homer.qam.suse.de (sles11sp4-x86_64)        Not enough memory    1186/2006
klaus.qam.suse.de (sled11sp4-x86_64)        Not enough memory    1181/2006
hayley.qam.suse.de (sles11sp4-i386)         Segmentation fault   1099/1886
jeff.qam.suse.de (sled11sp4-i386)           Segmentation fault   1605/2014

Now, the issue is that I observe exactly the same output even after the update.
the segfault on i586 is

#0  0xb7f8b3d5 in IA__gdk_pixbuf_new_from_data (data=0x17b9c008 "", colorspace=GDK_COLORSPACE_RGB, has_alpha=1, bits_per_sample=8, width=20, height=33554440, rowstride=80, destroy_fn=0xb7f88d90 <free_buffer>, destroy_fn_data=0x0) at gdk-pixbuf-data.c:76
#1  0xb7f88d85 in IA__gdk_pixbuf_new (colorspace=GDK_COLORSPACE_RGB, has_alpha=1, bits_per_sample=8, width=20, height=33554440) at gdk-pixbuf.c:273
#2  0xb7fd3725 in DecodeHeader (error=<optimized out>, State=<optimized out>, BIH=<optimized out>, BFH=<optimized out>) at io-bmp.c:439
#3  gdk_pixbuf__bmp_image_load_increment (data=0x804e128, buf=0xbffee1de "z\003X\267ลง\017\240%6\214\233\bt%O\300\302M\264;\rY`\230\306\304\310", <incomplete sequence \326>, size=740, error=0xbffff230) at io-bmp.c:1254
#4  0xb7f8d502 in _gdk_pixbuf_generic_image_load (module=0x804f2a8, f=0x804b008, error=0xbffff230) at gdk-pixbuf-io.c:907
#5  0xb7f8e5e4 in IA__gdk_pixbuf_new_from_file (filename=0xbffff502 "overflow.bmp", error=0xbffff230) at gdk-pixbuf-io.c:1008
#6  0x080486bc in main ()

65        pixbuf = g_object_new (GDK_TYPE_PIXBUF,
66                               "colorspace", colorspace,
67                               "n-channels", has_alpha ? 4 : 3,
68                               "bits-per-sample", bits_per_sample,
69                               "has-alpha", has_alpha ? TRUE : FALSE,
70                               "width", width,

pixbuf is NULL and dereferenced afterwards with

76        pixbuf->destroy_fn = destroy_fn;

a missing pixbuf check might be needed. Not sure why g_object_new could fail though, I have a hard time singlestepping this in the debugger.

the "out of memory" seems to trigger on the overflowing bitmaps correctly, other checks might have caught this even before.
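The backtrace above shows the BMP loader asking for a 20 x 33554440 pixel RGBA buffer with a rowstride of 80 bytes, i.e. 2684355200 bytes, which is larger than INT_MAX and therefore negative once it lands in a signed 32-bit int; the opening report's guess that the memcpy parameters come from an integer overflow points at the same arithmetic. The following is an added example, not gdk-pixbuf's own code and not the fix applied in the packages discussed here: it shows the overflow-checked size computation a pixbuf allocation needs, the wrapped value the unchecked 32-bit arithmetic produces for these dimensions, and a vertical flip that rejects such dimensions before allocating instead of copying rows into a buffer that is too small. The function names (checked_rowstride, checked_buffer_size, wrapped_int32_size, safe_flip_vertical) and the 2x2 test image are assumptions for the illustration.

```c
/* Added example, not gdk-pixbuf's code: overflow-checked sizing of an
 * 8-bit-per-channel RGB/RGBA pixel buffer and a flip that refuses dimensions
 * whose buffer cannot be sized safely. All function names are assumed. */
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Bytes per row, rounded up to a multiple of 4 as gdk-pixbuf does.
 * Returns -1 when width*channels (+3 for the rounding) does not fit in an int. */
static int checked_rowstride(int width, bool has_alpha)
{
    int channels = has_alpha ? 4 : 3;
    if (width <= 0 || width > (INT_MAX - 3) / channels)
        return -1;
    return (width * channels + 3) & ~3;
}

/* height*rowstride as a size_t, or 0 when the dimensions are invalid, the
 * product would wrap, or it exceeds a caller-chosen limit (INT_MAX is the
 * natural limit when the result is later stored in an int, as on i586). */
static size_t checked_buffer_size(int width, int height, bool has_alpha, size_t limit)
{
    int rowstride = checked_rowstride(width, has_alpha);
    if (rowstride < 0 || height <= 0)
        return 0;
    if ((size_t)height > SIZE_MAX / (size_t)rowstride)
        return 0;                               /* product would wrap */
    size_t total = (size_t)height * (size_t)rowstride;
    return total > limit ? 0 : total;
}

/* The unchecked 32-bit arithmetic for comparison: height*rowstride computed
 * modulo 2^32 (done in unsigned so the demonstration is well-defined) and
 * then read back as a two's-complement int, which is what a naive
 * `int bytes = height * rowstride;` ends up holding. */
static int64_t wrapped_int32_size(int width, int height, bool has_alpha)
{
    uint32_t channels = has_alpha ? 4u : 3u;
    uint32_t rowstride = ((uint32_t)width * channels + 3u) & ~3u;
    uint32_t total = (uint32_t)height * rowstride;      /* wraps mod 2^32 */
    return total > (uint32_t)INT32_MAX ? (int64_t)total - 4294967296LL
                                       : (int64_t)total;
}

/* Vertical flip: rows of src are copied bottom-up into a fresh buffer.
 * Returns NULL, allocating nothing, when the dimensions fail the size check,
 * so a crafted header never reaches the memcpy loop. */
static unsigned char *safe_flip_vertical(const unsigned char *src, int width,
                                         int height, bool has_alpha, size_t limit)
{
    size_t total = checked_buffer_size(width, height, has_alpha, limit);
    if (total == 0)
        return NULL;
    size_t rowstride = (size_t)checked_rowstride(width, has_alpha);
    unsigned char *dst = malloc(total);
    if (dst == NULL)
        return NULL;
    for (int y = 0; y < height; y++)
        memcpy(dst + (size_t)y * rowstride,
               src + (size_t)(height - 1 - y) * rowstride, rowstride);
    return dst;
}

int main(void)
{
    /* Dimensions taken from the backtrace in this bug: 20 x 33554440 RGBA. */
    printf("rowstride                    = %d\n", checked_rowstride(20, true));
    printf("wrapped 32-bit size          = %lld\n",
           (long long)wrapped_int32_size(20, 33554440, true));
    printf("checked size (limit INT_MAX) = %zu\n",
           checked_buffer_size(20, 33554440, true, (size_t)INT_MAX));
    unsigned char *p = safe_flip_vertical(NULL, 20, 33554440, true, (size_t)INT_MAX);
    printf("flip of crafted dimensions   = %s\n", p ? "allocated" : "rejected");
    free(p);
    return 0;
}
```

Rejecting the dimensions before allocation is the same shape of behaviour the fixed gtk2 package shows in the QA exchange below, where the load aborts with a "Not enough memory" error after the overflow check rather than crashing in the flip.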
How much ram is available to the process on the machines that are segfaulting? I don't know if that is somehow related, but, on i586, SP4, and the package from home:mgorse:branches:SUSE:SLE-11-SP2:Update, I either get the "not enough memory" error (when running the vm with 1gb) or the program exits without error (if I assign 4gb). Also, are there any warnings or errors printed to the console before the segfault?
(In reply to Michael Gorse from comment #24)
> How much ram is available to the process on the machines that are segfaulting? I don't know if that is somehow related, but, on i586, SP4, and the package from home:mgorse:branches:SUSE:SLE-11-SP2:Update, I either get the "not enough memory" error (when running the vm with 1gb) or the program exits without error (if I assign 4gb). Also, are there any warnings or errors printed to the console before the segfault?

This is the output on the testing machine:

> jeff:~ # gcc `pkg-config --cflags glib-2.0` `pkg-config --cflags gdk-pixbuf-2.0` `pkg-config --libs gdk-pixbuf-2.0` -o /tmp/SUSE:Maintenance:1776:87776/gdk-pixbuf-flip /tmp/SUSE:Maintenance:1776:87776/gdk-pixbuf-flip.c
> jeff:~ # free -m; /tmp/SUSE:Maintenance:1776:87776/gdk-pixbuf-flip /tmp/SUSE:Maintenance:1776:87776/overflow.bmp
>              total       used       free     shared    buffers     cached
> Mem:          2014        671       1343          0        128        487
> -/+ buffers/cache:         55       1959
> Swap:         2053          0       2053
>
> (process:6495): GLib-GObject-CRITICAL **: gtype.c:2475: initialization assertion failed, use IA__g_type_init() prior to this function
>
> (process:6495): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
>
> (process:6495): GLib-GObject-CRITICAL **: g_object_new: assertion `G_TYPE_IS_OBJECT (object_type)' failed
>
> (process:6495): GLib-GObject-WARNING **: invalid (NULL) pointer instance
>
> (process:6495): GLib-GObject-CRITICAL **: g_signal_connect_data: assertion `G_TYPE_CHECK_INSTANCE (instance)' failed
>
> (process:6495): GdkPixbuf-CRITICAL **: gdk_pixbuf_loader_write: assertion `GDK_IS_PIXBUF_LOADER (loader)' failed
>
> (process:6495): GdkPixbuf-CRITICAL **: gdk_pixbuf_loader_close: assertion `GDK_IS_PIXBUF_LOADER (loader)' failed
>
> (process:6495): GLib-GObject-CRITICAL **: g_object_unref: assertion `G_IS_OBJECT (object)' failed
>
> (process:6495): GLib-GObject-CRITICAL **: gtype.c:2475: initialization assertion failed, use IA__g_type_init() prior to this function
>
> (process:6495): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed
>
> (process:6495): GLib-GObject-CRITICAL **: g_object_new: assertion `G_TYPE_IS_OBJECT (object_type)' failed
> Segmentation fault

Also, I've written the free memory size right before the testing in the table in comment#21 for each host.
SUSE-SU-2016:0225-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 958963,960155
CVE References: CVE-2015-7552
Sources used:
  SUSE Linux Enterprise Software Development Kit 12-SP1 (src): gdk-pixbuf-2.30.6-10.1
  SUSE Linux Enterprise Software Development Kit 12 (src): gdk-pixbuf-2.30.6-10.1
  SUSE Linux Enterprise Server 12-SP1 (src): gdk-pixbuf-2.30.6-10.1
  SUSE Linux Enterprise Server 12 (src): gdk-pixbuf-2.30.6-10.1
  SUSE Linux Enterprise Desktop 12-SP1 (src): gdk-pixbuf-2.30.6-10.1
  SUSE Linux Enterprise Desktop 12 (src): gdk-pixbuf-2.30.6-10.1
Created attachment 663152 [details] Improved reproducer Add call to g_type_init(). Add printfs to indicate whether we've bailed for lack of memory vs. successfully executing the flip.
The improved reproducer produces the same results before and after the update, just like the original. The difference is that, instead of "Segmentation fault", there is the "gdk_pixbuf_flip returned NULL" output. Since Michael believes that SLE 11 is not currently vulnerable and since no accurate reproducer exists, shall we accept that the reproducer is not applicable and continue without bug fix validation?
I would say let's proceed as suggested.
SUSE-SU-2016:0282-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 958963,960155
CVE References: CVE-2015-7552
Sources used:
  SUSE Linux Enterprise Software Development Kit 11-SP4 (src): gtk2-2.18.9-0.39.1
  SUSE Linux Enterprise Software Development Kit 11-SP3 (src): gtk2-2.18.9-0.39.1
  SUSE Linux Enterprise Server for VMWare 11-SP3 (src): gtk2-2.18.9-0.39.1
  SUSE Linux Enterprise Server 11-SP4 (src): gtk2-2.18.9-0.39.1
  SUSE Linux Enterprise Server 11-SP3 (src): gtk2-2.18.9-0.39.1
  SUSE Linux Enterprise Desktop 11-SP4 (src): gtk2-2.18.9-0.39.1
  SUSE Linux Enterprise Desktop 11-SP3 (src): gtk2-2.18.9-0.39.1
  SUSE Linux Enterprise Debuginfo 11-SP4 (src): gtk2-2.18.9-0.39.1
openSUSE-SU-2016:0897-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 948790,948791,958963
CVE References: CVE-2015-7552,CVE-2015-7673,CVE-2015-7674
Sources used:
  openSUSE 13.2 (src): gdk-pixbuf-2.31.6-6.1
so far applied:
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=7b10db13ff370bf2500688054249101ff175a942
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=ca74893a8e06e99b4adc682ee1550bfd020687c7
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=b7bf6fbfb310fceba2d35d4de143b8d5ffdad990

missing one more integer overflow fix:
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=4f68cb78a5277f169b9531e6998c00c7976594e4 (2.31.7)

The last commit is NOT in 13.2:Update, so we need that again. The last commit is in SLE12 Update.
(last reported by Salvatore Bonaccorso of Debian)
openSUSE-SU-2016:1467-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 948790,948791,958963
CVE References: CVE-2015-7552,CVE-2015-7673,CVE-2015-7674
Sources used:
  openSUSE Leap 42.1 (src): gdk-pixbuf-2.31.6-4.1
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2018-08-16. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/64100
Done