Bug 1174307

Summary: VUL-0: gdk-pixbuf: integer underflow in the GIF loader
Product: [openSUSE] openSUSE Tumbleweed
Reporter: Wolfgang Frisch <wolfgang.frisch>
Component: Security
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P3 - Medium
CC: atoptsoglou, wolfgang.frisch, yfjiang, zcjia
Version: Current
Target Milestone: Current
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/264045/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Wolfgang Frisch 2020-07-20 11:12:55 UTC
An integer underflow bug was found in the GIF loader of gdk-pixbuf. Given a crafted input, it will abort with a segmentation fault.

Steps to reproduce:
wget https://gitlab.gnome.org/GNOME/gdk-pixbuf/uploads/a68dee3aaf8b80634f0b10d3f536e714/poc1.zip
unzip poc1.zip
gdk-pixbuf-pixdata poc1 /dev/null

References:
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/132
Comment 1 Wolfgang Frisch 2020-07-20 11:36:08 UTC
Alternative reproducer:
valgrind --tool=memcheck gdk-pixbuf-thumbnailer poc1 /dev/null

BAD:
==8381== Invalid write of size 8
==8381==    at 0x483F42B: memset (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
...

The bug appears to have been introduced recently.

openSUSE:Factory           Affected
SUSE:SLE-15-SP2:Update     Not affected
SUSE:SLE-15:Update         Not affected
SUSE:SLE-12-SP2:Update     Not affected
SUSE:SLE-11:Update         Not affected
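The report above describes the failure mode (an unsigned subtraction in the GIF loader that wraps, followed by a memset that writes far past its buffer) without quoting the offending arithmetic. The following is an added example, not code from gdk-pixbuf or from this bug report, that shows the pattern on the public GIF89a byte layout: a minimal header walker reads the logical screen descriptor and the first image descriptor, an unchecked "gap" computation wraps when the frame does not fit inside the screen, and a checked version rejects the frame before subtracting. The sample header is constructed here and is not the poc1 file; that this is the same arithmetic as the real io-gif.c defect is an assumption.

```c
/* Added example (not gdk-pixbuf code): an unchecked frame geometry
 * computation beside its bounds-checked form, driven by a constructed
 * GIF89a header.  Whether gdk-pixbuf's actual bug wraps exactly this
 * subtraction is an assumption; the byte layout is the public GIF format. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct gif_frame {
    uint16_t screen_w, screen_h;   /* logical screen descriptor */
    uint16_t left, top, w, h;      /* image descriptor */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse signature, logical screen descriptor, optional global color table
 * and the first image descriptor.  Extension blocks (0x21) are not handled;
 * the constructed samples below have none.  Returns 0 on success, -1 on
 * truncated or malformed input. */
int gif_parse_first_frame(const uint8_t *buf, size_t len, struct gif_frame *f)
{
    if (len < 13) return -1;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return -1;
    f->screen_w = le16(buf + 6);
    f->screen_h = le16(buf + 8);
    uint8_t packed = buf[10];
    size_t off = 13;
    if (packed & 0x80)                       /* global color table present */
        off += (size_t)3 << ((packed & 0x07) + 1);
    if (len < off + 10 || buf[off] != 0x2C)  /* image separator */
        return -1;
    f->left = le16(buf + off + 1);
    f->top  = le16(buf + off + 3);
    f->w    = le16(buf + off + 5);
    f->h    = le16(buf + off + 7);
    return 0;
}

/* Unsafe pattern: the number of pixels to the right of the frame is computed
 * with unsigned arithmetic and no bounds check.  When left + w exceeds the
 * screen width the result wraps to a value near SIZE_MAX; a memset() or
 * row fill using it as a length is the "Invalid write" valgrind reports. */
size_t unsafe_right_gap(const struct gif_frame *f)
{
    return (size_t)f->screen_w - (size_t)f->left - (size_t)f->w;
}

/* Hardened form: check that the frame lies inside the logical screen with
 * additions (which cannot underflow on 16-bit operands) before subtracting.
 * Returns -1 and leaves *gap untouched for an out-of-bounds frame. */
int checked_right_gap(const struct gif_frame *f, size_t *gap)
{
    if ((uint32_t)f->left + f->w > f->screen_w) return -1;
    if ((uint32_t)f->top  + f->h > f->screen_h) return -1;
    *gap = (size_t)f->screen_w - f->left - f->w;
    return 0;
}

/* Constructed samples (not the poc1 file): a 4x4 logical screen. */
static const uint8_t crafted_gif[] = {           /* frame 8x4 at x=2: too wide */
    'G','I','F','8','9','a',
    0x04,0x00, 0x04,0x00, 0x00, 0x00, 0x00,      /* 4x4, no GCT, bg, aspect */
    0x2C, 0x02,0x00, 0x00,0x00, 0x08,0x00, 0x04,0x00, 0x00
};
static const uint8_t benign_gif[] = {            /* frame 2x4 at x=1: fits */
    'G','I','F','8','9','a',
    0x04,0x00, 0x04,0x00, 0x00, 0x00, 0x00,
    0x2C, 0x01,0x00, 0x00,0x00, 0x02,0x00, 0x04,0x00, 0x00
};

int main(void)
{
    struct gif_frame f;
    size_t gap = 0;
    if (gif_parse_first_frame(crafted_gif, sizeof crafted_gif, &f) != 0) return 1;
    printf("frame %ux%u at (%u,%u) on %ux%u screen\n",
           f.w, f.h, f.left, f.top, f.screen_w, f.screen_h);
    printf("unchecked gap: %zu\n", unsafe_right_gap(&f));
    printf("checked: %s\n", checked_right_gap(&f, &gap) == 0 ? "ok" : "rejected");
    return 0;
}
```

The same additive check is what a reviewer would look for in any loader that positions a sub-image inside a larger canvas: validate `left + w <= screen_w` and `top + h <= screen_h` first, then do the subtraction, rather than subtracting and hoping the result is small.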
Comment 2 OBSbugzilla Bot 2020-07-27 12:40:07 UTC
This is an autogenerated message for OBS integration:
This bug (1174307) was mentioned in
https://build.opensuse.org/request/show/822966 Factory / gdk-pixbuf
Comment 3 Jia Zhaocong 2021-01-07 09:06:18 UTC
Hi Wolfgang, although the fix was released to Tumbleweed, while working on another gdk-pixbuf CVE fix I found that this bug actually affects (at least) SLE-15-SP2.

Can you give this another look please?
Comment 5 Jia Zhaocong 2021-01-20 06:41:33 UTC
Assigning back to security-team for reevaluation.
Comment 6 Jia Zhaocong 2021-01-20 06:43:27 UTC
Fix for SLE-15-SP2 is submitted and accepted.
Comment 7 Wolfgang Frisch 2021-01-20 17:04:23 UTC
Indeed SLE-15-SP2 is affected.
The bug is not reproducible on SLE-15-SP1 and earlier.
Comment 8 Swamp Workflow Management 2021-01-21 14:17:56 UTC
SUSE-SU-2021:0184-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1174307,1180393
CVE References: CVE-2020-29385
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Desktop Applications 15-SP2 (src):    gdk-pixbuf-2.40.0-3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    gdk-pixbuf-2.40.0-3.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2021-01-24 20:16:54 UTC
openSUSE-SU-2021:0150-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1174307,1180393
CVE References: CVE-2020-29385
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    gdk-pixbuf-2.40.0-lp152.2.3.1
Comment 10 Wolfgang Frisch 2021-02-01 13:11:52 UTC
Released.