Bugzilla – Bug 789835
VUL-0: CVE-2012-4433: gegl: Integer overflow, leading to heap-based buffer overflow by parsing PPM image headers
Last modified: 2018-10-30 14:42:31 UTC
is public, via oss-sec
From: Huzaifa Sidhpurwala <huzaifas@redhat.com>
Date: Tue, 06 Nov 2012 09:38:09 +0530
Subject: [oss-security] gegl: Integer overflow, leading to heap-based buffer overflow by parsing PPM image headers

Hi All,

An integer overflow, leading to a heap-based buffer overflow, was found in the way the portable pixmap format (PPM) image file format handler of GEGL, a graph-based image processing framework, processed certain input PPM image file headers. A remote attacker could provide a specially-crafted PPM image that, when opened in the gegl executable, would lead to a crash or, potentially, arbitrary code execution with the privileges of the user running the binary.

This issue was found by Murray McAllister, Red Hat Security Response Team.

We have assigned CVE-2012-4433 to this issue.

Reference: https://bugzilla.redhat.com/show_bug.cgi?id=856300
The SWAMPID for this issue is 50110. This issue was rated as moderate. Please submit fixed packages until 2012-11-29. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
bugbot adjusting priority
The problem surely affects openSUSE 12.2, and the patch in the Red Hat Bugzilla applies there. I am unsure whether it affects older products as well. Older products (12.1, SLE11) support only 8bpp images.
Maybe it is possible to overflow even with two numbers and multiplier 3, so older products are probably affected as well. I have tried to port the fix to the old code (currently 12.1; porting to SLE11 should be easier). I will prepare packages on Monday. But the fix will need some testing.

Surprisingly, gegl in 12.1 does not compile:
[ 128s] exr-load.cpp: In function 'gboolean query_exr(const gchar*, gint*, gint*, gint*, void**)':
[ 128s] exr-load.cpp:596:39: error: invalid conversion from 'const void*' to 'gpointer {aka void*}' [-fpermissive]
[ 128s] make[3]: *** [exr_load_la-exr-load.lo] Error 1
This is an autogenerated message for OBS integration: This bug (789835) was mentioned in https://build.opensuse.org/request/show/142940 Maintenance / https://build.opensuse.org/request/show/142941 Maintenance /
I just finished porting and its testing:

In 12.2 we can apply the patch without changes.
created request id Request: #142940

In 12.1 I had to backport it to 8bit-only GEGL. However, I don't know whether it can be exploited there; I guess that it can. Simply pick large enough dimensions to get overflow for 3*width*height, but the overflowed byte size is small enough that allocation succeeds.
created request id Request: #142941

SLE11 is not vulnerable; gegl-0.0.20 does not support PPM loading.

Ad comment 4: It was a Build Service issue. It was building the 12.1 version for 12.2, even if it was disabled there.

I just tested gimp with gegl with the backported 12.1 fix. It opens PPM files correctly, so I believe that I made no serious mistake while backporting.

Created maintenance incident 142943?
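As an added illustration (not code from this bug, the Red Hat patch, or gegl itself): the unchecked 3*width*height computation the comment describes next to a bounded version, plus a minimal P6 header parser. The ppm_header_t structure, the function names and the sample headers are hypothetical and constructed for this example.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { /* hypothetical summary for this example, not gegl's own structure */
    uint32_t width, height, channels, bytes_per_sample; /* channels: 3 for P6 (RGB) */
} ppm_header_t;

/* Bug pattern from the report: 3*width*height in 32-bit unsigned arithmetic
 * wraps silently, so a huge image can yield a small, allocatable size. */
unsigned int ppm_size_unchecked(const ppm_header_t *h)
{
    return h->channels * h->width * h->height * h->bytes_per_sample;
}

/* Hardened form: bound each multiplication before performing it. */
bool ppm_size_checked(const ppm_header_t *h, size_t *out)
{
    if (!h->width || !h->height || !h->channels || !h->bytes_per_sample)
        return false;
    size_t n = h->width;
    if (n > SIZE_MAX / h->height) return false;
    n *= h->height;
    if (n > SIZE_MAX / h->channels) return false;
    n *= h->channels;
    if (n > SIZE_MAX / h->bytes_per_sample) return false;
    *out = n * h->bytes_per_sample;
    return true;
}

/* Minimal "P6 <width> <height> <maxval>" parser (constructed input, no comment
 * handling); rejects fields that do not fit the 32-bit header values. */
bool ppm_parse_header(const char *hdr, ppm_header_t *out)
{
    unsigned long long v[3];
    const char *p = hdr + 2;
    if (strncmp(hdr, "P6", 2) != 0) return false;
    for (int i = 0; i < 3; i++) {
        char *end;
        errno = 0;
        v[i] = strtoull(p, &end, 10);
        if (end == p || errno == ERANGE || v[i] > UINT32_MAX) return false;
        p = end;
    }
    if (v[2] == 0 || v[2] > 65535) return false; /* PPM maxval range */
    out->width = (uint32_t)v[0]; out->height = (uint32_t)v[1];
    out->channels = 3; out->bytes_per_sample = v[2] > 255 ? 2 : 1;
    return true;
}
```

With a 65536x65537 header the unchecked product wraps to 196608 bytes, while the bounded version reports the real size or refuses the header on a platform where it does not fit size_t.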
I canceled the SLE swamp workflow after #c6 ... openSUSE proceeds as usual. Thanks!
released!
This is an autogenerated message for OBS integration: This bug (789835) was mentioned in https://build.opensuse.org/request/show/145905 Evergreen:11.2 / gegl
This is an autogenerated message for OBS integration: This bug (789835) was mentioned in https://build.opensuse.org/request/show/146337 Evergreen:11.2 / gegl
*** Bug 1023636 has been marked as a duplicate of this bug. ***
Not yet fixed for SLE12 and current openSUSE.
This is an autogenerated message for OBS integration: This bug (789835) was mentioned in https://build.opensuse.org/request/show/476790 Factory / gegl
I took the fix that was submitted last month into Factory and used it for SLE12 and SLE12 SP2. I guess that I don't need to fix Leap 42.*, as it will inherit fixes from SLE12 *. Verified that the patch from Red Hat contains exactly the same as all three relevant upstream commits. Surprisingly, the code does not compile on SLE12 ppc64le, s390 and s390x. Even the original (released?) code does not compile.
The failing code is #include <jasper/jasper.h> in operations/external/jp2-load.c. It looks like a breakage outside gegl.
Confirming that it is a problem outside gegl. If I move #include <jasper/jasper.h> to be the first include, it still fails:
[ 86s] In file included from /usr/include/jasper/jasper.h:65:0,
[ 86s] from jp2-load.c:19:
[ 86s] /usr/include/sys/types.h:150:27: error: duplicate 'unsigned'
[ 86s] typedef unsigned long int ulong;
[ 86s] ^
[ 86s] /usr/include/sys/types.h:151:28: error: duplicate 'unsigned'
[ 86s] typedef unsigned short int ushort;
[ 86s] ^
[ 86s] /usr/include/sys/types.h:151:28: error: duplicate 'short'
[ 86s] typedef unsigned short int ushort;
[ 86s] ^
[ 86s] /usr/include/sys/types.h:152:22: error: duplicate 'unsigned'
[ 86s] typedef unsigned int uint;
[ 86s] ^
[ 86s] /usr/include/sys/types.h:152:22: error: two or more data types in declaration specifiers
[ 86s] typedef unsigned int uint;
[ 86s] ^
Surprisingly, in SLE12 GA it built OK, and in SLE12 SP2 it builds OK as well.
The package builds against SUSE:SLE-12:GA (ports). In SUSE:SLE-12:Update (standard), it builds only if I downgrade jasper to a version from GA. Build in GA succeeds as well.
https://build.suse.de/project/monitor/home:sbrabec:branches:789835-gegl-security:sle12
=> the jasper online update has a broken header.
SUSE:SLE-12:Update:
https://build.suse.de/request/show/128788
Depends on https://build.suse.de/request/show/128784

SUSE:SLE-12-SP2:Update:
https://build.suse.de/request/show/128789

Do I need to submit Leap separately?
(In reply to Stanislav Brabec from comment #18)
> SUSE:SLE-12:Update:
> https://build.suse.de/request/show/128788
> Depends on https://build.suse.de/request/show/128784
>
> SUSE:SLE-12-SP2:Update:
> https://build.suse.de/request/show/128789
>
> Do I need to submit Leap separately?

Yes, I am pretty sure it is not automatic, and this should go to Factory to the -devel project.
Factory was already done last month. I think that if Leap has an identical version to SLE 12, then it happens automatically. (At least it happens in util-linux.) Here it seems to be identical.
SUSE-SU-2017:0694-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 789835
CVE References: CVE-2012-4433
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP2 (src): gegl-0.2.0-14.3
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): gegl-0.2.0-14.3
SUSE Linux Enterprise Desktop 12-SP2 (src): gegl-0.2.0-14.3
SUSE-SU-2017:0696-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 789835
CVE References: CVE-2012-4433
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP1 (src): gegl-0.2.0-10.3.3
SUSE Linux Enterprise Software Development Kit 12-SP1 (src): gegl-0.2.0-10.3.3
SUSE Linux Enterprise Desktop 12-SP1 (src): gegl-0.2.0-10.3.3
openSUSE-SU-2017:0828-1: An update that fixes one vulnerability is now available.
Category: security (moderate)
Bug References: 789835
CVE References: CVE-2012-4433
Sources used:
openSUSE Leap 42.2 (src): gegl-0.2.0-16.1
This should be done, please check and close or reassign if something is missing.
This has been fixed by now, bug can be closed.