Bugzilla – Bug 1027024
VUL-1: CVE-2017-6313: gdk-pixbuf: A dangerous integer underflow in io-icns.c
Last modified: 2024-05-09 17:56:58 UTC
http://seclists.org/oss-sec/2017/q1/466

1. A dangerous integer underflow in io-icns.c [1]
--------------------------------------------------

io-icns.c is the source code for the loader of Macintosh icons. An integer underflow I found allows an attacker to lead to different calls to gdk_pixbuf_loader_write with a huge (2^32-1) count (size of buffer) that can be bigger than the actual size of the given buffer. It is possible to give the loader any data we want, so we can call any desired loader whose data is recognized. This may lead to various behaviors - multiple out-of-buffer reads, infinite loops, or an allocation attempt with the size. Possibly other behaviors I did not test for (I didn't really check all available loaders).

1.1 The bug
-----------

In the load_resources function (io-icns.c:63), inside the size switch (line 101), all the cases set plen or mlen to:

    blocklen - sizeof (IcnsBlockHeader);

See lines 109, 117, 127, 134, 139, 146, 151, 158 and 163. blocklen is set in line 95:

    blocklen = GUINT32_FROM_BE (header->size);

There are no checks on the size of blocklen, and if it is set to less than sizeof (IcnsBlockHeader) (should be 8) there is an integer underflow. This is dangerous because its value is later passed to gdk_pixbuf_loader_write (line 262) when size is 256. This allows an attacker to craft a file that will end up calling a desired loader with a bogus size that is much larger than the actual buffer size.

Possible exploits of the bug:

1. Adding a bmp or an ico image data after the header will cause an out-of-buffer read.
2. With a tiff image it would lead to an infinite loop (see bug 2).
3. With a gif, a tga or another icns after the header the code will try to allocate as much as count bytes (and most likely fail on a size of 2^32-1). Otherwise, if the actual data size is less than 4096, there is an out-of-bounds read.
4. With another icns it is possible to reach another out-of-bounds
4.1 If this out-of-bounds read gets zeros we will have an infinite loop
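An added example, not code from the report or from gdk-pixbuf, showing the unsigned wrap the report describes for blocklen - sizeof (IcnsBlockHeader) beside a length check that rejects such a block before the subtraction. The struct layout, helper names and the constructed 8-byte input are assumptions for illustration; the struct only needs sizeof == 8 to match the report.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>
/* Stand-in for the 8-byte block header in io-icns.c: a 4-byte type tag plus a
 * big-endian 32-bit size that counts the header itself (assumed layout). */
typedef struct {
    char     id[4];
    uint32_t size;
} IcnsBlockHeader;
/* Decode the big-endian size field as GUINT32_FROM_BE would. */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* The unchecked arithmetic the report describes: a declared size smaller than
 * the header wraps to a value near 2^32-1, later used as a byte count. */
uint32_t payload_len_unchecked(uint32_t blocklen)
{
    return blocklen - (uint32_t)sizeof(IcnsBlockHeader);
}

/* Hardened variant: reject a block too small to hold its own header and one
 * that claims more bytes than remain in the buffer. Sets *plen and returns
 * true only for a self-consistent block. */
bool payload_len_checked(const unsigned char *buf, size_t remaining,
                         uint32_t *plen)
{
    if (remaining < sizeof(IcnsBlockHeader))
        return false;                   /* no room for a header at all */
    uint32_t blocklen = read_be32(buf + 4);
    if (blocklen < sizeof(IcnsBlockHeader))
        return false;                   /* the subtraction would wrap */
    if (blocklen > remaining)
        return false;                   /* block overruns the buffer */
    *plen = blocklen - (uint32_t)sizeof(IcnsBlockHeader);
    return true;
}
int main(void)
{
    /* Constructed header: tag "icns", declared size 7 (< 8-byte header). */
    const unsigned char bad[8] = { 'i', 'c', 'n', 's', 0, 0, 0, 7 };
    uint32_t plen = 0;
    printf("unchecked: %u, checked rejects: %s\n",
           (unsigned)payload_len_unchecked(read_be32(bad + 4)),
           payload_len_checked(bad, sizeof bad, &plen) ? "no" : "yes");
    return 0;
}
```

Run as-is, the unchecked path yields 4294967295 for a declared size of 7 while the checked path rejects the block.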
CVE-2017-6313
https://bugzilla.gnome.org/show_bug.cgi?id=779016
bugbot adjusting priority
Created attachment 715695
infinite.icns.icns

QA REPRODUCER: (we will cause an infinite loop)

eog infinite.icns.icns &
top

BEFORE: eog uses 100% CPU trying to decode this ICO file
AFTER: eog display / errors on image
Created attachment 715696
bad.ico.icns

QA REPRODUCER 2:

eog bad.ico.icns

will crash with segmentation fault
no patch upstream yet
Hi Yifan, can you have someone on your team take this.
Hi Xiaoguang, Would you help to take care of this, thank you!
SUSE-SU-2017:2381-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027024,1027025,1027026,1048289,1048544,1049877
CVE References: CVE-2017-2862,CVE-2017-2870,CVE-2017-6312,CVE-2017-6313,CVE-2017-6314
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src): gdk-pixbuf-2.34.0-19.5.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src): gdk-pixbuf-2.34.0-19.5.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src): gdk-pixbuf-2.34.0-19.5.1
SUSE Linux Enterprise Server 12-SP3 (src): gdk-pixbuf-2.34.0-19.5.1
SUSE Linux Enterprise Server 12-SP2 (src): gdk-pixbuf-2.34.0-19.5.1
SUSE Linux Enterprise Desktop 12-SP3 (src): gdk-pixbuf-2.34.0-19.5.1
SUSE Linux Enterprise Desktop 12-SP2 (src): gdk-pixbuf-2.34.0-19.5.1
openSUSE-SU-2017:2393-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027024,1027025,1027026,1048289,1048544,1049877
CVE References: CVE-2017-2862,CVE-2017-2870,CVE-2017-6312,CVE-2017-6313,CVE-2017-6314
Sources used:
openSUSE Leap 42.3 (src): gdk-pixbuf-2.34.0-10.1
openSUSE Leap 42.2 (src): gdk-pixbuf-2.34.0-7.3.1
Closing as fixed.
SUSE-SU-2018:2470-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1027024,1027025,1027026,1039465,1048289,1048544
CVE References: CVE-2017-2862,CVE-2017-2870,CVE-2017-6312,CVE-2017-6313,CVE-2017-6314
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src): gtk2-2.18.9-0.45.8.1
SUSE Linux Enterprise Server 11-SP4 (src): gtk2-2.18.9-0.45.8.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src): gtk2-2.18.9-0.45.8.1
gdk-pixbuf for sle11 missing still here I think
Are you sure that this applies to SLE-11 gdk-pixbuf? io-icns.c is not present there.
Hi Marcus, Please refer to the comment immediately above.
I removed the affectedness for SLE11 and older.
I think that gtk2 is affected on SLE-11, but not the older gdk-pixbuf.