** Description changed:

- There is a buffer overwrite in gdk-pixbuf. I will eventually create a
- whole SRU document with how to reproduce and all, but I'll just say it
- is a nasty one. Opening it on my old iMac from about 2007/2009 in Nemo
- causes the entire system to run out of memory. (With firefox, 1612/3922
- MB - which says something.)
+ [Impact]
  
- It may be possible all apps using gdk-pixbuf can have a problem handling
- files like the PoC.
+  * A buffer overwrite exists in gdk-pixbuf's thumbnailer.
  
- https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/190
+  * The GIF loader runs out of memory with specifically crafted files
+ with bad frame data (and images with its sizes) over the integer limit.
+ 
+  * After gdk-pixbuf-thum runs out of memory, other apps can and on low
+ RAM systems like my old iMac, the system can completely run out of
+ memory.
+ 
+  * Or, in other ways, bad gif files in other applications can open the
+ door for exploits.
+ 
+  * Any app using gdk-pixbuf is affected, mainly file managers and image
+ viewers.
+ 
+ [Test Plan]
+ 
+  * Take the PoCs - they can be found in the issue in the GNOME repo
+ 
+  * Open them in an application that uses gdk-pixbuf. I have managed to
+ produce reactions with:
+  - Nautilus, GNOME's file manager
+  - Nemo, Cinnamon's file manager
+  - Thunar, XFCE's file manager, which has its own thumbnailer (tumbler) that
+ also inevitably fails and crashes
+  - PCManFM, LXDE's file manager which straight up crashes
+  I have not been able to produce any results with Caja (MATE's file manager)
+ but have personally experienced issues with Nautilus. PoC logs and crashes are
+ attached.
+ 
+  * If you or the system couldn't tell something is wrong, cat
+ /var/log/syslog and enjoy the segfaults or out of memory warnings or
+ even kernel spam.
+ 
+ [Where problems could occur]
+ 
+  * The patch itself is simple, but since gdk-pixbuf is often used with
+ GTK apps a mistake here could be problematic.
+ 
+  * It is possible, and has happened in the past (which has been patched)
+ that other bad GIFs can cause other crashes.
+ 
+  * That patch is essentially overflow checks - changes with GLib
+ (GNOME's, not to be confused with glibc) and the functions used in not
+ only the patch but all of gdk-pixbuf can cause problems
+ 
+  * Other failures to properly handle GIFs and broken or intentionally
+ tampered GIFs can continue and always will open the door for security
+ holes for other bugs
+ 
+  * Again, overall a simple patch but as long as the GIFs remain handled
+ properly, and no changes to the GLib functions are made and to other
+ apps that use gdk-pixbuf (and assuming are not affected by the change
+ and still work), the patch does not have much regression potential.
+ 
+ [Other Info]
+  
+  * Besides buffer overwrite/overflow issues, as aforementioned out of memory
+ errors can happen.
+  * Files attached are examples of crashes
+  * Again, all apps using gdk-pixbuf are affected
+  * https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/121/
+  * https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/190
+  * https://github.com/pedrib/PoC/blob/master/fuzzing/CVE-2021-46829/CVE-2021-46829.md
  
  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: libgdk-pixbuf2.0-0 2.40.0+dfsg-3ubuntu0.2
  ProcVersionSignature: Ubuntu 5.15.0-43.46~20.04.1-generic 5.15.39
  Uname: Linux 5.15.0-43-generic x86_64
  ApportVersion: 2.20.11-0ubuntu27.24
  Architecture: amd64
  CasperMD5CheckResult: skip
  CurrentDesktop: X-Cinnamon
  Date: Tue Jul 26 19:33:41 2022
  InstallationDate: Installed on 2021-11-24 (244 days ago)
  InstallationMedia: ubuntucinnamonremix "@BASECODENAME" (20210826)
  SourcePackage: gdk-pixbuf
  UpgradeStatus: No upgrade log present (probably fresh install)
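The "[Where problems could occur]" section says the fix amounts to overflow checks on GIF frame geometry. As an added illustration, not the upstream merge request and not gdk-pixbuf's own code, the function below shows that class of check in isolation: before any compositing buffer is allocated or written, it verifies that a frame lies inside the logical screen, that the offset-plus-size additions and the width-times-height multiplication cannot wrap, and that the resulting buffer stays under a caller-chosen limit so a crafted file fails cleanly instead of exhausting memory. The struct layouts, the RGBA 4-bytes-per-pixel assumption and the `max_bytes` policy are all assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not gdk-pixbuf's code: bounds and overflow checks of
 * the kind the report says the fix adds, applied to GIF frame geometry
 * before any compositing buffer is touched. Assumes RGBA, 4 bytes/pixel. */
#define BYTES_PER_PIXEL 4

typedef struct {
    unsigned int width, height;       /* logical screen (canvas) size */
} gif_canvas;

typedef struct {
    unsigned int x_offset, y_offset;  /* frame position on the canvas */
    unsigned int width, height;       /* frame size */
} gif_frame;

/* Multiply without wrapping: false means the product does not fit size_t. */
static bool checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Add without wrapping. */
static bool checked_add(size_t a, size_t b, size_t *out)
{
    if (b > SIZE_MAX - a)
        return false;
    *out = a + b;
    return true;
}

/* Validate a frame against its canvas and compute the canvas byte size.
 * max_bytes is an assumed caller policy that turns an otherwise valid but
 * absurdly large image into a clean error instead of an allocation that
 * drives the system out of memory. Returns false on any failed check. */
bool frame_buffer_size(const gif_canvas *c, const gif_frame *f,
                       size_t max_bytes, size_t *bytes)
{
    size_t right, bottom, pixels, total;

    if (c->width == 0 || c->height == 0 || f->width == 0 || f->height == 0)
        return false;

    /* The frame must lie entirely inside the canvas. The additions are
     * checked too, because offset + width can wrap on its own. */
    if (!checked_add(f->x_offset, f->width, &right) || right > c->width)
        return false;
    if (!checked_add(f->y_offset, f->height, &bottom) || bottom > c->height)
        return false;

    /* width * height * BYTES_PER_PIXEL must fit size_t and the policy limit. */
    if (!checked_mul(c->width, c->height, &pixels))
        return false;
    if (!checked_mul(pixels, BYTES_PER_PIXEL, &total))
        return false;
    if (total > max_bytes)
        return false;

    *bytes = total;
    return true;
}

int main(void)
{
    /* Constructed inputs: one well-formed frame, one that hangs off the canvas. */
    gif_canvas canvas = { 320, 240 };
    gif_frame ok = { 10, 10, 300, 220 };
    gif_frame bad = { 300, 10, 100, 50 };   /* x_offset + width = 400 > 320 */
    size_t n = 0;
    size_t limit = (size_t)256u << 20;      /* 256 MiB policy cap (assumed) */

    printf("ok frame:  %s\n",
           frame_buffer_size(&canvas, &ok, limit, &n) ? "accepted" : "rejected");
    printf("bad frame: %s\n",
           frame_buffer_size(&canvas, &bad, limit, &n) ? "accepted" : "rejected");
    return 0;
}
```

Every check returns an error to the caller rather than clamping or silently truncating; a loader that clamps a bad frame still has to reason about where the clamped pixels go, whereas rejecting the frame leaves no path to the out-of-bounds write or the runaway allocation the report describes.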

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gdk-pixbuf in Ubuntu.
https://bugs.launchpad.net/bugs/1982898

Title:
  CVE-2021-46829: Buffer overwrite in io-gif-animation.c
  composite_frame() in gdk-pixbuf

Status in gdk-pixbuf package in Ubuntu:
  In Progress


To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gdk-pixbuf/+bug/1982898/+subscriptions


-- 
Mailing list: https://launchpad.net/~desktop-packages
Post to     : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help   : https://help.launchpad.net/ListHelp
