** Also affects: gdk-pixbuf (Ubuntu Focal)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to gdk-pixbuf in Ubuntu.
https://bugs.launchpad.net/bugs/1982898
Title:
CVE-2021-46829: Buffer overwrite in io-gif-animation.c composite_frame() in gdk-pixbuf
Status in gdk-pixbuf package in Ubuntu:
In Progress
Status in gdk-pixbuf source package in Focal:
New
Bug description:
[Impact]
* A buffer overwrite exists in gdk-pixbuf's thumbnailer.
* The GIF loader runs out of memory with specifically crafted files
with bad frame data (and images with its sizes) over the integer
limit.
* After gdk-pixbuf-thum runs out of memory, other apps can, and on low-RAM
systems like my old iMac the system can completely run out of memory.
* Or, in other ways, bad gif files in other applications can open the
door for exploits.
* Any app using gdk-pixbuf is affected, mainly file managers and
image viewers.
[Test Plan]
* Take the PoCs - they can be found in the issue in the GNOME repo
* Open them in an application that uses gdk-pixbuf. I have managed to
produce reactions with:
- Nautilus, GNOME's file manager
- Nemo, Cinnamon's file manager
- Thunar, XFCE's file manager, which has its own thumbnailer (tumbler) that
also inevitably fails and crashes
- PCManFM, LXDE's file manager which straight up crashes
- Caja, MATE's file manager causes libpixbufloader-gif to segfault (app
still usable, no memory issues)
- Eye of GNOME (eog) triggers the segfault in syslog
- Eye of MATE (eom) segfaults
* If you or the system couldn't tell something is wrong, cat
/var/log/syslog and enjoy the segfaults or out of memory warnings or
even kernel spam.
[Where problems could occur]
* The patch itself is simple, but since gdk-pixbuf is often used with
GTK apps a mistake here could be problematic.
* It is possible, and has happened in the past (which has been
patched) that other bad GIFs can cause other crashes.
* That patch is essentially overflow checks - changes with GLib
(GNOME's, not to be confused with glibc) and the functions used in not
only the patch but all of gdk-pixbuf can cause problems.
* Other failures to properly handle GIFs and broken or intentionally
tampered GIFs can continue and always will open the door for security
holes for other bugs.
* Again, overall a simple patch but as long as the GIFs remain handled
properly, and no changes to the GLib functions are made and to other
apps that use gdk-pixbuf (and assuming are not affected by the change
and still work), the patch does not have much regression potential.
[Other Info]
* Besides buffer overwrite/overflow issues, as mentioned above, out-of-memory
errors can happen.
* Files attached are examples of crashes
* Again, all apps using gdk-pixbuf are affected
* https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/121/
* https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/190
* https://github.com/pedrib/PoC/blob/master/fuzzing/CVE-2021-46829/CVE-2021-46829.md
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: libgdk-pixbuf2.0-0 2.40.0+dfsg-3ubuntu0.2
ProcVersionSignature: Ubuntu 5.15.0-43.46~20.04.1-generic 5.15.39
Uname: Linux 5.15.0-43-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.24
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: X-Cinnamon
Date: Tue Jul 26 19:33:41 2022
InstallationDate: Installed on 2021-11-24 (244 days ago)
InstallationMedia: ubuntucinnamonremix "@BASECODENAME" (20210826)
SourcePackage: gdk-pixbuf
UpgradeStatus: No upgrade log present (probably fresh install)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gdk-pixbuf/+bug/1982898/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
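The report says the fix is "essentially overflow checks" on the frame geometry handed to composite_frame(). The block below is an added, constructed illustration of that defensive pattern and is not gdk-pixbuf's code: the frame_geom struct, composite_clipped() and the demo_* helpers are hypothetical names, the 4x4 canvas and 3x3 frame are constructed sample data, and the real upstream patch may check or clamp differently. It shows the two things a loader must do before trusting a file's frame descriptor: compute x_offset + width and y_offset + height in a type that cannot wrap, and then clip (or reject) anything that falls outside the animation canvas so that no row write lands past the end of the destination buffer.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame descriptor; gdk-pixbuf's real frame struct differs. */
typedef struct {
    int x_offset;   /* left edge of the frame on the canvas */
    int y_offset;   /* top edge of the frame on the canvas */
    int width;      /* frame width in pixels, as read from the file */
    int height;     /* frame height in pixels, as read from the file */
} frame_geom;

/* Composite an RGBA frame onto an RGBA canvas at (x_offset, y_offset),
 * dropping any frame pixels that fall outside the canvas.  Returns the
 * number of pixels written, or -1 when the geometry is invalid.
 * The canvas is assumed to hold canvas_w * canvas_h * 4 bytes and the
 * frame g->width * g->height * 4 bytes. */
long composite_clipped(uint8_t *canvas, int canvas_w, int canvas_h,
                       const uint8_t *frame, const frame_geom *g)
{
    if (canvas_w <= 0 || canvas_h <= 0 || g->width <= 0 || g->height <= 0)
        return -1;
    if (g->x_offset < 0 || g->y_offset < 0)
        return -1;

    /* 64-bit sums: even hostile values near INT_MAX cannot wrap here. */
    int64_t right  = (int64_t)g->x_offset + g->width;
    int64_t bottom = (int64_t)g->y_offset + g->height;

    /* Clip to the canvas instead of trusting the file's numbers. */
    int64_t x_end = right  < canvas_w ? right  : canvas_w;
    int64_t y_end = bottom < canvas_h ? bottom : canvas_h;

    long written = 0;
    for (int64_t y = g->y_offset; y < y_end; y++) {
        for (int64_t x = g->x_offset; x < x_end; x++) {
            const uint8_t *src =
                frame + ((y - g->y_offset) * g->width + (x - g->x_offset)) * 4;
            uint8_t *dst = canvas + (y * canvas_w + x) * 4;
            if (src[3] == 0)
                continue;           /* transparent pixel: keep canvas contents */
            memcpy(dst, src, 4);
            written++;
        }
    }
    return written;
}

#define DEMO_CANVAS 4
#define DEMO_FRAME  3

/* Constructed demo input: a 4x4 transparent black canvas and a 3x3 fully
 * opaque white frame placed at (x_offset, y_offset).  Returns the red
 * channel of the canvas's bottom-right pixel after compositing and
 * reports the number of pixels written through *written. */
static int demo_run(int x_offset, int y_offset, long *written)
{
    uint8_t canvas[DEMO_CANVAS * DEMO_CANVAS * 4];
    uint8_t frame[DEMO_FRAME * DEMO_FRAME * 4];
    memset(canvas, 0x00, sizeof canvas);
    memset(frame, 0xFF, sizeof frame);
    frame_geom g = { x_offset, y_offset, DEMO_FRAME, DEMO_FRAME };
    *written = composite_clipped(canvas, DEMO_CANVAS, DEMO_CANVAS, frame, &g);
    return canvas[(DEMO_CANVAS * DEMO_CANVAS - 1) * 4];
}

/* Pixels actually written for a frame placed at (x_offset, y_offset). */
long demo_pixels_written(int x_offset, int y_offset)
{
    long w;
    demo_run(x_offset, y_offset, &w);
    return w;
}

/* Red channel of the bottom-right canvas pixel after compositing. */
int demo_bottom_right_red(int x_offset, int y_offset)
{
    long w;
    return demo_run(x_offset, y_offset, &w);
}

int main(void)
{
    printf("frame at (2,2): %ld pixels written\n", demo_pixels_written(2, 2));
    printf("frame at (INT_MAX,0): %ld pixels written\n",
           demo_pixels_written(INT_MAX, 0));
    printf("frame at (-1,0): %ld (rejected)\n", demo_pixels_written(-1, 0));
    return 0;
}
```

With the frame at (2,2) only the 2x2 overlap is written; with x_offset near INT_MAX the 64-bit sum stays sane, the clipped range is empty and nothing is written, whereas plain int arithmetic would have wrapped to a small negative value and let the row writes start before the canvas.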