Bug 22399

Summary: gdk-pixbuf2.0 new security issue CVE-2017-1000422
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: QA Team <qa-bugs>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: major
Priority: Normal
CC: lewyssmith, mageia, marja11, nicolas.salguero, sysadmin-bugs
Version: 6
Keywords: advisory, validated_update
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA6-64-OK
Source RPM: gdk-pixbuf2.0-2.36.10-1.1.mga6.src.rpm
CVE: CVE-2017-1000422
Status comment:
Bug Depends on:    
Bug Blocks: 22422    

Description David Walser 2018-01-16 12:11:25 CET
Debian and Ubuntu have issued advisories on January 15:
https://www.debian.org/security/2018/dsa-4088
https://usn.ubuntu.com/usn/usn-3532-1/

The issue appears to have been fixed upstream in 2.36.11, and Debian and Ubuntu have links to the upstream patch/commit:
https://security-tracker.debian.org/tracker/CVE-2017-1000422
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000422.html

Mageia 5 is also affected.
Comment 1 Marja Van Waes 2018-01-16 15:14:19 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Salguero 2018-01-18 09:27:17 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer overflows in the gif_get_lzw function resulting in memory corruption and potential code execution. (CVE-2017-1000422)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000422
https://www.debian.org/security/2018/dsa-4088
https://usn.ubuntu.com/usn/usn-3532-1/
========================

Updated packages in core/updates_testing:
========================
gdk-pixbuf2.0-2.36.10-1.2.mga6
lib(64)gdk_pixbuf2.0_0-2.36.10-1.2.mga6
lib(64)gdk_pixbuf2.0-devel-2.36.10-1.2.mga6
lib(64)gdk_pixbuf-gir2.0-2.36.10-1.2.mga6

from SRPMS:
gdk-pixbuf2.0-2.36.10-1.2.mga6.src.rpm

CC: (none) => nicolas.salguero
Source RPM: gdk-pixbuf2.0-2.36.10-1.mga6.src.rpm => gdk-pixbuf2.0-2.36.10-1.1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2017-1000422
Status: NEW => ASSIGNED

Comment 3 PC LX 2018-01-19 03:34:14 CET
Installed and minimally tested without issues.

Tested using gimp.

This lib is extensively used by Gnome DE and apps so someone using Gnome (I'm not) will easily be able to extensively test this update.

System: Mageia 6, Plasma DE, Intel CPU, nVidia GPU using proprietary nvidia340 driver.

$ uname -a
Linux marte 4.14.13-desktop-1.mga6 #1 SMP Wed Jan 10 12:48:53 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep pixbuf
gdk-pixbuf2.0-2.36.10-1.2.mga6
lib64gdk_pixbuf-gir2.0-2.36.10-1.2.mga6
lib64gdk_pixbuf2.0_0-2.36.10-1.2.mga6
$ rpm -ql lib64gdk_pixbuf2.0_0-2.36.10-1.2.mga6
/usr/lib64/gdk-pixbuf-2.0
/usr/lib64/gdk-pixbuf-2.0/2.10.0
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders.cache
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ani.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-bmp.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-icns.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-jasper.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-jpeg.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-pnm.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-qtif.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-tga.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-xbm.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-xpm.so
/usr/lib64/gdk-pixbuf-2.0/bin
/usr/lib64/gdk-pixbuf-2.0/bin/gdk-pixbuf-query-loaders
/usr/lib64/libgdk_pixbuf-2.0.so.0
/usr/lib64/libgdk_pixbuf-2.0.so.0.3610.0
/usr/lib64/libgdk_pixbuf_xlib-2.0.so.0
/usr/lib64/libgdk_pixbuf_xlib-2.0.so.0.3610.0
$ strace -o ~/tmp/strace.log gimp
<SNIP>
$ grep pixbuf strace.log 
open("/lib64/libgdk_pixbuf-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libgdk_pixbuf-2.0.so.0.3610.0", O_RDONLY) = 3
stat("/usr/lib64/gegl-0.3/pixbuf.so", {st_mode=S_IFREG|0755, st_size=23744, ...}) = 0
stat("/usr/lib64/gegl-0.3/save-pixbuf.so", {st_mode=S_IFREG|0755, st_size=23728, ...}) = 0
stat("/usr/lib64/gegl-0.3/pixbuf.so", {st_mode=S_IFREG|0755, st_size=23744, ...}) = 0
stat("/usr/lib64/gegl-0.3/pixbuf.so", {st_mode=S_IFREG|0755, st_size=23744, ...}) = 0
open("/usr/lib64/gegl-0.3/pixbuf.so", O_RDONLY|O_CLOEXEC) = 4
stat("/usr/lib64/gegl-0.3/save-pixbuf.so", {st_mode=S_IFREG|0755, st_size=23728, ...}) = 0
stat("/usr/lib64/gegl-0.3/save-pixbuf.so", {st_mode=S_IFREG|0755, st_size=23728, ...}) = 0
open("/usr/lib64/gegl-0.3/save-pixbuf.so", O_RDONLY|O_CLOEXEC) = 4
open("/usr/share/locale/pt_PT/LC_MESSAGES/gdk-pixbuf.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/pt/LC_MESSAGES/gdk-pixbuf.mo", O_RDONLY) = 21
open("/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders.cache", O_RDONLY) = 22
read(22, " 100\n\n\"/usr/lib64/gdk-pixbuf-2.0"..., 1024) = 1024
stat("/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so", {st_mode=S_IFREG|0755, st_size=24368, ...}) = 0
open("/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so", O_RDONLY|O_CLOEXEC) = 22
stat("/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so", {st_mode=S_IFREG|0755, st_size=11448, ...}) = 0
open("/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so", O_RDONLY|O_CLOEXEC) = 24

CC: (none) => mageia
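
A check over a strace log like the one in comment 3, reporting which gdk-pixbuf loader modules the traced program actually opened, so a tester can confirm that the GIF loader (the module containing gif_get_lzw) was loaded during the test. This is an added example, not part of the original bug report; the function names and the sample log lines are constructed, and it assumes the GIF loader is built as the libpixbufloader-gif.so module listed above.

```shell
#!/bin/sh
# Added example: names and sample data are constructed, not from the bug report.

# Print the gdk-pixbuf loader modules a traced process opened successfully.
# Reads strace output on stdin (as written by `strace -o FILE cmd`).
loaders_opened() {
    # Keep open()/openat() calls on libpixbufloader-NAME.so that returned a
    # file descriptor; stat() calls and failed opens (= -1 ...) are skipped.
    # The optional leading number is the PID column that `strace -f` adds.
    sed -n -E \
      's#^([0-9]+ +)?(open|openat)\(.*"[^"]*/libpixbufloader-([a-z0-9_-]+)\.so".*\) = [0-9]+.*$#\3#p' |
      sort -u
}

# Succeed if loader NAME ($1) was opened according to strace log FILE ($2).
loader_exercised() {
    loaders_opened < "$2" | grep -qx -- "$1"
}

# Constructed sample log, modelled on the excerpt in comment 3.
sample_log() {
    cat <<'EOF'
open("/usr/lib64/libgdk_pixbuf-2.0.so.0.3610.0", O_RDONLY) = 3
stat("/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so", {st_mode=S_IFREG|0755, st_size=24368, ...}) = 0
open("/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so", O_RDONLY|O_CLOEXEC) = 22
open("/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-jpeg.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
1234  openat(AT_FDCWD, "/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so", O_RDONLY|O_CLOEXEC) = 24
EOF
}

# With a readable log file argument, report on it; otherwise use the sample.
if [ $# -gt 0 ] && [ -r "$1" ]; then
    loaders_opened < "$1"
    loader_exercised gif "$1" || echo "GIF loader not opened: gif_get_lzw untested" >&2
else
    sample_log | loaders_opened
fi
```
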

Comment 4 Lewis Smith 2018-01-19 10:08:00 CET
Advisory uploaded.
About to test this update, but heeding PC_LX's comment, will do it under Gnome.
For reference, previous basic & specific tests are in:
 https://bugs.mageia.org/show_bug.cgi?id=19070 c3 c4
 https://bugs.mageia.org/show_bug.cgi?id=21658#c8

Keywords: (none) => advisory

Comment 5 Lewis Smith 2018-01-19 11:07:41 CET
Testing Mageia 6 x64
After update & re-boot to ensure updated packages are used; using Gnome.
 gdk-pixbuf2.0-2.36.10-1.2.mga6
 lib64gdk_pixbuf-gir2.0-2.36.10-1.2.mga6
 lib64gdk_pixbuf2.0_0-2.36.10-1.2.mga6

First try the cured problem of Ristretto & Gpicview not properly showing greyscale JPGs:
 $ convert source-image.jpg -colorspace Gray tmp/grey.jpg
 $ ristretto tmp/grey.jpg       OK
 $ gpicview tmp/grey.jpg        OK
as expected.

Next poke Firefox 52 at various image formats.
This site has a useful mix: https://imagej.nih.gov/ij/images/
Mostly GIF (1 animated), JPG, few PNG; few TIF - which FF did *not* display, but offered Evince viewer. Many images are greyscale, but where there was colour, that displayed OK.
 https://developers.google.com/speed/webp/gallery2
shows PNGs alongside 2 new formats WebP-lossless & WebP-lossy (with alpha) which FF recognised & displayed correctly.

OKing & validating the update.

CC: (none) => lewyssmith, sysadmin-bugs
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => validated_update

David Walser 2018-01-19 15:08:15 CET

Blocks: (none) => 22422

Comment 6 Mageia Robot 2018-01-20 00:12:43 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0087.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED