| Summary: | libgxps new security issue CVE-2018-10733 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | lewyssmith, marja11, sysadmin-bugs, tarazed25 |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-64-OK | ||
| Source RPM: | libgxps-0.3.0-1.mga7.src.rpm | CVE: | |
| Status comment: | Patches available from upstream and Fedora | ||
Description
David Walser
2018-06-07 19:03:07 CEST
David Walser
2018-06-07 19:03:22 CEST
Whiteboard:
(none) =>
MGA6TOO
Marja Van Waes
2018-06-08 21:16:53 CEST
Assignee:
bugsquad =>
gnome

Fedora has added an additional patch for an integer overflow today (June 26):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UY53OSYKXQJ4PBBGTBJFU7FLVWGGFV4J/

Bug reference for Comment 1 issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1524378

Fixes included in libgxps-0.3.0-3.mga7 in Cauldron.

Whiteboard:
MGA6TOO =>
(none)

Advisory:
========================

Updated libgxps packages fix security vulnerabilities:

A flaw was found in libgxps through 0.3.0. There is a heap-based buffer over-read in the function ft_font_face_hash of gxps-fonts.c. A crafted input will lead to a remote denial of service attack (CVE-2018-10733).

An integer overflow flaw exists within the "gxps_images_create_from_png()" function in libgxps/gxps-images.c. An attacker can exploit this flaw to cause a heap-based buffer overflow by tricking a user into opening a specially crafted XPS document in an application using libgxps (rhbz#1524378).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10733
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YMI6TEEICL3TNCY4C2VVCZGZEAERZFDZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UY53OSYKXQJ4PBBGTBJFU7FLVWGGFV4J/
========================

Updated packages in core/updates_testing:
========================
libgxps2-0.2.5-1.2.mga6
libgxps-tools-0.2.5-1.2.mga6
libgxps-gir0.1-0.2.5-1.2.mga6
libgxps-devel-0.2.5-1.2.mga6

from libgxps-0.2.5-1.2.mga6.src.rpm

Assignee:
gnome =>
qa-bugs

Mageia 6, x86_64

CVE-2018-10733
https://bugzilla.redhat.com/show_bug.cgi?id=1574844

$ file POC.xps
POC.xps: Microsoft OOXML
$ xpstojpeg POC.xps /dev/null
Segmentation fault (core dumped)

Updated the four packages. The PoC file no longer forces a crash.

$ xpstojpeg POC.xps /dev/null
Error rendering page 1: Error rendering page /Documents/1/Pages/1.fpage: ZIP uncompressed data is wrong size (read 186314, expected 186308)
Error opening output file /dev/null-1.jpg

$ apropos gxps-tools
gxps-tools: nothing appropriate.

The utilities deal in conversion of XPS files to image formats.

$ ls /bin/*xps*
/bin/fixps*  /bin/xpstojpeg*  /bin/xpstopng*  /bin/xpstosvg*
/bin/xpstat*  /bin/xpstopdf*  /bin/xpstops*

$ strace -o trace xpstojpeg sample1.xps
$ cat trace | grep lib | grep gxps
open("/usr/lib64/tls/x86_64/libgxps.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/libgxps.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/x86_64/libgxps.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libgxps.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libgxps.so.2.2.1", O_RDONLY) = 3

$ xpstopdf sample1.xps
$ xpstopng sample1.xps
$ xpstops sample1.xps
DBG: paper size: (null) 0, 0
$ xpstosvg sample1.xps
$ ls
page-1.jpg  POC.xps  sample1.pdf  sample1.svg  trace
page-1.png  '#report.23128#'  sample1.ps  sample1.xps

The page-1.* images displayed properly (ImageMagick display).

$ file sample1.ps
sample1.ps: PostScript document text conforming DSC level 3.0, Level 2

That displayed fine with gs.

okular handled sample1.pdf OK. The image was displayed correctly.

$ okular sample1.pdf
org.kde.kwindowsystem: Could not find any platform plugin

The svg file displayed OK.

$ head sample1.svg
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="816pt" height="1056pt" viewBox="0 0 816 1056" version="1.2">
<defs>
<g>
<symbol overflow="visible" id="glyph0-0">
<path style="stroke:none;" d="M 1.5 0 L 1.5 -7.5 L 7.5
[...]

This update is good for 64-bits.

Whiteboard:
(none) =>
MGA6-64-OK

I need a hotkey for "Thank you Len for the testing"! Validating. Advisoried from comment 3.

Keywords:
(none) =>
advisory, validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0003.html

Status:
NEW =>
RESOLVED
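
The before/after check in the QA comment above (a segfault on POC.xps before the update, a clean "Error rendering page" exit after it) can be scripted for regression testing. This is an added example, not part of the bug report or of libgxps; the function names `classify_status` and `check_poc` are hypothetical, and it assumes the converter takes an input file and an output prefix, as the `xpstojpeg POC.xps /dev/null` call suggests.

```shell
#!/bin/sh
# Added example (not from the bug report): tell a crash from a clean
# rejection when replaying a PoC file through a converter.

# classify_status STATUS
# Prints: ok | rejected | crash:<signal number>
classify_status() {
    status=$1
    if [ "$status" -eq 0 ]; then
        echo ok
    elif [ "$status" -gt 128 ]; then
        # Shells report death by signal N as 128+N (SIGSEGV = 11 -> 139).
        # A program that itself exits with a code above 128 would also
        # land here, so treat this as "needs a look", not as proof.
        echo "crash:$((status - 128))"
    else
        # Non-zero exit without a signal: the input was refused cleanly.
        echo rejected
    fi
}

# check_poc CONVERTER FILE
# Runs CONVERTER on FILE with a throwaway output prefix (assumed calling
# convention) and returns 1 only if the converter died from a signal.
check_poc() {
    converter=$1
    input=$2
    outdir=$(mktemp -d) || return 2
    status=0
    "$converter" "$input" "$outdir/page" >/dev/null 2>&1 || status=$?
    rm -rf "$outdir"
    verdict=$(classify_status "$status")
    echo "$converter $input: $verdict"
    case $verdict in
        crash:*) return 1 ;;
        *) return 0 ;;
    esac
}

# Usage (commented out so the file can be sourced):
#   check_poc xpstojpeg POC.xps || echo "regression: converter crashed"
```
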