Bug 16869 - gdk-pixbuf2.0 more heap overflow issues (CVE-2015-7673, CVE-2015-7674)
Summary: gdk-pixbuf2.0 more heap overflow issues (CVE-2015-7673, CVE-2015-7674)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/659284/
Whiteboard: has_procedure advisory MGA5-32-OK MGA...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2015-10-01 17:14 CEST by David Walser
Modified: 2015-10-05 23:03 CEST (History)

See Also:
Source RPM: gdk-pixbuf2.0-2.31.2-2.1.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2015-10-01 17:14:56 CEST
CVEs were requested for two more heap overflow issues in gdk-pixbuf2.0:
http://openwall.com/lists/oss-security/2015/10/01/3
http://openwall.com/lists/oss-security/2015/10/01/4

However, I'm not sure that two requests were appropriate, because they may be the same issue.  The only commit between 2.32.0 and 2.32.1 (where they say the issues were fixed) that could be relevant is this one:
https://git.gnome.org/browse/gdk-pixbuf/commit/?h=gdk-pixbuf-2-32&id=e9a5704edaa9aee9498f1fbf6e1b70fcce2e55aa

The other commits are translation and build system updates, as well as dropping support for a few image formats.

Anyway, 2.31.x was the development branch that led up to the stable 2.32 branch, so I've updated both Mageia 5 and Cauldron to 2.32.1.

Advisory to come later pending the results of the CVE requests.

Something's wrong with the build system right now too, so I'll assign this to QA after it actually builds.

Comment 1 David Walser 2015-10-01 18:19:22 CEST
The requests were clarified.  The commit I identified fixes the second issue with gif files.  The first issue with tga files was actually fixed in 2.32.0 with a few commits, so this update was necessary to pull those fixes in:
http://openwall.com/lists/oss-security/2015/10/01/6
http://openwall.com/lists/oss-security/2015/10/01/7

Advisory pending CVE requests.

Advisory:
========================

Updated gdk-pixbuf packages fix security vulnerabilities:

Security researcher Gustavo Grieco reported a heap overflow in gdk-pixbuf
before 2.32.0. This issue is triggered by the scaling of a malformed tga
format image and results in a potentially exploitable crash.

Security researcher Gustavo Grieco reported a heap overflow in gdk-pixbuf
before 2.32.1. This issue is triggered by the scaling of a malformed gif
format image.

References:
http://openwall.com/lists/oss-security/2015/10/01/3
http://openwall.com/lists/oss-security/2015/10/01/4
========================

Updated packages in core/updates_testing:
========================
gdk-pixbuf2.0-2.32.1-1.mga5
libgdk_pixbuf2.0_0-2.32.1-1.mga5
libgdk_pixbuf2.0-devel-2.32.1-1.mga5
libgdk_pixbuf-gir2.0-2.32.1-1.mga5

from gdk-pixbuf2.0-2.32.1-1.mga5.src.rpm

Assignee: bugsquad => qa-bugs

Comment 2 David Walser 2015-10-01 23:32:22 CEST
Working fine on Mageia 5 i586.  Searched for bunnies in Google Image Search :o)

Whiteboard: (none) => has_procedure MGA5-32-OK

Comment 3 David Walser 2015-10-02 21:26:27 CEST
CVE assignments:
http://openwall.com/lists/oss-security/2015/10/02/9
http://openwall.com/lists/oss-security/2015/10/02/10

Advisory:
========================

Updated gdk-pixbuf packages fix security vulnerabilities:

Security researcher Gustavo Grieco reported a heap overflow in gdk-pixbuf
before 2.32.0. This issue is triggered by the scaling of a malformed tga
format image and results in a potentially exploitable crash (CVE-2015-7673).

Security researcher Gustavo Grieco reported a heap overflow in gdk-pixbuf
before 2.32.1. This issue is triggered by the scaling of a malformed gif
format image (CVE-2015-7674).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7673
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7674
http://openwall.com/lists/oss-security/2015/10/02/9
http://openwall.com/lists/oss-security/2015/10/02/10
David Walser 2015-10-02 21:26:40 CEST

Summary: gdk-pixbuf2.0 more heap overflow issues => gdk-pixbuf2.0 more heap overflow issues (CVE-2015-7673, CVE-2015-7674)

Comment 4 Yann Cantin 2015-10-02 22:06:30 CEST
mga5 x86_64

Installed packages:
 lib64gdk_pixbuf-gir2.0-2.32.1-1.mga5.x86_64.rpm
 lib64gdk_pixbuf2.0_0-2.32.1-1.mga5.x86_64.rpm
 lib64gdk_pixbuf2.0-devel-2.32.1-1.mga5.x86_64.rpm
 gdk-pixbuf2.0-2.32.1-1.mga5.x86_64.rpm

Bunnies look fine.

Update OK.

Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => yann.cantin

Comment 5 claire robinson 2015-10-02 23:25:56 CEST
Bunnies ftw \o/

Validating. Advisory uploaded.

Please push to 5 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure advisory MGA5-32-OK MGA5-64-OK
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2015-10-03 01:53:07 CEST
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0388.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 7 David Walser 2015-10-05 22:53:48 CEST
FYI, we have some actual PoCs now:
http://seclists.org/oss-sec/2015/q4/31
http://seclists.org/oss-sec/2015/q4/32
David Walser 2015-10-05 23:03:24 CEST

URL: (none) => http://lwn.net/Vulnerabilities/659284/

