Bug 23128 - libgxps new security issue CVE-2018-10733
Summary: libgxps new security issue CVE-2018-10733
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-07 19:03 CEST by David Walser
Modified: 2019-01-05 19:31 CET (History)
4 users

See Also:
Source RPM: libgxps-0.3.0-1.mga7.src.rpm
CVE:
Status comment: Patches available from upstream and Fedora


David Walser 2018-06-07 19:03:22 CEST

Whiteboard: (none) => MGA6TOO
Status comment: (none) => Patches available from upstream and Fedora

Marja Van Waes 2018-06-08 21:16:53 CEST

Assignee: bugsquad => gnome
CC: (none) => marja11

Comment 1 David Walser 2018-06-26 23:17:04 CEST
Fedora has added an additional patch for an integer overflow today (June 26):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UY53OSYKXQJ4PBBGTBJFU7FLVWGGFV4J/
Comment 2 David Walser 2019-01-01 03:58:23 CET
Bug reference for Comment 1 issue:
https://bugzilla.redhat.com/show_bug.cgi?id=1524378

Fixes included in libgxps-0.3.0-3.mga7 in Cauldron.

Whiteboard: MGA6TOO => (none)
Severity: normal => major
Version: Cauldron => 6

Comment 3 David Walser 2019-01-01 21:04:38 CET
Advisory:
========================

Updated libgxps packages fix security vulnerabilities:

A flaw was found in libgxps through 0.3.0. There is a heap-based buffer
over-read in the function ft_font_face_hash of gxps-fonts.c. A crafted input
will lead to a remote denial of service attack (CVE-2018-10733).

An integer overflow flaw exists within the "gxps_images_create_from_png()"
function in libgxps/gxps-images.c. An attacker can exploit this flaw to cause a
heap-based buffer overflow by tricking a user into opening a specially crafted
XPS document in an application using libgxps (rhbz#1524378).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10733
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/YMI6TEEICL3TNCY4C2VVCZGZEAERZFDZ/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/UY53OSYKXQJ4PBBGTBJFU7FLVWGGFV4J/
========================

Updated packages in core/updates_testing:
========================
libgxps2-0.2.5-1.2.mga6
libgxps-tools-0.2.5-1.2.mga6
libgxps-gir0.1-0.2.5-1.2.mga6
libgxps-devel-0.2.5-1.2.mga6

from libgxps-0.2.5-1.2.mga6.src.rpm

Assignee: gnome => qa-bugs
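
The second issue in the advisory above is an integer overflow in an image
loader that ends in a heap overflow. The following is an added illustration of
that bug class, not code from libgxps, the upstream commit or the Fedora patch:
the size of the pixel buffer is computed from attacker-controlled width and
height, once in the wrapping 32-bit form and once in an overflow-checked form
that refuses the image instead of returning a short buffer. The function
names, the 4-byte pixel format and the 1 GiB cap are assumptions chosen for the
example; the dimensions in main() are constructed, not taken from any PoC.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BYTES_PER_PIXEL 4u                      /* assumed: 32-bit RGBA pixels */
#define MAX_IMAGE_BYTES (1024u * 1024u * 1024u) /* hypothetical 1 GiB sanity cap */

/* Vulnerable form: the whole computation stays in a 32-bit unsigned, so a
 * crafted width/height pair wraps to a small (even zero) value. A loader that
 * allocates this many bytes and then decodes width*height pixels into the
 * buffer writes past the end of the heap block. */
uint32_t unchecked_pixel_bytes(uint32_t width, uint32_t height)
{
    uint32_t stride = width * BYTES_PER_PIXEL; /* may wrap */
    return stride * height;                     /* may wrap */
}

/* Hardened form: test each multiplication before doing it, in size_t, and
 * refuse anything above a sanity cap. Returns the byte count, or 0 when the
 * image must be rejected (zero dimension, arithmetic overflow, or too large). */
size_t checked_pixel_bytes(uint32_t width, uint32_t height)
{
    size_t stride, total;

    if (width == 0 || height == 0)
        return 0;
    if ((size_t)width > SIZE_MAX / BYTES_PER_PIXEL)
        return 0;
    stride = (size_t)width * BYTES_PER_PIXEL;
    if ((size_t)height > SIZE_MAX / stride)
        return 0;
    total = stride * (size_t)height;
    if (total > MAX_IMAGE_BYTES)
        return 0;
    return total;
}

/* 1 when the vulnerable computation silently wrapped, i.e. it would allocate
 * fewer bytes than the image really needs. */
int unchecked_wraps(uint32_t width, uint32_t height)
{
    uint64_t real = (uint64_t)width * BYTES_PER_PIXEL * (uint64_t)height;
    return real != (uint64_t)unchecked_pixel_bytes(width, height);
}

/* What a loader should call: NULL means "reject this image", never a short
 * buffer. */
unsigned char *alloc_pixels(uint32_t width, uint32_t height)
{
    size_t n = checked_pixel_bytes(width, height);
    return n ? calloc(1, n) : NULL;
}

int main(void)
{
    /* Constructed header dimensions: one benign image, two crafted ones. */
    const uint32_t dims[][2] = { {640, 480}, {65536, 65536}, {0x40000000u, 4} };
    size_t i;

    for (i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        uint32_t w = dims[i][0], h = dims[i][1];
        unsigned char *buf = alloc_pixels(w, h);
        printf("%10u x %-10u unchecked=%10u wraps=%d checked=%zu %s\n",
               w, h, unchecked_pixel_bytes(w, h), unchecked_wraps(w, h),
               checked_pixel_bytes(w, h), buf ? "accepted" : "rejected");
        free(buf);
    }
    return 0;
}
```

Build with `gcc -Wall -O2 example.c -o example` and run it. The two crafted
pairs make the 32-bit product wrap to exactly 0, so the vulnerable loader would
allocate nothing and then write gigabytes of pixel data into the heap; the
checked form divides before it multiplies, so the check itself can never wrap,
and the cap keeps a merely huge (but not overflowing) image from exhausting
memory. The first advisory item, the over-read in ft_font_face_hash, is a
separate bounds problem and is not modelled here.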

Comment 4 Len Lawrence 2019-01-02 20:51:07 CET
Mageia 6, x86_64

CVE-2018-10733
https://bugzilla.redhat.com/show_bug.cgi?id=1574844
$ file POC.xps 
POC.xps: Microsoft OOXML
$ xpstojpeg POC.xps  /dev/null
Segmentation fault (core dumped)

Updated the four packages.
The PoC file no longer forces a crash.
$ xpstojpeg POC.xps  /dev/null
Error rendering page 1: Error rendering page /Documents/1/Pages/1.fpage: ZIP uncompressed data is wrong size (read 186314, expected 186308)

Error opening output file /dev/null-1.jpg

$ apropos gxps-tools
gxps-tools: nothing appropriate.

The utilities deal in conversion of XPS files to image formats.
$ ls /bin/*xps*
/bin/fixps*   /bin/xpstojpeg*  /bin/xpstopng*  /bin/xpstosvg*
/bin/xpstat*  /bin/xpstopdf*   /bin/xpstops*

$ strace -o trace xpstojpeg sample1.xps
$ cat trace | grep lib | grep gxps
open("/usr/lib64/tls/x86_64/libgxps.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/libgxps.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/x86_64/libgxps.so.2", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libgxps.so.2", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libgxps.so.2.2.1", O_RDONLY) = 3

$ xpstopdf sample1.xps
$ xpstopng sample1.xps
$ xpstops sample1.xps
DBG: paper size: (null) 0, 0
$ xpstosvg sample1.xps
$ ls
page-1.jpg  POC.xps           sample1.pdf  sample1.svg  trace
page-1.png  '#report.23128#'  sample1.ps   sample1.xps

The page-1.* images displayed properly (ImageMagick display).
$ file sample1.ps
sample1.ps: PostScript document text conforming DSC level 3.0, Level 2
That displayed fine with gs.
okular handled sample1.pdf OK.  The image was displayed correctly.
$ okular sample1.pdf
org.kde.kwindowsystem: Could not find any platform plugin

The svg file displayed OK.
$ head sample1.svg
<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" width="816pt" height="1056pt" viewBox="0 0 816 1056" version="1.2">
<defs>
<g>
<symbol overflow="visible" id="glyph0-0">
<path style="stroke:none;" d="M 1.5 0 L 1.5 -7.5 L 7.5 
[...]

This update is good for 64-bits.

Whiteboard: (none) => MGA6-64-OK
CC: (none) => tarazed25

Comment 5 Lewis Smith 2019-01-02 21:22:41 CET
I need a hotkey for "Thank you Len for the testing"!
Validating. Advisoried from comment 3.

Keywords: (none) => advisory, validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 6 Mageia Robot 2019-01-05 19:31:39 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0003.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED
