Bug 27908 - pix new security issue CVE-2019-20326
Summary: pix new security issue CVE-2019-20326
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2020-12-23 08:19 CET by Zombie Ryushu
Modified: 2021-01-08 12:00 CET
CC: 3 users

See Also:
Source RPM: pix-2.0.3-2.mga7.src.rpm
CVE: CVE-2019-20326
Status comment:



Description Zombie Ryushu 2020-12-23 08:19:27 CET
A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg() in extensions/cairo_io/cairo-image-surface-jpeg.c in GNOME gThumb before 3.8.3 and Linux Mint Pix before 2.4.5 allows attackers to cause a crash and potentially execute arbitrary code via a crafted JPEG file.
Zombie Ryushu 2020-12-23 08:19:41 CET

CVE: (none) => CVE-2019-20326

Comment 1 David Walser 2020-12-23 17:51:22 CET
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20326

Also fixed in gthumb in Bug 26084.

Summary: pix security issue CVE-2019-20326 => pix new security issue CVE-2019-20326
Assignee: bugsquad => geiger.david68210
CC: (none) => joequant

Comment 2 Nicolas Lécureuil 2020-12-24 00:27:45 CET
I updated to the latest version of the 2.4 branch:

src: pix-2.4.11-1.mga7

Assignee: geiger.david68210 => qa-bugs
CC: (none) => mageia

Comment 3 David Walser 2020-12-24 00:45:09 CET
Advisory:
========================

Updated pix packages fix security vulnerability:

A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg() in
extensions/cairo_io/cairo-image-surface-jpeg.c in Linux Mint Pix before 2.4.5
allows attackers to cause a crash and potentially execute arbitrary code via a
crafted JPEG file (CVE-2019-20326).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20326
========================

Updated packages in core/updates_testing:
========================
pix-2.4.11-1.mga7
pix-devel-2.4.11-1.mga7

from pix-2.4.11-1.mga7.src.rpm

Comment 4 Len Lawrence 2020-12-24 09:45:51 CET
mga7, x64

Before updating:
CVE-2019-20326
https://github.com/Fysac/CVE-2019-20326/blob/master/poc.min.jpg
$ gthumb poc.min.jpg
(gthumb:8793): Gtk-WARNING **: 08:20:07.933: Theme parsing error: gtk.css:2:33: Failed to import: Error opening file /home/lcl/.config/gtk-3.0/window_decorations.css: No such file or directory
Gtk-Message: 08:20:07.954: Failed to load module "colorreload-gtk-module"
gthumb: cairo-surface.c:930: cairo_surface_reference: Assertion `CAIRO_REFERENCE_COUNT_HAS_REFERENCE (&surface->ref_count)' failed.
Aborted (core dumped)

Note that the warning message always occurs here with applications using Gtk.  I always ignore it.

After update:
CVE-2019-20326
$ gthumb poc.min.jpg
<Gtk warning ...>
gthumb: cairo-surface.c:930: cairo_surface_reference: Assertion `CAIRO_REFERENCE_COUNT_HAS_REFERENCE (&surface->ref_count)' failed.
Aborted (core dumped)

No change there.
$ rpm -q pix
pix-2.4.11-1.mga7
$ rpm -q pix-devel
pix-devel-2.4.11-1.mga7

Is this expected to exit gracefully?

CC: (none) => tarazed25
Keywords: (none) => feedback
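
An added QA-harness example (not from this bug report, Mageia, or the pix project): a shell script that runs an image viewer against a test file under a time limit and classifies how the process ended, so a "Before updating" / "After update" comparison like the one above records a clean exit, an abort (the cairo-surface.c assertion shows up as SIGABRT, status 134), a segfault, or a timeout (the viewer stayed open, i.e. the file loaded). It assumes GNU timeout(1) from coreutils and, optionally, rpm for the version line; the viewer command and the test file are supplied by the tester as arguments.

```shell
#!/bin/sh
# Added QA harness (not part of the bug report or of pix): run a viewer on a
# test file and report how the process ended, so "before updating" and
# "after update" runs can be compared by exit reason rather than by eye.

# classify_exit STATUS
# Prints one word for a child's exit status. POSIX shells report death by
# signal as 128 + signal number, so 134 is SIGABRT and 139 is SIGSEGV.
classify_exit() {
    case "$1" in
        0)   echo "clean" ;;       # viewer exited normally
        124) echo "timeout" ;;     # GNU timeout(1) stopped it: viewer stayed open, no crash
        127) echo "not-found" ;;   # command not installed (or not on PATH)
        134) echo "abort" ;;       # SIGABRT, e.g. a failed assertion such as cairo_surface_reference
        139) echo "segfault" ;;    # SIGSEGV: memory corruption reached an invalid access
        *)   echo "exit-$1" ;;     # anything else: report the raw status
    esac
}

# run_viewer SECONDS COMMAND [ARGS...]
# Runs COMMAND with its output discarded, waits at most SECONDS (assumes GNU
# timeout from coreutils; falls back to an unbounded run without it), and
# prints the classification. Always returns 0 so it is safe under 'set -e'.
run_viewer() {
    secs="$1"; shift
    status=0
    if command -v timeout >/dev/null 2>&1; then
        timeout "$secs" "$@" >/dev/null 2>&1 || status=$?
    else
        "$@" >/dev/null 2>&1 || status=$?   # no timeout(1): a viewer that stays open blocks here
    fi
    classify_exit "$status"
    return 0
}

# report PACKAGE SECONDS COMMAND [ARGS...]
# Prints a one-line record: installed package version (via rpm -q when rpm is
# present, otherwise "unknown") plus the run's classification. Keeping these
# lines from before and after an update gives the comparison made by hand above.
report() {
    pkg="$1"; shift
    ver=unknown
    if command -v rpm >/dev/null 2>&1; then
        ver=$(rpm -q "$pkg" 2>/dev/null) || ver=unknown
    fi
    echo "$pkg=$ver result=$(run_viewer "$@")"
    return 0
}

# Usage from a shell, with the viewer and test file supplied by the tester:
#   report pix 10 pix poc.min.jpg
if [ "$#" -ge 3 ]; then
    report "$@"
fi
```

Run it once on the pre-update package and once after `urpmi`/`dnf` pulls the candidate from updates_testing; a result that stays at `abort` on the same file, as Comment 4 reports, is exactly what the harness is meant to make visible without interpreting a GTK warning wall.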

Comment 5 David Walser 2020-12-24 15:54:38 CET
Indeed, that looks bad.

Comment 6 Len Lawrence 2021-01-08 12:00:24 CET
Meanwhile, running gthumb without any apparent regressions.
$ grep bin/pix gthumb.trace | egrep -v "local|rbenv"
access("/usr/bin/pix", X_OK)            = 0
stat("/usr/bin/pix", {st_mode=S_IFREG|0755, st_size=993888, ...}) = 0
access("/usr/bin/pix", X_OK)            = 0
stat("/usr/bin/pix", {st_mode=S_IFREG|0755, st_size=993888, ...}) = 0
access("/usr/bin/pix", X_OK)            = 0
stat("/usr/bin/pix", {st_mode=S_IFREG|0755, st_size=993888, ...}) = 0
....

Nothing else, apart from task-xapps, appears to need pix.
So, all that is needed is an acknowledgement of a possible problem related to the patch.  Otherwise there is no point in pushing this version.
