[GDK] patch - avoid integer overflow when allocating a large block of memory

Bug #1540811 reported by Vlad Orlov on 2016-02-02
Affects             Status        Importance  Assigned to       Milestone
GTK+                Fix Released  Low
gtk+2.0 (Debian)    Fix Released  Unknown
gtk+2.0 (Ubuntu)                  High        Unassigned
  Precise                         Medium      Marc Deslauriers
  Trusty                          Medium      Marc Deslauriers
  Wily                            Medium      Marc Deslauriers
  Xenial                          High        Unassigned
gtk+3.0 (Ubuntu)                  Medium      Unassigned
  Precise                         Medium      Marc Deslauriers
  Trusty                          Medium      Unassigned
  Wily                            Medium      Unassigned
  Xenial                          Medium      Unassigned

Bug Description

[Impact]

Due to a logic error, an attempt to allocate a large block of memory fails in gdk_cairo_set_source_pixbuf, leading to a crash of the app that called it, for example, eom [1].

This issue has been fixed [2] in GTK+3, but GTK+2 apps that use the mentioned function still crash when trying to allocate a lot of memory. An example of such an app is eom (Eye of MATE), an image viewer, which crashes when trying to load a large image.

I propose fixing it in current Ubuntu releases with the patch which fixes the crash.
The debdiffs are in the attachments in the comments below.

[Test Case]

Steps to reproduce:

1. Have a 64-bit installation of Ubuntu.
2. Install eom if it isn't installed.
3. Download the archive from the attachment of this post and unpack it. (Firefox doesn't allow me to upload the image as is: it tries to make a thumbnail of it right in the file open dialog, then crashes.)
4. Open the unpacked image (27000_27000_1437947845.png) in eom.
5. eom crashes. The full backtrace is at [3].

You'll also see an error message: "failed to allocate 18446744072330584320 bytes". This huge number appears due to overflow during multiplication of two 32-bit signed integers. In the patch, this error is avoided by using a different memory allocation function.

[Regression Potential]

After several months of testing the patch in Debian Jessie, Debian Testing and Ubuntu 14.04, I haven't noticed any regressions.

[1] https://github.com/mate-desktop/eom/issues/93
[2] https://git.gnome.org/browse/gtk+/commit?id=894b1ae76a32720f4bb3d39cf460402e3ce331d6
[3] https://github.com/mate-desktop/eom/issues/93#issuecomment-141035799
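The arithmetic behind the "18446744072330584320 bytes" message, and the checked multiplication that the g_malloc_n fix relies on, as an added example that is not code from the bug report or from GTK+. It assumes a stride of width * 4 bytes (cairo ARGB32), which is a simplification of how gdk_cairo_set_source_pixbuf derives it.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Bytes per pixel of cairo's ARGB32 surface; stride = width * 4 is an
 * assumption made for this example. */
#define BYTES_PER_PIXEL 4u

/* Pre-fix arithmetic (constructed reproduction): stride and height are
 * 32-bit signed ints, so their product is computed in 32 bits and only
 * then widened to the 64-bit gsize the allocator receives. The multiply
 * is done in uint32_t to avoid signed-overflow UB; the sign extension
 * mirrors converting a negative int to gsize. */
uint64_t buggy_alloc_size(int32_t width, int32_t height)
{
    uint32_t stride = (uint32_t)width * BYTES_PER_PIXEL;  /* 108000 for 27000 px */
    uint32_t product = stride * (uint32_t)height;         /* 2916000000 > INT32_MAX */
    int32_t as_int = (int32_t)product;                    /* -1378967296 */
    return (uint64_t)(int64_t)as_int;                     /* sign-extended to 64 bits */
}

/* Overflow check equivalent to the one g_malloc_n performs before it
 * multiplies n_blocks by n_block_bytes: refuse instead of wrapping. */
bool checked_mul_size(uint64_t n_blocks, uint64_t n_block_bytes, uint64_t *out)
{
    if (n_block_bytes > 0 && n_blocks > UINT64_MAX / n_block_bytes)
        return false;
    *out = n_blocks * n_block_bytes;
    return true;
}

/* Post-fix arithmetic: widen each operand to 64 bits before multiplying
 * (as passing ints to g_malloc_n's gsize parameters does), then check. */
bool fixed_alloc_size(int32_t width, int32_t height, uint64_t *out)
{
    uint64_t stride = (uint64_t)width * BYTES_PER_PIXEL;
    return checked_mul_size((uint64_t)height, stride, out);
}

int main(void)
{
    uint64_t n = 0;
    printf("buggy: %llu bytes\n", (unsigned long long)buggy_alloc_size(27000, 27000));
    if (fixed_alloc_size(27000, 27000, &n))
        printf("fixed: %llu bytes\n", (unsigned long long)n);
    return 0;
}
```

For the 27000x27000 image from the test case the buggy path yields exactly the number in the error message, while the checked path returns the intended 2916000000 bytes.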

Changed in gtk+2.0 (Debian):
status: Unknown → New

The attachment "debdiff with the fix for Precise" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Changed in gtk+2.0 (Ubuntu):
importance: Undecided → High
status: New → Triaged
Changed in gtk:
importance: Unknown → Low
status: Unknown → Fix Released
Sebastien Bacher (seb128) wrote :

Thank you for your work. I've sponsored the xenial update (with a modified changelog, we don't have designated maintainers/NMUs in Ubuntu, also I tweaked the version number to not be .1 and listed the bug reference).

Once the update gets some testing in xenial we can look at the SRUs

Note that it would be nice to suggest to upstream that they backport the change to gtk-2-24 since they still roll updates to gtk2 sometimes and it could benefit users of other distros that way

Changed in gtk+2.0 (Ubuntu):
status: Triaged → Fix Committed
Seth Arnold (seth-arnold) wrote :

Do you know if this issue has a CVE assigned yet? I didn't see one in the linked bug reports but those references may not have migrated to those sources yet.

Thanks

information type: Public → Public Security
Seth Arnold (seth-arnold) wrote :

I've requested CVEs here http://www.openwall.com/lists/oss-security/2016/02/10/2

It appears this flaw was copy-pasted to a lot of programs.

Thanks

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gtk+2.0 - 2.24.29-1ubuntu2

---------------
gtk+2.0 (2.24.29-1ubuntu2) xenial; urgency=medium

  * gdkcairo-Avoid-integer-overflow.patch: new patch. Cherry-pick upstream
    commit from GTK+3 to avoid integer overflow when allocating a large block
    of memory in gdk_cairo_set_source_pixbuf. (lp: #1540811)

 -- Vlad Orlov <email address hidden> Tue, 02 Feb 2016 10:52:16 +0300

Changed in gtk+2.0 (Ubuntu):
status: Fix Committed → Fix Released
Marc Deslauriers (mdeslaur) wrote :

Since this is a security update, I'll sponsor these as security updates, and not as SRUs.

Changed in gtk+2.0 (Ubuntu Precise):
status: New → Confirmed
Changed in gtk+2.0 (Ubuntu Trusty):
status: New → Confirmed
Changed in gtk+2.0 (Ubuntu Wily):
status: New → Confirmed
Changed in gtk+2.0 (Ubuntu Precise):
importance: Undecided → Medium
Changed in gtk+2.0 (Ubuntu Trusty):
importance: Undecided → Medium
Changed in gtk+2.0 (Ubuntu Wily):
importance: Undecided → Medium
Changed in gtk+2.0 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in gtk+2.0 (Ubuntu Trusty):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in gtk+2.0 (Ubuntu Wily):
assignee: nobody → Marc Deslauriers (mdeslaur)
Changed in gtk+3.0 (Ubuntu Precise):
assignee: nobody → Marc Deslauriers (mdeslaur)
importance: Undecided → Medium
status: New → Confirmed
Changed in gtk+3.0 (Ubuntu Trusty):
status: New → Fix Released
Changed in gtk+3.0 (Ubuntu Wily):
status: New → Fix Released
Changed in gtk+3.0 (Ubuntu Xenial):
status: New → Fix Released
Changed in gtk+2.0 (Debian):
status: New → Confirmed
Changed in gtk+3.0 (Ubuntu Trusty):
importance: Undecided → Medium
Changed in gtk+3.0 (Ubuntu Wily):
importance: Undecided → Medium
Changed in gtk+3.0 (Ubuntu Xenial):
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gtk+2.0 - 2.24.10-0ubuntu6.3

---------------
gtk+2.0 (2.24.10-0ubuntu6.3) precise-security; urgency=low

  * gdkcairo-Avoid-integer-overflow.patch: new patch. Cherry-pick upstream
    commit from GTK+3 to avoid integer overflow when allocating a large block
    of memory in gdk_cairo_set_source_pixbuf. (LP: #1540811)
    - CVE-2013-7447

 -- Vlad Orlov <email address hidden> Tue, 22 Sep 2015 09:51:11 +0300

Changed in gtk+2.0 (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gtk+2.0 - 2.24.23-0ubuntu1.4

---------------
gtk+2.0 (2.24.23-0ubuntu1.4) trusty-security; urgency=medium

  * gdkcairo-Avoid-integer-overflow.patch: new patch. Cherry-pick upstream
    commit from GTK+3 to avoid integer overflow when allocating a large block
    of memory in gdk_cairo_set_source_pixbuf. (LP: #1540811)
    - CVE-2013-7447

 -- Vlad Orlov <email address hidden> Tue, 22 Sep 2015 11:09:21 +0300

Changed in gtk+2.0 (Ubuntu Trusty):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gtk+3.0 - 3.4.2-0ubuntu0.9

---------------
gtk+3.0 (3.4.2-0ubuntu0.9) precise-security; urgency=medium

  * SECURITY UPDATE: integer overflow via large sized image (LP: #1540811)
    - debian/patches/CVE-2013-7447.patch: use g_malloc_n in
      gdk_cairo_set_source_pixbuf in gdk/gdkcairo.c.
    - CVE-2013-7447

 -- Marc Deslauriers <email address hidden> Fri, 12 Feb 2016 08:37:18 -0500

Changed in gtk+3.0 (Ubuntu Precise):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gtk+2.0 - 2.24.28-1ubuntu1.1

---------------
gtk+2.0 (2.24.28-1ubuntu1.1) wily-security; urgency=medium

  * gdkcairo-Avoid-integer-overflow.patch: new patch. Cherry-pick upstream
    commit from GTK+3 to avoid integer overflow when allocating a large block
    of memory in gdk_cairo_set_source_pixbuf. (LP: #1540811)
    - CVE-2013-7447

 -- Vlad Orlov <email address hidden> Tue, 22 Sep 2015 13:27:04 +0300

Changed in gtk+2.0 (Ubuntu Wily):
status: Confirmed → Fix Released
Vlad Orlov (monsta) wrote :

Thank you guys!
Hope someone from Debian maintainers will take care of it as well...

Changed in gtk+2.0 (Debian):
status: Confirmed → Fix Committed
Changed in gtk+2.0 (Debian):
status: Fix Committed → Fix Released