CVE-2021-46829: Buffer overwrite in io-gif-animation.c composite_frame() in gdk-pixbuf
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| gdk-pixbuf (Ubuntu) | Fix Released | Undecided | Joshua Peisach | |
| Focal | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
* A buffer overwrite exists in gdk-pixbuf's thumbnailer.
* The GIF loader runs out of memory with specifically crafted files with bad frame data (and images with its sizes) over the integer limit.
* After gdk-pixbuf-thum runs out of memory, other apps can too, and on low-RAM systems like my old iMac the system can completely run out of memory.
* Or, in other ways, bad gif files in other applications can open the door for exploits.
* Any app using gdk-pixbuf is affected, mainly file managers and image viewers.
[Test Plan]
* Take the POCs - they can be found in the issue in the GNOME repo
* Open them in an application that uses gdk-pixbuf. I have managed to produce reactions with:
- Nautilus, GNOME's file manager
- Nemo, Cinnamon's file manager
- Thunar, XFCE's file manager, which has its own thumbnailer (tumbler) that also inevitably fails and crashes
- PCManFM, LXDE's file manager which straight up crashes
- Caja, MATE's file manager causes libpixbufloader-gif to segfault (app still usable, no memory issues)
- Eye of GNOME (eog) triggers the segfault in syslog
- Eye of MATE (eom) segfaults
* If you or the system couldn't tell something is wrong, cat /var/log/syslog and enjoy the segfaults or out of memory warnings or even kernel spam.
[Where problems could occur]
* The patch itself is simple, but since gdk-pixbuf is often used with GTK apps a mistake here could be problematic.
* It is possible, and has happened in the past (which has been patched) that other bad GIFs can cause other crashes.
* That patch is essentially overflow checks - changes with GLib (GNOME's, not to be confused with glibc) and the functions used in not only the patch but all of gdk-pixbuf can cause problems
* Other failures to properly handle GIFs and broken or intentionally tampered GIFs can continue and always will open the door for security holes for other bugs
* Again, overall a simple patch but as long as the GIFs remain handled properly, and no changes to the GLib functions are made and to other apps that use gdk-pixbuf (and assuming are not affected by the change and still work), the patch does not have much regression potential.
[Other Info]
* Besides Buffer overwrite/overflow issues, as aforementioned out of memory errors can happen.
* Files attached are examples of crashes
* Again, all apps using gdk-pixbuf are affected
* https:/
* https:/
* https:/
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: libgdk-pixbuf2.0-0 2.40.0+
ProcVersionSign
Uname: Linux 5.15.0-43-generic x86_64
ApportVersion: 2.20.11-
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: X-Cinnamon
Date: Tue Jul 26 19:33:41 2022
InstallationDate: Installed on 2021-11-24 (244 days ago)
InstallationMedia: ubuntucinnamonremix "@BASECODENAME" (20210826)
SourcePackage: gdk-pixbuf
UpgradeStatus: No upgrade log present (probably fresh install)
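The report describes the fix as "essentially overflow checks" on frame data whose sizes exceed the integer limit. The following is an added illustration of that defensive pattern, written for this page and not gdk-pixbuf's own code: before a frame is composited into the animation canvas, the canvas buffer size is computed with overflow-checked multiplication and the frame rectangle is bounds-checked against the canvas, so every later write lands inside the allocation. The struct, function names and the INT_MAX buffer cap are assumptions chosen for the example.

```c
/* Added example, not gdk-pixbuf's code: overflow and bounds checks a GIF
 * frame compositor needs before writing frame pixels into a canvas.
 * All names and the size cap below are hypothetical. */
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BYTES_PER_PIXEL 4   /* RGBA, as a typical pixbuf stores pixels */

typedef struct {
    int width, height;            /* canvas (logical screen) size */
    int x_offset, y_offset;       /* frame placement within the canvas */
    int frame_width, frame_height;
} frame_geometry;

/* Compute width * BYTES_PER_PIXEL * height with overflow detection.
 * Returns false on non-positive dimensions, on size_t overflow, or when the
 * total exceeds INT_MAX (assumed cap: pixbuf rowstride/length are ints). */
static bool checked_buffer_size(int width, int height, size_t *out)
{
    size_t stride, total;
    if (width <= 0 || height <= 0)
        return false;
    if (__builtin_mul_overflow((size_t)width, (size_t)BYTES_PER_PIXEL, &stride))
        return false;
    if (__builtin_mul_overflow(stride, (size_t)height, &total))
        return false;
    if (total > (size_t)INT_MAX)
        return false;
    *out = total;
    return true;
}

/* Verify the frame lies entirely inside the canvas; the right/bottom edges
 * are computed with overflow-checked addition so a huge offset cannot wrap. */
static bool frame_fits_canvas(const frame_geometry *g)
{
    int right, bottom;
    if (g->x_offset < 0 || g->y_offset < 0 ||
        g->frame_width <= 0 || g->frame_height <= 0)
        return false;
    if (__builtin_add_overflow(g->x_offset, g->frame_width, &right))
        return false;
    if (__builtin_add_overflow(g->y_offset, g->frame_height, &bottom))
        return false;
    return right <= g->width && bottom <= g->height;
}

/* Allocate the canvas and paint the frame rectangle with a constructed
 * solid colour. Returns NULL (and allocates nothing) when the geometry is
 * rejected; otherwise the caller owns the returned buffer. */
uint8_t *composite_frame_checked(const frame_geometry *g, size_t *canvas_len)
{
    size_t size, stride;
    uint8_t *canvas;
    if (!checked_buffer_size(g->width, g->height, &size) || !frame_fits_canvas(g))
        return NULL;
    canvas = calloc(1, size);
    if (!canvas)
        return NULL;
    stride = (size_t)g->width * BYTES_PER_PIXEL;
    for (int y = 0; y < g->frame_height; y++) {
        /* Row start is inside the canvas because frame_fits_canvas passed. */
        uint8_t *row = canvas + (size_t)(g->y_offset + y) * stride
                              + (size_t)g->x_offset * BYTES_PER_PIXEL;
        for (int x = 0; x < g->frame_width * BYTES_PER_PIXEL; x++)
            row[x] = 0xff;
    }
    if (canvas_len)
        *canvas_len = size;
    return canvas;
}

int main(void)
{
    /* Constructed geometries: one valid frame, one frame past the canvas
     * edge, one whose offset would wrap a 32-bit int. */
    frame_geometry cases[] = {
        {4, 4, 1, 1, 2, 2},
        {4, 4, 3, 0, 2, 2},
        {4, 4, INT_MAX, 0, 1, 1},
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t len = 0;
        uint8_t *c = composite_frame_checked(&cases[i], &len);
        printf("case %zu: %s (%zu bytes)\n", i, c ? "accepted" : "rejected", len);
        free(c);
    }
    return 0;
}
```

The two checks are deliberately separate: the size check guards the allocation, the geometry check guards the writes. Passing one without the other is exactly the gap a crafted frame header exploits, so a loader should reject the frame if either fails rather than clamp and continue.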
CVE References
description: updated
description: updated
description: updated
Changed in gdk-pixbuf (Ubuntu):
status: In Progress → Fix Released
Here is what it did to my iMac.