[CVE-2019-20326] gthumb crashes when trying to load an image with a height above 32767 px (heap-based buffer overflow)
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
gthumb (Ubuntu) | Fix Released | Undecided | Unassigned | |
Bug Description
[For some reason, the autoreporter wasn't opening Launchpad so I'm bugging this manually]
CVE-2019-20326 - if gThumb tries to load an image greater than Cairo's max drawing size, it will crash. This is a heap-based buffer overflow that an attacker could use to execute harmful code.
Fysac on GitHub made a good writeup about this - https:/
I have a patch for 20.04 Focal.
[Impact]
* When gthumb opens, or the user tries to open, an image larger than 32767 px, it overflows Cairo's max image size. Thus, a heap buffer overflow crashes gthumb.
* An attacker could use this to execute arbitrary code.
[Test Plan]
* Get or craft a JPEG image that has a height larger than 32767 pixels.
* Clone this repo if you need the image: https:/
* Open it in gthumb, or just run 'gthumb poc.min.jpg'
[Where problems could occur]
* The code is in C - a great time for other regressions to open (thanks NULL)
* If an update is made to the cairo library, this can break the patch and break gthumb; not only this patch but the software as a whole
* This issue may still be reproducible across other formats - png, svg, etc.
* The type of image rendering may still make this vulnerable (see how the buffer was fixed in every case in the patch)
[Additional commit needed]
* This patch alone does not fix the issue; it does prevent heap-buffer overflow but still results in gthumb crashing.
gthumb: ../../.
* A trivial fix I found for this was in gth_image_
* An appropriate fix for this would be https:/
* Applying this fix allows for a greater risk of regression.
* If the value for whether gthumb is finished loading the jpeg is not finished, gthumb will set the value to 'finished' anyways. Then it proceeds to other cairo surface NULL checks.
* This would just have Gtk set an error and call it a day. (line 607 in the commit mentioned above).
[Other Info]
* Desktop, ubuntu 20.04
* Not sure if I want to do Ubuntu 18.04, but Cinnamon users may use gthumb, so for Ubuntu Cinnamon I feel like it's important, and 20.04 is still in service for UCR
* I think it's possible that this may occur throughout other types of image formats with the same setup. This may be reproducible on PNGs.
** There have been LOTS of stability commits and fixes for gthumb upstream, especially near the gthumb 3.8.3 release. It may be good if I later come back to fix them after this.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: gthumb 3:3.8.0-2.1build1
ProcVersionSign
Uname: Linux 5.13.0-46-generic x86_64
ApportVersion: 2.20.11-
Architecture: amd64
CasperMD5CheckR
CurrentDesktop: X-Cinnamon
Date: Sun May 29 12:20:58 2022
InstallationDate: Installed on 2021-11-24 (185 days ago)
InstallationMedia: ubuntucinnamonremix "@BASECODENAME" (20210826)
SourcePackage: gthumb
UpgradeStatus: No upgrade log present (probably fresh install)
CVE References
tags: | added: focal-security |
description: | updated |
description: | updated |
Changed in gthumb (Ubuntu): | |
assignee: | Joshua Peisach (itzswirlz) → Fabian Toepfer (fabiantoepfer) |
Changed in gthumb (Ubuntu): | |
assignee: | Fabian Toepfer (fabiantoepfer) → Joshua Peisach (itzswirlz) |
Changed in gthumb (Ubuntu): | |
assignee: | Joshua Peisach (itzswirlz) → nobody |
focal patch
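
As an added illustration (not the attached focal patch and not gthumb's own code): a pre-decode check that reads a JPEG's frame header and rejects dimensions above the 32767 px limit this report describes, before any surface or row buffer is sized from them. It can also confirm that a test image for the Test Plan really declares a height above the limit. The function name, result codes and sample bytes are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Per-axis limit from the report: Cairo's maximum image size is 32767 px.
 * JPEG stores each dimension in 16 bits, so a file can declare up to 65535. */
#define MAX_SURFACE_DIM 32767u
enum { DIM_MALFORMED = -1, DIM_OK = 0, DIM_TOO_LARGE = 1 };

/* Walk the marker segments up to the first start-of-frame (SOFn) header and
 * classify its dimensions. Every read is bounds-checked against len. */
int jpeg_check_dims(const uint8_t *buf, size_t len, unsigned *w, unsigned *h)
{
    size_t pos = 2;
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8) return DIM_MALFORMED; /* no SOI */
    while (pos + 4 <= len) {
        if (buf[pos] != 0xFF) return DIM_MALFORMED;
        uint8_t m = buf[pos + 1];
        if (m == 0xFF) { pos++; continue; }                /* fill byte */
        if (m == 0xD9 || m == 0xDA) return DIM_MALFORMED;  /* EOI/SOS before SOF */
        size_t seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (seglen < 2 || seglen > len - pos - 2) return DIM_MALFORMED;
        /* SOF markers are C0..CF except DHT (C4), JPG (C8) and DAC (CC). */
        if (m >= 0xC0 && m <= 0xCF && m != 0xC4 && m != 0xC8 && m != 0xCC) {
            if (seglen < 7) return DIM_MALFORMED;          /* precision + h + w */
            *h = ((unsigned)buf[pos + 5] << 8) | buf[pos + 6];
            *w = ((unsigned)buf[pos + 7] << 8) | buf[pos + 8];
            if (*w == 0 || *h == 0) return DIM_MALFORMED;  /* 0 (DNL) not handled */
            return (*w > MAX_SURFACE_DIM || *h > MAX_SURFACE_DIM) ? DIM_TOO_LARGE : DIM_OK;
        }
        pos += 2 + seglen;
    }
    return DIM_MALFORMED;
}

/* Constructed sample: SOI, a comment segment, SOF0 with height 40000, width 16. */
static const uint8_t sample_tall[] = {
    0xFF,0xD8, 0xFF,0xFE,0x00,0x04,'h','i',
    0xFF,0xC0,0x00,0x0B, 0x08, 0x9C,0x40, 0x00,0x10, 0x01,0x01,0x11,0x00 };

int main(void)
{
    unsigned w = 0, h = 0;
    int r = jpeg_check_dims(sample_tall, sizeof sample_tall, &w, &h);
    printf("result=%d width=%u height=%u\n", r, w, h);
    return 0;
}
```

A loader that gets `DIM_TOO_LARGE` should return an error to the caller instead of creating a surface, and the surface status should still be checked after creation for formats this header check does not cover.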