Activity log for bug #1976189

Date Who What changed Old value New value Message
2022-05-29 16:27:34 Joshua Peisach bug added bug
2022-05-29 16:28:20 Joshua Peisach attachment added syslog.txt https://bugs.launchpad.net/ubuntu/+source/gthumb/+bug/1976189/+attachment/5593641/+files/syslog.txt
2022-05-29 16:30:04 Joshua Peisach information type Private Security Public Security
2022-05-29 16:30:53 Joshua Peisach gthumb (Ubuntu): status New In Progress
2022-05-29 16:30:55 Joshua Peisach gthumb (Ubuntu): assignee Joshua Peisach (itzswirlz)
2022-05-29 16:37:50 Joshua Peisach cve linked 2019-20326
2022-05-29 16:38:14 Joshua Peisach tags amd64 apport-bug focal third-party-packages amd64 apport-bug focal focal-security third-party-packages
2022-05-29 16:38:28 Joshua Peisach bug added subscriber Ubuntu Security Team
2022-05-29 17:15:04 Joshua Peisach attachment added gthumb_3.8.0-2.1ubuntu0.1.debdiff https://bugs.launchpad.net/ubuntu/+source/gthumb/+bug/1976189/+attachment/5593642/+files/gthumb_3.8.0-2.1ubuntu0.1.debdiff
2022-05-29 17:23:45 Joshua Peisach description

Old value:

[For some reason, the autoreporter wasn't opening Launchpad so I'm bugging this manually]

CVE-2019-20326 - if gThumb tries to load an image greater than Cairo's max drawing size, it will crash. This is a heap-based buffer overflow; an attacker could execute harmful code.

Fysac on GitHub made a good writeup about this - https://github.com/Fysac/CVE-2019-20326

I have a patch for 20.04 Focal.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: gthumb 3:3.8.0-2.1build1
ProcVersionSignature: Ubuntu 5.13.0-46.51~20.04.1-generic 5.13.19
Uname: Linux 5.13.0-46-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.24
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: X-Cinnamon
Date: Sun May 29 12:20:58 2022
InstallationDate: Installed on 2021-11-24 (185 days ago)
InstallationMedia: ubuntucinnamonremix "@BASECODENAME" (20210826)
SourcePackage: gthumb
UpgradeStatus: No upgrade log present (probably fresh install)

New value:

[For some reason, the autoreporter wasn't opening Launchpad so I'm bugging this manually]

CVE-2019-20326 - if gThumb tries to load an image greater than Cairo's max drawing size, it will crash. This is a heap-based buffer overflow; an attacker could execute harmful code.

Fysac on GitHub made a good writeup about this - https://github.com/Fysac/CVE-2019-20326

I have a patch for 20.04 Focal.

[Impact]
* When gthumb opens or the user tries to open larger than 32767 px, it overflows Cairo's max image size. Thus, a heap buffer overflow crashes gthumb.
* An attacker could use this to execute arbitrary code.

[Test Plan]
* Get or craft a JPEG image that has a height larger than 32767 pixels.
* Clone this repo if you need the image: https://github.com/Fysac/CVE-2019-20326
* Open it in gthumb, or just run 'gthumb poc.min.jpg'

[Where problems could occur]
* The code is in C - a great time for other regressions to open (thanks NULL)
* If an update is made to the cairo library, this can break the patch and break gthumb; not only this patch but the software as a whole
* This issue may still be reproducible across other formats - png, svg, etc.
* The type of image rendering may still make this vulnerable (see how the buffer was fixed in every case in the patch)

[Other Info]
* Desktop, ubuntu 20.04
* Not sure if I want to do Ubuntu 18.04, but cinnamon users may use gthumb so for ubuntu cinnamon I feel like it's important and 20.04 it's still in service for UCR

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: gthumb 3:3.8.0-2.1build1
ProcVersionSignature: Ubuntu 5.13.0-46.51~20.04.1-generic 5.13.19
Uname: Linux 5.13.0-46-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.24
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: X-Cinnamon
Date: Sun May 29 12:20:58 2022
InstallationDate: Installed on 2021-11-24 (185 days ago)
InstallationMedia: ubuntucinnamonremix "@BASECODENAME" (20210826)
SourcePackage: gthumb
UpgradeStatus: No upgrade log present (probably fresh install)

2022-05-29 17:26:07 Steve Beattie bug added subscriber Ubuntu Security Sponsors Team
2022-05-31 17:21:27 Joshua Peisach description

Old value:

[For some reason, the autoreporter wasn't opening Launchpad so I'm bugging this manually]

CVE-2019-20326 - if gThumb tries to load an image greater than Cairo's max drawing size, it will crash. This is a heap-based buffer overflow; an attacker could execute harmful code.

Fysac on GitHub made a good writeup about this - https://github.com/Fysac/CVE-2019-20326

I have a patch for 20.04 Focal.

[Impact]
* When gthumb opens or the user tries to open larger than 32767 px, it overflows Cairo's max image size. Thus, a heap buffer overflow crashes gthumb.
* An attacker could use this to execute arbitrary code.

[Test Plan]
* Get or craft a JPEG image that has a height larger than 32767 pixels.
* Clone this repo if you need the image: https://github.com/Fysac/CVE-2019-20326
* Open it in gthumb, or just run 'gthumb poc.min.jpg'

[Where problems could occur]
* The code is in C - a great time for other regressions to open (thanks NULL)
* If an update is made to the cairo library, this can break the patch and break gthumb; not only this patch but the software as a whole
* This issue may still be reproducible across other formats - png, svg, etc.
* The type of image rendering may still make this vulnerable (see how the buffer was fixed in every case in the patch)

[Other Info]
* Desktop, ubuntu 20.04
* Not sure if I want to do Ubuntu 18.04, but cinnamon users may use gthumb so for ubuntu cinnamon I feel like it's important and 20.04 it's still in service for UCR

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: gthumb 3:3.8.0-2.1build1
ProcVersionSignature: Ubuntu 5.13.0-46.51~20.04.1-generic 5.13.19
Uname: Linux 5.13.0-46-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.24
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: X-Cinnamon
Date: Sun May 29 12:20:58 2022
InstallationDate: Installed on 2021-11-24 (185 days ago)
InstallationMedia: ubuntucinnamonremix "@BASECODENAME" (20210826)
SourcePackage: gthumb
UpgradeStatus: No upgrade log present (probably fresh install)

New value:

[For some reason, the autoreporter wasn't opening Launchpad so I'm bugging this manually]

CVE-2019-20326 - if gThumb tries to load an image greater than Cairo's max drawing size, it will crash. This is a heap-based buffer overflow; an attacker could execute harmful code.

Fysac on GitHub made a good writeup about this - https://github.com/Fysac/CVE-2019-20326

I have a patch for 20.04 Focal.

[Impact]
* When gthumb opens or the user tries to open larger than 32767 px, it overflows Cairo's max image size. Thus, a heap buffer overflow crashes gthumb.
* An attacker could use this to execute arbitrary code.

[Test Plan]
* Get or craft a JPEG image that has a height larger than 32767 pixels.
* Clone this repo if you need the image: https://github.com/Fysac/CVE-2019-20326
* Open it in gthumb, or just run 'gthumb poc.min.jpg'

[Where problems could occur]
* The code is in C - a great time for other regressions to open (thanks NULL)
* If an update is made to the cairo library, this can break the patch and break gthumb; not only this patch but the software as a whole
* This issue may still be reproducible across other formats - png, svg, etc.
* The type of image rendering may still make this vulnerable (see how the buffer was fixed in every case in the patch)

[Additional commit needed]
* This patch alone does not fix the issue; it does prevent heap-buffer overflow but still results in gthumb crashing.
  gthumb: ../../../../src/cairo-surface.c:930: cairo_surface_reference: Assertion 'CAIRO_REFERENCE_COUNT_HAS_REFERENCE (&surface->ref_count)' failed.
* A trivial fix I found for this was in gth_image_set_cairo_surface() to remove the call to _gth_image_free_data (https://gitlab.gnome.org/GNOME/gthumb/-/blob/gthumb-3-8/gthumb/gth-image.c). This would prevent the crash (not remove the data in image->priv->data) but then other parts of GTK's drawing seem to freak out.
* An appropriate fix for this would be https://gitlab.gnome.org/GNOME/gthumb/-/commit/9729b8688d5d67c01deabea46ad469ec517250c5.
* Applying this fix allows for a greater risk of regression.
* If the value for whether gthumb is finished loading the jpeg is not finished, gthumb will set the value to 'finished' anyways. Then it proceeds to other cairo surface NULL checks.
* This would just have Gtk set an error and call it a day. (line 607 in the commit mentioned above).

[Other Info]
* Desktop, ubuntu 20.04
* Not sure if I want to do Ubuntu 18.04, but cinnamon users may use gthumb so for ubuntu cinnamon I feel like it's important and 20.04 it's still in service for UCR
* I think it's possible that this may occur throughout other types of image formats with the same setup. This may be reproducible on png's.
** There have been LOTS of stability commits and fixes for gthumb upstream; especially near the gthumb 3.8.3 release. It may be good if I later come back to fix them after this.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: gthumb 3:3.8.0-2.1build1
ProcVersionSignature: Ubuntu 5.13.0-46.51~20.04.1-generic 5.13.19
Uname: Linux 5.13.0-46-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.24
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: X-Cinnamon
Date: Sun May 29 12:20:58 2022
InstallationDate: Installed on 2021-11-24 (185 days ago)
InstallationMedia: ubuntucinnamonremix "@BASECODENAME" (20210826)
SourcePackage: gthumb
UpgradeStatus: No upgrade log present (probably fresh install)

2022-07-11 10:21:27 Fabian Toepfer gthumb (Ubuntu): assignee Joshua Peisach (itzswirlz) Fabian Toepfer (fabiantoepfer)
2022-07-11 10:29:57 Fabian Toepfer cve linked 2020-36427
2022-07-14 12:26:40 Fabian Toepfer bug watch added https://gitlab.gnome.org/GNOME/gthumb/-/issues/106
2022-08-12 15:08:35 Fabian Toepfer gthumb (Ubuntu): assignee Fabian Toepfer (fabiantoepfer) Joshua Peisach (itzswirlz)
2022-08-29 12:39:44 Fabian Toepfer attachment added gthumb_3.8.0-2.1ubuntu0.1.debdiff https://bugs.launchpad.net/ubuntu/+source/gthumb/+bug/1976189/+attachment/5612375/+files/gthumb_3.8.0-2.1ubuntu0.1.debdiff
2022-10-14 00:31:32 Launchpad Janitor gthumb (Ubuntu): status In Progress Fix Released
2022-10-14 00:45:03 Fabian Toepfer gthumb (Ubuntu): assignee Joshua Peisach (itzswirlz)