Bug 1037975 (CVE-2013-6425)
| Summary: | CVE-2013-6425 pixman: integer underflow when handling trapezoids | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Murray McAllister <mmcallis> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | CC: | ajax, erik-fedora, fedora-mingw, jkurik, jrusnack, kraxel, lfarkas, marcandre.lureau, pfrields, ratulg, rjones, sandmann, vdanen |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2013-12-24 05:30:31 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1043743, 1043744, 1043745, 1043746, 1043757, 1043758, 1043759, 1043760, 1043765, 1043766 | ||
| Bug Blocks: | 1037980 | ||
|
Description
Murray McAllister
2013-12-04 08:00:42 UTC
Adam, If you look at the valgrind output from the above reproducer, there is an invalid read and an invalid write on the heap, which really seems to be user controllable. Looking at the code the issue is in pixman/pixman-edge.c: 210 WRITE (image, ap + lxi, 211 clip255 (READ (image, ap + lxi) + rxs - lxs)); This leads me to conclude that there could be a possible of arbitrary user-controlled code execution. (which means i need to raise the impact to important etc). Was wondering if you could take a look and let me know if you think otherwise? (In reply to Huzaifa S. Sidhpurwala from comment #4) > This leads me to conclude that there could be a possible of arbitrary > user-controlled code execution. (which means i need to raise the impact to > important etc). Was wondering if you could take a look and let me know if > you think otherwise? I'm not especially familiar with this part of pixman, but I can't rule this out from a quick read. I'd play it safe and raise the impact. After closer investigation of this issue, it seems that arbitrary code execution via user controlled data may be possible in this particular flaw. Created mingw-pixman tracking bugs for this issue: Affects: fedora-all [bug 1043744] Created mingw32-pixman tracking bugs for this issue: Affects: epel-5 [bug 1043745] Created pixman tracking bugs for this issue: Affects: fedora-all [bug 1043743] Upstream patch: http://cgit.freedesktop.org/pixman/commit/?id=5e14da97f16e421d084a9e735be21b1025150f0c http://cgit.freedesktop.org/pixman/commit/?id=2f876cf86718d3dd9b3b04ae9552530edafe58a1 This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2013:1869 https://rhn.redhat.com/errata/RHSA-2013-1869.html pixman-0.30.0-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. pixman-0.30.0-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report. pixman-0.30.0-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. |