Bug 1124500 (CVE-2014-5116)
| Summary: | CVE-2014-5116 cairo: NULL pointer dereference in cairo_image_surface_get_data() | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Vasyl Kaigorodov <vkaigoro> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | acathrow, alonbl, bazulay, bmcclain, cfergeau, dblechte, ecohen, erik-fedora, fedora-mingw, fedora, idith, iheim, jrusnack, lfarkas, lveyde, marcandre.lureau, otte, rh-spice-bugs, rjones, sisharma, yeylon |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2014-08-14 06:53:28 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1127269, 1127274 | ||
| Bug Blocks: | 1124503 | ||
|
Description
Vasyl Kaigorodov
2014-07-29 15:59:02 UTC
removed by mistake, not sure how. Hi, What exact cairo pvr is a fix for this issue? Thanks! Explanation: Wireshark crashed before it hits the function in cairo because the the higher value inside the text box in wireshark -> Statistics -> IP Addresses or IP Destination cause the window to be painted much bigger than the Main X Window and it crashes which is right on part of Window Manager Implementation and X Window System. It doesnt affect linux system as descrbed in the CVE-2014-5116 assigned.Wireshark should be sanitizing the input from: wireshark -> Statistics -> IP Destination wireshark -> Statistics -> IP Addresses Things like this are supposed to be taken care by the application by itself. In the process of reproducing this issue this resulted in (wireshark:9541): Gdk-WARNING **: Native Windows wider or taller than 32767 pixels are not supported (wireshark:9541): Gdk-ERROR **: The program 'wireshark' received an X Window System error. following code in simple_dialog.c which is part of wireshark, causes crash the argument ap is va_list (Variable Argument Lists) which is used when a function can accept any number of values, the number of arguments are unkown at compile time. putting 50,000 "A" s causes the corruption in va_list which lead to crash of program while executing the code message = g_strdup_vprintf(msg_format, ap); $17 = {_flags = 219, _IO_read_ptr = 0x7fc291d9f30e "g_strdup_vprintf", _IO_read_end = 0x7fc291d89188 "", _IO_read_base = 0x0, _IO_write_base = 0x0, _IO_write_ptr = 0x7fc291d86b38 "", _IO_write_end = 0x7fc291d9d829 "report_failure", _IO_buf_base = 0x7fc28dbc61f8 "", _IO_buf_end = 0x7fc291d8f2d0 "\251\024", _IO_save_base = 0x500000000 <Address 0x500000000 out of bounds>, _IO_backup_base = 0x100000315 <Address 0x100000315 out of bounds>, _IO_save_end = 0x20 <Address 0x20 out of bounds>, _markers = 0x7fc28b541e80, _chain = 0x7fc291d894e0, _fileno = -1950316992, _flags2 = 32706, _old_offset = 140473647167928, _cur_column = 37256, _vtable_offset = -40 '\330', _shortbuf = "\221", _lock = 0x0, _offset = 3562113576, _codecvt = 0x5, _wide_data = 0x4512f0, _freeres_list = 0x0, _freeres_buf = 0x7fc2947ba9f0, _freeres_size = 140473670547440, _mode = -1848074240, _unused2 = "\302\177\000\000\360_\267\221\302\177\000\000\005\000\000\000\000\000\000"} Submitting 50,000 A's into the the filter text box causes corruption scrambling the text on the Wireshark GUI this is because the va_list which stores all the strings are corrupted. Statement: We do not consider a user-assisted crash of a client application such as Wireshark to be a security issue. For more information please see https://bugzilla.redhat.com/show_bug.cgi?id=1124500#c5 |