Bug 1427217 (CVE-2017-6313)

Summary: CVE-2017-6313 gdk-pixbuf: Integer underflow in io-icns.c
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: bmcclain, cfergeau, dblechte, dkholia, eedri, erik-fedora, fedora, klember, lsurette, mclasen, mgoldboi, michal.skrivanek, otte, rbalakri, rh-spice-bugs, rjones, sherold, srevivo, ykaul, ylavi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-07-31 03:50:02 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1427225, 1427226, 1427229    
Bug Blocks: 1427223    

Description Andrej Nemec 2017-02-27 15:44:06 UTC 
An integer underflow was found in gdk-pixbuf that allows an attacker to make different calls
to gdk_pixbuf_loader_write with a huge (2^32-1) count (size of buffer) that can be bigger than the actual size of given buffer. It is possible to give the loader any data we want so we can call any desired loader that it's data is recognized. This may lead to various behaviors - multiple out-of-buffer reads, infinite loops, or allocation attempt with the size.

References:

http://seclists.org/oss-sec/2017/q1/466
http://mov.sx/2017/02/21/bug-hunting-gdk-pixbuf.html

Upstream bug:

https://bugzilla.gnome.org/show_bug.cgi?id=779016
Comment 1 Andrej Nemec 2017-02-27 16:01:41 UTC 
Created gdk-pixbuf2 tracking bugs for this issue:

Affects: fedora-all [bug 1427225]


Created mingw-gdk-pixbuf tracking bugs for this issue:

Affects: fedora-all [bug 1427226]
Comment 2 Andrej Nemec 2017-02-27 16:12:33 UTC 
Created mingw-gdk-pixbuf tracking bugs for this issue:

Affects: epel-7 [bug 1427229]