Bug 856300 (CVE-2012-4433)

Summary: CVE-2012-4433 gegl: Integer overflow, leading to heap-based buffer overflow by parsing PPM image headers
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: jrusnack, nphilipp, security-response-team
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20121105,reported=20120911,source=redhat,cvss2=6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P,rhel-6/gegl=notaffected,rhel-7/gegl=notaffected,fedora-all/gegl=affected,cwe=CWE-190->CWE-122
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-10-29 12:39:14 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 870951, 870953, 873182, 912715, 979243
Bug Blocks: 856302
Attachments (Description, Flags):
  - quick fix, implements a safemultiply function, not sure if its portable though (flags: none)
  - quick fix, implements a safemultiply function, not sure if its portable though (flags: none)
  - Proposed patch against gegl git master (flags: none)

Description Jan Lieskovsky 2012-09-11 13:04:04 EDT
An integer overflow, leading to a heap-based buffer overflow, was found in the way the portable pixmap format (PPM) image file format handler of GEGL, a graph-based image processing framework, processed certain input PPM image file headers. A remote attacker could provide a specially crafted PPM image that, when opened in the gegl executable, would lead to a crash or, potentially, arbitrary code execution with the privileges of the user running the binary.

This issue was found by Murray McAllister, Red Hat Security Response Team.
Comment 2 Jan Lieskovsky 2012-09-11 13:08:23 EDT
This issue affects the version of the gegl package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the gegl package, as shipped with Fedora release of 16 and 17.
Comment 4 Huzaifa S. Sidhpurwala 2012-09-18 05:21:24 EDT
This issue has been assigned CVE-2012-4433
Comment 5 Huzaifa S. Sidhpurwala 2012-09-19 01:11:53 EDT
Looked at other places in the code; some of the multiplications going on there seem to be unsafe, but I can't find a way to trigger an overflow yet.

For example in png-load.c:

  pixels = g_malloc0 (width*bpp);

Here width = gint (4 bytes on x86-32) and g_malloc0's argument is gsize, which is again 4 bytes on x86-32, so there is a potential for an overflow here.

However, libpng in some way seems to cap the value of width here to < 32 bits, so I am not able to trigger an overflow via crafted PNG files.

I observed similar things for jpeg and other formats gegl reads.
Comment 7 Huzaifa S. Sidhpurwala 2012-09-19 01:23:57 EDT
Created attachment 614202 [details]
quick fix, implements a safemultiply function, not sure if its portable though
Comment 8 Huzaifa S. Sidhpurwala 2012-09-19 01:51:13 EDT
Created attachment 614203 [details]
quick fix, implements a safemultiply function, not sure if its portable though

New patch, use unsigned.
Comment 9 Nils Philippsen 2012-10-26 10:59:28 EDT
Created attachment 633906 [details]
Proposed patch against gegl git master

These 3 cumulative patches against git master make gegl crash with a SIGTRAP in a controlled fashion when it fails to g_malloc() about 12 Exabytes of memory. Ideally it would use g_try_malloc() to avoid a crash, but error propagation doesn't seem to work reliably in gegl -- so rather crash deterministically here than in an uncontrolled fashion somewhere else.

The first patch checks values before doing potentially overflowing calculations and checks the allocated memory before using it (which is a no-op until error propagation works and g_try_malloc() is used). The second patch uses long ints as operands (to avoid overflowing memory size calculations) and checks if calls to strtol() fail or contain non-decimal values (violating the file format). The third patch corrects a comment concerning interpretation of certain file format header fields.
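The two defensive measures discussed in comments 5 and 9 (an overflow-checked multiply in front of the pixel-buffer allocation, and strtol() results that are rejected when they fail or stop on a non-decimal character) can be shown together on a small PPM "P6" header parser. The code below is an added illustration written for this page; it is not gegl's code nor any of the attached patches. It assumes a 64-bit size_t for the overflow sample, does not handle '#' comment lines in the header, and uses a SIZE_MAX-based check rather than a type-specific "safemultiply", so the same check works on x86-32 where gsize is 4 bytes.

```c
#include <ctype.h>
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Parsed fields of a binary PPM ("P6") header. */
typedef struct {
    long   width;
    long   height;
    long   maxval;
    size_t nbytes;   /* width * height * 3 channels * bytes-per-sample, overflow-checked */
} ppm_header;

/* Overflow-checked size_t multiply: returns false instead of wrapping.
 * Independent of the width of size_t, so it behaves the same on x86-32 and x86-64. */
static bool safe_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Parse one positive decimal header field. Fails when strtol() consumed nothing,
 * reported ERANGE, produced a value outside (0, max], or stopped on a character
 * that is neither whitespace nor end of string (a non-decimal token). */
static bool parse_field(const char **cursor, long max, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(*cursor, &end, 10);
    if (end == *cursor || errno == ERANGE || v <= 0 || v > max)
        return false;
    if (*end != '\0' && !isspace((unsigned char)*end))
        return false;
    *cursor = end;
    *out = v;
    return true;
}

/* Parse "P6 <width> <height> <maxval>". Returns 0 on success, -1 for a bad magic
 * number, -2 for a malformed or out-of-range field, -3 when the pixel buffer size
 * would overflow size_t. Only after rc == 0 is h->nbytes safe to hand to malloc(). */
int ppm_parse_header(const char *hdr, ppm_header *h)
{
    if (hdr[0] != 'P' || hdr[1] != '6' || !isspace((unsigned char)hdr[2]))
        return -1;
    const char *p = hdr + 2;
    if (!parse_field(&p, LONG_MAX, &h->width) ||
        !parse_field(&p, LONG_MAX, &h->height) ||
        !parse_field(&p, 65535, &h->maxval))      /* PPM requires maxval < 65536 */
        return -2;

    size_t bps = h->maxval < 256 ? 1 : 2;         /* bytes per sample */
    size_t n;
    if (!safe_mul_size((size_t)h->width, (size_t)h->height, &n) ||
        !safe_mul_size(n, 3 * bps, &n))
        return -3;
    h->nbytes = n;
    return 0;
}

/* Convenience wrappers: return code only, and buffer size (0 on any failure). */
int ppm_check(const char *hdr)
{
    ppm_header h = {0};
    return ppm_parse_header(hdr, &h);
}

size_t ppm_pixel_bytes(const char *hdr)
{
    ppm_header h = {0};
    return ppm_parse_header(hdr, &h) == 0 ? h.nbytes : 0;
}

int main(void)
{
    /* Constructed sample headers, not taken from any real file. */
    const char *samples[] = {
        "P6 4 3 255\n",                      /* valid: 4*3*3 = 36 bytes */
        "P6 4294967296 4294967296 255\n",    /* 2^32 * 2^32 overflows a 64-bit size_t */
        "P6 4x 3 255\n",                     /* non-decimal width token */
        "P5 4 3 255\n",                      /* wrong magic number */
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("rc=%d nbytes=%zu\n", ppm_check(samples[i]), ppm_pixel_bytes(samples[i]));
    return 0;
}
```

The ordering matters: the dimensions are validated as decimal fields first, then the byte count is computed with the wrapping check, and only then would an allocation be attempted. Reversing that (allocate first, compute later) is exactly the pattern that turns a header-supplied width into an undersized heap buffer.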
Comment 16 Huzaifa S. Sidhpurwala 2012-11-05 04:42:51 EST
Created gegl tracking bugs for this issue

Affects: fedora-all [bug 873182]
Comment 17 Huzaifa S. Sidhpurwala 2012-11-05 04:47:25 EST
Acknowledgements:

This issue was discovered by Murray McAllister of Red Hat Security Response Team.
Comment 18 errata-xmlrpc 2012-11-12 13:26:51 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1455 https://rhn.redhat.com/errata/RHSA-2012-1455.html
Comment 21 Fedora Update System 2013-07-11 23:06:25 EDT
gegl-0.2.0-11.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Fedora Update System 2013-07-11 23:13:10 EDT
gegl-0.2.0-11.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Fedora Update System 2013-07-11 23:16:49 EDT
gegl-0.2.0-11.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.