Bug 1037975 (CVE-2013-6425) - CVE-2013-6425 pixman: integer underflow when handling trapezoids
Summary: CVE-2013-6425 pixman: integer underflow when handling trapezoids
Status: CLOSED ERRATA
Alias: CVE-2013-6425
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20130716,repo...
Keywords: Security
Depends On: 1043743 1043744 1043745 1043746 1043757 1043758 1043759 1043760 1043765 1043766
Blocks: 1037980
Reported: 2013-12-04 08:00 UTC by Murray McAllister
Modified: 2019-06-08 19:49 UTC (History)
Clone Of:
Last Closed: 2013-12-24 05:30:31 UTC


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1869 normal SHIPPED_LIVE Important: pixman security update 2013-12-20 15:48:08 UTC

Description Murray McAllister 2013-12-04 08:00:42 UTC
An integer underflow flaw was found in pixman when handling trapezoids. If an application using pixman opened a crafted document, it could cause the application to crash.

References:
http://seclists.org/oss-sec/2013/q4/399
https://bugs.freedesktop.org/show_bug.cgi?id=67484
https://bugs.freedesktop.org/attachment.cgi?id=87925

Comment 1 Murray McAllister 2013-12-04 08:04:48 UTC
CVE request: http://www.openwall.com/lists/oss-security/2013/12/03/8

Comment 4 Huzaifa S. Sidhpurwala 2013-12-16 07:27:01 UTC
Adam,

If you look at the valgrind output from the above reproducer, there is an invalid read and an invalid write on the heap, which really seems to be user controllable. Looking at the code the issue is in pixman/pixman-edge.c:

                WRITE (image, ap + lxi,
                       clip255 (READ (image, ap + lxi) + rxs - lxs));

This leads me to conclude that there could be a possibility of arbitrary user-controlled code execution (which means I need to raise the impact to important, etc.). Was wondering if you could take a look and let me know if you think otherwise?

Comment 5 Adam Jackson 2013-12-16 16:56:36 UTC
(In reply to Huzaifa S. Sidhpurwala from comment #4)

> This leads me to conclude that there could be a possibility of arbitrary
> user-controlled code execution (which means I need to raise the impact to
> important, etc.). Was wondering if you could take a look and let me know if
> you think otherwise?

I'm not especially familiar with this part of pixman, but I can't rule this out from a quick read.  I'd play it safe and raise the impact.

Comment 6 Huzaifa S. Sidhpurwala 2013-12-17 04:18:44 UTC
After closer investigation of this issue, it seems that arbitrary code execution via user controlled data may be possible in this particular flaw.

Comment 8 Huzaifa S. Sidhpurwala 2013-12-17 04:22:01 UTC
Created mingw-pixman tracking bugs for this issue:

Affects: fedora-all [bug 1043744]

Comment 9 Huzaifa S. Sidhpurwala 2013-12-17 04:22:05 UTC
Created mingw32-pixman tracking bugs for this issue:

Affects: epel-5 [bug 1043745]

Comment 10 Huzaifa S. Sidhpurwala 2013-12-17 04:22:08 UTC
Created pixman tracking bugs for this issue:

Affects: fedora-all [bug 1043743]

Comment 16 errata-xmlrpc 2013-12-20 10:49:14 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:1869 https://rhn.redhat.com/errata/RHSA-2013-1869.html

Comment 17 Fedora Update System 2014-08-07 15:29:36 UTC
pixman-0.30.0-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 18 Fedora Update System 2014-08-16 00:25:56 UTC
pixman-0.30.0-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 19 Fedora Update System 2014-08-30 03:55:37 UTC
pixman-0.30.0-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
