Bug 1037975 - CVE-2013-6425 pixman: integer underflow when handling trapezoids
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware/OS: All Linux
Priority: high / Severity: high
Assigned To: Red Hat Product Security
Whiteboard: impact=important,public=20130716,repo...
Keywords: Security
Depends On: 1043743 1043744 1043745 1043746 1043757 1043758 1043759 1043760 1043765 1043766
Blocks: 1037980
Reported: 2013-12-04 03:00 EST by Murray McAllister
Modified: 2015-10-15 14:07 EDT
Doc Type: Bug Fix
Last Closed: 2013-12-24 00:30:31 EST
Attachments: None
Description Murray McAllister 2013-12-04 03:00:42 EST
An integer underflow flaw was found in pixman when handling trapezoids. If an application that uses pixman opened a crafted document, it could cause the application to crash.

References:
http://seclists.org/oss-sec/2013/q4/399
https://bugs.freedesktop.org/show_bug.cgi?id=67484
https://bugs.freedesktop.org/attachment.cgi?id=87925
Comment 1 Murray McAllister 2013-12-04 03:04:48 EST
CVE request: http://www.openwall.com/lists/oss-security/2013/12/03/8
Comment 4 Huzaifa S. Sidhpurwala 2013-12-16 02:27:01 EST
Adam,

If you look at the valgrind output from the above reproducer, there is an invalid read and an invalid write on the heap, which really seems to be user controllable. Looking at the code the issue is in pixman/pixman-edge.c:

210                 WRITE (image, ap + lxi,
211                        clip255 (READ (image, ap + lxi) + rxs - lxs));

This leads me to conclude that there could be a possibility of arbitrary user-controlled code execution (which means I need to raise the impact to important, etc.). Was wondering if you could take a look and let me know if you think otherwise?
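The following is an added illustration of the pattern quoted above from pixman-edge.c; it is constructed for this page and is neither pixman's code nor the reproducer attached to the freedesktop bug. It models a scanline coverage accumulator driven by 16.16 fixed-point edge coordinates (the representation pixman uses for trapezoids) and shows why the index derived from those coordinates has to be range-checked before the read-modify-write, next to a hardened form that clamps the span to the row. The names `add_span_unchecked`, `add_span_checked`, `ROW_WIDTH` and the fixed-point helpers are hypothetical, and the sample spans are constructed inputs.

```c
/*
 * Constructed model of the span-accumulation pattern discussed above
 * (not pixman's code, not the bug's reproducer). One scanline of 8-bit
 * coverage is built from a left and a right edge in 16.16 fixed point.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef int32_t fixed_t;                        /* 16.16 fixed point, like pixman_fixed_t */
#define FIXED_ONE        ((fixed_t)1 << 16)
#define FIXED_TO_INT(f)  ((int)((f) >> 16))     /* arithmetic shift on gcc/clang: floors negatives */
#define FIXED_FRAC(f)    ((int)((f) & (FIXED_ONE - 1)))
#define ROW_WIDTH        16                     /* hypothetical mask width for the demo */

static int clip255(int v)
{
    return v < 0 ? 0 : (v > 255 ? 255 : v);
}

/*
 * Vulnerable form: lxi/rxi come straight from caller-controlled coordinates
 * and are used as array indexes. A negative or oversized value (for instance
 * the result of an underflow in the caller's coordinate arithmetic) reaches
 * ap[lxi] unchanged, so the read-modify-write lands outside the row.
 */
void add_span_unchecked(uint8_t *ap, fixed_t lx, fixed_t rx)
{
    int lxi = FIXED_TO_INT(lx), rxi = FIXED_TO_INT(rx);
    int lxs = FIXED_FRAC(lx) >> 8, rxs = FIXED_FRAC(rx) >> 8;   /* sub-pixel coverage, 0..255 */

    if (lxi == rxi) {
        /* same shape as the READ/WRITE pair quoted from pixman-edge.c */
        ap[lxi] = (uint8_t)clip255(ap[lxi] + rxs - lxs);
    } else {
        ap[lxi] = (uint8_t)clip255(ap[lxi] + 255 - lxs);
        for (int i = lxi + 1; i < rxi; i++)
            ap[i] = 255;
        ap[rxi] = (uint8_t)clip255(ap[rxi] + rxs);
    }
}

/*
 * Hardened form: reject inverted spans, skip spans entirely outside the
 * row, clamp the rest to [0, width) and never index at width itself.
 * Returns 0 on success, -1 if the span is rejected.
 */
int add_span_checked(uint8_t *ap, int width, fixed_t lx, fixed_t rx)
{
    fixed_t max_x = (fixed_t)width << 16;       /* width is small here, so no overflow */

    if (rx < lx)
        return -1;                              /* inverted span: typical symptom of underflow upstream */
    if (rx <= 0 || lx >= max_x)
        return 0;                               /* entirely outside the row: nothing to draw */
    if (lx < 0)
        lx = 0;
    if (rx > max_x)
        rx = max_x;

    int lxi = FIXED_TO_INT(lx), rxi = FIXED_TO_INT(rx);
    int lxs = FIXED_FRAC(lx) >> 8, rxs = FIXED_FRAC(rx) >> 8;

    if (lxi == rxi) {
        ap[lxi] = (uint8_t)clip255(ap[lxi] + rxs - lxs);
    } else {
        ap[lxi] = (uint8_t)clip255(ap[lxi] + 255 - lxs);
        for (int i = lxi + 1; i < rxi && i < width; i++)
            ap[i] = 255;
        if (rxi < width)                        /* rx == max_x gives rxi == width, rxs == 0 */
            ap[rxi] = (uint8_t)clip255(ap[rxi] + rxs);
    }
    return 0;
}

/*
 * Shows the stray write safely: the 16-pixel row sits in the middle of a
 * zeroed slab, so the out-of-row write hits slab bytes we can inspect rather
 * than an unrelated heap object. Returns the guard byte at row[-5].
 */
int unchecked_guard_byte(void)
{
    uint8_t slab[64];
    uint8_t *row = slab + 32;
    fixed_t lx = -5 * FIXED_ONE;                /* constructed attacker span left of x = 0 */
    fixed_t rx = lx + FIXED_ONE / 2;

    memset(slab, 0, sizeof slab);
    add_span_unchecked(row, lx, rx);            /* writes row[-5], i.e. slab[27] */
    return slab[27];
}

/* Rasterizes one span into a fresh row with the checked routine and returns
 * the coverage at idx, or -1 if the span was rejected. */
int checked_span_pixel(fixed_t lx, fixed_t rx, int idx)
{
    uint8_t row[ROW_WIDTH];
    memset(row, 0, sizeof row);
    if (add_span_checked(row, ROW_WIDTH, lx, rx) != 0)
        return -1;
    return row[idx];
}

int main(void)
{
    printf("unchecked: guard byte outside the row became %d\n", unchecked_guard_byte());
    printf("checked:   same span -> pixel 0 is %d, row untouched\n",
           checked_span_pixel(-5 * FIXED_ONE, -5 * FIXED_ONE + FIXED_ONE / 2, 0));
    printf("checked:   inverted span -> %d (rejected)\n",
           checked_span_pixel(3 * FIXED_ONE, 2 * FIXED_ONE, 0));
    return 0;
}
```

The guard byte in the unchecked path is what valgrind reports as an invalid read followed by an invalid write: the READ at `ap + lxi` fetches memory outside the mask and the WRITE stores a value the caller influenced through `rxs - lxs`. In real code the row is a heap allocation, so the same write lands in whatever neighbours it. The checked path keeps the accumulation identical for in-range spans and only adds the range decisions at the top, which is where a fix for this class of bug belongs, rather than inside the inner loop.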
Comment 5 Adam Jackson 2013-12-16 11:56:36 EST
(In reply to Huzaifa S. Sidhpurwala from comment #4)

> This leads me to conclude that there could be a possible of arbitrary
> user-controlled code execution. (which means i need to raise the impact to
> important etc). Was wondering if you could take a look and let me know if
> you think otherwise?

I'm not especially familiar with this part of pixman, but I can't rule this out from a quick read.  I'd play it safe and raise the impact.
Comment 6 Huzaifa S. Sidhpurwala 2013-12-16 23:18:44 EST
After closer investigation of this issue, it seems that arbitrary code execution via user-controlled data may be possible in this particular flaw.
Comment 8 Huzaifa S. Sidhpurwala 2013-12-16 23:22:01 EST
Created mingw-pixman tracking bugs for this issue:

Affects: fedora-all [bug 1043744]
Comment 9 Huzaifa S. Sidhpurwala 2013-12-16 23:22:05 EST
Created mingw32-pixman tracking bugs for this issue:

Affects: epel-5 [bug 1043745]
Comment 10 Huzaifa S. Sidhpurwala 2013-12-16 23:22:08 EST
Created pixman tracking bugs for this issue:

Affects: fedora-all [bug 1043743]
Comment 16 errata-xmlrpc 2013-12-20 05:49:14 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:1869 https://rhn.redhat.com/errata/RHSA-2013-1869.html
Comment 17 Fedora Update System 2014-08-07 11:29:36 EDT
pixman-0.30.0-4.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 18 Fedora Update System 2014-08-15 20:25:56 EDT
pixman-0.30.0-5.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 19 Fedora Update System 2014-08-29 23:55:37 EDT
pixman-0.30.0-5.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
