An integer underflow flaw was found in pixman when handling trapezoids. If an application using pixman opened a crafted document, it could cause the application to crash.
References:
http://seclists.org/oss-sec/2013/q4/399
https://bugs.freedesktop.org/show_bug.cgi?id=67484
https://bugs.freedesktop.org/attachment.cgi?id=87925
CVE request: http://www.openwall.com/lists/oss-security/2013/12/03/8
Adam, if you look at the valgrind output from the above reproducer, there is an invalid read and an invalid write on the heap, which really seems to be user controllable. Looking at the code, the issue is in pixman/pixman-edge.c:

    210 WRITE (image, ap + lxi,
    211        clip255 (READ (image, ap + lxi) + rxs - lxs));

This leads me to conclude that there could be a possibility of arbitrary user-controlled code execution (which means I need to raise the impact to important, etc.). Was wondering if you could take a look and let me know if you think otherwise?
(In reply to Huzaifa S. Sidhpurwala from comment #4)
> This leads me to conclude that there could be a possible of arbitrary
> user-controlled code execution. (which means i need to raise the impact to
> important etc). Was wondering if you could take a look and let me know if
> you think otherwise?

I'm not especially familiar with this part of pixman, but I can't rule this out from a quick read. I'd play it safe and raise the impact.
After closer investigation of this issue, it seems that arbitrary code execution via user controlled data may be possible in this particular flaw.
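The pixman-edge.c lines quoted above index the scanline with `lxi`, so a coordinate that has underflowed becomes an offset into heap memory. The following is an added, constructed illustration (not pixman's code; `alpha_row`, `add_coverage_checked` and the sample spans are assumptions) of the same accumulate step with the index validated against the row before any read or write:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified stand-in for an 8-bit alpha scanline; not pixman's image type. */
typedef struct {
    uint8_t *ap;   /* first pixel of the scanline */
    int width;     /* number of pixels the scanline actually holds */
} alpha_row;

static int clip255(int v) { return v < 0 ? 0 : (v > 255 ? 255 : v); }

/*
 * Add coverage (rxs - lxs) to pixel lxi of the row, the operation quoted from
 * pixman-edge.c, but refuse any index outside [0, width). An index that has
 * underflowed to a negative value, or that lies past the end of the row, is
 * reported to the caller instead of being used as a heap offset.
 * Returns true when the pixel was updated, false when the index was rejected.
 */
static bool add_coverage_checked(alpha_row *r, int lxi, int lxs, int rxs)
{
    if (r == NULL || r->ap == NULL || lxi < 0 || lxi >= r->width)
        return false;                       /* out-of-row index: touch no memory */
    r->ap[lxi] = (uint8_t)clip255(r->ap[lxi] + rxs - lxs);
    return true;
}

/* Demo: run the checked write over a small row; returns how many spans were rejected. */
static int demo_rejected_writes(void)
{
    uint8_t pixels[8];
    memset(pixels, 0, sizeof pixels);
    alpha_row row = { pixels, 8 };
    int rejected = 0;
    /* constructed sample spans: (lxi, lxs, rxs); -1 mimics an underflowed index */
    const int spans[][3] = { {3, 10, 60}, {-1, 0, 20}, {8, 0, 5}, {3, 0, 250} };
    for (size_t i = 0; i < sizeof spans / sizeof spans[0]; i++)
        if (!add_coverage_checked(&row, spans[i][0], spans[i][1], spans[i][2]))
            rejected++;
    return rejected;   /* 2: the negative index and the index equal to width */
}

/* Demo: repeated coverage on one pixel saturates at 255 instead of wrapping. */
static int demo_saturation(void)
{
    uint8_t pixels[4] = {0};
    alpha_row row = { pixels, 4 };
    add_coverage_checked(&row, 2, 0, 200);
    add_coverage_checked(&row, 2, 0, 200);
    return pixels[2];   /* 255 */
}
```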
Created mingw-pixman tracking bugs for this issue: Affects: fedora-all [bug 1043744]
Created mingw32-pixman tracking bugs for this issue: Affects: epel-5 [bug 1043745]
Created pixman tracking bugs for this issue: Affects: fedora-all [bug 1043743]
Upstream patches:
http://cgit.freedesktop.org/pixman/commit/?id=5e14da97f16e421d084a9e735be21b1025150f0c
http://cgit.freedesktop.org/pixman/commit/?id=2f876cf86718d3dd9b3b04ae9552530edafe58a1
This issue has been addressed in the following products:
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2013:1869 https://rhn.redhat.com/errata/RHSA-2013-1869.html
pixman-0.30.0-4.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
pixman-0.30.0-5.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
pixman-0.30.0-5.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.