Bug 1124500 (CVE-2014-5116) - CVE-2014-5116 cairo: NULL pointer dereference in cairo_image_surface_get_data()
Summary: CVE-2014-5116 cairo: NULL pointer dereference in cairo_image_surface_get_data()
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2014-5116
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1127269 1127274
Blocks: 1124503
TreeView+ depends on / blocked
 
Reported: 2014-07-29 15:59 UTC by Vasyl Kaigorodov
Modified: 2021-02-17 06:20 UTC (History)
21 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-08-14 06:53:28 UTC
Embargoed:


Attachments (Terms of Use)

Description Vasyl Kaigorodov 2014-07-29 15:59:02 UTC
From the todays CVE candidates:

  Name: CVE-2014-5116
  Status: Candidate
  URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5116
  Final-Decision:
  Interim-Decision:
  Modified:
  Proposed:
  Assigned: 20140729
  Category:
  Reference: EXPLOIT-DB:33384
  Reference: URL:http://www.exploit-db.com/exploits/33384
  Reference: CONFIRM:https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=9761
  Reference: OSVDB:107083
  Reference: URL:http://www.osvdb.org/107083
  
  The cairo_image_surface_get_data function in Cairo 1.10.2, as used in
  GTK+ and Wireshark, allows context-dependent attackers to cause a
  denial of service (NULL pointer dereference) via a large string.

Comment 1 Alon Bar-Lev 2014-08-05 17:21:08 UTC
removed by mistake, not sure how.

Comment 2 Alon Bar-Lev 2014-08-06 13:59:13 UTC
Hi,

What exact cairo pvr is a fix for this issue?

Thanks!

Comment 5 Siddharth Sharma 2014-08-14 06:51:37 UTC
Explanation:

Wireshark crashed before it hits the function in cairo because the the 
higher value inside the text box  in wireshark -> Statistics -> IP Addresses or 
IP Destination cause the window to be painted much bigger than the Main X Window 
and it crashes which is right on part of Window Manager Implementation and X 
Window System. It doesnt affect linux system as descrbed in the CVE-2014-5116 
assigned.Wireshark should be sanitizing the input from:

wireshark -> Statistics -> IP Destination
wireshark -> Statistics -> IP Addresses

Things like this are supposed to be taken care by the application by itself.

In the process of reproducing this issue this resulted in

(wireshark:9541): Gdk-WARNING **: Native Windows wider or taller than 32767 pixels are not supported
(wireshark:9541): Gdk-ERROR **: The program 'wireshark' received an X Window System error.


following code in simple_dialog.c which is part of wireshark, causes crash the argument ap is va_list (Variable Argument Lists) which is used when a function can accept any number of values, the number of arguments are unkown at compile time. putting 50,000 "A" s causes the corruption in va_list which lead to crash of program while executing the code

message = g_strdup_vprintf(msg_format, ap);

$17 = {_flags = 219, _IO_read_ptr = 0x7fc291d9f30e "g_strdup_vprintf", _IO_read_end = 0x7fc291d89188 "", _IO_read_base = 0x0, _IO_write_base = 0x0, _IO_write_ptr = 0x7fc291d86b38 "", _IO_write_end = 0x7fc291d9d829 "report_failure", _IO_buf_base = 0x7fc28dbc61f8 "", 
  _IO_buf_end = 0x7fc291d8f2d0 "\251\024", _IO_save_base = 0x500000000 <Address 0x500000000 out of bounds>, _IO_backup_base = 0x100000315 <Address 0x100000315 out of bounds>, _IO_save_end = 0x20 <Address 0x20 out of bounds>, _markers = 0x7fc28b541e80, _chain = 
    0x7fc291d894e0, _fileno = -1950316992, _flags2 = 32706, _old_offset = 140473647167928, _cur_column = 37256, _vtable_offset = -40 '\330', _shortbuf = "\221", _lock = 0x0, _offset = 3562113576, _codecvt = 0x5, _wide_data = 0x4512f0, _freeres_list = 0x0, _freeres_buf = 
    0x7fc2947ba9f0, _freeres_size = 140473670547440, _mode = -1848074240, _unused2 = "\302\177\000\000\360_\267\221\302\177\000\000\005\000\000\000\000\000\000"}

Submitting 50,000 A's into the the filter text box causes corruption scrambling the text on the Wireshark GUI this is because the va_list which stores all the strings are corrupted.

Comment 6 Siddharth Sharma 2014-08-14 06:53:28 UTC
Statement:

We do not consider a user-assisted crash of a client application such as Wireshark to be a security issue. For more information please see https://bugzilla.redhat.com/show_bug.cgi?id=1124500#c5


Note You need to log in before you can comment on or make changes to this bug.