Bug 1251749 - CVE-2015-6673 libpgf: Use-after-free bug in Decoder.cpp
Status: CLOSED NEXTRELEASE
Product: Fedora
Classification: Fedora
Component: libpgf
Version: rawhide
Hardware: All
OS: All
Priority: unspecified
Severity: medium
Assigned To: Rex Dieter
QA Contact: Fedora Extras Quality Assurance
Depends On:
Blocks:
Reported: 2015-08-09 11:22 EDT by pcheng
Modified: 2016-11-08 11:13 EST (History)

Fixed In Version: 6.14.12-4.el7
Doc Type: Bug Fix
Last Closed: 2015-08-19 03:55:01 EDT
Type: Bug

Attachments (Terms of Use)
sample for reproducing crash (1.03 KB, application/octet-stream)
2015-08-09 11:22 EDT, pcheng

Description pcheng 2015-08-09 11:22:29 EDT
Created attachment 1060748
sample for reproducing crash

Description of problem:
Recently I reported a use-after-free issue in Decoder.cpp to upstream, and it has been fixed upstream. The problem is due to a lack of validation of ColorTableSize.

The bug was fixed by upstream:
https://sourceforge.net/p/libpgf/code/147/
https://sourceforge.net/p/libpgf/code/148/

Version-Release number of selected component (if applicable):
Versions before 6.15.32

How reproducible:
In the upstream repo there is a proof-of-concept utility (https://sourceforge.net/p/libpgf/code/HEAD/tree/trunk/pgf ; note: the bug is in the library, not in this utility). Issuing the following command with the attached crash.pgf:

$ ./libpgf-code-136-trunk/pgf/build/src/pgf -d crash.pgf out.gif
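The report says the root cause is that ColorTableSize is taken from the file without validation, but it gives no further detail on how that leads to the use-after-free. The following added example (written for this page; it is not libpgf's code and does not reproduce Decoder.cpp or the attached crash.pgf) shows the general pattern the fix is described as adding: a header-supplied table size is checked against the fixed destination and the remaining input before anything is copied. The file layout, the function names and the sample byte strings are all hypothetical and constructed for the demonstration.

```c
/* Illustrative palette (colour-table) parser: unchecked vs. hardened.
 * Hypothetical on-disk layout (NOT the PGF format):
 *   offset 0: uint16 little-endian number of palette entries
 *   offset 2: entries, 4 bytes each (B, G, R, reserved)
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_PALETTE_ENTRIES 256   /* 8-bit indexed colour: at most 256 entries */
#define PALETTE_ENTRY_BYTES 4

typedef struct {
    uint8_t  pal[MAX_PALETTE_ENTRIES * PALETTE_ENTRY_BYTES];
    uint16_t entries;
} palette_t;

static uint16_t rd_u16le(const uint8_t *p) {
    return (uint16_t)(p[0] | (p[1] << 8));
}

/* Pattern the bug report describes: the size field is read from the file
 * and used as-is. A count above 256 overruns pal[]; a count larger than the
 * remaining input reads past buf. Kept only to show the defect; never call
 * it on untrusted data. */
int parse_palette_unchecked(const uint8_t *buf, size_t len, palette_t *out) {
    if (len < 2) return -1;
    uint16_t n = rd_u16le(buf);
    out->entries = n;
    memcpy(out->pal, buf + 2, (size_t)n * PALETTE_ENTRY_BYTES); /* no bounds check */
    return 0;
}

/* Hardened form: validate the header field against both the fixed-size
 * destination and the bytes actually present before touching memory.
 * Returns 0 on success, -1 short header, -2 bogus count, -3 truncated data. */
int parse_palette_checked(const uint8_t *buf, size_t len, palette_t *out) {
    if (len < 2) return -1;
    uint16_t n = rd_u16le(buf);
    if (n == 0 || n > MAX_PALETTE_ENTRIES) return -2;
    size_t need = (size_t)n * PALETTE_ENTRY_BYTES;
    if (need > len - 2) return -3;
    memcpy(out->pal, buf + 2, need);
    out->entries = n;
    return 0;
}

/* Constructed sample inputs (hypothetical, not taken from crash.pgf). */
static const uint8_t good_hdr[]  = { 0x02, 0x00, 0,0,0,0, 255,255,255,0 }; /* 2 entries */
static const uint8_t huge_hdr[]  = { 0xFF, 0xFF, 1,2,3,4 };                /* claims 65535 */
static const uint8_t short_hdr[] = { 0x03, 0x00, 0,0,0,0 };                /* claims 3, has 1 */

/* Run the hardened parser on a buffer and return its status code. */
int classify(const uint8_t *buf, size_t len) {
    palette_t p;
    memset(&p, 0, sizeof p);
    return parse_palette_checked(buf, len, &p);
}

/* 1 when the hardened parser accepts the valid input (and copies it
 * correctly) and rejects both malformed inputs; 0 otherwise. */
int demo_checks_hold(void) {
    palette_t p;
    memset(&p, 0, sizeof p);
    if (parse_palette_checked(good_hdr, sizeof good_hdr, &p) != 0) return 0;
    if (p.entries != 2 || p.pal[4] != 255) return 0;
    if (classify(huge_hdr, sizeof huge_hdr) != -2) return 0;
    if (classify(short_hdr, sizeof short_hdr) != -3) return 0;
    return 1;
}

int main(void) {
    printf("good  -> %d\n", classify(good_hdr, sizeof good_hdr));
    printf("huge  -> %d\n", classify(huge_hdr, sizeof huge_hdr));
    printf("short -> %d\n", classify(short_hdr, sizeof short_hdr));
    printf("checks hold: %d\n", demo_checks_hold());
    return demo_checks_hold() ? 0 : 1;
}
```

The unchecked variant is deliberately not exercised on the malformed inputs; running it under AddressSanitizer on huge_hdr is the quickest way to see the overrun it permits. The two rejections in the checked variant are the ones a decoder needs before any allocation or copy driven by a size field read from the file.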
Comment 1 Fedora Update System 2015-08-10 13:33:38 EDT
libpgf-6.14.12-4.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/libpgf-6.14.12-4.fc23
Comment 2 Fedora Update System 2015-08-10 14:37:11 EDT
libpgf-6.14.12-4.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/libpgf-6.14.12-4.el7
Comment 3 Fedora Update System 2015-08-11 02:17:38 EDT
Package libpgf-6.14.12-4.el7:
* should fix your issue,
* was pushed to the Fedora EPEL 7 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing libpgf-6.14.12-4.el7'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-7600/libpgf-6.14.12-4.el7
then log in and leave karma (feedback).
Comment 4 Fedora Update System 2015-08-19 03:55:01 EDT
libpgf-6.14.12-4.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 5 Adam Mariš 2015-08-26 05:01:28 EDT
CVE assignment:

http://seclists.org/oss-sec/2015/q3/437
Comment 6 Fedora Update System 2015-08-26 18:25:13 EDT
libpgf-6.14.12-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
