Bug 1251749 (CVE-2015-6673) - CVE-2015-6673 libpgf: Use-after-free bug in Decoder.cpp
Summary: CVE-2015-6673 libpgf: Use-after-free bug in Decoder.cpp
Status: CLOSED NEXTRELEASE
Alias: CVE-2015-6673
Product: Fedora
Classification: Fedora
Component: libpgf
Version: rawhide
Hardware: All
OS: All
Priority: unspecified
Severity: medium
Target Milestone: ---
Assignee: Rex Dieter
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Keywords:
Depends On:
Blocks:
Reported: 2015-08-09 15:22 UTC by pcheng
Modified: 2016-11-08 16:13 UTC (History)
Clone Of:
Last Closed: 2015-08-19 07:55:01 UTC


Attachments
sample for reproducing crash (1.03 KB, application/octet-stream)
2015-08-09 15:22 UTC, pcheng

Description pcheng 2015-08-09 15:22:29 UTC
Created attachment 1060748 [details]
sample for reproducing crash

Description of problem:
Recently I reported a use-after-free issue in Decoder.cpp to upstream, and it has been fixed by upstream. The problem is due to a lack of validation of ColorTableSize.

The bug was fixed by upstream:
https://sourceforge.net/p/libpgf/code/147/
https://sourceforge.net/p/libpgf/code/148/

Version-Release number of selected component (if applicable):
Versions before 6.15.32

How reproducible:
In the upstream's repo, there is a proof-of-concept utility (https://sourceforge.net/p/libpgf/code/HEAD/tree/trunk/pgf; note: the bug is in the library, not in this utility). Issuing the following command with the attached crash.pgf:

$ ./libpgf-code-136-trunk/pgf/build/src/pgf -d crash.pgf out.gif
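
The root cause named above is a header field (ColorTableSize) that was trusted without validation. The following is an added illustration of the defensive pattern, not code from libpgf or from this report: a hypothetical palette header (a 32-bit little-endian entry count followed by 4-byte entries; the layout, field names and limits are assumptions, not the PGF format) is parsed only after the claimed entry count is checked against both the fixed table capacity and the bytes actually present in the input. The sample inputs are constructed here and are unrelated to the attached crash.pgf.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical limits for the illustration (not libpgf's values). */
#define MAX_COLOR_TABLE_ENTRIES 256
#define COLOR_ENTRY_BYTES 4
#define HEADER_BYTES 4

typedef struct {
    uint32_t color_table_size;  /* entry count claimed by the header */
    uint8_t  color_table[MAX_COLOR_TABLE_ENTRIES * COLOR_ENTRY_BYTES];
} palette_header;

/* Parse a palette from buf[0..len). Returns 0 on success, -1 if rejected.
 * Every size derived from untrusted input is checked before it is used
 * as a copy length or table index. */
int read_palette(const uint8_t *buf, size_t len, palette_header *out)
{
    if (buf == NULL || out == NULL || len < HEADER_BYTES)
        return -1;

    uint32_t n = (uint32_t)buf[0]
               | ((uint32_t)buf[1] << 8)
               | ((uint32_t)buf[2] << 16)
               | ((uint32_t)buf[3] << 24);

    /* Check 1: the claimed count must fit the fixed-size table. */
    if (n > MAX_COLOR_TABLE_ENTRIES)
        return -1;

    /* Check 2: the input must really contain that many entries.
     * n is already bounded, so the multiplication cannot overflow. */
    size_t need = (size_t)n * COLOR_ENTRY_BYTES;
    if (len - HEADER_BYTES < need)
        return -1;

    out->color_table_size = n;
    memcpy(out->color_table, buf + HEADER_BYTES, need);
    return 0;
}

/* Helper for the constructed samples below. */
static int parse_sample(const uint8_t *buf, size_t len, uint32_t *count_out)
{
    palette_header h;
    int rc = read_palette(buf, len, &h);
    if (rc == 0 && count_out != NULL)
        *count_out = h.color_table_size;
    return rc;
}

/* Constructed input: 2 entries, 8 bytes of palette data. Expect acceptance. */
int demo_valid(void)
{
    static const uint8_t buf[] = {2, 0, 0, 0, 255, 0, 0, 255, 0, 255, 0, 255};
    uint32_t n = 0;
    int rc = parse_sample(buf, sizeof buf, &n);
    return (rc == 0 && n == 2) ? 0 : -1;
}

/* Constructed input: claims 1000 entries, far more than the table holds. */
int demo_oversized(void)
{
    static const uint8_t buf[] = {0xE8, 0x03, 0, 0, 1, 2, 3, 4};
    return parse_sample(buf, sizeof buf, NULL);
}

/* Constructed input: claims 3 entries but only one entry of bytes follows. */
int demo_truncated(void)
{
    static const uint8_t buf[] = {3, 0, 0, 0, 1, 2, 3, 4};
    return parse_sample(buf, sizeof buf, NULL);
}

int main(void)
{
    printf("valid:     %s\n", demo_valid() == 0 ? "accepted" : "rejected");
    printf("oversized: %s\n", demo_oversized() == 0 ? "accepted" : "rejected");
    printf("truncated: %s\n", demo_truncated() == 0 ? "accepted" : "rejected");
    return 0;
}
```

The two checks are deliberately separate: the first protects the fixed-size destination, the second protects the read from the source buffer. A decoder that skips either one and later frees or reallocates buffers based on the unchecked count is the shape of defect the upstream fix (revisions 147 and 148 linked above) addresses.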

Comment 1 Fedora Update System 2015-08-10 17:33:38 UTC
libpgf-6.14.12-4.fc23 has been submitted as an update for Fedora 23.
https://admin.fedoraproject.org/updates/libpgf-6.14.12-4.fc23

Comment 2 Fedora Update System 2015-08-10 18:37:11 UTC
libpgf-6.14.12-4.el7 has been submitted as an update for Fedora EPEL 7.
https://admin.fedoraproject.org/updates/libpgf-6.14.12-4.el7

Comment 3 Fedora Update System 2015-08-11 06:17:38 UTC
Package libpgf-6.14.12-4.el7:
* should fix your issue,
* was pushed to the Fedora EPEL 7 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=epel-testing libpgf-6.14.12-4.el7'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-EPEL-2015-7600/libpgf-6.14.12-4.el7
then log in and leave karma (feedback).

Comment 4 Fedora Update System 2015-08-19 07:55:01 UTC
libpgf-6.14.12-4.fc23 has been pushed to the Fedora 23 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 5 Adam Mariš 2015-08-26 09:01:28 UTC
CVE assignment:

http://seclists.org/oss-sec/2015/q3/437

Comment 6 Fedora Update System 2015-08-26 22:25:13 UTC
libpgf-6.14.12-4.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
