Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.
First Last Prev Next    This bug is not in your last search results.
Bug 1312337 - (CVE-2016-9082) CVE-2016-9082 cairo: Out of bounds read in read_png/write_png in cairo-png.c
CVE-2016-9082 cairo: Out of bounds read in read_png/write_png in cairo-png.c
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20161005,reported=2...
: Security
: 1382656 1382658 1382659 1382662 (view as bug list)
Depends On: 1384554 1384556 1384555
Blocks: 1312341 1382656 1382664
  Show dependency treegraph
 
Reported: 2016-02-26 08:10 EST by Adam Mariš
Modified: 2017-04-06 05:13 EDT (History)
18 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-10-19 15:58:58 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Backtrace report (1.35 KB, text/plain)
2016-02-26 08:14 EST, Adam Mariš 		no flags Details
Add an attachment (proposed patch, testcase, etc.)

  None (edit)
Description Adam Mariš 2016-02-26 08:10:34 EST 
It was found that specially crafted SVG file can trigger crash in png_write_row when converting the given SVG using librsvg2 and cairo. Crash happens inside libpng when trying to access invalid pointer.

Acknowledgements:

Name: Gustavo Grieco
Comment 1 Adam Mariš 2016-02-26 08:14 EST 
Created attachment 1130832 [details]
Backtrace report
Comment 3 Adam Mariš 2016-10-13 06:17:21 EDT 
*** Bug 1382656 has been marked as a duplicate of this bug. ***
Comment 4 Adam Mariš 2016-10-13 06:38:05 EDT 
CVE request:

http://seclists.org/oss-sec/2016/q4/44

Upstream bug:

https://bugs.freedesktop.org/show_bug.cgi?id=98165
Comment 5 Adam Mariš 2016-10-13 10:21:05 EDT 
Created cairo tracking bugs for this issue:

Affects: fedora-all [bug 1384554]
Comment 6 Adam Mariš 2016-10-13 10:21:17 EDT 
Created mingw-cairo tracking bugs for this issue:

Affects: fedora-all [bug 1384555]
Affects: epel-7 [bug 1384556]
Comment 7 Stefan Cornelius 2016-10-19 15:54:29 EDT 
The upstream bug mentions a separate issue that may cause out-of-bounds writes. While this looks correct initially, I don't think that this is feasible:
The memory is allocated using _cairo_malloc_ab(), which has a built-in overflow check. As far as I can tell, this will catch the problem before we can reach the problematic code.

This leaves only the out-of-bounds read, which, all things considered, isn't really that dangerous.
Comment 8 Paul Howarth 2016-10-21 06:17:11 EDT 
*** Bug 1382658 has been marked as a duplicate of this bug. ***
Comment 9 Paul Howarth 2016-10-21 06:18:31 EDT 
*** Bug 1382659 has been marked as a duplicate of this bug. ***
Comment 10 Paul Howarth 2016-10-21 06:20:10 EDT 
*** Bug 1382662 has been marked as a duplicate of this bug. ***
Comment 11 Adam Mariš 2016-10-27 07:26:23 EDT 
Proposed patch:

https://bugs.freedesktop.org/attachment.cgi?id=127421
Note You need to log in before you can comment on or make changes to this bug.
First Last Prev Next    This bug is not in your last search results.