1488817 – (CVE-2017-2862) CVE-2017-2862 gdk-pixbuf2: Heap overflow in the gdk_pixbuf__jpeg_image_load_increment function

Bug 1488817 (CVE-2017-2862) - CVE-2017-2862 gdk-pixbuf2: Heap overflow in the gdk_pixbuf__jpeg_image_load_increment function

Summary: CVE-2017-2862 gdk-pixbuf2: Heap overflow in the gdk_pixbuf__jpeg_image_load_i...

Keywords:
Status:	CLOSED WONTFIX
Alias:	CVE-2017-2862
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1569815 1888085
Blocks:	1486739
TreeView+	depends on / blocked

Reported:	2017-09-06 09:20 UTC by Andrej Nemec
Modified:	2021-02-17 01:36 UTC (History)
CC List:	4 users (show)
Fixed In Version:	gdk-pixbuf 2.36.7
Clone Of:
Environment:
Last Closed:	2017-09-21 02:55:09 UTC
Embargoed:

Attachments	(Terms of Use)

Description Andrej Nemec 2017-09-06 09:20:39 UTC

A heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf2.

External References:

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0366

Comment 1 Huzaifa S. Sidhpurwala 2017-09-21 02:47:46 UTC

Upstream commit:

https://git.gnome.org/browse/gdk-pixbuf/commit/gdk-pixbuf/io-jpeg.c?id=c2a40a92fe3df4111ed9da51fe3368c079b86926

Comment 2 Huzaifa S. Sidhpurwala 2017-09-21 02:54:31 UTC

Analysis:

gdk-pixbuf assumed that the value of output_components to be either 3 or 4, but not an invalid value (9) or an unsupported value (1). Setting output color components to a value other than 3 or 4 causes invalid writes when libjpeg-turbo decodes images. 

Code execution seems to be unlikely because of the number of bytes which can be written on the heap.

Note You need to log in before you can comment on or make changes to this bug.