Bug 1488817 – CVE-2017-2862 gdk-pixbuf2: Heap overflow in the gdk_pixbuf__jpeg_image_load_increment function

Bugzilla will be upgraded to version 5.0. The upgrade date is tentatively scheduled for 2 December 2018, pending final testing and feedback.

Bug 1488817 - (CVE-2017-2862) CVE-2017-2862 gdk-pixbuf2: Heap overflow in the gdk_pixbuf__jpeg_image_load_increment function

Summary:	CVE-2017-2862 gdk-pixbuf2: Heap overflow in the gdk_pixbuf__jpeg_image_load_i...

Status:	CLOSED WONTFIX

Aliases:	CVE-2017-2862

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	medium Severity medium
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=moderate,public=20170830,repor...
Keywords:	Security

Depends On:
Blocks:	1486739
	Show dependency tree / graph

Reported:	2017-09-06 05:20 EDT by Andrej Nemec
Modified:	2017-09-20 22:55 EDT (History)
CC List:	4 users (show)

See Also:
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2017-09-20 22:55:09 EDT
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Andrej Nemec 2017-09-06 05:20:39 EDT

A heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf2.

External References:

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0366

Comment 1 Huzaifa S. Sidhpurwala 2017-09-20 22:47:46 EDT

Upstream commit:

https://git.gnome.org/browse/gdk-pixbuf/commit/gdk-pixbuf/io-jpeg.c?id=c2a40a92fe3df4111ed9da51fe3368c079b86926

Comment 2 Huzaifa S. Sidhpurwala 2017-09-20 22:54:31 EDT

Analysis:

gdk-pixbuf assumed that the value of output_components to be either 3 or 4, but not an invalid value (9) or an unsupported value (1). Setting output color components to a value other than 3 or 4 causes invalid writes when libjpeg-turbo decodes images. 

Code execution seems to be unlikely because of the number of bytes which can be written on the heap.

Note You need to log in before you can comment on or make changes to this bug.