Bug 856300 - (CVE-2012-4433) CVE-2012-4433 gegl: Integer overflow, leading to heap-based buffer overflow by parsing PPM image headers
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: impact=moderate,public=20121105,repor...
Keywords: Security
Depends On: 870951 870953 873182 912715 979243
Blocks: 856302
Reported: 2012-09-11 13:04 EDT by Jan Lieskovsky
Modified: 2015-10-15 17:29 EDT (History)

Doc Type: Bug Fix
Last Closed: 2013-10-29 12:39:14 EDT


Attachments
quick fix, implements a safemultiply function, not sure if it's portable though (893 bytes, patch), 2012-09-19 01:23 EDT, Huzaifa S. Sidhpurwala
quick fix, implements a safemultiply function, not sure if it's portable though (897 bytes, patch), 2012-09-19 01:51 EDT, Huzaifa S. Sidhpurwala
Proposed patch against gegl git master (5.23 KB, patch), 2012-10-26 10:59 EDT, Nils Philippsen

Description Jan Lieskovsky 2012-09-11 13:04:04 EDT
An integer overflow, leading to a heap-based buffer overflow, was found in the way the portable pixmap format (PPM) image file format handler of GEGL, a graph-based image processing framework, processed certain input PPM image file headers. A remote attacker could provide a specially crafted PPM image that, when opened in the gegl executable, would lead to a crash or, potentially, arbitrary code execution with the privileges of the user running the binary.

This issue was found by Murray McAllister, Red Hat Security Response Team.
Comment 2 Jan Lieskovsky 2012-09-11 13:08:23 EDT
This issue affects the version of the gegl package, as shipped with Red Hat Enterprise Linux 6.

--

This issue affects the versions of the gegl package, as shipped with Fedora releases 16 and 17.
Comment 4 Huzaifa S. Sidhpurwala 2012-09-18 05:21:24 EDT
This issue has been assigned CVE-2012-4433
Comment 5 Huzaifa S. Sidhpurwala 2012-09-19 01:11:53 EDT
Looked at other places in the code; some of the multiplications going on there seem to be unsafe, but I can't find a way to trigger an overflow yet.

For example in png-load.c:

  pixels = g_malloc0 (width*bpp);

Here width is a gint (4 bytes on x86-32) and g_malloc0's argument is gsize, which is again 4 bytes on x86-32, so there is potential for an overflow here.

However, libpng somehow seems to cap the value of width here to < 32 bits, so I am not able to trigger an overflow via crafted PNG files.

I observed similar things for jpeg and other formats gegl reads.
Comment 7 Huzaifa S. Sidhpurwala 2012-09-19 01:23:57 EDT
Created attachment 614202 [details]
quick fix, implements a safemultiply function, not sure if it's portable though
Comment 8 Huzaifa S. Sidhpurwala 2012-09-19 01:51:13 EDT
Created attachment 614203 [details]
quick fix, implements a safemultiply function, not sure if it's portable though

New patch, use unsigned.
Comment 9 Nils Philippsen 2012-10-26 10:59:28 EDT
Created attachment 633906 [details]
Proposed patch against gegl git master

These 3 cumulative patches against git master make gegl crash with a SIGTRAP in a controlled fashion when it fails to g_malloc() about 12 exabytes of memory. Ideally it would use g_try_malloc() to avoid a crash, but error propagation doesn't seem to work reliably in gegl -- so rather crash deterministically here than in an uncontrolled fashion somewhere else.

The first patch checks values before doing potentially overflowing calculations and checks the allocated memory before using it (which is a no-op until error propagation works and g_try_malloc() is used). The second patch uses long ints as operands (to avoid overflowing memory size calculations) and checks if calls to strtol() fail or contain non-decimal values (violating the file format). The third patch corrects a comment concerning interpretation of certain file format header fields.
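The pattern this thread circles (the unchecked width*bpp product in Comment 5, the safemultiply attachments from Comments 7 and 8, and the value checks plus strtol validation Comment 9 describes) as one added example in C. This is illustration code, not gegl's ppm-load.c and not any of the attached patches: the names (`ppm_header`, `unchecked_size`, `safe_multiply`, `read_field`, `ppm_parse_header`, `ppm_alloc_pixels`), the P5/P6-only grammar, the omission of '#' header comments and the 65535 maxval limit are assumptions made for the example. `unchecked_size` shows the 32-bit wrap-around the comments worry about next to the checked path.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical header record; not gegl's own structure. */
typedef struct {
  unsigned channels;  /* 1 for P5 (grey), 3 for P6 (RGB) */
  long     width;
  long     height;
  long     maxval;
  size_t   nbytes;    /* checked width * height * channels * bytes per sample */
} ppm_header;

/* Pre-fix pattern, kept for contrast: the product is formed in 32-bit
 * arithmetic and silently wraps, so a tiny buffer gets allocated for a
 * huge image and the pixel copy runs off its end. */
unsigned int
unchecked_size (unsigned int width, unsigned int height, unsigned int bpp)
{
  return width * height * bpp;
}

/* Overflow-checked multiply in the spirit of the "safemultiply" attachments
 * (assumed behaviour: refuse the product instead of letting it wrap). */
bool
safe_multiply (size_t a, size_t b, size_t *out)
{
  if (a != 0 && b > SIZE_MAX / a)
    return false;
  *out = a * b;
  return true;
}

static bool
is_pnm_space (char c)
{
  return c == ' ' || c == '\t' || c == '\n' || c == '\r';
}

/* Read one decimal header field. Fails on strtol errors (ERANGE, no digits)
 * and on non-decimal characters in the field, which violate the format.
 * A leading sign is rejected too: a negative dimension is never valid. */
static bool
read_field (const char **p, long *value)
{
  const char *s = *p;
  char *end;

  while (is_pnm_space (*s))
    s++;
  if (*s < '0' || *s > '9')
    return false;

  errno = 0;
  *value = strtol (s, &end, 10);
  if (errno == ERANGE || end == s || !is_pnm_space (*end))
    return false;

  *p = end;
  return true;
}

/* Parse "P6 <width> <height> <maxval>" (or P5; '#' comments are not
 * handled in this example). Fills *hdr and returns true, or fails closed
 * on any malformed field or any overflow in the size computation. */
bool
ppm_parse_header (const char *data, ppm_header *hdr)
{
  const char *p = data;
  size_t bytes_per_sample, tmp;

  if (p[0] != 'P' || (p[1] != '5' && p[1] != '6') || !is_pnm_space (p[2]))
    return false;
  hdr->channels = (p[1] == '6') ? 3 : 1;
  p += 2;

  if (!read_field (&p, &hdr->width)  || hdr->width  <= 0 ||
      !read_field (&p, &hdr->height) || hdr->height <= 0 ||
      !read_field (&p, &hdr->maxval) || hdr->maxval <= 0 || hdr->maxval > 65535)
    return false;

  bytes_per_sample = (hdr->maxval > 255) ? 2 : 1;

  /* Each step of width * height * channels * bytes_per_sample is checked. */
  if (!safe_multiply ((size_t) hdr->width, (size_t) hdr->height, &tmp) ||
      !safe_multiply (tmp, hdr->channels, &tmp) ||
      !safe_multiply (tmp, bytes_per_sample, &hdr->nbytes))
    return false;

  return true;
}

/* "Try" allocation: plain malloc here (Comment 9 suggests g_try_malloc),
 * which returns NULL for a size the system cannot satisfy instead of
 * aborting, so the caller can report the failure. */
void *
ppm_alloc_pixels (const ppm_header *hdr)
{
  return malloc (hdr->nbytes);
}
```

With the unchecked arithmetic, a header of 1073741824 x 4 at 3 bytes per pixel computes to 0 bytes; the checked path refuses the same header, and a width or height that does not fit in a long is refused by strtol's ERANGE before any multiplication happens, which is the difference between a deterministic parse error and writing pixel data past a short heap buffer.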
Comment 16 Huzaifa S. Sidhpurwala 2012-11-05 04:42:51 EST
Created gegl tracking bugs for this issue

Affects: fedora-all [bug 873182]
Comment 17 Huzaifa S. Sidhpurwala 2012-11-05 04:47:25 EST
Acknowledgements:

This issue was discovered by Murray McAllister of Red Hat Security Response Team.
Comment 18 errata-xmlrpc 2012-11-12 13:26:51 EST
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:1455 https://rhn.redhat.com/errata/RHSA-2012-1455.html
Comment 21 Fedora Update System 2013-07-11 23:06:25 EDT
gegl-0.2.0-11.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 22 Fedora Update System 2013-07-11 23:13:10 EDT
gegl-0.2.0-11.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 23 Fedora Update System 2013-07-11 23:16:49 EDT
gegl-0.2.0-11.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
