Bug 1691636 (CVE-2018-19872) - CVE-2018-19872 qt: malformed PPM image causing division by zero and crash in qppmhandler.cpp
Summary: CVE-2018-19872 qt: malformed PPM image causing division by zero and crash in ...
Status: NEW
Alias: CVE-2018-19872
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20181204,repor...
Keywords: Security
Depends On: 1702030 1702031 1691637 1691638
Blocks: 1696265
 
Reported: 2019-03-22 07:01 UTC by Dhananjay Arunesh
Modified: 2019-06-08 23:55 UTC (History)

Clone Of:
Last Closed:



Description Dhananjay Arunesh 2019-03-22 07:01:17 UTC
An issue was discovered in Qt 5.11. A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp.

Reference:
https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/

Comment 1 Dhananjay Arunesh 2019-03-22 07:03:19 UTC
External References:

https://bugreports.qt.io/browse/QTBUG-69449
https://wiki.qt.io/Qt_5.11.3_Change_Files

Comment 2 Dhananjay Arunesh 2019-03-22 07:04:09 UTC
Created qt tracking bugs for this issue:

Affects: fedora-all [bug 1691638]


Created qt5 tracking bugs for this issue:

Affects: fedora-all [bug 1691637]

Comment 3 Kevin Kofler 2019-03-22 14:02:23 UTC
You can list all versions of qt3 as not affected. I verified that this code is not present in Qt 3, it was introduced in Qt 4.0.0.

Comment 4 Fedora Update System 2019-04-01 01:21:34 UTC
qt-4.8.7-45.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 6 Kevin Kofler 2019-04-15 21:38:13 UTC
I don't see how you can come to the conclusion that rhel-*/qt=notaffected. I have seen the vulnerable code in ALL versions of Qt 4, from 4.0.0 to 4.8.7.

Comment 7 Scott Gayou 2019-04-15 23:03:06 UTC
Backtrace from 5.11.1:

```
Program received signal SIGFPE, Arithmetic exception.
0x00007ffff7a741ca in scale_pbm_color (bv=12336, gv=12336, rv=12336, mx=0)
    at ../../include/QtGui/../../src/gui/painting/qrgba64.h:79
79	../../include/QtGui/../../src/gui/painting/qrgba64.h: No such file or directory.
(gdb) bt
#0  0x00007ffff7a741ca in scale_pbm_color (bv=12336, gv=12336, rv=12336, mx=0)
    at ../../include/QtGui/../../src/gui/painting/qrgba64.h:79
#1  read_pbm_body (outImage=0x7fffffffd490, mcc=1329790976, h=3, w=<optimized out>, 
    type=<optimized out>, device=0x61c330) at image/qppmhandler.cpp:193
#2  QPpmHandler::read (this=0x61c8b0, image=0x7fffffffd490) at image/qppmhandler.cpp:509
#3  0x00007ffff7a46a8a in QImageReader::read (this=0x7fffffffd4e8, image=0x7fffffffd490)
    at image/qimagereader.cpp:1313
#4  0x00007ffff7a470d8 in QImageReader::read (this=this@entry=0x7fffffffd4e8)
    at image/qimagereader.cpp:1261
#5  0x00007ffff7a2f0da in QImage::load (this=0x7fffffffd560, fileName=..., format=<optimized out>)
    at image/qimage.cpp:3460
#6  0x0000000000400ce2 in main (argc=2, argv=0x7fffffffd6d8) at main.cpp:14
(gdb) 
```

Unable to reproduce this on Red Hat Enterprise 6 or 7 (7 running qt 4.8.7).

Comment 8 Scott Gayou 2019-04-22 18:33:38 UTC
```
// Qt helper as quoted in this comment: mx is used as a divisor for all three
// channels with no check that it is nonzero.
static inline QRgb scale_pbm_color(quint16 mx, quint16 rv, quint16 gv, quint16 bv)
{
    return QRgba64::fromRgba64((rv * 0xffffu) / mx, (gv * 0xffffu) / mx, (bv * 0xffffu) / mx, 0xffff).toArgb32();
}
```

Looks like MX is 0 and a nice exception occurs.

Unrelated, but interesting. Division by zero is undefined behavior. gcc seems to generate a SIGFPE, whereas clang/llvm seems to generate junk and continue. Easiest way to detect this via a clang build is with -fsanitize=undefined. I'm sure there are a bunch of other knobs and switches to change the behavior.

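The following is an added illustration written for this page, not Qt's code and not part of any comment above. It reproduces the shape of the quoted scale_pbm_color() with plain integer types (no QRgba64) and puts a hardened variant beside it that refuses a zero divisor before any pixel is scaled. Assumptions: Rgb32 is a constructed 0xAARRGGBB packing, the 16-bit-to-8-bit step simply keeps the high byte (Qt's exact rounding is not reproduced), and samples larger than mx are also treated as malformed input, which is a stricter check than the page describes.

```cpp
#include <cstdint>
#include <cstdio>

// Constructed packed pixel format: 0xAARRGGBB.
typedef uint32_t Rgb32;

// Constructed 16-bit -> 8-bit channel conversion: keep the high byte.
static inline uint8_t to8(unsigned v16) {
    return static_cast<uint8_t>(v16 >> 8);
}

static inline Rgb32 pack(uint8_t r, uint8_t g, uint8_t b) {
    return (0xFFu << 24) | (static_cast<Rgb32>(r) << 16) |
           (static_cast<Rgb32>(g) << 8) | b;
}

// Same arithmetic as the quoted Qt helper: every channel is divided by mx,
// and nothing here guards against mx == 0. Calling it with mx == 0 is the
// undefined behaviour behind CVE-2018-19872 (SIGFPE under gcc, per Comment 8).
static inline Rgb32 scale_pbm_color_unchecked(uint16_t mx, uint16_t rv,
                                              uint16_t gv, uint16_t bv) {
    return pack(to8((rv * 0xffffu) / mx),
                to8((gv * 0xffffu) / mx),
                to8((bv * 0xffffu) / mx));
}

// Hardened variant (added here): validate the header-derived divisor and the
// samples before dividing. Returns false on malformed input and leaves *out
// untouched, so the caller can fail the whole image read instead of crashing.
static bool scale_pbm_color_checked(uint16_t mx, uint16_t rv, uint16_t gv,
                                    uint16_t bv, Rgb32 *out) {
    if (mx == 0) {
        return false;               // zero divisor: reject, never divide
    }
    if (rv > mx || gv > mx || bv > mx) {
        return false;               // assumption: sample above max value is malformed
    }
    *out = scale_pbm_color_unchecked(mx, rv, gv, bv);  // safe: mx != 0 proven above
    return true;
}

int main() {
    // Constructed pixels: (max value, r, g, b).
    struct { uint16_t mx, r, g, b; } samples[] = {
        {255, 255, 0, 0},      // valid: pure red
        {0, 12336, 12336, 12336},  // the crashing case from the backtrace
        {100, 200, 0, 0},      // sample exceeds max value
    };
    for (const auto &s : samples) {
        Rgb32 px = 0;
        if (scale_pbm_color_checked(s.mx, s.r, s.g, s.b, &px))
            std::printf("mx=%u -> 0x%08X\n", s.mx, px);
        else
            std::printf("mx=%u -> rejected as malformed\n", s.mx);
    }
    return 0;
}
```

The unchecked function is kept only so the two can be compared side by side; a build with -fsanitize=undefined, as Comment 8 suggests, reports the division in it the moment a zero mx reaches it, while the checked variant never gets there.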
Comment 9 Scott Gayou 2019-04-22 18:35:57 UTC
Red Hat Enterprise Linux 7 looks like it has the responsible code even though I couldn't reproduce it. Didn't track down where/why mx is getting set to zero, but 7 could potentially be impacted. The code doesn't appear in earlier versions to the best of my knowledge.

