
List:       oss-security
Subject:    Re: [oss-security] CVE Request: heap buffer overflow in gdk-pixbuf
From:       Pedro Ribeiro <pedrib () gmail ! com>
Date:       2022-07-25 5:15:40
Message-ID: 174ef5a4-523e-ab75-5f4a-d1ef38e2410c () gmail ! com



On 24/07/2022 10:35, Pedro Ribeiro wrote:
> 
> > On 24 Jul 2022, at 01:08, John Helmert III <ajak@gentoo.org> wrote:
> > 
> > On Sat, Jul 23, 2022 at 07:35:42PM +0700, Pedro Ribeiro wrote:
> > > Hi,
> > > 
> > > A year ago I found and submitted a vulnerability to the gdk-pixbuf tracker:
> > > https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/190
> > > 
> > > It's a heap buffer overflow using a crafted GIF, which is likely
> > > exploitable in 32 bit systems. Full details are in the link above in the
> > > bug tracker.
> > > 
> > > This was patched and the fix was merged 8 months ago as seen here:
> > > https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/121
> > > 
> > > The issue is now public, but since no CVE was attributed, it probably is
> > > not being considered as a problem for downstream users of the package.
> > > 
> > > As of today, the latest Debian stable package is affected by this
> > > vulnerability. Using a GNOME file system browser and browsing to that
> > > folder will cause a crash, as will opening it up in a GNOME image viewer
> > > and even attempting to load it in Chromium (should have submitted to
> > > them for a bounty :D).
> > > 
> > > Hence I'd like to get a CVE to raise awareness for this issue, so that
> > > downstream users of the package can get patched.
> > > 
> > > Thanks and regards,
> > > Pedro Ribeiro
> > 
> > Hi, according to the oss-security Openwall wiki page [1], CVEs need to
> > be requested via MITRE's web form [2].
> > 
> > [1] https://oss-security.openwall.org/wiki/mailing-lists/oss-security
> > [2] https://cveform.mitre.org/
> 
> Hi John,
> 
> Thanks for the info, will request via the form and post here again once I have a CVE number.
> In any case I hope this post is useful to raise awareness of the issue to distro maintainers.
> Regards
> Pedro
> 
> 

Actually I was wrong, this doesn't crash Chromium! But it still crashes 
with a heap buffer overflow in GNOME file explorer and GNOME image 
viewers (anything using gdk-pixbuf really) as said in the previous email 
though.

Here's the CVE number that was attributed by MITRE: CVE-2021-46829.
I've put a copy of the PoC and bug report at 
https://github.com/pedrib/PoC/blob/master/fuzzing/CVE-2021-46829/CVE-2021-46829.md

Regards,
Pedro

