oss-sec mailing list archives

Re: CVE Request: heap buffer overflow in gdk-pixbuf

From: Pedro Ribeiro <pedrib () gmail com>
Date: Mon, 25 Jul 2022 12:15:40 +0700



On 24/07/2022 10:35, Pedro Ribeiro wrote:

On 24 Jul 2022, at 01:08, John Helmert III <ajak () gentoo org> wrote:

On Sat, Jul 23, 2022 at 07:35:42PM +0700, Pedro Ribeiro wrote:

Hi,

A year ago I found and submitted a vulnerability to the gdk-pixbuf tracker:
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/190

It's a heap buffer overflow using a crafted GIF, which is likely
exploitable in 32 bit systems. Full details are in the link above in the
bug tracker.

This was patched and the fix was merged 8 months ago as seen here:
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/121

The issue is now public, but since no CVE was attributed, it probably is
not being considered as a problem for downstream users of the package.

As of today, the latest Debian stable package is affected by this
vulnerability. Using a GNOME file system browser and browsing to that
folder will cause a crash, as will opening it up in a GNOME image viewer
and even attempting to load it in Chromium (should have submitted to
them for a bounty :D).

Hence I'd like to get a CVE to raise awareness for this issue, so that
downstream users of the package can get patched.

Thanks and regards,
Pedro Ribeiro


Hi, according to the oss-security Openwall wiki page [1], CVEs need to
be requested via MITRE's web form [2].

[1] https://oss-security.openwall.org/wiki/mailing-lists/oss-security
[2] https://cveform.mitre.org/


Hi John,

Thanks for the info, will request via the form and post here again once I have a CVE number. In any case I hope this 
post is useful to raise awareness of the issue to distro maintainers.

Regards
Pedro

Actually I was wrong, this doesn't crash Chromium! But it still crasheswith a heap buffer overflow in GNOME file explorer and GNOME imageviewers (anything using gdk-pixbuf really) as said in the previous emailthough.


Here's the CVE number that was attributed by MITRE: CVE-2021-46829.

I've put a copy of the PoC and bug report athttps://github.com/pedrib/PoC/blob/master/fuzzing/CVE-2021-46829/CVE-2021-46829.md


Regards,
Pedro

Current thread:

CVE Request: heap buffer overflow in gdk-pixbuf Pedro Ribeiro (Jul 23)
- Re: CVE Request: heap buffer overflow in gdk-pixbuf John Helmert III (Jul 23)
  - Re: CVE Request: heap buffer overflow in gdk-pixbuf Pedro Ribeiro (Jul 24)
    - Re: CVE Request: heap buffer overflow in gdk-pixbuf Pedro Ribeiro (Jul 24)