
Bug#1073234: marked as done (bookworm-pu: package gdk-pixbuf/2.42.10+dfsg-1+deb12u1)



Your message dated Sat, 29 Jun 2024 10:46:21 +0000
with message-id <E1sNVb3-002bjU-7g@coccia.debian.org>
and subject line Released with 12.6
has caused the Debian Bug report #1073234,
regarding bookworm-pu: package gdk-pixbuf/2.42.10+dfsg-1+deb12u1
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1073234: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1073234
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: gdk-pixbuf@packages.debian.org, Simon McVittie <smcv@debian.org>, carnil@debian.org
Control: affects -1 + src:gdk-pixbuf
User: release.debian.org@packages.debian.org
Usertags: pu

Hi stable release managers, CC'ing Simon,

[ Reason ]
gdk-pixbuf is affected by CVE-2022-48622, a memory corruption via
crafted .ani files, cf. #1071265.

[ Impact ]
At least denial of service, but potentially arbitrary code execution as
well. But we have classified it as no-dsa and it does not warrant a
DSA on its own.

[ Tests ]
Manual test against the poc in the upstream issue
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/202 .

[ Risks ]
Isolated changes, and the fix has been exposed in sid and trixie.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Three commits cherry-picked from upstream:

  * ANI: Reject files with multiple anih chunks (CVE-2022-48622)
    (Closes: #1071265)
  * ANI: Reject files with multiple INAM or IART chunks
  * ANI: Validate anih chunk size

The two other commits are not for CVE-2022-48622 but additional
hardening and fixing changes related to the ANI code.

Simon, ideally we should do the fixup in bullseye as well, but I have
not looked at that version yet.

Regards,
Salvatore
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/changelog gdk-pixbuf-2.42.10+dfsg/debian/changelog
--- gdk-pixbuf-2.42.10+dfsg/debian/changelog	2022-11-18 20:13:50.000000000 +0100
+++ gdk-pixbuf-2.42.10+dfsg/debian/changelog	2024-06-13 23:04:36.000000000 +0200
@@ -1,3 +1,12 @@
+gdk-pixbuf (2.42.10+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * ANI: Reject files with multiple anih chunks (CVE-2022-48622)
+    (Closes: #1071265)
+  * ANI: Reject files with multiple INAM or IART chunks
+  * ANI: Validate anih chunk size
+
+ -- Salvatore Bonaccorso <carnil@debian.org>  Thu, 13 Jun 2024 23:04:36 +0200
+
 gdk-pixbuf (2.42.10+dfsg-1) unstable; urgency=medium
 
   * Team upload
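Review bot: the second and third bullets read as unrelated ANI cleanups next to the CVE line; the cover mail explains they are upstream hardening follow-ups in the same loader, so a short hint on those bullets (for example "hardening follow-up to the CVE-2022-48622 fix") would let the changelog carry that context on its own when the mail is no longer at hand.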
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch
--- gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch	1970-01-01 01:00:00.000000000 +0100
+++ gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch	2024-06-13 23:02:36.000000000 +0200
@@ -0,0 +1,36 @@
+From: Benjamin Gilbert <bgilbert@backtick.net>
+Date: Tue, 30 Apr 2024 07:13:37 -0500
+Subject: ANI: Reject files with multiple INAM or IART chunks
+Origin: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/d52134373594ff76614fb415125b0d1c723ddd56
+
+There should be at most one chunk each.  These would cause memory leaks
+otherwise.
+---
+ gdk-pixbuf/io-ani.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
+index a78ea7ace40b..8e8414117c3a 100644
+--- a/gdk-pixbuf/io-ani.c
++++ b/gdk-pixbuf/io-ani.c
+@@ -445,7 +445,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+ 	}
+         else if (context->chunk_id == TAG_INAM) 
+ 	{
+-		if (!context->animation) 
++		if (!context->animation || context->title)
+ 		{
+ 			g_set_error_literal (error,
+                                              GDK_PIXBUF_ERROR,
+@@ -472,7 +472,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+ 	}
+         else if (context->chunk_id == TAG_IART) 
+ 	{
+-		if (!context->animation) 
++		if (!context->animation || context->author)
+ 		{
+ 			g_set_error_literal (error,
+                                              GDK_PIXBUF_ERROR,
+-- 
+2.45.1
+
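Review bot: the new conditions `!context->animation || context->title` and `!context->animation || context->author` fold two distinct failure causes (INAM/IART before any anih, and a duplicate INAM/IART) into the error literal that was written for the missing-header case, so the message reported for a duplicate chunk will be the pre-existing one. Acceptable for a stable update that cherry-picks upstream unchanged, but note that the leak fix relies on `context->title` and `context->author` being NULL until the first chunk of each type is stored; the hunk context does not show that initialisation, so it is worth confirming in the surrounding code when the patch is refreshed.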
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-anih-chunks.patch gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-anih-chunks.patch
--- gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-anih-chunks.patch	1970-01-01 01:00:00.000000000 +0100
+++ gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-anih-chunks.patch	2024-06-13 22:59:39.000000000 +0200
@@ -0,0 +1,41 @@
+From: Benjamin Gilbert <bgilbert@backtick.net>
+Date: Tue, 30 Apr 2024 07:26:54 -0500
+Subject: ANI: Reject files with multiple anih chunks
+Origin: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/00c071dd11f723ca608608eef45cb1aa98da89cc
+Bug-Debian: https://bugs.debian.org/1071265
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-48622
+
+An anih chunk causes us to initialize a bunch of state, which we only
+expect to do once per file.
+
+Fixes: #202
+Fixes: CVE-2022-48622
+---
+ gdk-pixbuf/io-ani.c                       |   9 +++++++++
+ tests/test-images/fail/CVE-2022-48622.ani | Bin 0 -> 28012 bytes
+ 2 files changed, 9 insertions(+)
+ create mode 100644 tests/test-images/fail/CVE-2022-48622.ani
+
+diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
+index c6c4642cf449..a78ea7ace40b 100644
+--- a/gdk-pixbuf/io-ani.c
++++ b/gdk-pixbuf/io-ani.c
+@@ -295,6 +295,15 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+         
+         if (context->chunk_id == TAG_anih) 
+ 	{
++		if (context->animation)
++		{
++			g_set_error_literal (error,
++                                             GDK_PIXBUF_ERROR,
++                                             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++                                             _("Invalid header in animation"));
++			return FALSE;
++		}
++
+ 		context->HeaderSize = read_int32 (context);
+ 		context->NumFrames = read_int32 (context);
+ 		context->NumSteps = read_int32 (context);
+-- 
+2.45.1
+
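Review bot: the diffstat in the patch header lists `tests/test-images/fail/CVE-2022-48622.ani | Bin 0 -> 28012 bytes` and `create mode 100644 tests/test-images/fail/CVE-2022-48622.ani`, but the patch body carries only the io-ani.c hunk, so upstream's regression image is not part of this update; either drop the stale stat lines or add a header line saying the binary test file was intentionally omitted, so a later reader does not go looking for it. The check itself is correctly placed ahead of the `read_int32` calls, so a second anih chunk is rejected before any header state is reinitialised.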
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Validate-anih-chunk-size.patch gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Validate-anih-chunk-size.patch
--- gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Validate-anih-chunk-size.patch	1970-01-01 01:00:00.000000000 +0100
+++ gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Validate-anih-chunk-size.patch	2024-06-13 23:03:56.000000000 +0200
@@ -0,0 +1,38 @@
+From: Benjamin Gilbert <bgilbert@backtick.net>
+Date: Tue, 30 Apr 2024 08:17:25 -0500
+Subject: ANI: Validate anih chunk size
+Origin: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/91b8aa5cd8a0eea28acb51f0e121827ca2e7eb78
+
+Before reading a chunk, we verify that enough bytes are available to match
+the chunk size declared by the file.  However, uniquely, the anih chunk
+loader doesn't verify that this size matches the number of bytes it
+actually intends to read.  Thus, if the chunk size is too small and the
+file ends in the middle of the chunk, we populate some context fields with
+stack garbage.  (But we'd still fail later on because the file doesn't
+contain any images.)  Fix this.
+---
+ gdk-pixbuf/io-ani.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
+index 8e8414117c3a..cfafd7b1961b 100644
+--- a/gdk-pixbuf/io-ani.c
++++ b/gdk-pixbuf/io-ani.c
+@@ -295,6 +295,14 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+         
+         if (context->chunk_id == TAG_anih) 
+ 	{
++		if (context->chunk_size < 36)
++		{
++			g_set_error_literal (error,
++                                             GDK_PIXBUF_ERROR,
++                                             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++                                             _("Malformed chunk in animation"));
++			return FALSE;
++		}
+ 		if (context->animation)
+ 		{
+ 			g_set_error_literal (error,
+-- 
+2.45.1
+
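Review bot: `context->chunk_size < 36` is a bare magic number; a named constant or a comment tying 36 to the sequence of `read_int32` calls that follows would make the relationship between the declared size and the bytes actually read visible at the check. The commit message speaks of the size "matching" the bytes read, but `<` only rejects chunks smaller than 36; an oversized anih still passes, which is the lenient direction and should be stated if intended. Ordering is right: the size check sits above the duplicate-anih check, so a short second anih is reported as malformed rather than as a duplicate, and the context lines confirm this patch is applied on top of the multiple-anih one.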
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/patches/series gdk-pixbuf-2.42.10+dfsg/debian/patches/series
--- gdk-pixbuf-2.42.10+dfsg/debian/patches/series	2022-11-18 20:13:50.000000000 +0100
+++ gdk-pixbuf-2.42.10+dfsg/debian/patches/series	2024-06-13 23:04:02.000000000 +0200
@@ -2,3 +2,6 @@
 tests-Mark-pixbuf-randomly-modified-as-flaky.patch
 debian_queryloader_dir.patch
 tests-Tolerate-either-CORRUPT_IMAGE-or-INSUFFICIENT_MEMOR.patch
+ANI-Reject-files-with-multiple-anih-chunks.patch
+ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch
+ANI-Validate-anih-chunk-size.patch
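Review bot: the order here matches the `index` lines inside the three patches (c6c4642cf449 -> a78ea7ace40b -> 8e8414117c3a -> cfafd7b1961b), so they apply cleanly in sequence; keep this order if any of them is refreshed later, since the chunk-size patch's context already contains the `if (context->animation)` block introduced by the first one.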

--- End Message ---
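The three checks described in the patch headers above (duplicate anih, duplicate INAM/IART, undersized anih), rebuilt as a stand-alone chunk walker. This is an added example written for this page, not gdk-pixbuf's io-ani.c: the `ANIH_SIZE` name, the error codes, the `have_*` flags and the builders for constructed input are this example's own, and the RIFF header length field is ignored.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define ANIH_SIZE 36   /* nine 32-bit anih fields; constant name is this example's own */
enum { ANI_OK = 0, ANI_BAD_MAGIC = -1, ANI_TRUNCATED = -2,
       ANI_SHORT_ANIH = -3, ANI_DUP_ANIH = -4, ANI_BAD_META = -5, ANI_NO_ANIH = -6 };
static uint32_t rd32(const uint8_t *p) { return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
/* Walks the chunks of a RIFF/ACON buffer, descending into LIST containers, and
 * applies the three checks from the update before any header state is consumed. */
int ani_check(const uint8_t *buf, size_t len) {
    int have_anih = 0, have_inam = 0, have_iart = 0;
    size_t off = 12;
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "ACON", 4))
        return ANI_BAD_MAGIC;
    while (off + 8 <= len) {
        const uint8_t *id = buf + off;
        uint32_t size = rd32(buf + off + 4);
        off += 8;
        if (size > len - off)                      /* pre-existing "enough bytes" check */
            return ANI_TRUNCATED;
        if (!memcmp(id, "LIST", 4)) {              /* container: skip its type, walk inside */
            if (size < 4) return ANI_TRUNCATED;
            off += 4;
            continue;
        }
        if (!memcmp(id, "anih", 4)) {
            if (size < ANIH_SIZE) return ANI_SHORT_ANIH;  /* "Validate anih chunk size" */
            if (have_anih) return ANI_DUP_ANIH;           /* CVE-2022-48622: state set once */
            have_anih = 1;
        } else if (!memcmp(id, "INAM", 4)) {       /* mirrors "!animation || title" */
            if (!have_anih || have_inam) return ANI_BAD_META;
            have_inam = 1;
        } else if (!memcmp(id, "IART", 4)) {       /* mirrors "!animation || author" */
            if (!have_anih || have_iart) return ANI_BAD_META;
            have_iart = 1;
        }
        off += size + (size & 1);                  /* RIFF pads odd-sized chunks to a word */
    }
    return have_anih ? ANI_OK : ANI_NO_ANIH;
}

/* Constructed test input only: RIFF/ACON header, then zero-filled chunks. */
size_t ani_header(uint8_t *buf) { memcpy(buf, "RIFF\0\0\0\0ACON", 12); return 12; }
size_t put_chunk(uint8_t *buf, size_t off, const char *id, uint32_t size) {
    memcpy(buf + off, id, 4);
    for (int i = 0; i < 4; i++) buf[off + 4 + i] = (uint8_t)(size >> (8 * i));
    memset(buf + off + 8, 0, size + (size & 1));
    return off + 8 + size + (size & 1);
}
```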
--- Begin Message ---
Version: 12.6

The upload requested in this bug has been released as part of 12.6.

--- End Message ---