Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: gdk-pix...@packages.debian.org, Simon McVittie <s...@debian.org>, car...@debian.org
Control: affects -1 + src:gdk-pixbuf
User: release.debian....@packages.debian.org
Usertags: pu
Hi stable release managers,

CC'ing Simon,

[ Reason ]
gdk-pixbuf is affected by CVE-2022-48622, a memory corruption via crafted .ani files, cf. #1071265.

[ Impact ]
At least denial of service, but potentially arbitrary code execution as well. But we have classified it as no-dsa and it does not warrant a DSA on its own.

[ Tests ]
Manual test against the PoC in the upstream issue https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/202 .

[ Risks ]
Isolated changes, and the fix has been exposed in sid and trixie.

[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable

[ Changes ]
Three commits cherry-picked from upstream:

* ANI: Reject files with multiple anih chunks (CVE-2022-48622) (Closes: #1071265)
* ANI: Reject files with multiple INAM or IART chunks
* ANI: Validate anih chunk size

The two other commits are not for CVE-2022-48622 but additional hardening and fixing changes related to the ANI code.

Simon, ideally we should also do the fixup in bullseye, but I have not looked at that version yet.

Regards,
Salvatore
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/changelog gdk-pixbuf-2.42.10+dfsg/debian/changelog --- gdk-pixbuf-2.42.10+dfsg/debian/changelog 2022-11-18 20:13:50.000000000 +0100 +++ gdk-pixbuf-2.42.10+dfsg/debian/changelog 2024-06-13 23:04:36.000000000 +0200 @@ -1,3 +1,12 @@ +gdk-pixbuf (2.42.10+dfsg-1+deb12u1) bookworm; urgency=medium + + * ANI: Reject files with multiple anih chunks (CVE-2022-48622) + (Closes: #1071265) + * ANI: Reject files with multiple INAM or IART chunks + * ANI: Validate anih chunk size + + -- Salvatore Bonaccorso <car...@debian.org> Thu, 13 Jun 2024 23:04:36 +0200 + gdk-pixbuf (2.42.10+dfsg-1) unstable; urgency=medium * Team upload diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch --- gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch 1970-01-01 01:00:00.000000000 +0100 +++ gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch 2024-06-13 23:02:36.000000000 +0200 
@@ -0,0 +1,36 @@ +From: Benjamin Gilbert <bgilb...@backtick.net> +Date: Tue, 30 Apr 2024 07:13:37 -0500 +Subject: ANI: Reject files with multiple INAM or IART chunks +Origin: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/d52134373594ff76614fb415125b0d1c723ddd56 + +There should be at most one chunk each. These would cause memory leaks +otherwise. +--- + gdk-pixbuf/io-ani.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c +index a78ea7ace40b..8e8414117c3a 100644 +--- a/gdk-pixbuf/io-ani.c ++++ b/gdk-pixbuf/io-ani.c +@@ -445,7 +445,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error) + } + else if (context->chunk_id == TAG_INAM) + { +- if (!context->animation) ++ if (!context->animation || context->title) + { + g_set_error_literal (error, + GDK_PIXBUF_ERROR, +@@ -472,7 +472,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error) + } + else if (context->chunk_id == TAG_IART) + { +- if (!context->animation) ++ if (!context->animation || context->author) + { + g_set_error_literal (error, + GDK_PIXBUF_ERROR, +-- +2.45.1 + diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-anih-chunks.patch gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-anih-chunks.patch --- gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-anih-chunks.patch 1970-01-01 01:00:00.000000000 +0100 +++ gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-anih-chunks.patch 2024-06-13 22:59:39.000000000 +0200 
@@ -0,0 +1,41 @@ +From: Benjamin Gilbert <bgilb...@backtick.net> +Date: Tue, 30 Apr 2024 07:26:54 -0500 +Subject: ANI: Reject files with multiple anih chunks +Origin: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/00c071dd11f723ca608608eef45cb1aa98da89cc +Bug-Debian: https://bugs.debian.org/1071265 +Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-48622 + +An anih chunk causes us to initialize a bunch of state, which we only +expect to do once per file. + +Fixes: #202 +Fixes: CVE-2022-48622 +--- + gdk-pixbuf/io-ani.c | 9 +++++++++ + tests/test-images/fail/CVE-2022-48622.ani | Bin 0 -> 28012 bytes + 2 files changed, 9 insertions(+) + create mode 100644 tests/test-images/fail/CVE-2022-48622.ani + +diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c +index c6c4642cf449..a78ea7ace40b 100644 +--- a/gdk-pixbuf/io-ani.c ++++ b/gdk-pixbuf/io-ani.c +@@ -295,6 +295,15 @@ ani_load_chunk (AniLoaderContext *context, GError **error) + + if (context->chunk_id == TAG_anih) + { ++ if (context->animation) ++ { ++ g_set_error_literal (error, ++ GDK_PIXBUF_ERROR, ++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE, ++ _("Invalid header in animation")); ++ return FALSE; ++ } ++ + context->HeaderSize = read_int32 (context); + context->NumFrames = read_int32 (context); + context->NumSteps = read_int32 (context); +-- +2.45.1 + diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Validate-anih-chunk-size.patch gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Validate-anih-chunk-size.patch --- gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Validate-anih-chunk-size.patch 1970-01-01 01:00:00.000000000 +0100 +++ gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Validate-anih-chunk-size.patch 2024-06-13 23:03:56.000000000 +0200 
@@ -0,0 +1,38 @@ +From: Benjamin Gilbert <bgilb...@backtick.net> +Date: Tue, 30 Apr 2024 08:17:25 -0500 +Subject: ANI: Validate anih chunk size +Origin: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/91b8aa5cd8a0eea28acb51f0e121827ca2e7eb78 + +Before reading a chunk, we verify that enough bytes are available to match +the chunk size declared by the file. However, uniquely, the anih chunk +loader doesn't verify that this size matches the number of bytes it +actually intends to read. Thus, if the chunk size is too small and the +file ends in the middle of the chunk, we populate some context fields with +stack garbage. (But we'd still fail later on because the file doesn't +contain any images.) Fix this. +--- + gdk-pixbuf/io-ani.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c +index 8e8414117c3a..cfafd7b1961b 100644 +--- a/gdk-pixbuf/io-ani.c ++++ b/gdk-pixbuf/io-ani.c +@@ -295,6 +295,14 @@ ani_load_chunk (AniLoaderContext *context, GError **error) + + if (context->chunk_id == TAG_anih) + { ++ if (context->chunk_size < 36) ++ { ++ g_set_error_literal (error, ++ GDK_PIXBUF_ERROR, ++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE, ++ _("Malformed chunk in animation")); ++ return FALSE; ++ } + if (context->animation) + { + g_set_error_literal (error, +-- +2.45.1 + diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/patches/series gdk-pixbuf-2.42.10+dfsg/debian/patches/series --- gdk-pixbuf-2.42.10+dfsg/debian/patches/series 2022-11-18 20:13:50.000000000 +0100 +++ gdk-pixbuf-2.42.10+dfsg/debian/patches/series 2024-06-13 23:04:02.000000000 +0200 @@ -2,3 +2,6 @@ tests-Mark-pixbuf-randomly-modified-as-flaky.patch debian_queryloader_dir.patch tests-Tolerate-either-CORRUPT_IMAGE-or-INSUFFICIENT_MEMOR.patch +ANI-Reject-files-with-multiple-anih-chunks.patch +ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch +ANI-Validate-anih-chunk-size.patch
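Review bot: in ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch the two new conditions (`if (!context->animation || context->title)` and its IART twin on `context->author`) reuse the existing "INAM/IART before anih" error path, so a repeated title or author chunk now fails with the same error text as a misplaced one; that is fine for a reject-only hardening, but the patch description only says "memory leaks", so a one-line note that the second chunk is deliberately rejected rather than freed and replaced would stop a later reader from "fixing" it by overwriting. Unlike the anih patch, this one carries only an Origin: header; since it is shipped as part of the #1071265 update, a Bug-Debian: https://bugs.debian.org/1071265 header would tie it to the bug like its sibling.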
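Review bot: the diffstat inside ANI-Reject-files-with-multiple-anih-chunks.patch lists `tests/test-images/fail/CVE-2022-48622.ani | Bin 0 -> 28012 bytes`, `2 files changed` and `create mode 100644 tests/test-images/fail/CVE-2022-48622.ani`, but the 41-line patch file contains only the io-ani.c hunk, so the regression image is not actually applied and the bookworm test suite will not exercise the fix; either carry the binary (git format-patch --binary) or trim the diffstat to the io-ani.c line so the description matches what quilt applies. The code change itself is placed before the first `read_int32 (context)` call, so a rejected second anih touches no header state, which is the right position for the check.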
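Review bot: `if (context->chunk_size < 36)` in ANI-Validate-anih-chunk-size.patch is a bare magic number; 36 is nine 32-bit reads, of which the hunk shows the first three (HeaderSize, NumFrames, NumSteps), so a short comment or a named constant next to the check would keep the bound and the read sequence from drifting apart if a field is ever added. The size check sits before the duplicate-anih check and the index line 8e8414117c3a..cfafd7b1961b chains onto the INAM/IART patch, which matches the order in debian/patches/series, so the three patches apply cleanly in sequence.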
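As an added illustration (not gdk-pixbuf's own code and not part of this bug report or its debdiff), the following stand-alone C walker applies the three checks the patches introduce to a constructed ANI byte stream: the declared anih chunk size must cover the 36 bytes of header fields the loader reads, only one anih chunk is accepted, and a second INAM or IART chunk is rejected instead of overwriting (and leaking) the first. Names such as ani_validate, build_sample and check_sample are invented for this example; LIST chunks are simply descended into, which does not model the real loader's list handling, and the sample files are constructed inside build_sample.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added, hypothetical ANI chunk walker: not gdk-pixbuf's io-ani.c. It shows
 * the three checks the patches add; LIST chunks are just descended into. */

#define ANIH_FIELDS_BYTES 36  /* nine 32-bit header fields the loader reads */

enum ani_status {
    ANI_OK = 0,
    ANI_BAD_HEADER,      /* not a RIFF/ACON file */
    ANI_TRUNCATED,       /* file ends before the declared chunk size */
    ANI_ANIH_TOO_SMALL,  /* declared anih size < bytes the loader reads */
    ANI_DUPLICATE_CHUNK  /* second anih, INAM or IART */
};

struct ani_state { int have_anih, have_inam, have_iart; uint32_t num_frames, num_steps; };

static uint32_t rd_le32(const uint8_t *p) { return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24; }
static void wr_le32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Walk every chunk after the 12-byte RIFF/ACON header and apply the checks. */
enum ani_status ani_validate(const uint8_t *buf, size_t len, struct ani_state *st)
{
    memset(st, 0, sizeof *st);
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return ANI_BAD_HEADER;
    size_t pos = 12;
    while (pos + 8 <= len) {
        const uint8_t *id = buf + pos;
        uint32_t size = rd_le32(buf + pos + 4);
        pos += 8;
        if (size > len - pos)          /* the check the loader already had */
            return ANI_TRUNCATED;
        if (memcmp(id, "LIST", 4) == 0) {
            if (size < 4) return ANI_TRUNCATED;
            pos += 4;                  /* skip the list type, walk its children */
            continue;
        }
        if (memcmp(id, "anih", 4) == 0) {
            /* Declared size must cover every field read below, otherwise the reads run past the chunk. */
            if (size < ANIH_FIELDS_BYTES) return ANI_ANIH_TOO_SMALL;
            /* anih initialises per-file state, so accept it only once. */
            if (st->have_anih) return ANI_DUPLICATE_CHUNK;
            st->have_anih = 1;
            st->num_frames = rd_le32(buf + pos + 4);  /* cFrames */
            st->num_steps = rd_le32(buf + pos + 8);   /* cSteps */
        } else if (memcmp(id, "INAM", 4) == 0) {
            if (st->have_inam) return ANI_DUPLICATE_CHUNK;  /* would leak the first title */
            st->have_inam = 1;
        } else if (memcmp(id, "IART", 4) == 0) {
            if (st->have_iart) return ANI_DUPLICATE_CHUNK;  /* would leak the first author */
            st->have_iart = 1;
        }
        pos += size + (size & 1);      /* RIFF pads odd chunks to an even boundary */
    }
    return ANI_OK;
}

/* Append one chunk (id, little-endian size, body, pad byte) at out+pos. */
static size_t put_chunk(uint8_t *out, size_t pos, const char *id, const uint8_t *body, uint32_t size)
{
    memcpy(out + pos, id, 4);
    wr_le32(out + pos + 4, size);
    memcpy(out + pos + 8, body, size);
    pos += 8 + size;
    if (size & 1) out[pos++] = 0;
    return pos;
}

/* Build a constructed sample: anih_count anih chunks declared as anih_size
 * bytes (capped at 36, cFrames = cSteps = 1), then inam_count INAM chunks. */
size_t build_sample(uint8_t *out, int anih_count, uint32_t anih_size, int inam_count)
{
    uint8_t anih[ANIH_FIELDS_BYTES] = {0};
    static const uint8_t name[6] = {'n', 'a', 'm', 'e', 0, 0};
    size_t pos = 12;
    if (anih_size > ANIH_FIELDS_BYTES) anih_size = ANIH_FIELDS_BYTES;
    wr_le32(anih, ANIH_FIELDS_BYTES);  /* cbSize */
    wr_le32(anih + 4, 1);              /* cFrames */
    wr_le32(anih + 8, 1);              /* cSteps */
    memcpy(out, "RIFF", 4);
    memcpy(out + 8, "ACON", 4);
    for (int i = 0; i < anih_count; i++) pos = put_chunk(out, pos, "anih", anih, anih_size);
    for (int i = 0; i < inam_count; i++) pos = put_chunk(out, pos, "INAM", name, sizeof name);
    wr_le32(out + 4, (uint32_t)(pos - 8));  /* RIFF size field */
    return pos;
}

/* Validate a sample; `drop` bytes are cut from the end to simulate a file that
 * ends in the middle of a chunk. Returns the walker's verdict. */
enum ani_status check_sample(int anih_count, uint32_t anih_size, int inam_count, size_t drop)
{
    uint8_t buf[256] = {0};
    struct ani_state st;
    size_t len = build_sample(buf, anih_count, anih_size, inam_count);
    return ani_validate(buf, len > drop ? len - drop : 0, &st);
}
```

The order inside the anih branch mirrors the patched loader: the size bound is tested before the duplicate check, so a file whose anih is both short and repeated is reported for the size problem first, and no header field is read on either rejected path.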