Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: gdk-pix...@packages.debian.org, Simon McVittie <s...@debian.org>, 
car...@debian.org
Control: affects -1 + src:gdk-pixbuf
User: release.debian....@packages.debian.org
Usertags: pu

Hi stable release managers, CC'ing Simon,

[ Reason ]
gdk-pixbuf is affected by CVE-2022-48622, a memory corruption via
crafted .ani files, cf. #1071265.

[ Impact ]
At least denial of service, but potentially arbitrary code execution as
well. We have classified it as no-dsa, and it does not warrant a DSA on
its own.

[ Tests ]
Manual test against the PoC in the upstream issue
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/202.

[ Risks ]
Isolated changes, and the fix has been exposed in sid and trixie.

[ Checklist ]
  [x] *all* changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in (old)stable
  [x] the issue is verified as fixed in unstable

[ Changes ]
Three commits cherry-picked from upstream:

  * ANI: Reject files with multiple anih chunks (CVE-2022-48622)
    (Closes: #1071265)
  * ANI: Reject files with multiple INAM or IART chunks
  * ANI: Validate anih chunk size

The two other commits are not for CVE-2022-48622 but additional
hardening and fixing changes related to the ANI code.

Simon, ideally we should do the fixup in bullseye as well, but I have
not looked at that version yet.

Regards,
Salvatore
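The three checks summarised under [ Changes ] are all instances of one defensive pattern for RIFF-style chunked formats: a generic framing check that the declared chunk size fits the input, plus per-chunk checks that a fixed-layout chunk is at least as large as the fields the loader reads and that chunks which initialise state or allocate memory appear at most once. The following is an added, self-contained example of that pattern, written for this editorial note and not code from gdk-pixbuf, the bug report or the attached debdiff. It walks a minimal ANI container (RIFF/ACON, anih, a LIST/INFO with INAM/IART), descends into LIST chunks by simply skipping their 4-byte type, and builds constructed (not real) sample files so the duplicate-anih, short-anih and duplicate-INAM cases can be exercised. Field names, error codes and the check_sample() builder are this example's own; ANIH_SIZE 36 mirrors the constant in the third patch.

```c
/* Added example: header-level validator for ANI (RIFF/ACON) files.
 * Not gdk-pixbuf code; names and error codes are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ANIH_SIZE 36u   /* anih payload: nine 32-bit fields, as in the backport */

enum ani_result {
    ANI_OK = 0,
    ANI_ERR_NOT_ANI,     /* missing RIFF/ACON signature */
    ANI_ERR_TRUNCATED,   /* declared chunk size exceeds the bytes available */
    ANI_ERR_DUP_ANIH,    /* second anih chunk: state would be re-initialised */
    ANI_ERR_ANIH_SIZE,   /* anih smaller than the fields we intend to read */
    ANI_ERR_DUP_INAM,    /* second INAM: earlier title would be overwritten/leaked */
    ANI_ERR_DUP_IART,    /* second IART: same for the author string */
    ANI_ERR_NO_ANIH
};

typedef struct {
    int seen_anih, seen_inam, seen_iart;
    uint32_t header_size, num_frames, num_steps;
} ani_ctx;

static uint32_t rd32(const uint8_t *p)   /* little-endian u32 */
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

enum ani_result ani_validate(const uint8_t *buf, size_t len, ani_ctx *ctx)
{
    memset(ctx, 0, sizeof *ctx);
    if (len < 12 || memcmp(buf, "RIFF", 4) != 0 || memcmp(buf + 8, "ACON", 4) != 0)
        return ANI_ERR_NOT_ANI;

    size_t pos = 12;
    while (pos < len) {
        if (len - pos < 8)
            return ANI_ERR_TRUNCATED;
        const uint8_t *id = buf + pos;
        uint32_t size = rd32(buf + pos + 4);
        pos += 8;
        /* Generic framing check: the declared payload must be present. */
        if (size > len - pos)
            return ANI_ERR_TRUNCATED;

        if (memcmp(id, "LIST", 4) == 0) {
            /* Descend: skip only the 4-byte list type so sub-chunks are walked inline. */
            if (size < 4) return ANI_ERR_TRUNCATED;
            pos += 4;
            continue;
        }
        if (memcmp(id, "anih", 4) == 0) {
            if (ctx->seen_anih) return ANI_ERR_DUP_ANIH;
            /* The framing check proves the declared size fits the buffer, not
             * that it covers the fixed fields read below; check that too. */
            if (size < ANIH_SIZE) return ANI_ERR_ANIH_SIZE;
            ctx->seen_anih = 1;
            ctx->header_size = rd32(buf + pos);
            ctx->num_frames  = rd32(buf + pos + 4);
            ctx->num_steps   = rd32(buf + pos + 8);
        } else if (memcmp(id, "INAM", 4) == 0) {
            if (ctx->seen_inam) return ANI_ERR_DUP_INAM;
            ctx->seen_inam = 1;
        } else if (memcmp(id, "IART", 4) == 0) {
            if (ctx->seen_iart) return ANI_ERR_DUP_IART;
            ctx->seen_iart = 1;
        }
        pos += size + (size & 1);   /* payload plus RIFF pad byte for odd sizes */
    }
    return ctx->seen_anih ? ANI_OK : ANI_ERR_NO_ANIH;
}

static size_t put_chunk(uint8_t *out, const char *id, const uint8_t *payload, uint32_t size)
{
    memcpy(out, id, 4);
    out[4] = (uint8_t)size;         out[5] = (uint8_t)(size >> 8);
    out[6] = (uint8_t)(size >> 16); out[7] = (uint8_t)(size >> 24);
    memcpy(out + 8, payload, size);
    return 8 + size;
}

/* Builds a constructed (not real) ANI prefix and validates it: anih_copies
 * anih chunks of anih_size bytes each (36 is correct, at most 64 here),
 * followed by a LIST/INFO holding inam_copies INAM chunks. */
enum ani_result check_sample(int anih_copies, uint32_t anih_size, int inam_copies)
{
    static const uint8_t hdr[12] = {'R','I','F','F',0,0,0,0,'A','C','O','N'};
    uint8_t buf[512], anih[64] = {0};
    const uint32_t name_len = 6;                        /* "cursor": even, no pad */
    uint32_t list_size = 4 + (uint32_t)inam_copies * (8 + name_len);
    size_t n = 0;
    int i;
    anih[4] = 1;                                        /* NumFrames = 1 */
    memcpy(buf, hdr, 12); n = 12;
    for (i = 0; i < anih_copies; i++) n += put_chunk(buf + n, "anih", anih, anih_size);
    memcpy(buf + n, "LIST", 4); n += 4;
    buf[n++] = (uint8_t)list_size;         buf[n++] = (uint8_t)(list_size >> 8);
    buf[n++] = (uint8_t)(list_size >> 16); buf[n++] = (uint8_t)(list_size >> 24);
    memcpy(buf + n, "INFO", 4); n += 4;
    for (i = 0; i < inam_copies; i++)
        n += put_chunk(buf + n, "INAM", (const uint8_t *)"cursor", name_len);
    ani_ctx ctx;
    return ani_validate(buf, n, &ctx);
}

int main(void)
{
    printf("well-formed:      %d\n", check_sample(1, 36, 1));   /* 0 = ANI_OK */
    printf("two anih chunks:  %d\n", check_sample(2, 36, 1));   /* ANI_ERR_DUP_ANIH */
    printf("short anih:       %d\n", check_sample(1, 12, 1));   /* ANI_ERR_ANIH_SIZE */
    printf("two INAM chunks:  %d\n", check_sample(1, 36, 2));   /* ANI_ERR_DUP_INAM */
    return 0;
}
```

The order of the two anih checks matters for diagnostics only: here the duplicate test runs first, so a second, truncated anih is reported as a duplicate; the backported patches put the size check first and report it as malformed. Both orders are safe because each check returns before any field is read.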
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/changelog 
gdk-pixbuf-2.42.10+dfsg/debian/changelog
--- gdk-pixbuf-2.42.10+dfsg/debian/changelog    2022-11-18 20:13:50.000000000 
+0100
+++ gdk-pixbuf-2.42.10+dfsg/debian/changelog    2024-06-13 23:04:36.000000000 
+0200
@@ -1,3 +1,12 @@
+gdk-pixbuf (2.42.10+dfsg-1+deb12u1) bookworm; urgency=medium
+
+  * ANI: Reject files with multiple anih chunks (CVE-2022-48622)
+    (Closes: #1071265)
+  * ANI: Reject files with multiple INAM or IART chunks
+  * ANI: Validate anih chunk size
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Thu, 13 Jun 2024 23:04:36 +0200
+
 gdk-pixbuf (2.42.10+dfsg-1) unstable; urgency=medium
 
   * Team upload
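Review bot: the changelog entry names CVE-2022-48622 only on the first item, and nothing in the entry says that the second and third items are extra hardening rather than part of the CVE fix; that explanation lives only in the cover letter, which stable users reading the changelog never see. A short remark on the entry (e.g. "additional hardening of the ANI loader, cherry-picked from upstream") would make the reason for the two extra patches self-evident.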
diff -Nru 
gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch
 
gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch
--- 
gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch
     1970-01-01 01:00:00.000000000 +0100
+++ 
gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch
     2024-06-13 23:02:36.000000000 +0200
@@ -0,0 +1,36 @@
+From: Benjamin Gilbert <bgilb...@backtick.net>
+Date: Tue, 30 Apr 2024 07:13:37 -0500
+Subject: ANI: Reject files with multiple INAM or IART chunks
+Origin: 
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/d52134373594ff76614fb415125b0d1c723ddd56
+
+There should be at most one chunk each.  These would cause memory leaks
+otherwise.
+---
+ gdk-pixbuf/io-ani.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
+index a78ea7ace40b..8e8414117c3a 100644
+--- a/gdk-pixbuf/io-ani.c
++++ b/gdk-pixbuf/io-ani.c
+@@ -445,7 +445,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+       }
+         else if (context->chunk_id == TAG_INAM) 
+       {
+-              if (!context->animation) 
++              if (!context->animation || context->title)
+               {
+                       g_set_error_literal (error,
+                                              GDK_PIXBUF_ERROR,
+@@ -472,7 +472,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+       }
+         else if (context->chunk_id == TAG_IART) 
+       {
+-              if (!context->animation) 
++              if (!context->animation || context->author)
+               {
+                       g_set_error_literal (error,
+                                              GDK_PIXBUF_ERROR,
+-- 
+2.45.1
+
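Review bot: the duplicate-chunk condition `!context->animation || context->title` (and `context->author` in the IART branch) is folded into the existing "no animation yet" error path, so a file with two INAM chunks is reported with whatever message that branch already carries (not visible in the hunk) rather than one naming the duplicate; acceptable for a stable backport, but a distinct message would make test and fuzzer failures easier to triage. Unlike the anih patch, this one also ships no test image under tests/test-images/fail, so the leak case described in the commit message has no regression coverage in the package.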
diff -Nru 
gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-anih-chunks.patch
 
gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-anih-chunks.patch
--- 
gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-anih-chunks.patch
     1970-01-01 01:00:00.000000000 +0100
+++ 
gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Reject-files-with-multiple-anih-chunks.patch
     2024-06-13 22:59:39.000000000 +0200
@@ -0,0 +1,41 @@
+From: Benjamin Gilbert <bgilb...@backtick.net>
+Date: Tue, 30 Apr 2024 07:26:54 -0500
+Subject: ANI: Reject files with multiple anih chunks
+Origin: 
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/00c071dd11f723ca608608eef45cb1aa98da89cc
+Bug-Debian: https://bugs.debian.org/1071265
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2022-48622
+
+An anih chunk causes us to initialize a bunch of state, which we only
+expect to do once per file.
+
+Fixes: #202
+Fixes: CVE-2022-48622
+---
+ gdk-pixbuf/io-ani.c                       |   9 +++++++++
+ tests/test-images/fail/CVE-2022-48622.ani | Bin 0 -> 28012 bytes
+ 2 files changed, 9 insertions(+)
+ create mode 100644 tests/test-images/fail/CVE-2022-48622.ani
+
+diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
+index c6c4642cf449..a78ea7ace40b 100644
+--- a/gdk-pixbuf/io-ani.c
++++ b/gdk-pixbuf/io-ani.c
+@@ -295,6 +295,15 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+         
+         if (context->chunk_id == TAG_anih) 
+       {
++              if (context->animation)
++              {
++                      g_set_error_literal (error,
++                                             GDK_PIXBUF_ERROR,
++                                             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++                                             _("Invalid header in 
animation"));
++                      return FALSE;
++              }
++
+               context->HeaderSize = read_int32 (context);
+               context->NumFrames = read_int32 (context);
+               context->NumSteps = read_int32 (context);
+-- 
+2.45.1
+
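Review bot: the diffstat lists `tests/test-images/fail/CVE-2022-48622.ani | Bin 0 -> 28012 bytes` and "2 files changed", but the quilt patch body carries only the io-ani.c hunk; a text patch cannot embed the binary, so the upstream regression test is silently absent from this backport and the package's test suite will not exercise the fix. Either trim the stale diffstat lines so the patch header matches its content, or add the test image by another route so the fail-case is checked at build time.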
diff -Nru 
gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Validate-anih-chunk-size.patch 
gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Validate-anih-chunk-size.patch
--- gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Validate-anih-chunk-size.patch   
1970-01-01 01:00:00.000000000 +0100
+++ gdk-pixbuf-2.42.10+dfsg/debian/patches/ANI-Validate-anih-chunk-size.patch   
2024-06-13 23:03:56.000000000 +0200
@@ -0,0 +1,38 @@
+From: Benjamin Gilbert <bgilb...@backtick.net>
+Date: Tue, 30 Apr 2024 08:17:25 -0500
+Subject: ANI: Validate anih chunk size
+Origin: 
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/91b8aa5cd8a0eea28acb51f0e121827ca2e7eb78
+
+Before reading a chunk, we verify that enough bytes are available to match
+the chunk size declared by the file.  However, uniquely, the anih chunk
+loader doesn't verify that this size matches the number of bytes it
+actually intends to read.  Thus, if the chunk size is too small and the
+file ends in the middle of the chunk, we populate some context fields with
+stack garbage.  (But we'd still fail later on because the file doesn't
+contain any images.)  Fix this.
+---
+ gdk-pixbuf/io-ani.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
+index 8e8414117c3a..cfafd7b1961b 100644
+--- a/gdk-pixbuf/io-ani.c
++++ b/gdk-pixbuf/io-ani.c
+@@ -295,6 +295,14 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
+         
+         if (context->chunk_id == TAG_anih) 
+       {
++              if (context->chunk_size < 36)
++              {
++                      g_set_error_literal (error,
++                                             GDK_PIXBUF_ERROR,
++                                             GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
++                                             _("Malformed chunk in 
animation"));
++                      return FALSE;
++              }
+               if (context->animation)
+               {
+                       g_set_error_literal (error,
+-- 
+2.45.1
+
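Review bot: the commit message says the loader should verify that the declared size "matches" the bytes it reads, but `if (context->chunk_size < 36)` only rejects chunks that are too small; an oversized anih is still accepted, with its trailing bytes presumably skipped by the chunk framing. If that is intended, a one-line comment saying so would help, and either way the bare 36 (nine 32-bit fields if every read is a read_int32 like the three visible ones) deserves a named constant or a comment tying it to the fields read. Placing this check ahead of the duplicate-anih check from the previous patch is fine: both return before any field is read, so only the error message differs.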
diff -Nru gdk-pixbuf-2.42.10+dfsg/debian/patches/series 
gdk-pixbuf-2.42.10+dfsg/debian/patches/series
--- gdk-pixbuf-2.42.10+dfsg/debian/patches/series       2022-11-18 
20:13:50.000000000 +0100
+++ gdk-pixbuf-2.42.10+dfsg/debian/patches/series       2024-06-13 
23:04:02.000000000 +0200
@@ -2,3 +2,6 @@
 tests-Mark-pixbuf-randomly-modified-as-flaky.patch
 debian_queryloader_dir.patch
 tests-Tolerate-either-CORRUPT_IMAGE-or-INSUFFICIENT_MEMOR.patch
+ANI-Reject-files-with-multiple-anih-chunks.patch
+ANI-Reject-files-with-multiple-INAM-or-IART-chunks.patch
+ANI-Validate-anih-chunk-size.patch
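Review bot: the order here has to follow the upstream commit chain, because each patch's `index` line expects the previous one's output (c6c4642cf449 -> a78ea7ace40b in the anih patch, a78ea7ace40b -> 8e8414117c3a in the INAM/IART patch, 8e8414117c3a -> cfafd7b1961b in the size patch); it does, so `quilt push -a` applies cleanly, and the listing agrees with the order in the cover letter and changelog.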
