Got it, thanks for the explanation. At least we know the overwrite doesn't happen, which removes the potential security issue out of the equation.
To be honest I'm not completely convinced it was exploitable, but I'm not convinced it wasn't either, so better play it safe and patch it out. The side effects on other apps are unfortunate, but like you say, it's up to the apps to manage errors coming from gdk-pixbuf. -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to gdk-pixbuf in Ubuntu. https://bugs.launchpad.net/bugs/1982898 Title: CVE-2021-46829: Buffer overwrite in io-gif-animation.c composite_frame() in gdk-pixbuf Status in gdk-pixbuf package in Ubuntu: In Progress Bug description: [Impact] * A buffer overwrite exists in gdk-pixbuf's thumbnailer. * The GIF loader runs out of memory with specifically crafted files with bad frame data (and images with its sizes) over the integer limit. * After gdk-pixbuf-thum runs out of memory, other apps can and on low RAM systems like my old iMac, the system can completely run out of memory. * Or, in other ways, bad gif files in other applications can open the door for exploits. * Any app using gdk-pixbuf is affected, mainly file managers and image viewers. [Test Plan] * Take the POC's - they can be found in the issue in the GNOME repo * Open them in an application that uses gdk-pixbuf. I have managed to produce reactions with: - Nautilus, GNOME's file manager - Nemo, Cinnamon's file manager - Thunar, XFCE's file manager, which has its own thumbnailere (tumbler) that also inevitably fails and crashes - PCManFM, LXDE's file manager which straight up crashes - Caja, MATE's file manager causes libpixbufloader-gif to segfault (app still usable, no memory issues) - Eye of GNOME (eog) triggers the segfault in syslog - Eye of MATE (eom) segfaults * If you or the system couldn't tell something is wrong, cat /var/log/syslog and enjoy the segfaults or out of memory warnings or even kernel spam. [Where problems could occur] * The patch itself is simple, but since gdk-pixbuf is often used with GTK apps a mistake here could be problematic. * It is possible, and has happened in the past (which has been patched) that other bad GIFs can cause other crashes. * That patch is essentially overflow checks - changes with GLib (GNOME's, not to be confused with glibc) and the functions used in not only the patch but all of gdk-pixbuf can cause problems * Other failures to properly handle GIFs and broken or intentionally tampered GIFs can continue and always will open the door for security holes for other bugs * Again, overall a simple patch but as long as the GIFs remain handled properly, and no changes to the GLib functions are made and to other apps that use gdk-pixbuf (and assuming are not affected by the change and still work), the patch does not have much regression potential. [Other Info] * Besides Buffer overwrite/overflow issues, as aforementioned out of memory errors can happen. * Files attached are examples or crashes * Again, all apps using gdk-pixbuf are affected * https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/121/ * https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/190 * https://github.com/pedrib/PoC/blob/master/fuzzing/CVE-2021-46829/CVE-2021-46829.md ProblemType: Bug DistroRelease: Ubuntu 20.04 Package: libgdk-pixbuf2.0-0 2.40.0+dfsg-3ubuntu0.2 ProcVersionSignature: Ubuntu 5.15.0-43.46~20.04.1-generic 5.15.39 Uname: Linux 5.15.0-43-generic x86_64 ApportVersion: 2.20.11-0ubuntu27.24 Architecture: amd64 CasperMD5CheckResult: skip CurrentDesktop: X-Cinnamon Date: Tue Jul 26 19:33:41 2022 InstallationDate: Installed on 2021-11-24 (244 days ago) InstallationMedia: ubuntucinnamonremix "@BASECODENAME" (20210826) SourcePackage: gdk-pixbuf UpgradeStatus: No upgrade log present (probably fresh install) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/gdk-pixbuf/+bug/1982898/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
