CVE-2021-46829: Buffer overwrite in io-gif-animation.c composite_frame() in gdk-pixbuf

Bug #1982898 reported by Joshua Peisach
Affects               Status        Importance  Assigned to      Milestone
gdk-pixbuf (Ubuntu)   Fix Released  Undecided   Joshua Peisach
Focal                 Fix Released  Undecided   Unassigned

Bug Description

[Impact]

 * A buffer overwrite exists in gdk-pixbuf's thumbnailer.

 * The GIF loader runs out of memory with specially crafted files whose bad frame data (and image sizes) exceed the integer limit.

 * After gdk-pixbuf-thumbnailer runs out of memory, other apps can too, and on low-RAM systems like my old iMac the whole system can run out of memory.

 * Bad GIF files opened in other applications can likewise open the door to exploits.

 * Any app using gdk-pixbuf is affected, mainly file managers and image viewers.

[Test Plan]

 * Take the PoCs; they can be found in the issue in the GNOME repo.

 * Open them in an application that uses gdk-pixbuf. I have managed to produce reactions with:
 - Nautilus, GNOME's file manager
 - Nemo, Cinnamon's file manager
 - Thunar, XFCE's file manager, which has its own thumbnailer (tumbler) that also inevitably fails and crashes
 - PCManFM, LXDE's file manager which straight up crashes
 - Caja, MATE's file manager causes libpixbufloader-gif to segfault (app still usable, no memory issues)
 - Eye of GNOME (eog) triggers the segfault in syslog
 - Eye of MATE (eom) segfaults

 * If you or the system couldn't tell something is wrong, cat /var/log/syslog and enjoy the segfaults, out-of-memory warnings or even kernel spam.

[Where problems could occur]

 * The patch itself is simple, but since gdk-pixbuf is often used with GTK apps a mistake here could be problematic.

 * It is possible, and has happened in the past (which has been patched) that other bad GIFs can cause other crashes.

 * The patch is essentially overflow checks. Changes to GLib (GNOME's, not to be confused with glibc) and to the functions it provides, which are used not only in the patch but throughout gdk-pixbuf, could cause problems.

 * Other failures to properly handle broken or intentionally tampered GIFs can continue and will always open the door to other security holes.

 * Again, overall a simple patch, but as long as GIFs remain handled properly, no changes are made to the GLib functions, and other apps that use gdk-pixbuf are not affected by the change and still work, the patch does not have much regression potential.

[Other Info]

 * Besides the buffer overwrite/overflow issues, out-of-memory errors can happen, as mentioned above.
 * Files attached are examples of crashes
 * Again, all apps using gdk-pixbuf are affected
 * https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/121/
 * https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/190
 * https://github.com/pedrib/PoC/blob/master/fuzzing/CVE-2021-46829/CVE-2021-46829.md

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: libgdk-pixbuf2.0-0 2.40.0+dfsg-3ubuntu0.2
ProcVersionSignature: Ubuntu 5.15.0-43.46~20.04.1-generic 5.15.39
Uname: Linux 5.15.0-43-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.24
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: X-Cinnamon
Date: Tue Jul 26 19:33:41 2022
InstallationDate: Installed on 2021-11-24 (244 days ago)
InstallationMedia: ubuntucinnamonremix "@BASECODENAME" (20210826)
SourcePackage: gdk-pixbuf
UpgradeStatus: No upgrade log present (probably fresh install)
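The fix described in this report is a set of overflow checks applied when a GIF frame is composited onto (or cleared from) the animation canvas. The following is an added illustration of that defect class, written for this page; it is not gdk-pixbuf's code and does not reproduce the actual patch from the merge request above. It parses the real GIF header and first image descriptor from constructed byte strings, shows a flawed bounds check that wraps in 16-bit arithmetic next to a hardened one, and caps the canvas allocation so a 65535x65535 logical screen is refused instead of driving the process into the OOM killer. The names (gif_frame_fits, GIF_CANVAS_CAP and so on) and the 256 MiB cap are assumptions made for the example.

```c
/* Added example for CVE-2021-46829's defect class; not gdk-pixbuf code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

typedef struct { uint16_t width, height; } gif_screen;
typedef struct { uint16_t left, top, width, height; } gif_frame_desc;

enum gif_verdict { GIF_OK = 0, GIF_MALFORMED = 1, GIF_FRAME_OUT_OF_BOUNDS = 2, GIF_CANVAS_TOO_LARGE = 3 };

/* Hypothetical sanity cap on the RGBA canvas (assumption for this example). */
#define GIF_CANVAS_CAP ((size_t)256 * 1024 * 1024)

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse the GIF header, skip an optional global colour table and read the first
 * image descriptor. LZW pixel data is not decoded; geometry is all the checks need. */
int gif_parse_first_frame(const uint8_t *buf, size_t len, gif_screen *scr, gif_frame_desc *fr)
{
    if (len < 13 || (memcmp(buf, "GIF89a", 6) != 0 && memcmp(buf, "GIF87a", 6) != 0)) return -1;
    scr->width  = rd16le(buf + 6);
    scr->height = rd16le(buf + 8);
    size_t pos = 13;
    if (buf[10] & 0x80) pos += 3u * (1u << ((buf[10] & 0x07) + 1)); /* global colour table */
    if (len < pos + 10 || buf[pos] != 0x2C) return -1;               /* image descriptor */
    fr->left   = rd16le(buf + pos + 1);
    fr->top    = rd16le(buf + pos + 3);
    fr->width  = rd16le(buf + pos + 5);
    fr->height = rd16le(buf + pos + 7);
    return 0;
}

/* Flawed check: summing two uint16 values and truncating to 16 bits wraps around. */
int naive_frame_fits(const gif_screen *scr, const gif_frame_desc *fr)
{
    uint16_t right  = (uint16_t)(fr->left + fr->width);
    uint16_t bottom = (uint16_t)(fr->top + fr->height);
    return right <= scr->width && bottom <= scr->height;
}

/* Hardened check: widen before adding, reject empty frames. */
int gif_frame_fits(const gif_screen *scr, const gif_frame_desc *fr)
{
    if (fr->width == 0 || fr->height == 0) return 0;
    if ((uint32_t)fr->left + fr->width  > scr->width)  return 0;
    if ((uint32_t)fr->top  + fr->height > scr->height) return 0;
    return 1;
}

/* width * height * 4 without size_t overflow, bounded by a cap. */
int gif_canvas_bytes(const gif_screen *scr, size_t cap, size_t *out)
{
    size_t w = scr->width, h = scr->height;
    if (w == 0 || h == 0 || w > SIZE_MAX / h) return 0;
    size_t n = w * h;
    if (n > SIZE_MAX / 4) return 0;
    n *= 4;
    if (n > cap) return 0;
    *out = n;
    return 1;
}

int gif_check_first_frame(const uint8_t *buf, size_t len)
{
    gif_screen scr; gif_frame_desc fr; size_t bytes;
    if (gif_parse_first_frame(buf, len, &scr, &fr) != 0) return GIF_MALFORMED;
    if (!gif_canvas_bytes(&scr, GIF_CANVAS_CAP, &bytes)) return GIF_CANVAS_TOO_LARGE;
    if (!gif_frame_fits(&scr, &fr)) return GIF_FRAME_OUT_OF_BOUNDS;
    return GIF_OK;
}

/* Composite a solid-colour frame onto an RGBA canvas of scr dimensions. No byte is
 * written unless gif_frame_fits passed. Returns pixels written, or -1 if rejected. */
long gif_composite_solid(uint8_t *canvas, const gif_screen *scr, const gif_frame_desc *fr, const uint8_t rgba[4])
{
    if (!gif_frame_fits(scr, fr)) return -1;
    size_t stride = (size_t)scr->width * 4;
    for (size_t y = 0; y < fr->height; y++) {
        uint8_t *row = canvas + ((size_t)fr->top + y) * stride + (size_t)fr->left * 4;
        for (size_t x = 0; x < fr->width; x++) memcpy(row + x * 4, rgba, 4);
    }
    return (long)fr->width * fr->height;
}

/* Constructed inputs: header plus first image descriptor only, no pixel data or trailer. */
static const uint8_t benign_gif[]   = { 'G','I','F','8','9','a', 0x04,0x00, 0x04,0x00, 0x00,0x00,0x00,
                                        0x2C, 0x01,0x00, 0x01,0x00, 0x02,0x00, 0x02,0x00, 0x00 }; /* 2x2 at (1,1) on 4x4 */
static const uint8_t wrapping_gif[] = { 'G','I','F','8','9','a', 0x04,0x00, 0x04,0x00, 0x00,0x00,0x00,
                                        0x2C, 0xFF,0xFF, 0x00,0x00, 0x02,0x00, 0x01,0x00, 0x00 }; /* left=65535,w=2 wraps to 1 */
static const uint8_t huge_gif[]     = { 'G','I','F','8','9','a', 0xFF,0xFF, 0xFF,0xFF, 0x00,0x00,0x00,
                                        0x2C, 0x00,0x00, 0x00,0x00, 0x01,0x00, 0x01,0x00, 0x00 }; /* 65535x65535 screen */

int verdict_benign(void)   { return gif_check_first_frame(benign_gif, sizeof benign_gif); }
int verdict_wrapping(void) { return gif_check_first_frame(wrapping_gif, sizeof wrapping_gif); }
int verdict_huge(void)     { return gif_check_first_frame(huge_gif, sizeof huge_gif); }

/* The naive check accepts the wrapping frame that the hardened check rejects. */
int naive_accepts_wrapping(void)
{
    gif_screen scr; gif_frame_desc fr;
    if (gif_parse_first_frame(wrapping_gif, sizeof wrapping_gif, &scr, &fr) != 0) return -1;
    return naive_frame_fits(&scr, &fr);
}

/* Composite the benign frame into a zeroed 4x4 canvas; -2 if bytes outside the 2x2 block changed. */
long composite_benign_pixels(void)
{
    uint8_t canvas[4 * 4 * 4] = {0}, red[4] = {255, 0, 0, 255};
    gif_screen scr; gif_frame_desc fr;
    if (gif_parse_first_frame(benign_gif, sizeof benign_gif, &scr, &fr) != 0) return -1;
    long n = gif_composite_solid(canvas, &scr, &fr, red);
    if (canvas[0] != 0 || canvas[(1 * 4 + 1) * 4] != 255 || canvas[(3 * 4 + 3) * 4] != 0) return -2;
    return n;
}

long composite_wrapping(void)
{
    uint8_t canvas[4 * 4 * 4] = {0}, red[4] = {255, 0, 0, 255};
    gif_screen scr; gif_frame_desc fr;
    if (gif_parse_first_frame(wrapping_gif, sizeof wrapping_gif, &scr, &fr) != 0) return -1;
    return gif_composite_solid(canvas, &scr, &fr, red);
}
```

The point of ordering the checks as gif_check_first_frame does is that the allocation size is validated from the header alone, before any frame is touched, and every write in the compositor is gated by the same widened bounds check; a frame descriptor that passes a 16-bit comparison by wrapping is exactly the kind of input that reaches memcpy with an out-of-range destination when the check is missing.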

Joshua Peisach (itzswirlz) wrote :
information type: Private Security → Public Security
Joshua Peisach (itzswirlz) wrote :

Here is what it did to my iMac.

Changed in gdk-pixbuf (Ubuntu):
assignee: nobody → Joshua Peisach (itzswirlz)
tags: added: bionic xenial
removed: jammy
Joshua Peisach (itzswirlz) wrote :

Thunar, which uses tumbler for thumbnailing, produced a crash.

Joshua Peisach (itzswirlz) wrote :

PCManFM crashed to this.

That's my last PoC; I'm going to create the patch.

Joshua Peisach (itzswirlz) wrote :

Here's the proposed focal patch. I noticed some stray whitespace, but that is in the existing code and not introduced by me.

Changed in gdk-pixbuf (Ubuntu):
status: New → In Progress
description: updated
description: updated
Pedro Ribeiro (pedrib) wrote :

I just checked, and it seems EOM still crashes with OOM, even with the patched library (version 2.42.8). I'm guessing this is a separate bug in EOM?

Joshua Peisach (itzswirlz) wrote :

Hmm… check Jammy/Kinetic. Can you send me the crash file/syslog?

Some apps, I think, have proper handling of bad files while others don't. For example, EOG can detect that it's a bad file.

description: updated
Joshua Peisach (itzswirlz) wrote :
Joshua Peisach (itzswirlz) wrote :
description: updated
Pedro Ribeiro (pedrib) wrote :

Tested on Ubuntu 22.04, it seems that EoG / EoM / gdk-pixbuf-{pixdata,thumbnailer} try to allocate all the system's memory with the "more_trouble.poc" from the original report.

Out of these, EoM seems not to handle it gracefully, as it gets killed by oom-killer. The others simply give up at some point without being killed and do not crash. Seems like a different bug that affects EoM, but might affect other users of gdk-pixbuf too?

Joshua Peisach (itzswirlz) wrote :

I can confirm for myself now as well that I am experiencing issues. Some applications, most of them listed above, can in one way or another be found to be unable to handle these images properly.

gdk-pixbuf still crashes, but it is no longer a buffer overwrite. Technically a win, but the key issue is that apps do not know how to respond when gdk-pixbuf dies.

Take Eye of GNOME: if you open a file directly from the terminal using one of the PoCs, it is fine and reads the gdk-pixbuf error correctly. But cycle to the next PoC and it crashes.

Probably a lot of this is apps being tied into gdk-pixbuf, and if I am correct it is a part of Gtk so apps are sort of forced to be connected to it. When one breaks down, it's like a cable wire. In the future, for stability purposes patches need to be made to apps so whenever a component like gdk-pixbuf fails, the rest of the app doesn't (or has some fallback state)

Pedro Ribeiro (pedrib) wrote :

Got it, thanks for the explanation.

At least we know the overwrite doesn't happen, which removes the potential security issue out of the equation.

To be honest I'm not completely convinced it was exploitable, but I'm not convinced it wasn't either, so better play it safe and patch it out. The side effects on other apps are unfortunate, but like you say, it's up to the apps to manage errors coming from gdk-pixbuf.

Eduardo Barretto (ebarretto) wrote :

Hi Joshua and Pedro,

Have you reported the side effects of the fix to those projects you mentioned?
If yes could you add the bug reports here?

thanks

Marc Deslauriers (mdeslaur) wrote :

ACK on the debdiff in comment #5, I am currently building it (with a slight change to add the bug number to the changelog) and will release it as a security update next week. Thanks!

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gdk-pixbuf - 2.40.0+dfsg-3ubuntu0.3

---------------
gdk-pixbuf (2.40.0+dfsg-3ubuntu0.3) focal-security; urgency=medium

  * SECURITY UPDATE: Buffer overwrite in io-gif-animation.c
    composite_frame() (LP: #1982898)
    - debian/patches/CVE-2021-46829.patch: gif: Check for overflow
      when compositing or clearing frames.
    - CVE-2021-46829

 -- Joshua Peisach <email address hidden> Tue, 26 Jul 2022 20:42:00 -0400

Changed in gdk-pixbuf (Ubuntu Focal):
status: New → Fix Released
Changed in gdk-pixbuf (Ubuntu):
status: In Progress → Fix Released