Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 596756 (CVE-2016-9082) - <x11-libs/cairo-1.16.0-r2: DoS attack based on using SVG to generate invalid pointers from a _cairo_image_surface in write_png (CVE-2016-9082)
Summary: <x11-libs/cairo-1.16.0-r2: DoS attack based on using SVG to generate invalid ...
Status: RESOLVED FIXED
Alias: CVE-2016-9082
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugs.freedesktop.org/show_bug...
Whiteboard: B3 [glsa+ cve]
Keywords:
Depends on: CVE-2018-19876
Blocks:
  Show dependency tree
 
Reported: 2016-10-10 10:32 UTC by Agostino Sarubbo
Modified: 2019-04-02 04:15 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2016-10-10 10:32:42 UTC
From ${URL} :

This is in cairo-1.14.6

This has already been reported on oss-security, although there is no analysis there and as yet there is no CVE:

http://www.openwall.com/lists/oss-security/2016/10/06/1

The repro uses:

rsvg-convert -o crash.png crash.svg

The crash happens because write_png passes invalid (off by 4GByte) pointers to libpng.  The bug is in the declaration of _cairo_image_surface which 
obviously won't work on a machine with a 64-bit address space and 32-bit (int) values.

The crash is 'just' a read from the invalid pointer inside libpng, however there is at least one other case of the loop in read_png where the crash would 
be a memory overwrite with data from the PNG; that version has been semi-fixed.

I'm not posting a detailed analysis because I'm not sure how many places the bug is exposed and it is pretty clear given the fact that the loop in 
read_png is different that you already know about one instance of this bug.

The libpng maintainer has a copy of my complete analysis and the original SVG, I suggest not posting it at the moment because it took me about 4 minutes 
to find the problem given the SVG.

I also suspect it isn't specific to SVG; I assume the read_png change came from test jockeys hitting Cairo with various obvious PNG files, they tend to 
not test SVG anywhere near as much.

The fix is to change 'stride' in the surface to (size_t), and preferably width/height to (uint32_t) and depth to (unsigned).  Doing that will reveal all 
cases of the bug given a sufficiently high warning level.



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Ian Zimmerman 2016-11-16 21:45:14 UTC
I think this is now CVE-2016-9082.
Comment 2 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-20 18:18:07 UTC
Update:

Even when the bug points to version 1.14.6, the error persists till actual version. There has been no update from upstream since last proposed patch, it is not a perfect solution, but it helps to avoid some of the problems.

RedHat has already marked it as NONFIX and 703 packages from the tree depend on cairo.

@Maintainers: could you let us know if the proposed patch could be applied here?

thanks
Comment 3 Thomas Deutschmann gentoo-dev Security 2018-05-15 21:23:06 UTC
Upstream patch: https://cgit.freedesktop.org/cairo/commit/?id=38fbe621cf80d560cfc27b54b5417b62cda64c8a

Upstream v1.15.10 or newer has this patch.
Comment 4 Matt Turner gentoo-dev 2019-03-29 20:49:00 UTC
This is fixed in 1.16.0 which is stable on all arches. No older versions remain in tree.
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2019-04-02 04:15:44 UTC
This issue was resolved and addressed in
 GLSA 201904-01 at https://security.gentoo.org/glsa/201904-01
by GLSA coordinator Aaron Bauman (b-man).