Your message dated Sun, 14 Oct 2018 05:50:34 +0000
with message-id <e1gbziq-0001wx...@fasolo.debian.org>
and subject line Bug#897954: fixed in libgxps 0.3.0-3
has caused the Debian Bug report #897954,
regarding libgxps: CVE-2018-10733: Heap Buffer Overflow in ft_font_face_hash of gxps-fonts.c
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
897954: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=897954
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: libgxps
Version: 0.3.0-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for libgxps.

CVE-2018-10733[0]:
| There is a heap-based buffer over-read in the function
| ft_font_face_hash of gxps-fonts.c in libgxps through 0.3.0. A crafted
| input will lead to a remote denial of service attack.

It seems it was originally reported in [1].

./libgxps-0.3.0/obj-x86_64-linux-gnu/tools/xpstojpeg 1431033 /dev/null
=================================================================
==3828==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb2a7a7afc4 at pc 0x7fb2b407389d bp 0x7ffdbc7b6fd0 sp 0x7ffdbc7b6fc8
READ of size 1 at 0x7fb2a7a7afc4 thread T0
    #0 0x7fb2b407389c in ft_font_face_hash ../libgxps/gxps-fonts.c:86
    #1 0x7fb2b3d2a883 in g_hash_table_lookup (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3a883)
    #2 0x7fb2b4073f32 in gxps_fonts_new_font_face ../libgxps/gxps-fonts.c:241
    #3 0x7fb2b4073f32 in gxps_fonts_get_font ../libgxps/gxps-fonts.c:296
    #4 0x7fb2b40a2ce1 in render_end_element ../libgxps/gxps-page.c:962
    #5 0x7fb2b3d3f7d1  (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f7d1)
    #6 0x7fb2b3d40721 in g_markup_parse_context_parse (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x50721)
    #7 0x7fb2b407b7aa in gxps_parse_stream ../libgxps/gxps-parse-utils.c:182
    #8 0x7fb2b40b2bd5 in gxps_page_parse_for_rendering ../libgxps/gxps-page.c:1121
    #9 0x7fb2b40b2bd5 in gxps_page_render ../libgxps/gxps-page.c:1823
    #10 0x563417d13862 in gxps_converter_run ../tools/gxps-converter.c:320
    #11 0x563417d10553 in main ../tools/gxps-converter-main.c:40
    #12 0x7fb2b20bfa86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
    #13 0x563417d10669 in _start (/root/libgxps-0.3.0/obj-x86_64-linux-gnu/tools/xpstojpeg+0xb669)

0x7fb2a7a7afc4 is located 0 bytes to the right of 186308-byte region [0x7fb2a7a4d800,0x7fb2a7a7afc4)
allocated by thread T0 here:
    #0 0x7fb2b442ac20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x7fb2b3d41858 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51858)
    #2 0x7fb2b4073e70 in gxps_fonts_new_font_face ../libgxps/gxps-fonts.c:225
    #3 0x7fb2b4073e70 in gxps_fonts_get_font ../libgxps/gxps-fonts.c:296
    #4 0x7fb2b40a2ce1 in render_end_element ../libgxps/gxps-page.c:962
    #5 0x7fb2b3d3f7d1  (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f7d1)
    #6 0xd841508d82e26fff  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../libgxps/gxps-fonts.c:86 in ft_font_face_hash
Shadow bytes around the buggy address:
  0x0ff6d4f475a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6d4f475b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6d4f475c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6d4f475d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6d4f475e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff6d4f475f0: 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa
  0x0ff6d4f47600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff6d4f47610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff6d4f47620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff6d4f47630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff6d4f47640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3828==ABORTING

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10733
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10733
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1574844

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
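
Reading the AddressSanitizer report in the message above, as an added example (not part of the original bug report and not libgxps code): a small Python triage script that pulls out the access, the faulting and allocating source frames, and cross-checks the region size against the bracketed shadow byte. The embedded report is a constructed excerpt of the lines above with mail line-wraps rejoined; the function names `triage` and `first_source_frame` are hypothetical.

```python
import re

# Constructed excerpt of the report above, with mail line-wraps rejoined.
REPORT = """\
==3828==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb2a7a7afc4 at pc 0x7fb2b407389d bp 0x7ffdbc7b6fd0 sp 0x7ffdbc7b6fc8
READ of size 1 at 0x7fb2a7a7afc4 thread T0
    #0 0x7fb2b407389c in ft_font_face_hash ../libgxps/gxps-fonts.c:86
    #1 0x7fb2b3d2a883 in g_hash_table_lookup (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3a883)
0x7fb2a7a7afc4 is located 0 bytes to the right of 186308-byte region [0x7fb2a7a4d800,0x7fb2a7a7afc4)
allocated by thread T0 here:
    #0 0x7fb2b442ac20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x7fb2b3d41858 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51858)
    #2 0x7fb2b4073e70 in gxps_fonts_new_font_face ../libgxps/gxps-fonts.c:225
=>0x0ff6d4f475f0: 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa
"""

FRAME = re.compile(r"#\d+ 0x[0-9a-f]+ in (\S+) (\S+)")

def first_source_frame(lines):
    """First frame resolved to file:line; skips frames shown only as (module+offset)."""
    for line in lines:
        m = FRAME.search(line)
        if m and not m.group(2).startswith("("):
            return m.group(1), m.group(2)
    return None

def triage(report):
    lines = report.splitlines()
    kind = re.search(r"AddressSanitizer: (\S+) on address (0x[0-9a-f]+)", report)
    access = re.search(r"(READ|WRITE) of size (\d+)", report)
    region = re.search(r"to the (right|left) of (\d+)-byte region "
                       r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)", report)
    shadow = re.search(r"\[([0-9a-f]{2})\]", report)
    split = next(i for i, l in enumerate(lines) if l.startswith("allocated by"))
    size = int(region.group(2))
    start, end = int(region.group(3), 16), int(region.group(4), 16)
    return {
        "bug": kind.group(1),
        "access": (access.group(1), int(access.group(2))),
        "bytes_past_end": int(kind.group(2), 16) - end,  # 0: first byte after buffer
        "region_consistent": end - start == size,
        "fault": first_source_frame(lines[:split]),
        "alloc": first_source_frame(lines[split:]),
        # A partially addressable 8-byte granule stores its count of valid bytes,
        # so the bracketed shadow byte should equal size % 8 when that is non-zero.
        "shadow_matches": int(shadow.group(1), 16) == size % 8,
    }

if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

The result shows a 1-byte read at the first byte past a 186308-byte buffer allocated at gxps-fonts.c:225 and read at gxps-fonts.c:86, which matches the over-read described in the CVE text.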
--- Begin Message ---
Source: libgxps
Source-Version: 0.3.0-3

We believe that the bug you reported is fixed in the latest version of
libgxps, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 897...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Bicha <jbi...@debian.org> (supplier of updated libgxps package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 14 Oct 2018 01:14:59 -0400
Source: libgxps
Binary: libgxps2 libgxps-dev libgxps-utils libgxps-doc gir1.2-gxps-0.1
Architecture: source
Version: 0.3.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org>
Changed-By: Jeremy Bicha <jbi...@debian.org>
Description:
 gir1.2-gxps-0.1 - GObject introspection data for the gxps library
 libgxps-dev - handling and rendering XPS documents (development files)
 libgxps-doc - library for handling and rendering XPS documents (documentation)
 libgxps-utils - handling and rendering XPS documents (utilities)
 libgxps2   - handling and rendering XPS documents (library)
Closes: 887615 897954
Changes:
 libgxps (0.3.0-3) unstable; urgency=medium
 .
   * Update Vcs fields for migration to https://salsa.debian.org/
   * Use debian/libgxps-utils.manpages instead of dh_install
   * Bump Standards-Version to 4.2.1
   * Cherry-pick docs-Fix-OUTPUT-FILE-description.patch:
     - fix typo in manpages (Closes: #887615)
   * Cherry-pick gxps-archive-Ensure-gxps_archive_read_entry-fills-the-GEr.patch
     & gxps-archive-Handle-errors-returned-by-archive_read_data.patch:
     - Fix heap buffer overflow in ft_font_face_hash of gxps-fonts.c
       CVE-2018-10733 (Closes: #897954)
   * Cherry-pick gxps-images-fix-integer-overflow-in-png-decoder.patch:
     - Fix an integer overflow
   * Cherry-pick gxps-images-clear-the-error-before-trying-to-load-an-imag.patch:
     - clear an error so that fallback image loading works


--- End Message ---