Source: libgxps
Version: 0.3.0-1
Severity: important
Tags: security upstream
Hi,

The following vulnerability was published for libgxps.

CVE-2018-10733[0]:
| There is a heap-based buffer over-read in the function
| ft_font_face_hash of gxps-fonts.c in libgxps through 0.3.0. A crafted
| input will lead to a remote denial of service attack.

It seems it was originally reported in [1].

./libgxps-0.3.0/obj-x86_64-linux-gnu/tools/xpstojpeg 1431033 /dev/null
=================================================================
==3828==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb2a7a7afc4 at pc 0x7fb2b407389d bp 0x7ffdbc7b6fd0 sp 0x7ffdbc7b6fc8
READ of size 1 at 0x7fb2a7a7afc4 thread T0
    #0 0x7fb2b407389c in ft_font_face_hash ../libgxps/gxps-fonts.c:86
    #1 0x7fb2b3d2a883 in g_hash_table_lookup (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3a883)
    #2 0x7fb2b4073f32 in gxps_fonts_new_font_face ../libgxps/gxps-fonts.c:241
    #3 0x7fb2b4073f32 in gxps_fonts_get_font ../libgxps/gxps-fonts.c:296
    #4 0x7fb2b40a2ce1 in render_end_element ../libgxps/gxps-page.c:962
    #5 0x7fb2b3d3f7d1 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f7d1)
    #6 0x7fb2b3d40721 in g_markup_parse_context_parse (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x50721)
    #7 0x7fb2b407b7aa in gxps_parse_stream ../libgxps/gxps-parse-utils.c:182
    #8 0x7fb2b40b2bd5 in gxps_page_parse_for_rendering ../libgxps/gxps-page.c:1121
    #9 0x7fb2b40b2bd5 in gxps_page_render ../libgxps/gxps-page.c:1823
    #10 0x563417d13862 in gxps_converter_run ../tools/gxps-converter.c:320
    #11 0x563417d10553 in main ../tools/gxps-converter-main.c:40
    #12 0x7fb2b20bfa86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
    #13 0x563417d10669 in _start (/root/libgxps-0.3.0/obj-x86_64-linux-gnu/tools/xpstojpeg+0xb669)

0x7fb2a7a7afc4 is located 0 bytes to the right of 186308-byte region [0x7fb2a7a4d800,0x7fb2a7a7afc4)
allocated by thread T0 here:
    #0 0x7fb2b442ac20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x7fb2b3d41858 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51858)
    #2 0x7fb2b4073e70 in gxps_fonts_new_font_face ../libgxps/gxps-fonts.c:225
    #3 0x7fb2b4073e70 in gxps_fonts_get_font ../libgxps/gxps-fonts.c:296
    #4 0x7fb2b40a2ce1 in render_end_element ../libgxps/gxps-page.c:962
    #5 0x7fb2b3d3f7d1 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f7d1)
    #6 0xd841508d82e26fff (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../libgxps/gxps-fonts.c:86 in ft_font_face_hash
Shadow bytes around the buggy address:
  0x0ff6d4f475a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6d4f475b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6d4f475c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6d4f475d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0ff6d4f475e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff6d4f475f0: 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa
  0x0ff6d4f47600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff6d4f47610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff6d4f47620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff6d4f47630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0ff6d4f47640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
==3828==ABORTING

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10733
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10733
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1574844

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
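The ASan report above shows a one-byte read exactly at the end of the 186308-byte font data block, i.e. a loop that did not stop at the allocation boundary. As an added example, not libgxps code (the actual loop in gxps-fonts.c is not on the page; the struct, its field names and the NUL-terminated-loop cause are assumptions), here is that bug class in C beside the length-bounded form a reviewer would ask for:

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for the font-face record hashed in gxps-fonts.c;
 * field names are assumed, the real libgxps struct is not on the page. */
typedef struct {
    const unsigned char *font_data;     /* raw font file bytes, not a C string */
    size_t               font_data_len; /* size of the heap block above */
    int                  face_index;
} FontFace;

/* Vulnerable pattern (assumed cause): walking binary data with a
 * NUL-terminated loop.  When no 0x00 byte occurs before the end of the
 * allocation, the read continues into the redzone, which ASan reports as
 * "READ of size 1 ... 0 bytes to the right of the region". */
unsigned int hash_unbounded(const FontFace *face)
{
    unsigned int h = (unsigned int)face->face_index;
    const unsigned char *p = face->font_data;
    for (; *p != '\0'; p++)
        h = (h << 5) - h + *p;
    return h;
}

/* Hardened pattern: bound the walk by the length the record already carries,
 * so embedded NULs are hashed and the loop can never pass the allocation. */
unsigned int hash_bounded(const FontFace *face)
{
    unsigned int h = (unsigned int)face->face_index;
    for (size_t i = 0; i < face->font_data_len; i++)
        h = (h << 5) - h + face->font_data[i];
    return h;
}

/* The hash table's equality callback needs the same treatment: memcmp over
 * the stored length, never strcmp over binary data. */
int face_equal_bounded(const FontFace *a, const FontFace *b)
{
    return a->face_index == b->face_index
        && a->font_data_len == b->font_data_len
        && memcmp(a->font_data, b->font_data, a->font_data_len) == 0;
}

/* Constructed samples: a 4-byte "font" whose first byte is NUL (so even the
 * unbounded walk stops safely) and a NUL-terminated text buffer. */
static const unsigned char SAMPLE_BINARY[4] = { 0x00, 0x01, 0x00, 0x00 };
static const unsigned char SAMPLE_TEXT[5]   = "OTTO";
const FontFace SAMPLE_BINARY_FACE = { SAMPLE_BINARY, 4, 0 };
const FontFace SAMPLE_TEXT_FACE   = { SAMPLE_TEXT,   4, 0 };
```

On the binary sample the unbounded walk hashes nothing past the first byte, while the bounded walk covers all four; on real font data without any NUL the unbounded walk is the over-read ASan caught.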