** Description changed:

  [For some reason, the autoreporter wasn't opening Launchpad so I'm
  bugging this manually]

  CVE-2019-20326 - if gThumb tries to load an image greater than Cairo's
  max drawing size, it will crash. This is a heap-based buffer overflow;
  an attacker could execute harmful code.

  Fysac on GitHub made a good writeup about this -
  https://github.com/Fysac/CVE-2019-20326

  I have a patch for 20.04 Focal.

  [Impact]

- * When gthumb opens or the user tries to open larger than 32767 px, it
+ * When gthumb opens or the user tries to open larger than 32767 px, it
  overflows Cairo's max image size. Thus, a heap buffer overflow crashes
  gthumb.

- * An attacker could use this to execute arbitrary code.
+ * An attacker could use this to execute arbitrary code.

  [Test Plan]

- * Get or craft a JPEG image that has a height larger than 32767 pixels.
+ * Get or craft a JPEG image that has a height larger than 32767 pixels.

- * Clone this repo if you need the image:
+ * Clone this repo if you need the image:
  https://github.com/Fysac/CVE-2019-20326

- * Open it in gthumb, or just run 'gthumb poc.min.jpg'
+ * Open it in gthumb, or just run 'gthumb poc.min.jpg'

  [Where problems could occur]

- * The code is in C - a great time for other regressions to open (thanks
+ * The code is in C - a great time for other regressions to open (thanks
  NULL)

- * If an update is made to the cairo library, this can break the patch and break
- gthumb; not only this patch but the software as a whole
+ * If an update is made to the cairo library, this can break the patch and break
+ gthumb; not only this patch but the software as a whole

- * This issue may still be reproducible across other formats - png, svg,
+ * This issue may still be reproducible across other formats - png, svg,
  etc.

- * The type of image rendering may still make this vulnerable (see how
+ * The type of image rendering may still make this vulnerable (see how
  the buffer was fixed every case in the patch)

+ [Additional commit needed]
+
+ * This patch alone does not fix the issue; it does prevent heap-buffer
+ overflow but still results in gthumb crashing.
+ gthumb: ../../../../src/cairo-surface.c:930: cairo_surface_reference: Assertion 'CAIRO_REFERENCE_COUNT_HAS_REFERENCE (&surface->ref_count)' failed.
+
+ * A trivial fix I found for this was in gth_image_set_cairo_surface()
+ to remove the call to _gth_image_free_data
+ (https://gitlab.gnome.org/GNOME/gthumb/-/blob/gthumb-3-8/gthumb/gth-image.c).
+ This would prevent the crash (not remove the data in
+ image->priv->data) but then other parts of GTK's drawing seem to freak
+ out.
+
+ * An appropriate fix for this would be
+ https://gitlab.gnome.org/GNOME/gthumb/-/commit/9729b8688d5d67c01deabea46ad469ec517250c5.
+
+ * Applying this fix allows for a greater risk of regression.
+ * If the value for whether gthumb is finished loading the jpeg is not
+ finished, gthumb will set the value to 'finished' anyways. Then it
+ proceeds to other cairo surface NULL checks.
+
+ * This would just have Gtk set an error and call it a day. (line 607 in
+ the commit mentioned above).
+
  [Other Info]
-
- * Desktop, ubuntu 20.04
- * Not sure if I want to do Ubuntu 18.04, but cinnamon users may use
- gthumb so for ubuntu cinnamon I feel like it's important and 20.04 is
- still in service for UCR
+
+ * Desktop, ubuntu 20.04
+ * Not sure if I want to do Ubuntu 18.04, but cinnamon users may use
+ gthumb so for ubuntu cinnamon I feel like it's important and 20.04 is
+ still in service for UCR
+
+ * I think it's possible that this may occur throughout other types of
+ image formats with the same setup. This may be reproducible on PNGs.
+
+ ** There have been LOTS of stability commits and fixes for gthumb
+ upstream; especially near the gthumb 3.8.3 release. It may be good if I
+ later come back to fix them after this.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: gthumb 3:3.8.0-2.1build1
ProcVersionSignature: Ubuntu 5.13.0-46.51~20.04.1-generic 5.13.19
Uname: Linux 5.13.0-46-generic x86_64
ApportVersion: 2.20.11-0ubuntu27.24
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: X-Cinnamon
Date: Sun May 29 12:20:58 2022
InstallationDate: Installed on 2021-11-24 (185 days ago)
InstallationMedia: ubuntucinnamonremix "@BASECODENAME" (20210826)
SourcePackage: gthumb
UpgradeStatus: No upgrade log present (probably fresh install)
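As an added illustration (not gthumb's, cairo's, or the reporter's code), here is a C sketch of the guard this class of bug needs: reject dimensions beyond cairo's 32767 px limit before allocating, and never let the decoder write rows into a surface that has no backing buffer. The `surface_t` type and the function names are hypothetical stand-ins for the real cairo/gthumb API.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

#define CAIRO_MAX_IMAGE_SIZE 32767  /* cairo's limit, as stated in the bug */
#define BYTES_PER_PIXEL 4           /* ARGB32 */

/* Minimal stand-in for a cairo image surface (hypothetical type). */
typedef struct {
    int width, height, stride;
    unsigned char *data;  /* NULL when cairo would hand back an error surface */
} surface_t;

/* True only for dimensions cairo accepts. */
bool image_size_ok(int width, int height)
{
    return width > 0 && height > 0 &&
           width <= CAIRO_MAX_IMAGE_SIZE && height <= CAIRO_MAX_IMAGE_SIZE;
}

/* Hardened allocation: refuses oversize images up front instead of
 * handing the decoder a surface that has no backing buffer. */
bool surface_create(surface_t *s, int width, int height)
{
    memset(s, 0, sizeof *s);
    if (!image_size_ok(width, height))
        return false;  /* the loader must stop decoding here */
    s->width = width;
    s->height = height;
    s->stride = width * BYTES_PER_PIXEL;
    s->data = calloc((size_t)s->stride, (size_t)height);
    return s->data != NULL;
}

/* Decoder loop: copies `rows` scanlines from `src` into the surface.
 * Returns rows written, or -1 if the surface has no buffer or more rows
 * are requested than were allocated (the overflow the CVE describes). */
int copy_rows(surface_t *s, const unsigned char *src, int rows)
{
    if (s->data == NULL || rows < 0 || rows > s->height)
        return -1;
    for (int y = 0; y < rows; y++)
        memcpy(s->data + (size_t)y * s->stride,
               src + (size_t)y * s->stride, (size_t)s->stride);
    return rows;
}

void surface_destroy(surface_t *s) { free(s->data); s->data = NULL; }
```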
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1976189

Title:
  [CVE-2019-20326] gthumb crashes when trying to load an image with a
  height above 32767 px (heap-based buffer overflow)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gthumb/+bug/1976189/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs