
Debian Bug report logs - #897954
libgxps: CVE-2018-10733: Heap Buffer Overflow in ft_font_face_hash of gxps-fonts.c


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 5 May 2018 06:51:02 UTC

Severity: important

Tags: security, upstream

Found in version libgxps/0.3.0-1

Fixed in version libgxps/0.3.0-3

Done: Jeremy Bicha <jbicha@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#897954; Package src:libgxps. (Sat, 05 May 2018 06:51:06 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Sat, 05 May 2018 06:51:06 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: libgxps: CVE-2018-10733: Heap Buffer Overflow in ft_font_face_hash of gxps-fonts.c
Date: Sat, 05 May 2018 08:47:06 +0200
Source: libgxps
Version: 0.3.0-1
Severity: important
Tags: security upstream

Hi,

The following vulnerability was published for libgxps.

CVE-2018-10733[0]:
| There is a heap-based buffer over-read in the function
| ft_font_face_hash of gxps-fonts.c in libgxps through 0.3.0. A crafted
| input will lead to a remote denial of service attack.

It seems it was originally reported in [1].

./libgxps-0.3.0/obj-x86_64-linux-gnu/tools/xpstojpeg 1431033 /dev/null
=================================================================
==3828==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb2a7a7afc4 at pc 0x7fb2b407389d bp 0x7ffdbc7b6fd0 sp 0x7ffdbc7b6fc8
READ of size 1 at 0x7fb2a7a7afc4 thread T0
    #0 0x7fb2b407389c in ft_font_face_hash ../libgxps/gxps-fonts.c:86
    #1 0x7fb2b3d2a883 in g_hash_table_lookup (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3a883)
    #2 0x7fb2b4073f32 in gxps_fonts_new_font_face ../libgxps/gxps-fonts.c:241
    #3 0x7fb2b4073f32 in gxps_fonts_get_font ../libgxps/gxps-fonts.c:296
    #4 0x7fb2b40a2ce1 in render_end_element ../libgxps/gxps-page.c:962
    #5 0x7fb2b3d3f7d1  (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f7d1)
    #6 0x7fb2b3d40721 in g_markup_parse_context_parse (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x50721)
    #7 0x7fb2b407b7aa in gxps_parse_stream ../libgxps/gxps-parse-utils.c:182
    #8 0x7fb2b40b2bd5 in gxps_page_parse_for_rendering ../libgxps/gxps-page.c:1121
    #9 0x7fb2b40b2bd5 in gxps_page_render ../libgxps/gxps-page.c:1823
    #10 0x563417d13862 in gxps_converter_run ../tools/gxps-converter.c:320
    #11 0x563417d10553 in main ../tools/gxps-converter-main.c:40
    #12 0x7fb2b20bfa86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
    #13 0x563417d10669 in _start (/root/libgxps-0.3.0/obj-x86_64-linux-gnu/tools/xpstojpeg+0xb669)

0x7fb2a7a7afc4 is located 0 bytes to the right of 186308-byte region [0x7fb2a7a4d800,0x7fb2a7a7afc4)
allocated by thread T0 here:
    #0 0x7fb2b442ac20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
    #1 0x7fb2b3d41858 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51858)
    #2 0x7fb2b4073e70 in gxps_fonts_new_font_face ../libgxps/gxps-fonts.c:225
    #3 0x7fb2b4073e70 in gxps_fonts_get_font ../libgxps/gxps-fonts.c:296
    #4 0x7fb2b40a2ce1 in render_end_element ../libgxps/gxps-page.c:962
    #5 0x7fb2b3d3f7d1  (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f7d1)
    #6 0xd841508d82e26fff  (<unknown module>)

SUMMARY: AddressSanitizer: heap-buffer-overflow ../libgxps/gxps-fonts.c:86 in ft_font_face_hash
==3828==ABORTING

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2018-10733
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10733
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1574844

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Jeremy Bicha <jbicha@debian.org>:
You have taken responsibility. (Sun, 14 Oct 2018 05:54:09 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 14 Oct 2018 05:54:09 GMT)


Message #10 received at 897954-close@bugs.debian.org:

From: Jeremy Bicha <jbicha@debian.org>
To: 897954-close@bugs.debian.org
Subject: Bug#897954: fixed in libgxps 0.3.0-3
Date: Sun, 14 Oct 2018 05:50:34 +0000
Source: libgxps
Source-Version: 0.3.0-3

We believe that the bug you reported is fixed in the latest version of
libgxps, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 897954@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Bicha <jbicha@debian.org> (supplier of updated libgxps package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 14 Oct 2018 01:14:59 -0400
Source: libgxps
Binary: libgxps2 libgxps-dev libgxps-utils libgxps-doc gir1.2-gxps-0.1
Architecture: source
Version: 0.3.0-3
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Jeremy Bicha <jbicha@debian.org>
Description:
 gir1.2-gxps-0.1 - GObject introspection data for the gxps library
 libgxps-dev - handling and rendering XPS documents (development files)
 libgxps-doc - library for handling and rendering XPS documents (documentation)
 libgxps-utils - handling and rendering XPS documents (utilities)
 libgxps2   - handling and rendering XPS documents (library)
Closes: 887615 897954
Changes:
 libgxps (0.3.0-3) unstable; urgency=medium
 .
   * Update Vcs fields for migration to https://salsa.debian.org/
   * Use debian/libgxps-utils.manpages instead of dh_install
   * Bump Standards-Version to 4.2.1
   * Cherry-pick docs-Fix-OUTPUT-FILE-description.patch:
     - fix typo in manpages (Closes: #887615)
   * Cherry-pick gxps-archive-Ensure-gxps_archive_read_entry-fills-the-GEr.patch
     & gxps-archive-Handle-errors-returned-by-archive_read_data.patch:
     - Fix heap buffer overflow in ft_font_face_hash of gxps-fonts.c
       CVE-2018-10733 (Closes: #897954)
   * Cherry-pick gxps-images-fix-integer-overflow-in-png-decoder.patch:
     - Fix an integer overflow
   * Cherry-pick gxps-images-clear-the-error-before-trying-to-load-an-imag.patch:
     - clear an error so that fallback image loading works





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 16 Nov 2018 07:27:22 GMT)
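The failure mode in the AddressSanitizer report above (a font buffer read past its end while being hashed) and the fix the changelog describes (make the archive read report its errors so a failed or short read never reaches the font code), as an added illustration that is not libgxps code: `fake_entry`, `fake_read_data`, `hash_font_data`, `hash_entry` and the sample blob are all constructed stand-ins for the libarchive and gxps-fonts.c routines named in the trace.

```c
/* Hypothetical reconstruction of the bug class behind CVE-2018-10733, not libgxps code: report
 * a failed or short archive read before the buffer reaches the hash; bound the hash by bytes read. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    const unsigned char *data; /* bytes actually present in the archive stream */
    size_t avail_len;
    size_t declared_len;       /* size announced by the entry header (untrusted) */
} fake_entry;
/* Stand-in for archive_read_data(): copies min(want, avail) bytes, returns -1 on error. */
static long fake_read_data(const fake_entry *e, unsigned char *buf, size_t want) {
    if (e->avail_len == 0) return -1;
    size_t n = want < e->avail_len ? want : e->avail_len;
    memcpy(buf, e->data, n);
    return (long)n;
}

/* Length-bounded djb2 hash: never looks for a terminator or reads past len. */
uint32_t hash_font_data(const unsigned char *p, size_t len) {
    uint32_t h = 5381;
    for (size_t i = 0; i < len; i++) h = (h << 5) + h + p[i];
    return h;
}
/* Hardened path: returns 0 and sets *hash_out only when the archive delivered exactly
 * declared_len bytes; -1 (where the patched libgxps fills a GError) on error or short read. */
int hash_entry(const fake_entry *e, uint32_t *hash_out) {
    unsigned char *buf = malloc(e->declared_len ? e->declared_len : 1);
    if (!buf) return -1;
    long n = fake_read_data(e, buf, e->declared_len);
    if (n < 0 || (size_t)n != e->declared_len) { free(buf); return -1; }
    *hash_out = hash_font_data(buf, e->declared_len);
    free(buf);
    return 0;
}

static const unsigned char sample_font[8] = { 'O', 'T', 'T', 'O', 0, 1, 0, 0 }; /* constructed blob */

/* 0 if complete entry hashed, over-declared header rejected, failed read rejected; else failing case no. */
int run_checks(void) {
    uint32_t h = 0;
    fake_entry complete  = { sample_font, sizeof sample_font, sizeof sample_font };
    fake_entry truncated = { sample_font, sizeof sample_font, sizeof sample_font + 100 };
    fake_entry failed    = { sample_font, 0, sizeof sample_font };
    if (hash_entry(&complete, &h) != 0 || h != hash_font_data(sample_font, 8)) return 1;
    if (hash_entry(&truncated, &h) != -1) return 2;
    if (hash_entry(&failed, &h) != -1) return 3;
    return 0;
}
```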




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:25:18 2019; Machine Name: buxtehude
