112 changes: 112 additions & 0 deletions SPECS/gdk-pixbuf2/CVE-2022-48622.patch
@@ -0,0 +1,112 @@
From 00c071dd11f723ca608608eef45cb1aa98da89cc Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 07:26:54 -0500
Subject: [PATCH 1/3] ANI: Reject files with multiple anih chunks

An anih chunk causes us to initialize a bunch of state, which we only
expect to do once per file.

Fixes: #202
Fixes: CVE-2022-48622
---
gdk-pixbuf/io-ani.c | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index c6c4642cf4..a78ea7ace4 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -295,6 +295,15 @@ ani_load_chunk (AniLoaderContext *context, GError **error)

if (context->chunk_id == TAG_anih)
{
+ if (context->animation)
+ {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Invalid header in animation"));
+ return FALSE;
+ }
+
context->HeaderSize = read_int32 (context);
context->NumFrames = read_int32 (context);
context->NumSteps = read_int32 (context);
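Review bot: the new test `if (context->animation)` uses the animation object as a "we already saw an anih chunk" flag, but nothing in the hunk says so; a one-line comment above it (e.g. `/* the first anih chunk creates context->animation; a second one is an error */`) would make the sentinel explicit for the next reader. The message "Invalid header in animation" also does not tell a user or fuzzer triager that the problem is a repeated header rather than a bad one; a distinct string for the duplicate case would make crash and rejection reports easier to classify.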
--
GitLab


From d52134373594ff76614fb415125b0d1c723ddd56 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 07:13:37 -0500
Subject: [PATCH 2/3] ANI: Reject files with multiple INAM or IART chunks

There should be at most one chunk each. These would cause memory leaks
otherwise.
---
gdk-pixbuf/io-ani.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index a78ea7ace4..8e8414117c 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -445,7 +445,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
}
else if (context->chunk_id == TAG_INAM)
{
- if (!context->animation)
+ if (!context->animation || context->title)
{
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
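Review bot: widening the condition to `!context->animation || context->title` makes a duplicate INAM chunk report whatever message the missing-anih case already used, since the g_set_error_literal call below is unchanged and its string is not in the diff; consider a separate message or at least a comment that `context->title` doubles as a "seen" flag. The commit message frames this as a leak fix, so it should also say that the chosen remedy is to reject the file rather than g_free the earlier title and keep the last one; that is a behaviour change for files that previously loaded, and downstream packagers will want to know.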
@@ -472,7 +472,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error)
}
else if (context->chunk_id == TAG_IART)
{
- if (!context->animation)
+ if (!context->animation || context->author)
{
g_set_error_literal (error,
GDK_PIXBUF_ERROR,
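Review bot: same remark as for the INAM hunk: `context->author` is reused as a presence flag and the error string below is shared with the out-of-order case. The INAM and IART branches are now identical apart from the field they test, so a small helper that takes the field pointer and the tag would remove the duplication and keep the two checks from drifting apart.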
--
GitLab


From 91b8aa5cd8a0eea28acb51f0e121827ca2e7eb78 Mon Sep 17 00:00:00 2001
From: Benjamin Gilbert <bgilbert@backtick.net>
Date: Tue, 30 Apr 2024 08:17:25 -0500
Subject: [PATCH 3/3] ANI: Validate anih chunk size

Before reading a chunk, we verify that enough bytes are available to match
the chunk size declared by the file. However, uniquely, the anih chunk
loader doesn't verify that this size matches the number of bytes it
actually intends to read. Thus, if the chunk size is too small and the
file ends in the middle of the chunk, we populate some context fields with
stack garbage. (But we'd still fail later on because the file doesn't
contain any images.) Fix this.
---
gdk-pixbuf/io-ani.c | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c
index 8e8414117c..cfafd7b196 100644
--- a/gdk-pixbuf/io-ani.c
+++ b/gdk-pixbuf/io-ani.c
@@ -295,6 +295,14 @@ ani_load_chunk (AniLoaderContext *context, GError **error)

if (context->chunk_id == TAG_anih)
{
+ if (context->chunk_size < 36)
+ {
+ g_set_error_literal (error,
+ GDK_PIXBUF_ERROR,
+ GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
+ _("Malformed chunk in animation"));
+ return FALSE;
+ }
if (context->animation)
{
g_set_error_literal (error,
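Review bot: the commit message says the declared size must "match" the number of bytes the loader reads, but the check is `context->chunk_size < 36`, so an oversized anih chunk is still accepted; either tighten to `!= 36` or reword the message to "at least 36 bytes" so the intent is unambiguous. The bare literal 36 should also become a named constant with a comment tying it to the read_int32 calls that follow, so whoever adds or removes a header field updates both. Placing this check ahead of the duplicate-anih check from the first patch is the right order, since it guards the reads that the duplicate check does not.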
--
GitLab
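The following Python script is an added example, not gdk-pixbuf code and not part of this change. It builds small constructed RIFF/ACON files that hit each condition the three patches reject (a duplicate anih chunk, an anih chunk shorter than 36 bytes, a repeated INAM/IART chunk, a metadata chunk before anih, and a file that ends inside a chunk) and runs them through a model of the patched chunk walk. The 36-byte minimum and the two anih error strings are taken from the patch; the INAM/IART reasons are this example's own labels, because those messages are not visible in the hunks. INAM and IART are placed at the top level for brevity, whereas real .ani files carry them inside a LIST/INFO sub-container; the checks themselves are the same.

```python
import struct

# Minimum anih payload the patched loader accepts (patch 3 rejects chunk_size < 36).
ANIH_MIN_SIZE = 36


def chunk(fourcc: bytes, payload: bytes) -> bytes:
    """Encode one RIFF chunk: 4-byte id, little-endian size, payload, pad to even length."""
    if len(fourcc) != 4:
        raise ValueError("chunk id must be four bytes")
    pad = b"\0" if len(payload) % 2 else b""
    return fourcc + struct.pack("<I", len(payload)) + payload + pad


def riff_acon(*chunks: bytes) -> bytes:
    """Wrap chunks in a RIFF container whose form type is ACON (the .ani signature)."""
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def iter_chunks(data: bytes):
    """Yield (id, declared_size, payload) for each top-level chunk.

    payload is shorter than declared_size when the file ends inside the chunk,
    which is the situation the third patch's commit message describes.
    """
    if data[:4] != b"RIFF" or data[8:12] != b"ACON":
        raise ValueError("not a RIFF/ACON file")
    riff_size = struct.unpack_from("<I", data, 4)[0]
    end = min(8 + riff_size, len(data))
    pos = 12
    while pos + 8 <= end:
        cid = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        pos += 8
        yield cid, size, data[pos:pos + size]
        pos += size + (size & 1)  # chunks are word-aligned


def validate(data: bytes) -> str:
    """Model of the patched chunk walk: return 'ok' or the reason the file is rejected.

    A file that passes here would still fail in the real loader if it carries no
    frames; this model only covers the header and metadata checks in the patch.
    """
    have_anih = have_title = have_author = False
    for cid, size, payload in iter_chunks(data):
        if len(payload) < size:
            # The loader checks available bytes against chunk_size before
            # dispatching on the chunk id; a short chunk fails there.
            return "truncated chunk"
        if cid == b"anih":
            if size < ANIH_MIN_SIZE:       # patch 3, evaluated first
                return "Malformed chunk in animation"
            if have_anih:                  # patch 1
                return "Invalid header in animation"
            have_anih = True
        elif cid == b"INAM":
            if not have_anih:              # pre-existing ordering check
                return "INAM before anih"
            if have_title:                 # patch 2 (label is this example's)
                return "duplicate INAM"
            have_title = True
        elif cid == b"IART":
            if not have_anih:
                return "IART before anih"
            if have_author:                # patch 2 (label is this example's)
                return "duplicate IART"
            have_author = True
    return "ok"


# Constructed inputs, not real cursor files: a zero-filled 36-byte anih header.
ANIH = chunk(b"anih", bytes(ANIH_MIN_SIZE))

SAMPLES = {
    "single anih": riff_acon(ANIH),
    "duplicate anih": riff_acon(ANIH, ANIH),
    "short anih": riff_acon(chunk(b"anih", bytes(12))),
    "duplicate INAM": riff_acon(ANIH, chunk(b"INAM", b"a\0"), chunk(b"INAM", b"b\0")),
    "IART first": riff_acon(chunk(b"IART", b"a\0"), ANIH),
    "truncated anih": riff_acon(ANIH)[:-10],
}


def check_samples() -> dict:
    """Run every constructed sample through validate() and collect the verdicts."""
    return {name: validate(data) for name, data in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in check_samples().items():
        print(f"{name:15} -> {verdict}")
```

The truncated sample is the case the third commit message describes: the declared anih size is honest, but the file stops ten bytes early, so the pre-read length check catches it; the "short anih" sample is the other half of that bug, where the declared size is too small to cover the nine header fields and only the new `< 36` check rejects it.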
6 changes: 5 additions & 1 deletion SPECS/gdk-pixbuf2/gdk-pixbuf2.spec
@@ -2,12 +2,13 @@
Summary: An image loading library
Name: gdk-pixbuf2
Version: 2.40.0
Release: 5%{?dist}
Release: 6%{?dist}
License: LGPLv2+
Vendor: Microsoft Corporation
Distribution: Mariner
URL: https://gitlab.gnome.org/GNOME/gdk-pixbuf
Source0: https://download.gnome.org/sources/gdk-pixbuf/2.40/gdk-pixbuf-%{version}.tar.xz
Patch0: CVE-2022-48622.patch
BuildRequires: gettext
BuildRequires: gtk-doc
BuildRequires: jasper-devel
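Review bot: `Patch0: CVE-2022-48622.patch` is declared here, but the %prep section is outside the hunk, so confirm that the spec actually applies Patch0 (via `%autosetup -p1` or an explicit `%patch0 -p1`); a declared-but-unapplied patch builds cleanly and silently ships the unfixed loader. The bundled commits are dated April 2024 and carry index lines from a tree far newer than 2.40.0, so the build log should also be checked for offset or fuzz warnings when they are applied.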
@@ -116,6 +117,9 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache
%{_datadir}/installed-tests

%changelog
* Thu Sep 19 2024 Sumedh Sharma <sumsharma@microsoft.com> - 2.40.0-6
- Add patch for CVE-2022-48622

* Fri Mar 31 2023 Pawel Winogrodzki <pawelwi@microsoft.com> - 2.40.0-5
- Bumping release to re-build with newer 'libtiff' libraries.

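Review bot: the changelog entry names only the CVE, but the patch file carries three upstream commits, of which only the first is tagged `Fixes: CVE-2022-48622`; the INAM/IART duplicate check and the anih size check are follow-up hardening. Mentioning them in the entry (or in a header comment in the patch file) keeps a future rebase against upstream's CVE commit alone from dropping them.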