Vulnerabilities > CVE-2017-2870 - Integer Overflow or Wraparound vulnerability in multiple products

CVSS 7.8 - HIGH
Attack vector: LOCAL
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: local, low complexity, gnome, debian, CWE-190, nessus

Summary

An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.

Vulnerable Configurations

Part         Description   Count
Application  Gnome         1
OS           Debian        1

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Forced Integer Overflow
    This attack forces an integer variable to go out of range. The integer variable is often used as an offset, such as the size of a memory allocation or similar. The attacker would typically control the value of such a variable and try to push it out of range. For instance, if the integer in question is incremented past the maximum possible value, it may wrap to become a very small or negative number, providing a very incorrect value that can lead to unexpected behavior. At worst, the attacker can execute arbitrary code.

Nessus

  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-3418-1.NASL
    description: It was discovered that the GDK-PixBuf library did not properly handle certain jpeg images. If a user or automated system were tricked into opening a specially crafted jpeg file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-2862) It was discovered that the GDK-PixBuf library did not properly handle certain tiff images. If a user or automated system were tricked into opening a specially crafted tiff file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-2870) Ariel Zelivansky discovered that the GDK-PixBuf library did not properly handle printing certain error messages. If a user or automated system were tricked into opening a specially crafted image file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service. (CVE-2017-6311) Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 103320
    published: 2017-09-19
    reporter: Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/103320
    title: Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : gdk-pixbuf vulnerabilities (USN-3418-1)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2018-1045.NASL
    description: According to the versions of the gdk-pixbuf2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities:
    - gdk-pixbuf is an image loading library that can be extended by loadable modules for new image formats. It is used by toolkits such as GTK+ or clutter. Security Fix(es): An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or URL to trigger this vulnerability. (CVE-2017-2862) An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability. (CVE-2017-2870) Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer overflows in the gif_get_lzw function resulting in memory corruption and potential code execution. (CVE-2017-1000422)
    Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-03
    modified: 2018-02-13
    plugin id: 106773
    published: 2018-02-13
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/106773
    title: EulerOS 2.0 SP1 : gdk-pixbuf2 (EulerOS-SA-2018-1045)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2018-2470-1.NASL
    description: This update for gtk2 provides the following fixes. These security issues were fixed:
    - CVE-2017-6312: Prevent integer overflow that allowed context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted image entry offset in an ICO file (bsc#1027026).
    - CVE-2017-6314: The make_available_at_least function allowed context-dependent attackers to cause a denial of service (infinite loop) via a large TIFF file (bsc#1027025).
    - CVE-2017-6313: Prevent integer underflow in the load_resources function that allowed context-dependent attackers to cause a denial of service (out-of-bounds read and program crash) via a crafted image entry size in an ICO file (bsc#1027024).
    - CVE-2017-2862: Prevent heap overflow in the gdk_pixbuf__jpeg_image_load_increment function. A specially crafted jpeg file could have caused a heap overflow resulting in remote code execution (bsc#1048289).
    - CVE-2017-2870: Prevent integer overflow in the tiff_image_parse functionality. A specially crafted tiff file could have caused a heap-overflow resulting in remote code execution (bsc#1048544).
    The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 112057
    published: 2018-08-22
    reporter: This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/112057
    title: SUSE SLES11 Security Update : gtk2 (SUSE-SU-2018:2470-1)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_SU-2017-2381-1.NASL
    description: This update for gdk-pixbuf fixes the following issues:
    - CVE-2017-2862: JPEG gdk_pixbuf__jpeg_image_load_increment Code Execution Vulnerability (bsc#1048289)
    - CVE-2017-2870: tiff_image_parse Code Execution Vulnerability (bsc#1048544)
    - CVE-2017-6313: A dangerous integer underflow in io-icns.c (bsc#1027024)
    - CVE-2017-6314: Infinite loop in io-tiff.c (bsc#1027025)
    - CVE-2017-6312: Out-of-bounds read on io-ico.c (bsc#1027026)
    Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102990
    published: 2017-09-07
    reporter: This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102990
    title: SUSE SLED12 / SLES12 Security Update : gdk-pixbuf (SUSE-SU-2017:2381-1)
  • NASL family: Huawei Local Security Checks
    NASL id: EULEROS_SA-2018-1046.NASL
    description: According to the versions of the gdk-pixbuf2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities:
    - An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or URL to trigger this vulnerability. (CVE-2017-2862)
    - An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability. (CVE-2017-2870)
    - Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer overflows in the gif_get_lzw function resulting in memory corruption and potential code execution. (CVE-2017-1000422)
    Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-10
    modified: 2018-02-13
    plugin id: 106774
    published: 2018-02-13
    reporter: This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/106774
    title: EulerOS 2.0 SP2 : gdk-pixbuf2 (EulerOS-SA-2018-1046)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2017-1024.NASL
    description: This update for gdk-pixbuf fixes the following issues:
    - CVE-2017-2862: JPEG gdk_pixbuf__jpeg_image_load_increment Code Execution Vulnerability (bsc#1048289)
    - CVE-2017-2870: tiff_image_parse Code Execution Vulnerability (bsc#1048544)
    - CVE-2017-6313: A dangerous integer underflow in io-icns.c (bsc#1027024)
    - CVE-2017-6314: Infinite loop in io-tiff.c (bsc#1027025)
    - CVE-2017-6312: Out-of-bounds read on io-ico.c (bsc#1027026)
    This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen: 2020-06-05
    modified: 2017-09-13
    plugin id: 103160
    published: 2017-09-13
    reporter: This script is Copyright (C) 2017-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/103160
    title: openSUSE Security Update : gdk-pixbuf (openSUSE-2017-1024)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_5A1F1A868F4C11E7B5AFA4BADB2F4699.NASL
    description: TALOS reports:
    - An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality.
    - An exploitable heap-overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 102939
    published: 2017-09-05
    reporter: This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/102939
    title: FreeBSD : gdk-pixbuf -- multiple vulnerabilities (5a1f1a86-8f4c-11e7-b5af-a4badb2f4699)

Seebug

bulletin family: exploit
description:

### Summary

An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.

### Tested Versions

Gdk-Pixbuf 2.36.6 commit: aba8d88798dfc2f3856ea0ddda14b06174bbb2bc, compiled with the clang -O3 flag
libtiff 4.0.6

### Product URLs

https://developer.gnome.org/gdk-pixbuf/

### CVSSv3 Score

8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

### CWE

CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

### Details

Gdk-Pixbuf is a toolkit for image loading and pixel buffer manipulation used in various types of desktop applications: image viewers (GNOME thumbnailer), web browsers (Chromium, Firefox), media players (VLC), etc.

The vulnerability exists in the TIFF parser and only manifests itself when the library is compiled with high optimization flags (`-O3`; tested with Clang, gcc does not remove the check). Several `if` statements inside the `tiff_image_parse` function are responsible for integer overflow checks, or at least that was their intention. Because the checks are performed on signed integers after the multiplication has already happened, their conditions can only become true if a signed integer overflow has already occurred. According to the C standard, signed integer overflow is undefined behavior, so what happens is implementation dependent, and in the case of Clang the check is removed entirely. The resulting lack of an effective integer overflow check leads to a heap overflow and can allow attackers to obtain arbitrary code execution.

The code below is removed during compilation because its condition could only be true if a `signed integer overflow` (`undefined behavior`) had occurred:

```
Line 89     gint width, height, rowstride, bytes;

Line 128    rowstride = width * 4;
Line 129    if (rowstride / 4 != width) { /* overflow */
Line 130            g_set_error_literal (error,
Line 131                                 GDK_PIXBUF_ERROR,
Line 132                                 GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
Line 133                                 _("Dimensions of TIFF image too large"));
Line 134            return NULL;
Line 135    }
Line 136
Line 137    bytes = height * rowstride;
Line 138    if (bytes / rowstride != height) { /* overflow */
Line 139            g_set_error_literal (error,
Line 140                                 GDK_PIXBUF_ERROR,
Line 141                                 GDK_PIXBUF_ERROR_CORRUPT_IMAGE,
Line 142                                 _("Dimensions of TIFF image too large"));
Line 143            return NULL;
Line 144    }
```

In our case the variables have the following values:

```
width  = 0x8020
height = 0xfff7
```

which causes an integer overflow at `line 137`:

```
bytes = height * ( width * 4)
```

Then, based on the overflowed value, a buffer is allocated:

```
Line 160    pixels = g_try_malloc (bytes);
```

Then all three parameters, width, height and the buffer of `bytes` bytes, are passed as arguments:

```
Line 272    if (!TIFFReadRGBAImageOriented (tiff, width, height, (uint32 *)pixels, ORIENTATION_TOPLEFT, 1)) {
```

Because the `pixels` buffer was allocated from the overflowed `bytes` value, the width and height parameters do not match the size of the buffer, which leads to out-of-bounds writes (Line 1362) inside the `put1bitbwtile` function while reading RGB values:

```
libtiff/tif_getimage.c:1326
Line 1351 /*
Line 1352  * 1-bit bilevel => colormap/RGB
Line 1353  */
Line 1354 DECLAREContigPutFunc(put1bitbwtile)
Line 1355 {
Line 1356     uint32** BWmap = img->BWmap;
Line 1357
Line 1358     (void) x; (void) y;
Line 1359     fromskew /= 8;
Line 1360     while (h-- > 0) {
Line 1361         uint32* bw;
Line 1362         UNROLL8(w, bw = BWmap[*pp++], *cp++ = *bw++);
Line 1363         cp += toskew;
Line 1364         pp += fromskew;
Line 1365     }
Line 1366 }
```

### Crash Information

```
valgrind ./pixbuf-read crashes/tiff_bug.tiff
==32378== Invalid write of size 4
==32378==    at 0x4B5D71D: put1bitbwtile (tif_getimage.c:1326)
==32378==    by 0x4B5BE5E: gtTileContig (tif_getimage.c:673)
==32378==    by 0x4B5B810: TIFFRGBAImageGet (tif_getimage.c:495)
==32378==    by 0x4B5B8ED: TIFFReadRGBAImageOriented (tif_getimage.c:514)
==32378==    by 0x4067A59: tiff_image_parse (io-tiff.c:272)
==32378==    by 0x406634C: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:477)
==32378==    by 0x4048442: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:822)
==32378==    by 0x8048903: test_loader (pixbuf-read.c:35)
==32378==    by 0x8048903: main (pixbuf-read.c:75)
==32378==  Address 0x5343ba8 is 0 bytes after a block of size 7,207,808 alloc'd
==32378==    at 0x402D17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==32378==    by 0x432C3BF: g_try_malloc (in /lib/i386-linux-gnu/libglib-2.0.so.0.4800.2)
==32378==    by 0x4067584: tiff_image_parse (io-tiff.c:160)
==32378==    by 0x406634C: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:477)
==32378==    by 0x4048442: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:822)
==32378==    by 0x8048903: test_loader (pixbuf-read.c:35)
==32378==    by 0x8048903: main (pixbuf-read.c:75)
```

### Timeline

* 2017-07-13 - Vendor Disclosure
* 2017-08-30 - Public Release

### CREDIT

* Discovered by Marcin 'Icewall' Noga of Cisco Talos.
id: SSV:96446
last seen: 2017-11-19
modified: 2017-09-12
published: 2017-09-12
reporter: Root
title: Gdk-Pixbuf TIFF tiff_image_parse Code Execution Vulnerability (CVE-2017-2870)
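The following is an added example (not gdk-pixbuf's or Talos's code) illustrating the fix pattern the Summary and the advisory Details above call for: a bound test performed before each multiplication, so that no signed overflow can occur and the compiler has no undefined-behaviour branch to delete. It also reproduces, in well-defined unsigned arithmetic, the wrapped size that the advisory's width and height produce, which is the 7,207,808-byte block seen in the valgrind trace.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Hardened replacement for the two overflow checks in tiff_image_parse
 * (io-tiff.c lines 128-144 as quoted in the advisory). Added example, not
 * gdk-pixbuf's code: each bound is tested BEFORE the multiplication, so no
 * signed overflow (undefined behaviour) can ever happen and the optimizer
 * has nothing it may legally remove. Returns the pixel buffer size in
 * bytes, or -1 if the dimensions would not fit in an int. */
int tiff_buffer_size_checked(int width, int height)
{
    if (width <= 0 || height <= 0)
        return -1;
    if (width > INT_MAX / 4)            /* rowstride = width * 4 would overflow */
        return -1;
    int rowstride = width * 4;
    if (height > INT_MAX / rowstride)   /* bytes = height * rowstride would overflow */
        return -1;
    return height * rowstride;
}

/* The value the removed check failed to catch: height * width * 4 reduced
 * modulo 2^32. Computed in unsigned arithmetic so this example itself is
 * well-defined; it models what the 32-bit signed `bytes` ended up holding
 * in the vulnerable build. */
uint32_t tiff_buffer_size_wrapped(uint32_t width, uint32_t height)
{
    return height * (width * 4u);
}

int main(void)
{
    /* Dimensions taken from the advisory's crashing file. */
    int width = 0x8020, height = 0xfff7;

    printf("hardened check returns : %d\n", tiff_buffer_size_checked(width, height));
    printf("wrapped 32-bit size    : %u\n", tiff_buffer_size_wrapped(width, height));
    printf("bytes actually needed  : %llu\n",
           (unsigned long long)height * (unsigned long long)width * 4ULL);
    return 0;
}
```

Built with `-O3` under either compiler, the pre-multiplication form keeps rejecting these dimensions, because the check no longer depends on the result of an operation whose overflow is undefined.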

Talos

id: TALOS-2017-0377
last seen: 2019-05-29
published: 2017-08-30
reporter: Talos Intelligence
source: http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0377
title: Gdk-Pixbuf TIFF tiff_image_parse Code Execution Vulnerability