Vulnerabilities > CVE-2017-2870 - Integer Overflow or Wraparound vulnerability in multiple products
Attack vector
LOCAL Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
HIGH Availability impact
HIGH Summary
An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 | |
OS | 1 |
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Forced Integer Overflow This attack forces an integer variable to go out of range. The integer variable is often used as an offset such as size of memory allocation or similarly. The attacker would typically control the value of such variable and try to get it out of range. For instance the integer in question is incremented past the maximum possible value, it may wrap to become a very small, or negative number, therefore providing a very incorrect value which can lead to unexpected behavior. At worst the attacker can execute arbitrary code.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3418-1.NASL description It was discovered that the GDK-PixBuf library did not properly handle certain jpeg images. If an user or automated system were tricked into opening a specially crafted jpeg file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-2862) It was discovered that the GDK-PixBuf library did not properly handle certain tiff images. If an user or automated system were tricked into opening a specially crafted tiff file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2017-2870) Ariel Zelivansky discovered that the GDK-PixBuf library did not properly handle printing certain error messages. If an user or automated system were tricked into opening a specially crafted image file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service. (CVE-2017-6311). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 103320 published 2017-09-19 reporter Ubuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103320 title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : gdk-pixbuf vulnerabilities (USN-3418-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1045.NASL description According to the versions of the gdk-pixbuf2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - gdk-pixbuf is an image loading library that can be extended by loadable modules for new image formats. It is used by toolkits such as GTK+ or clutter.Security Fix(es):An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or url to trigger this vulnerability.(CVE-2017-2862)An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.(CVE-2017-2870)Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer overflow in the gif_get_lzw function resulting in memory corruption and potential code execution.(CVE-2017-1000422) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-03 modified 2018-02-13 plugin id 106773 published 2018-02-13 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106773 title EulerOS 2.0 SP1 : gdk-pixbuf2 (EulerOS-SA-2018-1045) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-2470-1.NASL description This update for gtk2 provides the following fixes: These security issues were fixed : - CVE-2017-6312: Prevent integer overflow that allowed context-dependent attackers to cause a denial of service (segmentation fault and application crash) via a crafted image entry offset in an ICO file (bsc#1027026). - CVE-2017-6314: The make_available_at_least function allowed context-dependent attackers to cause a denial of service (infinite loop) via a large TIFF file (bsc#1027025). - CVE-2017-6313: Prevent integer underflow in the load_resources function that allowed context-dependent attackers to cause a denial of service (out-of-bounds read and program crash) via a crafted image entry size in an ICO file (bsc#1027024). - CVE-2017-2862: Prevent heap overflow in the gdk_pixbuf__jpeg_image_load_increment function. A specially crafted jpeg file could have caused a heap overflow resulting in remote code execution (bsc#1048289) - CVE-2017-2870: Prevent integer overflow in the tiff_image_parse functionality. A specially crafted tiff file could have caused a heap-overflow resulting in remote code execution (bsc#1048544). The update package also includes non-security fixes. See advisory for details. Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 112057 published 2018-08-22 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112057 title SUSE SLES11 Security Update : gtk2 (SUSE-SU-2018:2470-1) NASL family SuSE Local Security Checks NASL id SUSE_SU-2017-2381-1.NASL description This update for gdk-pixbuf fixes the following issues : - CVE-2017-2862: JPEG gdk_pixbuf__jpeg_image_load_increment Code Execution Vulnerability (bsc#1048289) - CVE-2017-2870: tiff_image_parse Code Execution Vulnerability (bsc#1048544) - CVE-2017-6313: A dangerous integer underflow in io-icns.c (bsc#1027024) - CVE-2017-6314: Infinite loop in io-tiff.c (bsc#1027025) - CVE-2017-6312: Out-of-bounds read on io-ico.c (bsc#1027026) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 102990 published 2017-09-07 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102990 title SUSE SLED12 / SLES12 Security Update : gdk-pixbuf (SUSE-SU-2017:2381-1) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1046.NASL description According to the versions of the gdk-pixbuf2 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or url to trigger this vulnerability.i1/4^CVE-2017-2862i1/4%0 - An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability.i1/4^CVE-2017-2870i1/4%0 - Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer overflow in the gif_get_lzw function resulting in memory corruption and potential code executioni1/4^CVE-2017-1000422i1/4%0 Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-10 modified 2018-02-13 plugin id 106774 published 2018-02-13 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/106774 title EulerOS 2.0 SP2 : gdk-pixbuf2 (EulerOS-SA-2018-1046) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-1024.NASL description This update for gdk-pixbuf fixes the following issues : - CVE-2017-2862: JPEG gdk_pixbuf__jpeg_image_load_increment Code Execution Vulnerability (bsc#1048289) - CVE-2017-2870: tiff_image_parse Code Execution Vulnerability (bsc#1048544) - CVE-2017-6313: A dangerous integer underflow in io-icns.c (bsc#1027024) - CVE-2017-6314: Infinite loop in io-tiff.c (bsc#1027025) - CVE-2017-6312: Out-of-bounds read on io-ico.c (bsc#1027026) This update was imported from the SUSE:SLE-12-SP2:Update update project. last seen 2020-06-05 modified 2017-09-13 plugin id 103160 published 2017-09-13 reporter This script is Copyright (C) 2017-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/103160 title openSUSE Security Update : gdk-pixbuf (openSUSE-2017-1024) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_5A1F1A868F4C11E7B5AFA4BADB2F4699.NASL description TALOS reports : - An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality. - An exploitable heap-overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality. last seen 2020-06-01 modified 2020-06-02 plugin id 102939 published 2017-09-05 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102939 title FreeBSD : gdk-pixbuf -- multiple vulnerabilities (5a1f1a86-8f4c-11e7-b5af-a4badb2f4699)
Seebug
bulletinFamily | exploit |
description | ### Summary An exploitable integer overflow vulnerability exists in the tiffimageparse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability. ### Tested Versions Gdk-Pixbuf 2.36.6 commit: aba8d88798dfc2f3856ea0ddda14b06174bbb2bc compiled with clang -O3 flag libtiff 4.0.6 ### Product URLs https://developer.gnome.org/gdk-pixbuf/ ### CVSSv3 Score 8.8 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H ### CWE CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior ### Details ``` Gdk-Pixbuf is a toolkit for image loading and pixel buffer manipulation used in various type of desktop applications: image viewers(GNOME thumbnailer), web browsers (Chromium, Firefox), media players (VLC), etc. ``` The vulnerability exists in the TIFF parser and only manifests itself when the library is compiled with high optimization flags `-O3` (tested with Clang, gcc does not remove the check). Several defined `if statements` inside the `tiff_image_parse` function are responsible of integer overflow checks or at least that was their intention. Because the checks are made on signed integers, the condition cannot evaluate to false unless an integer overflow occurs. According to the C standard, a signed integer overflow is defined as "Undefined Bahavior", thus behaviour related to it is implementation dependent and in the case of Clang the check is removed. Finally the lack of proper integer overflows check leads to heap overflow and can allow attackers to obtain arbitrary code execution. The code below is removed from compilation process because it would be true if a `signed integer overflow` would occur which is `undefined bahavior`: ``` Line 89 gint width, height, rowstride, bytes; Line 128 rowstride = width * 4; Line 129 if (rowstride / 4 != width) { /* overflow */ Line 130 g_set_error_literal (error, Line 131 GDK_PIXBUF_ERROR, Line 132 GDK_PIXBUF_ERROR_CORRUPT_IMAGE, Line 133 _("Dimensions of TIFF image too large")); Line 134 return NULL; Line 135 } Line 136 Line 137 bytes = height * rowstride; Line 138 if (bytes / rowstride != height) { /* overflow */ Line 139 g_set_error_literal (error, Line 140 GDK_PIXBUF_ERROR, Line 141 GDK_PIXBUF_ERROR_CORRUPT_IMAGE, Line 142 _("Dimensions of TIFF image too large")); Line 143 return NULL; Line 144 } ``` in our case the variables have the following values: ``` width = 0x8020 height = 0xfff7 ``` which causes an integer overflow at `line 137`: ``` bytes = height * ( width * 4) ``` Then, based on the overflowed value, a buffer is allocated : ``` Line 160 pixels = g_try_malloc (bytes); ``` Then all three parameters: width,height and the allocated `bytes` buffer are passed as arguments: ``` Line 272 if (!TIFFReadRGBAImageOriented (tiff, width, height, (uint32 *)pixels, ORIENTATION_TOPLEFT, 1)) { ``` Because buffer `bytes` was allocated based on overflowed value, width and height parameters mismatch the size of the buffer which leads to out of bound writes (Line 1362) inside the `put1bitbwtile` function while reading RGB values: ``` libtiff/tif_getimage.c:1326 Line 1351 /* Line 1352 * 1-bit bilevel => colormap/RGB Line 1353 */ Line 1354 DECLAREContigPutFunc(put1bitbwtile) Line 1355 { Line 1356 uint32** BWmap = img->BWmap; Line 1357 Line 1358 (void) x; (void) y; Line 1359 fromskew /= 8; Line 1360 while (h-- > 0) { Line 1361 uint32* bw; Line 1362 UNROLL8(w, bw = BWmap[*pp++], *cp++ = *bw++); Line 1363 cp += toskew; Line 1364 pp += fromskew; Line 1365 } Line 1366 } ``` ### Crash Information ``` valgrind ./pixbuf-read crashes/tiff_bug.tiff ==32378== Invalid write of size 4 ==32378== at 0x4B5D71D: put1bitbwtile (tif_getimage.c:1326) ==32378== by 0x4B5BE5E: gtTileContig (tif_getimage.c:673) ==32378== by 0x4B5B810: TIFFRGBAImageGet (tif_getimage.c:495) ==32378== by 0x4B5B8ED: TIFFReadRGBAImageOriented (tif_getimage.c:514) ==32378== by 0x4067A59: tiff_image_parse (io-tiff.c:272) ==32378== by 0x406634C: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:477) ==32378== by 0x4048442: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:822) ==32378== by 0x8048903: test_loader (pixbuf-read.c:35) ==32378== by 0x8048903: main (pixbuf-read.c:75) ==32378== Address 0x5343ba8 is 0 bytes after a block of size 7,207,808 alloc'd ==32378== at 0x402D17C: malloc (in /usr/lib/valgrind/vgpreload_memcheck-x86-linux.so) ==32378== by 0x432C3BF: g_try_malloc (in /lib/i386-linux-gnu/libglib-2.0.so.0.4800.2) ==32378== by 0x4067584: tiff_image_parse (io-tiff.c:160) ==32378== by 0x406634C: gdk_pixbuf__tiff_image_stop_load (io-tiff.c:477) ==32378== by 0x4048442: gdk_pixbuf_loader_close (gdk-pixbuf-loader.c:822) ==32378== by 0x8048903: test_loader (pixbuf-read.c:35) ==32378== by 0x8048903: main (pixbuf-read.c:75) ``` ### Timeline * 2017-07-13 - Vendor Disclosure * 2017-08-30 - Public Release ### CREDIT * Discovered by Marcin 'Icewall' Noga of Cisco Talos. |
id | SSV:96446 |
last seen | 2017-11-19 |
modified | 2017-09-12 |
published | 2017-09-12 |
reporter | Root |
title | Gdk-Pixbuf TIFF tiff_image_parse Code Execution Vulnerability(CVE-2017-2870) |
Talos
id | TALOS-2017-0377 |
last seen | 2019-05-29 |
published | 2017-08-30 |
reporter | Talos Intelligence |
source | http://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0377 |
title | Gdk-Pixbuf TIFF tiff_image_parse Code Execution Vulnerability |
References
- http://www.securityfocus.com/bid/100541
- http://www.securityfocus.com/bid/100541
- https://lists.debian.org/debian-lts-announce/2019/12/msg00025.html
- https://lists.debian.org/debian-lts-announce/2019/12/msg00025.html
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0377
- https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0377