Bug#897954: libgxps: CVE-2018-10733: Heap Buffer Overflow in ft_font_face_hash of gxps-fonts.c
Salvatore Bonaccorso
carnil at debian.org
Sat May 5 07:47:06 BST 2018
Source: libgxps
Version: 0.3.0-1
Severity: important
Tags: security upstream
Hi,
The following vulnerability was published for libgxps.
CVE-2018-10733[0]:
| There is a heap-based buffer over-read in the function
| ft_font_face_hash of gxps-fonts.c in libgxps through 0.3.0. A crafted
| input will lead to a remote denial of service attack.
It seems it was originally reported in [1].
./libgxps-0.3.0/obj-x86_64-linux-gnu/tools/xpstojpeg 1431033 /dev/null
=================================================================
==3828==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7fb2a7a7afc4 at pc 0x7fb2b407389d bp 0x7ffdbc7b6fd0 sp 0x7ffdbc7b6fc8
READ of size 1 at 0x7fb2a7a7afc4 thread T0
#0 0x7fb2b407389c in ft_font_face_hash ../libgxps/gxps-fonts.c:86
#1 0x7fb2b3d2a883 in g_hash_table_lookup (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x3a883)
#2 0x7fb2b4073f32 in gxps_fonts_new_font_face ../libgxps/gxps-fonts.c:241
#3 0x7fb2b4073f32 in gxps_fonts_get_font ../libgxps/gxps-fonts.c:296
#4 0x7fb2b40a2ce1 in render_end_element ../libgxps/gxps-page.c:962
#5 0x7fb2b3d3f7d1 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f7d1)
#6 0x7fb2b3d40721 in g_markup_parse_context_parse (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x50721)
#7 0x7fb2b407b7aa in gxps_parse_stream ../libgxps/gxps-parse-utils.c:182
#8 0x7fb2b40b2bd5 in gxps_page_parse_for_rendering ../libgxps/gxps-page.c:1121
#9 0x7fb2b40b2bd5 in gxps_page_render ../libgxps/gxps-page.c:1823
#10 0x563417d13862 in gxps_converter_run ../tools/gxps-converter.c:320
#11 0x563417d10553 in main ../tools/gxps-converter-main.c:40
#12 0x7fb2b20bfa86 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21a86)
#13 0x563417d10669 in _start (/root/libgxps-0.3.0/obj-x86_64-linux-gnu/tools/xpstojpeg+0xb669)
0x7fb2a7a7afc4 is located 0 bytes to the right of 186308-byte region [0x7fb2a7a4d800,0x7fb2a7a7afc4)
allocated by thread T0 here:
#0 0x7fb2b442ac20 in __interceptor_malloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xd9c20)
#1 0x7fb2b3d41858 in g_malloc (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x51858)
#2 0x7fb2b4073e70 in gxps_fonts_new_font_face ../libgxps/gxps-fonts.c:225
#3 0x7fb2b4073e70 in gxps_fonts_get_font ../libgxps/gxps-fonts.c:296
#4 0x7fb2b40a2ce1 in render_end_element ../libgxps/gxps-page.c:962
#5 0x7fb2b3d3f7d1 (/usr/lib/x86_64-linux-gnu/libglib-2.0.so.0+0x4f7d1)
#6 0xd841508d82e26fff (<unknown module>)
SUMMARY: AddressSanitizer: heap-buffer-overflow ../libgxps/gxps-fonts.c:86 in ft_font_face_hash
Shadow bytes around the buggy address:
0x0ff6d4f475a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff6d4f475b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff6d4f475c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff6d4f475d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0ff6d4f475e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0ff6d4f475f0: 00 00 00 00 00 00 00 00[04]fa fa fa fa fa fa fa
0x0ff6d4f47600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff6d4f47610: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff6d4f47620: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff6d4f47630: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0ff6d4f47640: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==3828==ABORTING
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2018-10733
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10733
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1574844
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
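The trace above shows a 1-byte READ exactly at the end of the 186308-byte font blob that gxps_fonts_new_font_face() allocated, inside the hash callback that GHashTable invokes on the key. That shape is what a byte-wise scan produces when it walks binary data as if it were a NUL-terminated C string and the blob happens to contain no 0x00. The following C is an added illustration of that bug class next to its length-bounded form; it is not the libgxps code (gxps-fonts.c is not quoted on this page), and the FontKey type, field names and djb2 mixing are assumptions made for the example. The input blob is constructed, with non-zero "neighbour" bytes and a final 0 appended so the demo itself never leaves its own allocation:

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for a font-face hash key: raw font blob plus length.
 * Names are assumptions for this example, not libgxps' own. */
typedef struct {
    const unsigned char *font_data;
    size_t font_data_len;
} FontKey;

/* Unsafe pattern: scans the blob as a NUL-terminated string. Font data has
 * no terminator, so with no 0x00 in the blob the loop runs past
 * font_data_len into the next heap bytes (the 1-byte read at the region's
 * end in the ASan report). It also stops at the first embedded 0x00, so
 * distinct fonts can collide. *consumed reports how many bytes it touched. */
static uint32_t hash_string_style(const FontKey *k, size_t *consumed)
{
    uint32_t h = 5381;                       /* djb2, assumed mixing */
    size_t n = 0;
    while (k->font_data[n] != 0) {
        h = (h << 5) + h + k->font_data[n];
        n++;
    }
    *consumed = n;
    return h;
}

/* Hardened form: the length travels with the data and bounds the loop. */
static uint32_t hash_bounded(const FontKey *k, size_t *consumed)
{
    uint32_t h = 5381;
    for (size_t i = 0; i < k->font_data_len; i++)
        h = (h << 5) + h + k->font_data[i];
    *consumed = k->font_data_len;
    return h;
}

#define BLOB_LEN 8
#define TAIL_LEN 8

/* Constructed input: BLOB_LEN non-zero "font" bytes, TAIL_LEN non-zero bytes
 * standing in for the heap neighbour, then one 0 so this demo stays in
 * bounds. Caller frees. */
static unsigned char *make_blob(unsigned char tail_byte)
{
    unsigned char *b = malloc(BLOB_LEN + TAIL_LEN + 1);
    if (!b)
        return NULL;
    for (size_t i = 0; i < BLOB_LEN; i++)
        b[i] = (unsigned char)('A' + i);     /* "ABCDEFGH", no 0x00 */
    memset(b + BLOB_LEN, tail_byte, TAIL_LEN);
    b[BLOB_LEN + TAIL_LEN] = 0;
    return b;
}

/* Bytes touched by each hash when handed a BLOB_LEN-byte font. */
size_t bytes_read_string_style(void)
{
    unsigned char *b = make_blob(0xAA);
    if (!b) return 0;
    FontKey k = { b, BLOB_LEN };
    size_t n;
    hash_string_style(&k, &n);
    free(b);
    return n;                                /* 16: overran into the tail */
}

size_t bytes_read_bounded(void)
{
    unsigned char *b = make_blob(0xAA);
    if (!b) return 0;
    FontKey k = { b, BLOB_LEN };
    size_t n;
    hash_bounded(&k, &n);
    free(b);
    return n;                                /* 8 */
}

/* 1 if fn gives the same hash regardless of what lies past font_data_len. */
int tail_independent(uint32_t (*fn)(const FontKey *, size_t *))
{
    unsigned char *b1 = make_blob(0xAA), *b2 = make_blob(0xBB);
    if (!b1 || !b2) { free(b1); free(b2); return 0; }
    FontKey k1 = { b1, BLOB_LEN }, k2 = { b2, BLOB_LEN };
    size_t n;
    int same = fn(&k1, &n) == fn(&k2, &n);
    free(b1); free(b2);
    return same;
}

/* Second failure mode: blobs that differ only after an embedded 0x00.
 * Returns 1 if fn hashes them equal. */
int collides_after_nul(uint32_t (*fn)(const FontKey *, size_t *))
{
    static const unsigned char f1[] = { 'O', 'T', 'T', 'O', 0x00, 0x01, 0x02, 0x03 };
    static const unsigned char f2[] = { 'O', 'T', 'T', 'O', 0x00, 0x09, 0x08, 0x07 };
    FontKey k1 = { f1, sizeof f1 }, k2 = { f2, sizeof f2 };
    size_t n;
    return fn(&k1, &n) == fn(&k2, &n);
}

int main(void)
{
    printf("string-style scan read %zu bytes of an %d-byte font\n",
           bytes_read_string_style(), BLOB_LEN);
    printf("bounded hash read %zu bytes\n", bytes_read_bounded());
    printf("string-style hash depends on heap neighbour: %s\n",
           tail_independent(hash_string_style) ? "no" : "yes");
    printf("string-style hash collides on embedded NUL: %s\n",
           collides_after_nul(hash_string_style) ? "yes" : "no");
    return 0;
}
```

Two practical notes follow from this. First, the over-read only triggers for a blob with no 0x00 before its end, which is why a crafted file rather than an ordinary font is needed to hit it; an ASan build of xpstojpeg, as in the command above, is the cheapest way to confirm a fix. Second, whenever a binary key is stored alongside its length, both the hash and the equality callback handed to g_hash_table_new() must use that length, otherwise the key comparison inherits the same defect.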