From cea7e567c39bbc207e14b7d69ad8e9ed2e62ee19 Mon Sep 17 00:00:00 2001
From: zhangpan
Date: Fri, 13 Sep 2024 11:11:23 +0000
Subject: [PATCH] fix CVE-2022-48622

---
 backport-CVE-2022-48622.patch | 113 ++++++++++++++++++++++++++++++++++
 gdk-pixbuf2.spec | 8 ++-
 2 files changed, 120 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2022-48622.patch

diff --git a/backport-CVE-2022-48622.patch b/backport-CVE-2022-48622.patch
new file mode 100644
index 0000000..bbbd994
--- /dev/null
+++ b/backport-CVE-2022-48622.patch
@@ -0,0 +1,113 @@ +From 00c071dd11f723ca608608eef45cb1aa98da89cc Mon Sep 17 00:00:00 2001 +From: Benjamin Gilbert +Date: Tue, 30 Apr 2024 07:26:54 -0500 +Subject: [PATCH 1/3] ANI: Reject files with multiple anih chunks + +An anih chunk causes us to initialize a bunch of state, which we only +expect to do once per file. + +Fixes: #202 +Fixes: CVE-2022-48622 +--- + gdk-pixbuf/io-ani.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c +index c6c4642cf4..a78ea7ace4 100644 +--- a/gdk-pixbuf/io-ani.c ++++ b/gdk-pixbuf/io-ani.c +@@ -295,6 +295,15 @@ ani_load_chunk (AniLoaderContext *context, GError **error) + + if (context->chunk_id == TAG_anih) + { ++ if (context->animation) ++ { ++ g_set_error_literal (error, ++ GDK_PIXBUF_ERROR, ++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE, ++ _("Invalid header in animation")); ++ return FALSE; ++ } ++ + context->HeaderSize = read_int32 (context); + context->NumFrames = read_int32 (context); + context->NumSteps = read_int32 (context); +-- +GitLab + + +From d52134373594ff76614fb415125b0d1c723ddd56 Mon Sep 17 00:00:00 2001 +From: Benjamin Gilbert +Date: Tue, 30 Apr 2024 07:13:37 -0500 +Subject: [PATCH 2/3] ANI: Reject files with multiple INAM or IART chunks + +There should be at most one chunk each. These would cause memory leaks +otherwise. 
+--- + gdk-pixbuf/io-ani.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c +index a78ea7ace4..8e8414117c 100644 +--- a/gdk-pixbuf/io-ani.c ++++ b/gdk-pixbuf/io-ani.c +@@ -445,7 +445,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error) + } + else if (context->chunk_id == TAG_INAM) + { +- if (!context->animation) ++ if (!context->animation || context->title) + { + g_set_error_literal (error, + GDK_PIXBUF_ERROR, +@@ -472,7 +472,7 @@ ani_load_chunk (AniLoaderContext *context, GError **error) + } + else if (context->chunk_id == TAG_IART) + { +- if (!context->animation) ++ if (!context->animation || context->author) + { + g_set_error_literal (error, + GDK_PIXBUF_ERROR, +-- +GitLab + + +From 91b8aa5cd8a0eea28acb51f0e121827ca2e7eb78 Mon Sep 17 00:00:00 2001 +From: Benjamin Gilbert +Date: Tue, 30 Apr 2024 08:17:25 -0500 +Subject: [PATCH 3/3] ANI: Validate anih chunk size + +Before reading a chunk, we verify that enough bytes are available to match +the chunk size declared by the file. However, uniquely, the anih chunk +loader doesn't verify that this size matches the number of bytes it +actually intends to read. Thus, if the chunk size is too small and the +file ends in the middle of the chunk, we populate some context fields with +stack garbage. (But we'd still fail later on because the file doesn't +contain any images.) Fix this. 
+--- + gdk-pixbuf/io-ani.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/gdk-pixbuf/io-ani.c b/gdk-pixbuf/io-ani.c +index 8e8414117c..cfafd7b196 100644 +--- a/gdk-pixbuf/io-ani.c ++++ b/gdk-pixbuf/io-ani.c +@@ -295,6 +295,14 @@ ani_load_chunk (AniLoaderContext *context, GError **error) + + if (context->chunk_id == TAG_anih) + { ++ if (context->chunk_size < 36) ++ { ++ g_set_error_literal (error, ++ GDK_PIXBUF_ERROR, ++ GDK_PIXBUF_ERROR_CORRUPT_IMAGE, ++ _("Malformed chunk in animation")); ++ return FALSE; ++ } + if (context->animation) + { + g_set_error_literal (error, +-- +GitLab + diff --git a/gdk-pixbuf2.spec b/gdk-pixbuf2.spec index ac2db7f..5e6c6cd 100644 --- a/gdk-pixbuf2.spec +++ b/gdk-pixbuf2.spec @@ -1,6 +1,6 @@ Name: gdk-pixbuf2 Version: 2.40.0 -Release: 5 +Release: 6 Summary: gdk is a multi-platform toolkit for creating graphical user interfaces. License: LGPLv2+ @@ -12,6 +12,7 @@ Patch0001: backport-CVE-2021-20240.patch Patch0002: backport-CVE-2020-29385.patch Patch0003: backport-CVE-2021-46829.patch Patch0004: backport-CVE-2021-44648.patch +Patch0005: backport-CVE-2022-48622.patch BuildRequires: gettext gtk-doc pkgconfig(gio-2.0) >= 2.48.0 libpng-devel libjpeg-devel libtiff-devel shared-mime-info BuildRequires: meson pkgconfig(x11) pkgconfig(gobject-introspection-1.0) >= 0.9.3 gobject-introspection-devel libxslt gdb @@ -51,6 +52,8 @@ developing applications that uses gdk-pixbuf2 xlib and test. cp %{SOURCE1} ./tests/test-images/gif-test-suite/invalid-colors.gif %build +# remove bug793470-crasher.png to resolve pixbuf-fail use case failure +rm -rf tests/test-images/fail/bug793470-crasher.png %meson -Dbuiltin_loaders=png -Ddocs=true %global _smp_mflags -j1 @@ -105,6 +108,9 @@ gdk-pixbuf-query-loaders-%{__isa_bits} --update-cache %{_mandir}/man1/gdk-pixbuf-csource.1* %changelog +* Fri Sep 13 2024 zhangpan - 2.40.0-6 +- fix CVE-2022-48622 + * Tue Jun 20 2023 zhangpan - 2.40.0-5 - fix CVE-2021-44648 -- Gitee
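Review bot: The duplicate-anih guard from patch 1/3, `if (context->animation)`, only rejects a second anih chunk if `context->animation` is created inside the TAG_anih branch, which lies below the hunk and is not visible here; when carrying this to 2.40.0 it is worth confirming that the target io-ani.c allocates the animation object in that branch rather than at loader start, otherwise a repeated anih chunk would still reinitialize the header fields the fix is meant to protect. Patch 3/3 hard-codes `36` as the minimum chunk size for the header fields the branch reads (only the first three `read_int32` calls are visible in the hunk); a named constant such as `ANIH_CHUNK_SIZE` with a comment stating that it equals the number of 32-bit header fields read would keep the size check from silently drifting if that field list ever changes. The enclosing `ani_load_chunk` begins and ends outside all three hunks.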
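Review bot: The `%build` hunk deletes `tests/test-images/fail/bug793470-crasher.png` so that the pixbuf-fail test passes, which removes a negative test input instead of explaining why the loader no longer rejects that file; if the fixture stops failing to load after these patches, that is a loader behavior change worth understanding before dropping it, and the comment should record the reason (an upstream issue reference, for example) rather than only the symptom. The `rm -rf` is also broader than a single regular file needs; `rm -f tests/test-images/fail/bug793470-crasher.png` states the intent. The Release bump, `Patch0005` line and changelog entry in the other hunks of this file look consistent with each other.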