GNOME Image Viewer (EOG): invalid XPM file causes dynamic memory allocation

Bug #1797161 reported by orbitcowboy
Affects: gdk-pixbuf; Status: New; Importance: Unknown
Affects: eog (Ubuntu); Status: Invalid; Importance: Undecided; Assigned to: Unassigned
Affects: gdk-pixbuf (Ubuntu); Status: Confirmed; Importance: Undecided; Assigned to: Unassigned

Bug Description

Summary

Loading a specially crafted (invalid) XPM file, an attacker is able to crash the whole system, since too much dynamic memory is allocated.

Test environment

$ eog --version
GNOME Image Viewer 3.28.1

Distributor ID: Ubuntu
Description: Ubuntu 18.04.1 LTS
Release: 18.04
Codename: bionic

Steps to reproduce
1) Open a terminal and start the 'top' program to see the memory usage a program uses
2) Open a second terminal
  a) Execute: $ eog eog_ctrl_mem.xpm
  b) Observe how dynamic memory allocation increases by Eye of Gnome in terminal 1). Depending on the available resources, the system can crash.

Note: Whether the system crashes/swaps depends on the available physical memory and the amount of resources other applications have already allocated on the system. I have experimented in a virtual box and it was easy to crash by changing the width and height parameters in the XPM file.

Are other programs affected and how do they behave?

I have tested GNU Image Manipulation Program version 2.8.22, which simply rejects the file with an error message, and no additional memory is allocated.
Error Message from Gimp:
"Opening 'eog_ctrl_mem.xpm' failed: X PixMap image plug-In could not open image"

Potential vulnerability

An attacker could prepare an invalid XPM file (e.g. eog_ctrl_mem.xpm). In case the user opens the file by double-clicking, the system is able to crash due to the huge amount of memory allocated. Since Eye of Gnome is the default viewer on Ubuntu, this is likely.

Best regards

Martin Ettl
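
A pre-allocation check for the width and height fields the report describes, as an added example that is not part of the original report and is not gdk-pixbuf's own code. The function name xpm_precheck, the 256 MiB cap and the sample inputs are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed policy for this example: cap on the decoded RGBA buffer. */
#define MAX_PIXEL_BYTES ((uint64_t)256 * 1024 * 1024)

enum xpm_check { XPM_OK, XPM_BAD_HEADER, XPM_TOO_LARGE, XPM_TRUNCATED };

/* Validate the XPM3 values string ("width height ncolors chars_per_pixel")
 * before any pixel buffer is allocated. */
enum xpm_check xpm_precheck(const char *data, size_t len)
{
    char values[64];
    size_t n = 0;
    unsigned long long w, h, ncolors, cpp;

    if (len < 9 || memcmp(data, "/* XPM */", 9) != 0)
        return XPM_BAD_HEADER;
    const char *q = memchr(data, '"', len);   /* first quoted string */
    if (q == NULL)
        return XPM_BAD_HEADER;
    for (const char *p = q + 1; p < data + len && *p != '"' && n < sizeof values - 1; p++)
        values[n++] = *p;
    values[n] = '\0';
    /* %9llu bounds each field to 9 digits, so the conversions cannot overflow. */
    if (sscanf(values, "%9llu %9llu %9llu %9llu", &w, &h, &ncolors, &cpp) != 4)
        return XPM_BAD_HEADER;
    if (w == 0 || h == 0 || ncolors == 0 || cpp == 0)
        return XPM_BAD_HEADER;
    /* Tests w * h * 4 > cap as a division, so the product is never formed. */
    if (w > MAX_PIXEL_BYTES / 4 / h)
        return XPM_TOO_LARGE;
    /* The pixel rows alone need w * h * cpp characters; a shorter file
     * cannot back the dimensions it claims. */
    if (w * h > len / cpp)
        return XPM_TRUNCATED;
    return XPM_OK;
}

/* Constructed sample inputs (not the reporter's eog_ctrl_mem.xpm). */
static const char SMALL_OK[] = "/* XPM */\nstatic char *t[] = {\n\"2 2 1 1\",\n\"a c #000000\",\n\"aa\",\n\"aa\"};\n";
static const char BIG_DIMS[] = "/* XPM */\nstatic char *t[] = {\n\"60000 60000 1 1\",\n\"a c #000000\",\n\"aa\"};\n";
static const char UNDER_CAP_NO_DATA[] = "/* XPM */\nstatic char *t[] = {\n\"8000 8000 1 1\",\n\"a c #000000\",\n\"aa\"};\n";

int main(void)
{
    printf("%d %d %d\n", (int)xpm_precheck(SMALL_OK, sizeof SMALL_OK - 1),
           (int)xpm_precheck(BIG_DIMS, sizeof BIG_DIMS - 1),
           (int)xpm_precheck(UNDER_CAP_NO_DATA, sizeof UNDER_CAP_NO_DATA - 1));
    return 0;
}
```

The third sample stays under the byte cap but is still rejected, because the file is far too short to hold the pixel rows its header claims.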

orbitcowboy (orbitcowboy) wrote :
description: updated
Seth Arnold (seth-arnold) wrote :

Thanks Martin, I've filed https://gitlab.gnome.org/GNOME/gdk-pixbuf/issues/95 with upstream developers.

orbitcowboy (orbitcowboy) wrote :

Thanks!

orbitcowboy (orbitcowboy) wrote :

Ping: Is there any progress?

orbitcowboy (orbitcowboy) wrote :

Since there is no progress, the bug will be published soonish...

affects: choreographics → gdk-pixbuf
information type: Private Security → Public Security
Changed in gdk-pixbuf:
status: Unknown → New
Changed in eog (Ubuntu):
status: New → Incomplete
status: Incomplete → Invalid
Changed in gdk-pixbuf (Ubuntu):
status: New → Confirmed
This report contains Public Security information  
Everyone can see this security related information.