Bug 762028 - >=eog-3.16 is affected by CVE-2013-7447
Status: RESOLVED FIXED
Product: eog
Classification: Core
Component: general
Version: git master
Hardware: Other Linux
Importance: Normal normal
Target Milestone: ---
Assigned To: EOG Maintainers
Reported: 2016-02-14 12:26 UTC by Pacho Ramos
Modified: 2016-02-14 18:46 UTC

Description Pacho Ramos 2016-02-14 12:26:03 UTC
As reported in:
https://bugs.gentoo.org/show_bug.cgi?id=574372
https://bugs.gentoo.org/show_bug.cgi?id=574380

eog is affected by CVE-2013-7447 (bug #703220). In 3.18 I see:
$ grep -r "cairo_pixels" -- *
src/eog-print-preview.c:  guchar *cairo_pixels;
src/eog-print-preview.c:  cairo_pixels = g_malloc (height * cairo_stride);
src/eog-print-preview.c:  surface = cairo_image_surface_create_for_data ((unsigned char *)cairo_pixels,
src/eog-print-preview.c:			       cairo_pixels, (cairo_destroy_func_t)g_free);
src/eog-print-preview.c:      guchar *q = cairo_pixels;
src/eog-print-preview.c:      cairo_pixels += cairo_stride;


Thanks
Comment 1 Felix Riemann 2016-02-14 18:07:31 UTC
Thanks for reporting this. I'm dropping the copied code in master as GDK has the same function with gdk_cairo_surface_create_from_pixbuf() nowadays.

This is not a critical problem though, as the code should only work with images which are as large as the widget at most and as such wouldn't be able to cause the overflow.

I'll fix this in the 3.18 branch as well using the g_malloc_n approach.

commit c1ac983bf3bdbd7d8ab4ab34208f1f399bdacbfc
Author: Felix Riemann <friemann@gnome.org>
Date:   Sun Feb 14 18:50:43 2016 +0100

    EogPrintPreview: Fix possible integer overflow
    
    This removes code copied from GDK that was susceptible to a possible
    integer overflow (cf. CVE-2013-7447), although the code only worked
    on images too small to trigger the overflow. GDK provides a (fixed)
    variant of the code with the same features nowadays, so just use that.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=762028
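As an added illustration (a constructed example, not eog or GDK code), the allocation pattern the commit removes, sized as height * stride in int arithmetic, next to an overflow-checked size computation of the kind g_malloc_n performs; the dimensions used are constructed:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the pattern behind CVE-2013-7447: a row buffer is
 * allocated as height * stride, then filled one stride-sized row at a time. */

/* The copied code computed the size in int, which wraps (strictly, is
 * undefined) once the product exceeds INT_MAX. uint32_t is used here so the
 * wrap is deterministic for the demonstration. */
uint32_t naive_size(int height, int stride)
{
    return (uint32_t)height * (uint32_t)stride;
}

/* True when the 32-bit product no longer equals the real byte count, i.e.
 * the row loop would write more bytes than the naive allocation holds. */
bool product_wraps(int height, int stride)
{
    return naive_size(height, stride) != (uint64_t)height * (uint64_t)stride;
}

/* Overflow-checked multiplication, the check g_malloc_n applies before
 * allocating. g_malloc_n aborts the process on overflow; this version
 * returns false so the caller can refuse the image instead. */
bool checked_mul_size(size_t n_blocks, size_t block_size, size_t *out)
{
    if (n_blocks != 0 && block_size > SIZE_MAX / n_blocks)
        return false;
    *out = n_blocks * block_size;
    return true;
}

/* Allocate height * stride bytes only when that size is representable;
 * returns NULL on overflow or allocation failure. */
unsigned char *alloc_pixels_checked(size_t height, size_t stride)
{
    size_t total;
    if (!checked_mul_size(height, stride, &total))
        return NULL;
    return malloc(total);
}

int main(void)
{
    /* constructed dimensions: 65536 rows of 262144 bytes = 2^34 bytes */
    printf("naive 32-bit size: %u, wraps: %d\n",
           naive_size(65536, 262144), product_wraps(65536, 262144));
    return 0;
}
```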
Comment 2 Felix Riemann 2016-02-14 18:46:06 UTC
commit 0b02e1b43d28c05de73befb7af2d4bc057a00a65 (gnome-3-14)
commit ec604eb219c43f9e6f654a1888527e9fb537c9f4 (gnome-3-16)
commit f4e1b12e781ec573e4188ea64e0aa1b326aa006b (gnome-3-18)
Author: Felix Riemann <>
Date:   Sun Feb 14 19:09:16 2016 +0100

    EogPrintPreview: Fix possible integer overflow
    
    Import a fix into code copied from GDK which was susceptible to a possible
    integer overflow (cf. CVE-2013-7447). This is practically the corresponding
    fix from GDK. The code in eog however should only work with images too small
    to trigger this integer overflow.
    
    https://bugzilla.gnome.org/show_bug.cgi?id=762028

Also pushed out fixed stable releases 3.14.5, 3.16.4 and 3.18.2.