Bug 1279413 (CVE-2014-9766)

pixman: integer overflow in create_bits function

RESOLVED FIXED in Firefox 48

Status

Core
Graphics
RESOLVED FIXED
2 years ago
a year ago

People

(Reporter: Huzaifa Sidhpurwala, Assigned: jrmuizel)

Tracking

({csectype-intoverflow, sec-low})

46 Branch
mozilla50
csectype-intoverflow, sec-low
Points:
---

Firefox Tracking Flags

(firefox47 wontfix, firefox48+ fixed, firefox49+ fixed, firefox-esr4548+ fixed, firefox50+ fixed)

Details

(Whiteboard: [post-critsmash-triage][adv-main48-][adv-esr45.3-])

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160503092137

Steps to reproduce:

CVE-2014-9766 is related to pixman: integer overflow in create_bits function, which Firefox seems to embed.

Details at:
In create_bits() both height and stride are ints, so the result is
also an int, which will overflow if height or stride are big enough
and size_t is bigger than int.

http://lists.freedesktop.org/archives/pixman/2014-April/003244.html

I find similar code in the version of pixman embedded in Firefox. But I don't really have the skills to figure out if Firefox is indeed affected.

Would appreciate if you could look, thanks!
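The overflow the report describes is a pure size-computation bug: two `int` operands are multiplied in `int`, and only the (already wrapped) result is widened to `size_t`. The following is an added example, written for this page and not pixman's or Mozilla's code, that models that pattern next to a checked version. The function names `unsafe_buf_size`, `checked_buf_size` and `create_bits_checked` are invented for illustration; the `INT_MAX` bound on the product is an assumption chosen so that later `int`-typed arithmetic on the size stays safe.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/*
 * Added example, not pixman's code. Models the create_bits() pattern from the
 * bug report: height and stride are int, so "height * stride" is evaluated in
 * int and can wrap before it is ever stored in a size_t.
 */

/* Unsafe: the wrapped int product is widened to size_t and handed to malloc.
 * Signed overflow is undefined in C, so the wrap is modelled explicitly with
 * unsigned arithmetic and a modular conversion back to int (what gcc/clang
 * do on two's-complement targets). Hypothetical name. */
size_t unsafe_buf_size(int height, int stride)
{
    int product = (int)((unsigned int)height * (unsigned int)stride);
    return (size_t)product;  /* far too small for a large image */
}

/* Checked: reject non-positive dimensions, and reject any product that does
 * not fit in int, computed with a division test in size_t so no step can
 * overflow. Returns 0 (never a valid image size) on rejection. Hypothetical
 * name; the INT_MAX bound is an assumption (see lead-in). */
size_t checked_buf_size(int height, int stride)
{
    if (height <= 0 || stride <= 0)
        return 0;
    size_t h = (size_t)height, s = (size_t)stride;
    if (h > (size_t)INT_MAX / s)   /* h * s would exceed INT_MAX */
        return 0;
    return h * s;
}

/* Allocates the pixel buffer only when the size check passes; NULL otherwise.
 * Hypothetical name, standing in for the allocation step of create_bits(). */
unsigned char *create_bits_checked(int height, int stride)
{
    size_t n = checked_buf_size(height, stride);
    if (n == 0)
        return NULL;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed inputs: 65537 rows of 65536 bytes is a ~4 GiB image, but
     * the int product wraps to 65536. */
    printf("unsafe  : %zu bytes\n", unsafe_buf_size(65537, 65536));   /* 65536 */
    printf("checked : %zu bytes\n", checked_buf_size(65537, 65536));  /* 0 = rejected */
    printf("checked : %zu bytes\n", checked_buf_size(1024, 4096));    /* 4194304 */

    unsigned char *big = create_bits_checked(65537, 65536);
    printf("alloc big image: %s\n", big ? "allocated" : "rejected");
    free(big);
    return 0;
}
```

Note that the unsafe variant returns a buffer size of 65536 bytes for an image the caller believes is about 4 GiB, which is exactly the mismatch between allocated and addressed memory that the advisory text describes as a crash or possible code execution; the checked variant refuses it before any allocation.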

Comment 1

2 years ago
Jeff, looks like the fix is from pixman 0.32.6, and we're running 0.29.2 on nightly. Is that right?
Group: firefox-core-security → core-security
Component: Untriaged → Graphics
Flags: needinfo?(jmuizelaar)
Product: Firefox → Core
Group: core-security → gfx-core-security
(Reporter)

Comment 2

a year ago
dveditz,

This is a code execution bug, remote ACE for Firefox, and it's already public; can you accelerate this a bit?

Thanks!

Comment 3

a year ago
ni for comment #2
Flags: needinfo?(dveditz)
(In reply to Huzaifa Sidhpurwala from comment #2)
> This is a code execution bug, remote ACE for firefox,

Is it? Gecko imposes image size limits that should kick in before this code is called. Without a testcase this is still an investigatory bug (though I agree we ought to update our libraries)
status-firefox47: --- → affected
status-firefox48: --- → affected
status-firefox49: --- → affected
status-firefox50: --- → affected
status-firefox-esr45: --- → affected
tracking-firefox48: --- → +
tracking-firefox49: --- → +
tracking-firefox50: --- → +
tracking-firefox-esr45: --- → 48+
Flags: needinfo?(dveditz) → needinfo?(huzaifas)
(Reporter)

Comment 5

a year ago
You could be right; as I said, I have not investigated this from a Mozilla POV, but am generally worried about getting it fixed there.
Flags: needinfo?(huzaifas)
https://hg.mozilla.org/mozilla-central/rev/330fb1898594
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox50: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Jeff, could you fill the uplift requests to aurora, beta & esr? Thanks
Assignee: nobody → jmuizelaar
status-firefox47: affected → wontfix
Flags: needinfo?(jmuizelaar)
Group: gfx-core-security → core-security-release
Just caught this - no sec rating but it has already landed. Milan, can you request uplift?
Flags: needinfo?(milan)
Created attachment 8771561 [details] [diff] [review]
The patch that landed (from upstreamed https://lists.freedesktop.org/archives/pixman/2014-April/003244.html)

Creating the patch that already landed, so that we can request uplift.

Approval Request Comment
[Feature/regressing bug #]: In upstream pixman at our version 0.29.2, fixed by 0.32.6 in 2014.
[User impact if declined]: We don't know the attack vector, but the description of the upstream problem is:
Integer overflow in the create_bits function in pixman-bits-image.c in Pixman before 0.32.6 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via large height and stride values.
Flags: needinfo?(milan)
Attachment #8771561 - Flags: review+
Attachment #8771561 - Flags: approval-mozilla-beta?
Attachment #8771561 - Flags: approval-mozilla-aurora?
Comment on attachment 8771561 [details] [diff] [review]
The patch that landed (from upstreamed https://lists.freedesktop.org/archives/pixman/2014-April/003244.html)

Milan, Jeff, what about ESR45? Thanks
Flags: needinfo?(milan)
Flags: needinfo?(jmuizelaar)
Attachment #8771561 - Flags: approval-mozilla-beta?
Attachment #8771561 - Flags: approval-mozilla-beta+
Attachment #8771561 - Flags: approval-mozilla-aurora?
Attachment #8771561 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/7827e7019cb9
status-firefox49: affected → fixed
https://hg.mozilla.org/releases/mozilla-beta/rev/adfa3c5930cf
status-firefox48: affected → fixed
Comment on attachment 8771561 [details] [diff] [review]
The patch that landed (from upstreamed https://lists.freedesktop.org/archives/pixman/2014-April/003244.html)

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:

This is somewhat difficult without the security rating. The description is above, and the fix is simple enough that even without a known attack vector, it would be good to get it into 45esr.
Flags: needinfo?(milan)
Flags: needinfo?(jmuizelaar)
Attachment #8771561 - Flags: approval-mozilla-esr45?
Alias: CVE-2014-9766
Keywords: csectype-intoverflow, sec-moderate
Keywords: sec-moderate → sec-low
Comment on attachment 8771561 [details] [diff] [review]
The patch that landed (from upstreamed https://lists.freedesktop.org/archives/pixman/2014-April/003244.html)

We should take this on all the branches, a=dveditz for ESR-45
Attachment #8771561 - Flags: approval-mozilla-esr45? → approval-mozilla-esr45+
Whiteboard: [post-critsmash-triage]
https://hg.mozilla.org/releases/mozilla-esr45/rev/13cb36dee2c5
status-firefox-esr45: affected → fixed
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main48-][adv-esr45.3-]
(Reporter)

Comment 16

a year ago
Is there going to be an advisory for this?
No, there is not (hence the minus tags for the releases in the whiteboard). It isn't clear that Firefox was actually affected by this in practice.
Group: core-security-release