GNOME gdk-pixbuf
cpe:2.3:a:gnome:gdk-pixbuf:*:*:*:*:*:*:*
- >= 2.42.10, <= 2.44.5
A heap-based buffer overflow vulnerability has been identified in the gdk-pixbuf library's JPEG image loader. This vulnerability arises from improper validation of color component counts when processing specially crafted JPEG images, leading to insufficient memory allocation for pixel data. The flaw can be exploited remotely without user interaction, such as during thumbnail generation, causing application crashes and denial-of-service conditions.
Exploitation triggers the heap-based buffer overflow, causing application crashes and denial-of-service conditions. On 32-bit systems, the vulnerability can additionally be exploited to execute arbitrary code by hijacking the vtable of a GObject through controlled pixel data. On 64-bit systems, the claimed code execution requires more complex conditions, although the necessary exploitation primitives have been verified.
The vulnerability can be reproduced by processing a specially crafted JPEG image with the gdk-pixbuf library's JPEG loader. This can be done manually or automatically via thumbnail generation in file managers like Nautilus, Thunar, or Caja, which trigger the vulnerability without user interaction.
Users are advised to avoid opening or processing untrusted JPEG files. For distributions that include gdk-pixbuf, such as Ubuntu 24.04 LTS, a patched version is available. The fix involves adding a validation check for color component counts in the JPEG loader, which has already been implemented in the latest gdk-pixbuf release.
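Where untrusted JPEGs must be handled before the patched package is installed, the component count a file declares can be read from its frame header (SOF segment) without decoding the image. The following is an added example, not gdk-pixbuf code and not the upstream fix; the function names and the allow-list {1, 3, 4} are assumptions, because the advisory does not state which component counts trigger the flaw.

```python
# SOF0-SOF15 are frame headers, except 0xC4 (DHT), 0xC8 (JPG) and 0xCC (DAC).
SOF_MARKERS = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}
# Markers without a length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
ALLOWED_COUNTS = frozenset({1, 3, 4})  # assumed site policy, not from the advisory

def sof_component_counts(data: bytes) -> list[int]:
    """Return the component count (Nf) of every SOF segment before the first SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI marker")
    counts, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte preceding a marker
            pos += 1
            continue
        pos += 2
        if marker in (0xD9, 0xDA):  # EOI, or SOS (entropy-coded data follows)
            break
        if marker in STANDALONE:
            continue
        seglen = int.from_bytes(data[pos:pos + 2], "big")  # includes its own 2 bytes
        if seglen < 2 or pos + seglen > len(data):
            raise ValueError("segment length out of bounds")
        if marker in SOF_MARKERS:
            if seglen < 8:  # length(2) precision(1) height(2) width(2) Nf(1)
                raise ValueError("SOF segment too short")
            counts.append(data[pos + 7])
        pos += seglen
    return counts

def screen(data: bytes, allowed=ALLOWED_COUNTS) -> tuple[bool, str]:
    """Decide whether a file may be handed to the image loader."""
    try:
        counts = sof_component_counts(data)
    except ValueError as exc:
        return False, f"malformed: {exc}"
    if len(counts) != 1:
        return False, f"expected one SOF segment, found {len(counts)}"
    if counts[0] not in allowed:
        return False, f"component count {counts[0]} not in allow-list"
    return True, f"{counts[0]} components"

def sample(nf: int) -> bytes:
    """Constructed header-only input: SOI, SOF0 declaring nf components, EOI."""
    body = bytes([8, 0, 16, 0, 16, nf]) + b"\x01\x11\x00" * nf
    return b"\xff\xd8\xff\xc0" + (len(body) + 2).to_bytes(2, "big") + body + b"\xff\xd9"
```

A screen like this is a stopgap for quarantine decisions and does not replace installing the fixed gdk-pixbuf package.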