CVE-2019-20326: 
NixOS vulnerability analysis and mitigation

A heap-based buffer overflow vulnerability was discovered in GNOME gThumb before version 3.8.3 and Linux Mint Pix before version 2.4.5. The vulnerability exists in the _cairo_image_surface_create_from_jpeg() function within the extensions/cairo_io/cairo-image-surface-jpeg.c file. This security flaw was assigned CVE-2019-20326 and was first recorded on January 2, 2020 (CVE Mitre).

The vulnerability occurs due to improper memory management when processing JPEG images. The cairo_io module supports maximum JPEG dimensions of 32767 x 32767 (CAIRO_MAX_IMAGE_SIZE). When allocating a Cairo surface, the function picks the minimum of CAIRO_MAX_IMAGE_SIZE and the length specified in the SOF0 segment of the file. However, when writing pixel data into the allocated surface, the function iterates over the original dimensions specified by the JPEG instead of the appropriate destination dimensions, leading to a buffer overflow condition (GitHub POC).

If successfully exploited, this vulnerability could allow attackers to cause a program crash, resulting in a denial of service condition, or potentially execute arbitrary code via a specially crafted JPEG file (Ubuntu Security, Gentoo Security).

The vulnerability has been fixed in gThumb version 3.8.3 and Pix version 2.4.5. Users are advised to upgrade to these or later versions. Various Linux distributions have released security updates to address this vulnerability, including Ubuntu 20.04 (version 3:3.8.0-2.1ubuntu0.1), Debian 9 (version 3:3.4.4.1-5+deb9u2), and Gentoo (version >= 3.10.0) (Ubuntu Security, Debian LTS, Gentoo Security).