gimp: Buffer overrun in XCF reading code

Related Vulnerabilities: CVE-2006-3404  

Debian Bug report logs - #377049
gimp: Buffer overrun in XCF reading code


Reported by: Henning Makholm <henning@makholm.net>

Date: Thu, 6 Jul 2006 11:18:14 UTC

Severity: grave

Tags: fixed, fixed-in-experimental, fixed-upstream, patch, security

Found in versions gimp/2.2.6-1, gimp/2.2.11-3, gimp/2.3.9-1

Fixed in versions gimp/2.2.12-1, gimp/2.3.10-1

Done: Thijs Kinkhorst <thijs@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#377049; Package gimp. (full text, mbox, link).


Acknowledgement sent to Henning Makholm <henning@makholm.net>:
New Bug report received and forwarded. Copy sent to Ari Pollak <ari@debian.org>. (full text, mbox, link).


Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Henning Makholm <henning@makholm.net>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gimp: Buffer overrun in XCF reading code
Date: Thu, 06 Jul 2006 13:13:28 +0200
[Message part 1 (text/plain, inline)]
Package: gimp
Version: 2.2.6-1
Severity: grave
Tags: security patch
Justification: user security hole

I have reported this bug privately to the maintainer and the security
team, but it turns out that the upstream developers have no way of
reporting security bugs privately, so it is hereby in the open. It
is #346742 in the upstream bug tracking system.

The problem is in the function xcf_load_vector() in app/xcf/xcf-load.c
of the source tree. For each "stroke" being read, the code reads an
uint32 from the XCF file into the variable num_axes, and then for each
control point of the stroke reads num_axes floats from the file into
the stack-allocated array coords whose size is hard-coded as 6.

A malicious XCF file creator could write a large number into the
num_axes position and trick the XCF reader into overwriting part of
the stack with raw data read from the file. On little-endian systems,
the function xcf_read_float() that actually reads the floats does a
byte-order conversion on the data it reads but does not do any special
float processing, so an attacker has direct control of the data
written to the stack.

I have not attempted to construct a working exploit (though I did
verify being able to crash Gimp with a naively patched image file),
but there seems to be no reason why the overrun could not be used to
mount a standard arbitrary code execution attack if one can get the
victim to try to load an appropriately crafted image file.

The attack is in the VECTORS property of an XCF file which pure XCF
_viewers_ (e.g. imagemagick or xcftools) normally skip without
parsing.  Thus an attack file can easily be written such that the
image will display correctly with no symptoms at all in a viewer
application.

The same bug appears in the unstable (2.2.11) and experimental (2.3.9)
versions, as well as the upstream CVS head.

The attached patch should fix it (more gracefully than the one in my
earlier private report).
[gimppatch4 (text/plain, attachment)]
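The read loop Henning describes above, shown as an added example that is not GIMP's code and not the attached patch. It models a single stroke record with an assumed, simplified layout (uint32 num_axes, uint32 num_control_points, then the big-endian floats); the real VECTORS property carries additional fields that are not modelled here. The function names, the `MAX_AXES` constant and the constructed test records are all assumptions made for the example. The vulnerable shape is kept as a comment only; the hardened loader validates num_axes against the fixed array before any write, and also checks the declared point count against the bytes actually present so an oversized count cannot spin the loop either.

```c
/* Added example, not GIMP's code. Assumed simplified stroke record
 * (not the real XCF VECTORS encoding):
 *   uint32 num_axes | uint32 num_points | num_points * num_axes * float32
 * All integers are big-endian, as in XCF. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_AXES 6   /* the hard-coded coords[] size named in the report */

enum stroke_status { STROKE_OK = 0, STROKE_BAD_AXES, STROKE_TRUNCATED, STROKE_TOO_MANY_POINTS };

struct reader { const uint8_t *p; size_t len; size_t off; };

static int read_u32(struct reader *r, uint32_t *out)
{
    if (r->len - r->off < 4)
        return 0;
    *out = ((uint32_t)r->p[r->off] << 24) | ((uint32_t)r->p[r->off + 1] << 16)
         | ((uint32_t)r->p[r->off + 2] << 8) | (uint32_t)r->p[r->off + 3];
    r->off += 4;
    return 1;
}

/* Like the report's description of xcf_read_float: byte-order fix only, no
 * float sanitising, so the four bytes from the file land in memory verbatim. */
static int read_f32(struct reader *r, float *out)
{
    uint32_t bits;
    if (!read_u32(r, &bits))
        return 0;
    memcpy(out, &bits, sizeof bits);
    return 1;
}

/* The bug in two lines (reference only, never compiled or called here):
 *   float coords[6];
 *   for (j = 0; j < num_axes; j++)   // num_axes straight from the file
 *       read_f32(&r, &coords[j]);    // writes past coords[5] once num_axes > 6
 */

/* Hardened loader. out must have room for max_points * MAX_AXES floats;
 * points are stored row-major, num_axes floats per point. */
static enum stroke_status
load_stroke_checked(const uint8_t *buf, size_t len, float *out, size_t max_points,
                    uint32_t *npoints_out, uint32_t *naxes_out)
{
    struct reader r = { buf, len, 0 };
    uint32_t num_axes, num_points;
    float coords[MAX_AXES];

    if (!read_u32(&r, &num_axes) || !read_u32(&r, &num_points))
        return STROKE_TRUNCATED;
    if (num_axes == 0 || num_axes > MAX_AXES)          /* the missing check */
        return STROKE_BAD_AXES;
    /* num_axes <= 6 here, so num_axes * 4 cannot overflow. */
    if (num_points > (len - r.off) / (num_axes * 4))   /* count vs. bytes present */
        return STROKE_TRUNCATED;
    if (num_points > max_points)
        return STROKE_TOO_MANY_POINTS;

    for (uint32_t i = 0; i < num_points; i++) {
        for (uint32_t j = 0; j < num_axes; j++)
            if (!read_f32(&r, &coords[j]))
                return STROKE_TRUNCATED;
        memcpy(out + (size_t)i * num_axes, coords, num_axes * sizeof(float));
    }
    *npoints_out = num_points;
    *naxes_out = num_axes;
    return STROKE_OK;
}

/* Constructed test records (not real XCF data). */
static size_t put_u32(uint8_t *dst, uint32_t v)
{
    dst[0] = (uint8_t)(v >> 24); dst[1] = (uint8_t)(v >> 16);
    dst[2] = (uint8_t)(v >> 8);  dst[3] = (uint8_t)v;
    return 4;
}

static size_t build_record(uint8_t *dst, uint32_t num_axes, uint32_t num_points,
                           const float *vals, size_t nvals)
{
    size_t n = put_u32(dst, num_axes);
    n += put_u32(dst + n, num_points);
    for (size_t k = 0; k < nvals; k++) {
        uint32_t bits;
        memcpy(&bits, &vals[k], sizeof bits);
        n += put_u32(dst + n, bits);
    }
    return n;
}

static const float SAMPLE[] = { 1.0f, 2.0f, 3.5f, -4.25f };  /* 2 points x 2 axes */

/* Honest 2-axis stroke: loads, and coord idx (row-major) is returned. */
static enum stroke_status demo_benign(size_t idx, float *coord)
{
    uint8_t rec[64]; float out[4 * MAX_AXES]; uint32_t np, na;
    size_t n = build_record(rec, 2, 2, SAMPLE, 4);
    enum stroke_status st = load_stroke_checked(rec, n, out, 4, &np, &na);
    if (st == STROKE_OK) *coord = out[idx];
    return st;
}

/* The report's attack: num_axes = 0x40000000 with one control point. */
static enum stroke_status demo_malicious(void)
{
    uint8_t rec[64]; float out[4 * MAX_AXES]; uint32_t np, na;
    size_t n = build_record(rec, 0x40000000u, 1, SAMPLE, 4);
    return load_stroke_checked(rec, n, out, 4, &np, &na);
}

/* Claims 3 points but carries floats for only 2. */
static enum stroke_status demo_truncated(void)
{
    uint8_t rec[64]; float out[4 * MAX_AXES]; uint32_t np, na;
    size_t n = build_record(rec, 2, 3, SAMPLE, 4);
    return load_stroke_checked(rec, n, out, 4, &np, &na);
}

int main(void)
{
    float c = 0.0f;
    printf("benign:    %d (first coord %g)\n", demo_benign(0, &c), c);
    printf("malicious: %d\n", demo_malicious());
    printf("truncated: %d\n", demo_truncated());
    return 0;
}
```

The order of the checks is the point: num_axes is rejected before the first float is read, so no attacker byte ever reaches the stack array, and the byte-count check makes the loader fail closed on a truncated or oversized point count instead of looping on it. The same constructed records are a reasonable seed corpus for fuzzing any real loader of this shape.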

Bug marked as found in version 2.2.11-3. Request was from Henning Makholm <henning@makholm.net> to control@bugs.debian.org. (full text, mbox, link).


Bug marked as found in version 2.3.9-1. Request was from Henning Makholm <henning@makholm.net> to control@bugs.debian.org. (full text, mbox, link).


Bug marked as found in version 2.3.9-1. Request was from Steve Langasek <vorlon@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Information forwarded to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#377049; Package gimp. (full text, mbox, link).


Acknowledgement sent to Micah Anderson <micah@riseup.net>:
Extra info received and forwarded to list. Copy sent to Ari Pollak <ari@debian.org>. (full text, mbox, link).


Message #16 received at 377049@bugs.debian.org (full text, mbox, reply):

From: Micah Anderson <micah@riseup.net>
To: 377049@bugs.debian.org
Subject: CVE assigned
Date: Thu, 06 Jul 2006 16:12:05 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Hi,

I've requested that a CVE ID be assigned for this issue. It has been
allocated:

======================================================
Name: CVE-2006-3404
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3404
Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=377049

Buffer overflow in the xcf_load_vector function in app/xcf/xcf-load.c
for gimp 2.2.6 allows user-complicit attackers to cause a denial of
service (crash) and possibly execute arbitrary code via an XCF file
with a large num_axes value in the VECTORS property

Please be sure to mention this CVE ID in any changelog that fixes this
issue.

Micah
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFErW6V9n4qXRzy1ioRAskhAJ9BZPKmnjPC7t6gO4k+VBqVnspSjACfU8uL
2oQvmKvnJ71p1fQs8mHVojM=
=xIh4
-----END PGP SIGNATURE-----



Information forwarded to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#377049; Package gimp. (full text, mbox, link).


Acknowledgement sent to Henning Makholm <henning@makholm.net>:
Extra info received and forwarded to list. Copy sent to Ari Pollak <ari@debian.org>. (full text, mbox, link).


Message #21 received at 377049@bugs.debian.org (full text, mbox, reply):

From: Henning Makholm <henning@makholm.net>
To: 377049@bugs.debian.org, control@bugs.debian.org
Subject: Bug #377049 fixed upstream
Date: Fri, 7 Jul 2006 12:34:31 +0200
tag 377049 fixed-upstream
thanks

This bug is fixed in the upstream Gimp release 2.2.12.

The fix did not make it into the development release 2.3.10, but
I have verified that it exists in the development CVS, so it will
probably be fixed in 2.3.11.

-- 
Henning Makholm       "It was intended to compile from some approximation to
                 the M-notation, but the M-notation was never fully defined,
                because representing LISP functions by LISP lists became the
 dominant programming language when the interpreter later became available."



Tags added: fixed-upstream Request was from Henning Makholm <henning@makholm.net> to control@bugs.debian.org. (full text, mbox, link).


Tags added: fixed Request was from James Vega <jamessan@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Reply sent to Ari Pollak <ari@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Henning Makholm <henning@makholm.net>:
Bug acknowledged by developer. (full text, mbox, link).


Message #30 received at 377049-close@bugs.debian.org (full text, mbox, reply):

From: Ari Pollak <ari@debian.org>
To: 377049-close@bugs.debian.org
Subject: Bug#377049: fixed in gimp 2.2.12-1
Date: Tue, 11 Jul 2006 14:47:26 -0700
Source: gimp
Source-Version: 2.2.12-1

We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive:

gimp-data_2.2.12-1_all.deb
  to pool/main/g/gimp/gimp-data_2.2.12-1_all.deb
gimp-dbg_2.2.12-1_amd64.deb
  to pool/main/g/gimp/gimp-dbg_2.2.12-1_amd64.deb
gimp-helpbrowser_2.2.12-1_amd64.deb
  to pool/main/g/gimp/gimp-helpbrowser_2.2.12-1_amd64.deb
gimp-python_2.2.12-1_amd64.deb
  to pool/main/g/gimp/gimp-python_2.2.12-1_amd64.deb
gimp-svg_2.2.12-1_amd64.deb
  to pool/main/g/gimp/gimp-svg_2.2.12-1_amd64.deb
gimp_2.2.12-1.diff.gz
  to pool/main/g/gimp/gimp_2.2.12-1.diff.gz
gimp_2.2.12-1.dsc
  to pool/main/g/gimp/gimp_2.2.12-1.dsc
gimp_2.2.12-1_amd64.deb
  to pool/main/g/gimp/gimp_2.2.12-1_amd64.deb
gimp_2.2.12.orig.tar.gz
  to pool/main/g/gimp/gimp_2.2.12.orig.tar.gz
libgimp2.0-dev_2.2.12-1_amd64.deb
  to pool/main/g/gimp/libgimp2.0-dev_2.2.12-1_amd64.deb
libgimp2.0-doc_2.2.12-1_all.deb
  to pool/main/g/gimp/libgimp2.0-doc_2.2.12-1_all.deb
libgimp2.0_2.2.12-1_amd64.deb
  to pool/main/g/gimp/libgimp2.0_2.2.12-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 377049@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ari Pollak <ari@debian.org> (supplier of updated gimp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

Format: 1.7
Date: Tue, 11 Jul 2006 14:30:03 -0400
Source: gimp
Binary: gimp-python libgimp2.0-doc gimp-data gimp gimp-helpbrowser libgimp2.0 gimp-svg libgimp2.0-dev gimp-dbg
Architecture: source amd64 all
Version: 2.2.12-1
Distribution: unstable
Urgency: low
Maintainer: Ari Pollak <ari@debian.org>
Changed-By: Ari Pollak <ari@debian.org>
Description: 
 gimp       - The GNU Image Manipulation Program
 gimp-data  - Data files for The GIMP
 gimp-dbg   - Debugging symbols for The GIMP
 gimp-helpbrowser - Built-in Help Browser plugin for The GIMP
 gimp-python - Python support and plugins for The GIMP
 gimp-svg   - SVG (Scalable Vector Graphics) plugin for The GIMP
 libgimp2.0 - Libraries necessary to Run the GIMP
 libgimp2.0-dev - Headers and other files for compiling plugins for The GIMP
 libgimp2.0-doc - Developers' Documentation for the GIMP library
Closes: 339115 377049
Changes: 
 gimp (2.2.12-1) unstable; urgency=low
 .
   * New upstream release
     - Fixes segfault when closing image while saving it (Closes: #339115)
   * Acknowledge NMU (Closes: #377049), revert patch which has been applied
     upstream
Files: 
 cc817256038e6d142d848f6b75d2402b 1263 graphics optional gimp_2.2.12-1.dsc
 89ececcfa9905b9100d2563334b221ec 18552000 graphics optional gimp_2.2.12.orig.tar.gz
 ac6368f894443ed21fe098185c738b13 27530 graphics optional gimp_2.2.12-1.diff.gz
 b8fdf89f7363740cff1e82ded2b75997 6770958 graphics optional gimp-data_2.2.12-1_all.deb
 549f43544840daf05e0556d13783144a 567520 doc optional libgimp2.0-doc_2.2.12-1_all.deb
 815b15169ea37cb4ed11722e093dd61c 574558 libs optional libgimp2.0_2.2.12-1_amd64.deb
 8f63afa6269c495c1408bf36f61fec79 63566 graphics optional gimp-helpbrowser_2.2.12-1_amd64.deb
 7effdb284ce44011b3bccddec11255a2 144322 graphics optional gimp-python_2.2.12-1_amd64.deb
 b582f7058bf523b94645f8f794881959 63838 graphics optional gimp-svg_2.2.12-1_amd64.deb
 206aa40c0eef845e658d79f9c542cfb8 3235344 graphics optional gimp_2.2.12-1_amd64.deb
 10cf85e3d095dc8fe4a2f9e37ac75f76 118980 libdevel optional libgimp2.0-dev_2.2.12-1_amd64.deb
 1925045f0a7b03608d87a1298da66a97 8393180 graphics extra gimp-dbg_2.2.12-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3 (GNU/Linux)

iD8DBQFEtAzZwO+u47cOQDsRAxXcAKCVO9oHYXOT9I8ivbLKLSHJLZT28gCfWCGt
UePwKA6Mdp7qn8im6XDaZqY=
=yxaT
-----END PGP SIGNATURE-----




Tags added: fixed-in-experimental Request was from Ari Pollak <ari@debian.org> to control@bugs.debian.org. (full text, mbox, link).


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 25 Jun 2007 13:25:09 GMT) (full text, mbox, link).


Bug unarchived. Request was from Lucas Nussbaum <lucas@lucas-nussbaum.net> to control@bugs.debian.org. (Sat, 09 Aug 2008 17:48:16 GMT) (full text, mbox, link).


Reply sent to Moritz Muehlenhoff <jmm@inutil.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Henning Makholm <henning@makholm.net>:
Bug acknowledged by developer. (full text, mbox, link).


Message #41 received at 377049-done@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 377049-done@bugs.debian.org
Subject: Closing old security bug with versioning
Date: Mon, 11 Aug 2008 19:28:18 +0200
Version: 2.2.12-1




Reply sent to Thijs Kinkhorst <thijs@debian.org>:
You have taken responsibility. (full text, mbox, link).


Notification sent to Henning Makholm <henning@makholm.net>:
Bug acknowledged by developer. (full text, mbox, link).


Message #46 received at 377049-done@bugs.debian.org (full text, mbox, reply):

From: Thijs Kinkhorst <thijs@debian.org>
To: 377049-done@bugs.debian.org
Subject: Also fixed in 2.3 branch
Date: Wed, 13 Aug 2008 11:45:59 +0200
[Message part 1 (text/plain, inline)]
Version: 2.3.10-1

This has also been fixed in the 2.3 branch that came in via experimental.
[Message part 2 (application/pgp-signature, inline)]

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 11 Sep 2008 07:29:21 GMT) (full text, mbox, link).




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:25:06 2019; Machine Name: buxtehude
