gimp: CVE-2009-3909: heap overflow due to integer overflow when parsing psd files

Related Vulnerabilities: CVE-2009-3909, CVE-2009-1570

Debian Bug report logs - #556750


Reported by: Raphael Geissert <geissert@debian.org>

Date: Tue, 17 Nov 2009 18:33:02 UTC

Severity: grave

Tags: patch, security

Found in version gimp/2.6.7-1

Fixed in version gimp/2.6.7-1.1

Done: Nico Golde <nion@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#556750; Package gimp. (Tue, 17 Nov 2009 18:33:05 GMT)


Message #3 received at submit@bugs.debian.org:

From: Raphael Geissert <geissert@debian.org>
To: submit@bugs.debian.org
Subject: gimp: CVE-2009-3909: heap overflow due to integer overflow when parsing psd files
Date: Tue, 17 Nov 2009 12:26:32 -0600
Package: gimp
Severity: grave
Version: 2.6.7-1
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gimp.

CVE-2009-3909[0]:
| Secunia Research has discovered a vulnerability in Gimp, which can be
| exploited by malicious people to potentially compromise a user's
| system.
|
| The vulnerability is caused by an integer overflow error within the
| "read_channel_data()" function in plug-ins/file-psd/psd-load.c. This
| can be exploited to cause a heap-based buffer overflow by e.g.
| tricking a user into opening a specially crafted PSD file.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Don't forget to also help prepare stable and oldstable uploads to address this 
issue.

Patches:
http://git.gnome.org/cgit/gimp/commit/?id=9cc8d78ff33b7a36852b74e64b427489cad44d0e
http://git.gnome.org/cgit/gimp/commit/?id=0e440cb6d4d6ee029667363d244aff61b154c33c

For further information see:

[0] http://secunia.com/secunia_research/2009-43/
    http://security-tracker.debian.org/tracker/CVE-2009-3909

Cheers,
-- 
Raphael Geissert - Debian Developer
www.debian.org - get.debian.net
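
The bug class named in the advisory above (a size computed from file-supplied dimensions wraps around, so the heap buffer is smaller than the data later copied into it) and the check that prevents it, as an added example. This is not GIMP's code or the upstream patch; the struct, function names and the size limit are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical channel header; every field comes from the file. */
typedef struct {
    uint32_t rows;
    uint32_t columns;
    uint16_t bps;               /* bits per sample: 1, 8 or 16 */
} channel_hdr;

/* Unchecked pattern: 32-bit products wrap silently, so the value handed
 * to the allocator can be far smaller than the data the loader copies. */
static uint32_t unchecked_size(const channel_hdr *c)
{
    uint32_t row_bytes = (c->columns * c->bps + 7) / 8;
    return row_bytes * c->rows;
}

/* Checked pattern: reject the header unless the true size fits in limit. */
static bool checked_size(const channel_hdr *c, size_t limit, size_t *out)
{
    if (c->rows == 0 || c->columns == 0)
        return false;
    if (c->bps != 1 && c->bps != 8 && c->bps != 16)
        return false;
    /* 64-bit intermediate: columns * bps is below 2^36, cannot wrap. */
    uint64_t row_bytes = ((uint64_t)c->columns * c->bps + 7) / 8;
    if (row_bytes > limit / c->rows)    /* row_bytes * rows > limit */
        return false;
    *out = (size_t)(row_bytes * c->rows);
    return true;
}

int main(void)
{
    /* Constructed header: the real size is 2^32 + 65536 bytes. */
    channel_hdr h = { 0x10001u, 0x10000u, 8 };
    size_t n = 0;
    printf("unchecked: %u bytes\n", (unsigned)unchecked_size(&h));
    printf("checked:   %s\n",
           checked_size(&h, (size_t)1 << 30, &n) ? "accepted" : "rejected");
    return 0;
}
```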




Information forwarded to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#556750; Package gimp. (Sat, 21 Nov 2009 14:33:15 GMT)


Acknowledgement sent to Nico Golde <nion@debian.org>:
Extra info received and forwarded to list. Copy sent to Ari Pollak <ari@debian.org>. (Sat, 21 Nov 2009 14:33:15 GMT)


Message #8 received at 556750@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 556750@bugs.debian.org, 555929@bugs.debian.org
Subject: intent to NMU
Date: Sat, 21 Nov 2009 15:23:21 +0100
Hi,
I intend to upload a 0day NMU to fix these two security issues.
The patch is available at 
http://people.debian.org/~nion/nmu-diff/gimp-2.6.7-1_2.6.7-1.1.patch

Kind regards
Nico

-- 
Nico Golde - http://www.ngolde.de - nion@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.

Reply sent to Nico Golde <nion@debian.org>:
You have taken responsibility. (Sat, 21 Nov 2009 17:06:11 GMT)


Notification sent to Raphael Geissert <geissert@debian.org>:
Bug acknowledged by developer. (Sat, 21 Nov 2009 17:06:11 GMT)


Message #13 received at 556750-close@bugs.debian.org:

From: Nico Golde <nion@debian.org>
To: 556750-close@bugs.debian.org
Subject: Bug#556750: fixed in gimp 2.6.7-1.1
Date: Sat, 21 Nov 2009 17:04:50 +0000
Source: gimp
Source-Version: 2.6.7-1.1

We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive:

gimp-data_2.6.7-1.1_all.deb
  to main/g/gimp/gimp-data_2.6.7-1.1_all.deb
gimp-dbg_2.6.7-1.1_amd64.deb
  to main/g/gimp/gimp-dbg_2.6.7-1.1_amd64.deb
gimp_2.6.7-1.1.diff.gz
  to main/g/gimp/gimp_2.6.7-1.1.diff.gz
gimp_2.6.7-1.1.dsc
  to main/g/gimp/gimp_2.6.7-1.1.dsc
gimp_2.6.7-1.1_amd64.deb
  to main/g/gimp/gimp_2.6.7-1.1_amd64.deb
libgimp2.0-dev_2.6.7-1.1_amd64.deb
  to main/g/gimp/libgimp2.0-dev_2.6.7-1.1_amd64.deb
libgimp2.0-doc_2.6.7-1.1_all.deb
  to main/g/gimp/libgimp2.0-doc_2.6.7-1.1_all.deb
libgimp2.0_2.6.7-1.1_amd64.deb
  to main/g/gimp/libgimp2.0_2.6.7-1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 556750@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated gimp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 21 Nov 2009 14:57:51 +0100
Source: gimp
Binary: libgimp2.0 gimp gimp-data libgimp2.0-dev libgimp2.0-doc gimp-dbg
Architecture: source all amd64
Version: 2.6.7-1.1
Distribution: unstable
Urgency: high
Maintainer: Ari Pollak <ari@debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 gimp       - The GNU Image Manipulation Program
 gimp-data  - Data files for GIMP
 gimp-dbg   - Debugging symbols for GIMP
 libgimp2.0 - Libraries for the GNU Image Manipulation Program
 libgimp2.0-dev - Headers and other files for compiling plugins for GIMP
 libgimp2.0-doc - Developers' Documentation for the GIMP library
Closes: 553234 555929 556750
Changes: 
 gimp (2.6.7-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update fixes the following security issues:
     - CVE-2009-3909: integer overflow in PSD file loader leading to
       a heap-based buffer overflow (Closes: #556750).
     - CVE-2009-1570: integer overflow in BMP file loader leading to
       a heap-based buffer overflow (Closes: #555929).
   * Add ${shlibs: Depends} to depends of libgimp-dev (Closes: #553234).

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iEYEARECAAYFAksIGKQACgkQHYflSXNkfP/vlgCgmjlof7ifhjQ0EWR4Q85jz81Q
vgAAoK7mIt2hal/2gTaJ2h/CnzHNNJjY
=3jGU
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 05 Jan 2010 07:35:38 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:37:04 2019; Machine Name: buxtehude
