182047 2007-06-14 17:37 0000 media-gfx/gimp PSD Integer Overflow Vulnerability (CVE-{2007-2949|2006-4519}) 2007-07-31 06:11:06 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED B2 [glsa] jaervosz P2 normal --- 1 jaervosz@gentoo.org security@gentoo.org hanno@gentoo.org lars@chaotika.org mjf@gentoo.org jaervosz@gentoo.org 2007-06-14 17:37:31 0000 there is a is an integer overflow in Gimp when loading PSD files. Affected product: Gimp Affected version: 2.2.15. Other versions may also be affected CVE: CVE-2007-2949 SAID: 25677 (http://secunia.com/advisories/25677/) Credit: Stefan Cornelius, Secunia Research Disclosure date: Preliminary date set to Wed 27th June, 2007. -- Background -- "GIMP is the GNU Image Manipulation Program. It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems." PSD is an image file format originally used by Adobe Photoshop. File format specifications can be found here: http://www.fileformat.info/format/psd/spec/index.htm -- Analysis -- The vulnerability is caused due to an integer overflow within the function "seek_to_and_unpack_pixeldata()" in plug-ins/common/psd.c. The file format documentation used during research states that valid width and height values are between 1 and 30000. However, Gimp doesn't check that and uses the values in an insecure arithmetic function to determine the amount of memory to allocate, which may be exploited to cause a heap-based buffer overflow. seek_to_and_unpack_pixeldata(FILE* fd, gint layeri, gint channeli) { int width, height; [1] guchar *tmpline; gint compression; guint32 offset = 0; PSDchannel *channel = &psd_image.layer[layeri].channel[channeli]; fsetpos(fd, &channel->fpos); compression = getgshort(fd, "layer channel compression type"); offset+=2; width = channel->width; [2] height = channel->height; [2] IFDBG { printf("\t\t\tLayer (%d) Channel (%d:%d) Compression: %d (%s)\n", layeri, channeli, channel->type, compression, compression==0?"raw":(compression==1?"RLE":"*UNKNOWN!*")); fflush(stdout); } channel->data = g_malloc (width * height); [3] tmpline = g_malloc(width + 1); switch (compression) { case 0: /* raw data */ { gint linei; for (linei = 0; linei < height; linei++) { xfread(fd, channel->data + linei * width, width, "raw channel line"); [4] offset += width; } #if 0 /* Pad raw data to multiple of 2? */ if ((height * width) & 1) { getguchar(fd, "raw channel padding"); offset++; } #endif } break; case 1: /* RLE, one row at a time, padded to an even width */ { ---- [1] define variables width and height [2] assign unchecked values to the variables [3] multiply width and height, use result to allocate memory. If width and height are certain large values, this will overflow and an insufficient amount of memory is allocated. [4] Load data from file and copy it into the buffer. (In this case for the uncompressed format - RLE encoded files may also be affected). -- Exploitation -- The vulnerability can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into opening a specially crafted PSD file with certain width and height information. Successful exploitation may allow execution of arbitrary code. Credits should be given to: Stefan Cornelius, Secunia Research. jaervosz@gentoo.org 2007-06-14 17:41:15 0000 Friendly reminder: waiting for upstream and please don't commit anything before the 27th. hanno@gentoo.org 2007-07-02 13:18:40 0000 has this been delayed? didn't see a public advisory anywhere. aetius@gentoo.org 2007-07-03 21:11:31 0000 It's public now. http://secunia.com/advisories/25677/ hanno@gentoo.org 2007-07-08 00:27:27 0000 *** Bug 184141 has been marked as a duplicate of this bug. *** hanno@gentoo.org 2007-07-08 00:50:21 0000 gimp 2.2.16 added, archs, please mark stable. security, please make this bug public. A problem is with 2.3.x. Upstream hasn't released an update and it seems that it's more than just one integer overflow (and they aren't documented properly). I think we can just wait for a new 2.3.x-release. corsair@gentoo.org 2007-07-10 06:16:43 0000 ppc64 stable jer@gentoo.org 2007-07-10 07:13:23 0000 Stable for HPPA. fauli@gentoo.org 2007-07-10 08:55:05 0000 x86 stable armin76@gentoo.org 2007-07-10 14:21:30 0000 alpha/ia64 stable gustavoz@gentoo.org 2007-07-10 14:42:01 0000 sparc stable. angelos@gentoo.org 2007-07-11 12:03:27 0000 amd64 stable dertobi123@gentoo.org 2007-07-11 17:23:16 0000 ppc stable, ready for GLSA. hanno@gentoo.org 2007-07-13 02:07:57 0000 *** Bug 184782 has been marked as a duplicate of this bug. *** falco@gentoo.org 2007-07-25 21:21:26 0000 GLSA 200707-09 kumba@gentoo.org 2007-07-31 06:11:06 0000 mips stable.