Bug 139524

Summary:	media-gfx/gimp Buffer overrun in XCF parsing code (CVE-2006-3404)
Product:	Gentoo Security	Reporter:	Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	normal	CC:	allanonjl, fauli, henrik, tcort
Priority:	High
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	http://bugzilla.gnome.org/show_bug.cgi?id=346742
Whiteboard:	B2 [glsa] Falco
Package list:		Runtime testing required:	---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-07-07 00:50:29 UTC

The problem is in the function xcf_load_vector() in app/xcf/xcf-load.c
of the source tree. For each "stroke" being read, the code reads an
uint32 from the XCF file into the variable num_axes, and then for each
control proint of the stroke reads num_axes floats from the file into
the stack-allocated array coords whose size is hard-coded as 6.

A malicious XCF file creater could write a large number into the
num_axes position and trick the XCF reader into overwriting part of
the stack with raw data read from the file. On little-endian systems,
the function xcf_read_float() that actually reads the floats does a
byte-order conversion on the data it reads but does not do any special
float processing, so an attacker has direct control of the data
written to the stack.

I have not attempted to construct an working exploit (though I did
verify being able to crash Gimp with a naively patched image file),
but there seems to be no reason why the overrun could not be used to
mount a standard arbitrary code execution attack if one can get the
victim to try to load an appropriately crafted image file.

The attack is in the VECTORS property of an XCF file which pure XCF
_viewers_ (e.g. imagemagick or xcftools) normally skip without
parsing.  Thus an attack file can easily be written such that the
image will display correctly with no symptoms at all in a viewer
application.

The same bug appears in the current CVS head.

Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2006-07-07 01:12:58 UTC

We seem to be vulnerable.

patch is here : http://bugzilla.gnome.org/attachment.cgi?id=68457&action=view

and it will be included it 2.2.12 "soon".

Brix or Allanonjl, please patch or advise if you prefer to wait for the next release, thanks

Comment 2 John N. Laliberte (RETIRED) gentoo-dev

2006-07-07 07:34:53 UTC

new ebuild ( gimp-2.2.12 ) in portage now.

note that this now depends on the external package gimp-help and will have to be stabilized along with gimp.

alpha / ia64 / mips were dropped on this version, see bug #137192.

Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2006-07-07 10:50:21 UTC

(In reply to comment #2)
> new ebuild ( gimp-2.2.12 ) in portage now.
> 

thanks

> note that this now depends on the external package gimp-help and will have to
> be stabilized along with gimp.
> 
> alpha / ia64 / mips were dropped on this version, see bug #137192.

mmm... that's not really good... ia64 and mips will stay with their vulnerable version.
Alpha has no stable version is the 2.x branch, so i guess (i hope) it is not affected. But, same, ~alpha will stay vulnerable, which is not very good.

Well, for the moment, let's start the stabilization dance \o_

Heya amd64, hppa, ppc, ppc64, sparc and x86, there is a new gimp ebuild fixing a buffer overflow !
Please test gimp-2.2.12 and mark stable if possible. Note that gimp-help-0.10 has to be stabilized too, as a dependency of gimp-2.2.12 .

Comment 4 Markus Rothe (RETIRED) gentoo-dev

2006-07-07 11:32:42 UTC

stable on ppc64

Comment 5 Christian Faulhammer (RETIRED) gentoo-dev

2006-07-07 13:07:42 UTC

both emerge fine, pass collision test, gimp passes whole testsuit without problems.
Only help for selected LINGUAS is created.  I am happy so far, functionality will be tested tomorrow...Good night.

Portage 2.1-r1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.16-gentoo-r9 i686)
=================================================================
System uname: 2.6.16-gentoo-r9 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.6.15
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O0"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-O0"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="x86 3dnow 3dnowext X Xaw3d a52 alsa apache2 arts artworkextra asf audiofile avi bash-completion berkdb bidi bitmap-fonts bootsplash bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds emacs emboss encode esd evo exif expat fam fat fbcon fdftk ffmpeg firefox foomaticdb fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal howl icq idn imagemagick imap imlib ipv6 isdnlog java javascript jikes jpeg jpeg2k kde ldap leim libg++ libwww lm_sensors mad maildir matroska mbox mikmod mime mmx mmxext mng mono motif mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nowebdav nptl nptlonly nsplugin nvidia ogg opengl pam pcre pdf pdflib perl plotutils pmu png ppds pppd preview-latex print python qt qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb vcd videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_de userland_GNU video_cards_radeon video_cards_vesa video_cards_fbdev"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 6 Luca Barbato gentoo-dev

2006-07-07 15:48:10 UTC

Stable ppc

Comment 7 Thomas Cort (RETIRED) gentoo-dev

2006-07-07 19:08:06 UTC

(In reply to comment #3)
> (In reply to comment #2)
> > alpha / ia64 / mips were dropped on this version, see bug #137192.
> Alpha has no stable version is the 2.x branch, so i guess (i hope) it is not
> affected. But, same, ~alpha will stay vulnerable, which is not very good.

gimp-2.3.9 just got ~alpha. If you need it marked stable on alpha, please add us to this bug.

Comment 8 Thomas Cort (RETIRED) gentoo-dev

2006-07-07 19:33:34 UTC

amd64 stable.

Comment 9 Christian Faulhammer (RETIRED) gentoo-dev

2006-07-08 02:06:36 UTC

Basic functions work, loaded some different graphic formats, edited them a bit, scripted a little...works.  Thumbs up from me...

Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev

2006-07-08 05:47:50 UTC

> gimp-2.3.9 just got ~alpha. If you need it marked stable on alpha, please add
> us to this bug.
> 

mmm no, it's useless, 2.3.9 is vulnerable too.

since most arches are ~keyworded to 2.3.9, i think it should be a good idea to bump a 2.3.9-r1 with the patch. John, your opinion ?

Comment 11 Thomas Cort (RETIRED) gentoo-dev

2006-07-08 08:34:55 UTC

(In reply to comment #10)
> > gimp-2.3.9 just got ~alpha.
> mmm no, it's useless, 2.3.9 is vulnerable too.

Sorry, I assumed gimp made releases in version number order. I tested and keyworded gimp-2.2.12 ~alpha so ~alpha users have a non-vulnerable version keyworded.

Comment 12 Paul Varner (RETIRED) gentoo-dev

2006-07-08 21:32:48 UTC

Stable on x86. Christian, thanks for the testing.

Comment 13 René Nussbaumer (RETIRED) gentoo-dev

2006-07-09 01:53:31 UTC

stable on hppa

Comment 14 Jason Wever (RETIRED) gentoo-dev

2006-07-11 05:44:14 UTC

SPARC me amadeus

Comment 15 Jonathan Coome (RETIRED) gentoo-dev

2006-07-24 02:34:32 UTC

I think GLSA 200607-08, which references this bug report, is using the wrong version number - 1.2.12, instead of 2.2.12. It was noticed in the forums by tuam [1].

[1] http://forums.gentoo.org/viewtopic-t-483119.html

Comment 16 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-07-24 03:08:18 UTC

I'll be fixing that in CVS shortly when I return home from work. Thx for note.

Comment 17 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-07-24 06:00:24 UTC

Update committed to CVS awaiting resolution of gentoo-announce problems for GLSA resend.

Comment 18 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev

2006-07-24 12:21:45 UTC

GLSA 200607-08 along with ERRATA.

Comment 19 Peter Volkov (RETIRED) gentoo-dev

2008-03-06 09:37:28 UTC

Does not affect current (2008.0) release. Removing release.