Bug 182047

Summary: media-gfx/gimp PSD Integer Overflow Vulnerability (CVE-{2007-2949|2006-4519})
Product: Gentoo Security
Reporter: Sune Kloppenborg Jeppesen (RETIRED) <jaervosz>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: hanno, lars, mjf
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa] jaervosz
Package list:
Runtime testing required: ---

Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-14 17:37:31 UTC
There is an integer overflow in Gimp when loading PSD files.

Affected product: Gimp
Affected version: 2.2.15. Other versions may also be affected
CVE: CVE-2007-2949
SAID: 25677 (http://secunia.com/advisories/25677/)
Credit: Stefan Cornelius, Secunia Research
Disclosure date: Preliminary date set to Wed 27th June, 2007.



-- Background --

"GIMP is the GNU Image Manipulation Program. It is a freely distributed 
piece of software for such tasks as photo retouching, image composition
and image authoring. It works on many operating systems."

PSD is an image file format originally used by Adobe Photoshop.
File format specifications can be found here: 
http://www.fileformat.info/format/psd/spec/index.htm



-- Analysis -- 

The vulnerability is caused by an integer overflow within the
function "seek_to_and_unpack_pixeldata()" in plug-ins/common/psd.c.
The file format documentation used during research states that valid
width and height values are between 1 and 30000. However, Gimp doesn't 
check that and uses the values in an insecure arithmetic function to
determine the amount of memory to allocate, which may be exploited to
cause a heap-based buffer overflow.

seek_to_and_unpack_pixeldata(FILE* fd, gint layeri, gint channeli) 
{
  int width, height; [1]
  guchar *tmpline;
  gint compression;
  guint32 offset = 0;
  PSDchannel *channel = &psd_image.layer[layeri].channel[channeli];

  fsetpos(fd, &channel->fpos); 

  compression = getgshort(fd, "layer channel compression type");
  offset+=2;

  width = channel->width;     [2]
  height = channel->height;   [2]

  IFDBG
    {
      printf("\t\t\tLayer (%d) Channel (%d:%d) Compression: %d (%s)\n", 
         layeri,
         channeli,
         channel->type,
         compression,
         compression==0?"raw":(compression==1?"RLE":"*UNKNOWN!*"));

      fflush(stdout); 
    }

  channel->data = g_malloc (width * height);   [3]

  tmpline = g_malloc(width + 1);

  switch (compression)
    {
    case 0: /* raw data */
      {
    gint linei;

    for (linei = 0; linei < height; linei++) 
      {
        xfread(fd, channel->data + linei * width, width,
           "raw channel line");     [4]
        offset += width;
      }

#if 0
    /* Pad raw data to multiple of 2? */ 
    if ((height * width) & 1)
      {
        getguchar(fd, "raw channel padding");
        offset++;
      }
#endif
      }
      break;
    case 1: /* RLE, one row at a time, padded to an even width */ 
      {

----

[1] define variables width and height 
[2] assign unchecked values to the variables
[3] multiply width and height, use result to allocate memory.
     If width and height are certain large values, this will
     overflow and an insufficient amount of memory is allocated. 
[4] Load data from file and copy it into the buffer. (In this case
     for the uncompressed format - RLE encoded files may also be
     affected).



-- Exploitation --

The vulnerability can be exploited to cause a heap-based buffer overflow
by e.g. tricking a user into opening a specially crafted PSD file with
certain width and height information. 

Successful exploitation may allow execution of arbitrary code.


Credits should be given to:
Stefan Cornelius, Secunia Research.
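The following is an added worked example, not code from the advisory or from the GIMP source tree. It models the arithmetic at [3] and [4] above: the unchecked `width * height` product handed to `g_malloc()`, the number of bytes the raw-data loop then writes, and a hardened replacement that enforces the documented 1..30000 range and multiplies with an explicit overflow check. Signed `int` overflow is undefined behaviour in C, so the model uses `uint32_t` (defined wrap-around) to show the value a 32-bit build actually allocates; the `PSD_MAX_DIM` constant and all function names are assumptions, and the dimension pairs in `main()` are constructed, not taken from any real PSD file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Documented PSD limit: valid width and height are 1..30000 (assumed from
 * the spec cited in the advisory; the original plug-in never enforced it). */
#define PSD_MAX_DIM 30000u

/* Model of the unchecked product in seek_to_and_unpack_pixeldata().
 * The original multiplies two ints; signed overflow is undefined behaviour
 * in C, so this model uses uint32_t, whose wrap-around is defined, to show
 * the value a 32-bit build passes to g_malloc(). */
uint32_t vuln_alloc_size(uint32_t width, uint32_t height)
{
    return width * height;              /* wraps modulo 2^32 */
}

/* Bytes the raw-data loop writes into channel->data: height lines of
 * width bytes each (the xfread() calls at [4]), computed without truncation. */
uint64_t raw_bytes_written(uint32_t width, uint32_t height)
{
    return (uint64_t)width * (uint64_t)height;
}

/* Bytes the loop would write past the end of the buffer g_malloc() returned
 * for vuln_alloc_size(); 0 means the allocation was large enough. */
uint64_t heap_overrun_bytes(uint32_t width, uint32_t height)
{
    uint64_t written = raw_bytes_written(width, height);
    uint64_t alloc   = vuln_alloc_size(width, height);
    return written > alloc ? written - alloc : 0;
}

/* Hardened replacement: reject dimensions outside the documented range and
 * multiply with an explicit overflow check. Returns 0 and stores the byte
 * count on success, -1 if the channel must be rejected. */
int safe_alloc_size(uint32_t width, uint32_t height, size_t *out)
{
    if (width == 0 || width > PSD_MAX_DIM || height == 0 || height > PSD_MAX_DIM)
        return -1;
    /* With the 30000 cap this cannot trip on any real platform; it stays so
     * that raising the cap later cannot silently reintroduce the bug. */
    if ((size_t)width > SIZE_MAX / (size_t)height)
        return -1;
    *out = (size_t)width * (size_t)height;
    return 0;
}

/* Convenience wrapper: the accepted size, or 0 when safe_alloc_size() rejects. */
size_t safe_size_or_zero(uint32_t width, uint32_t height)
{
    size_t n;
    return safe_alloc_size(width, height, &n) == 0 ? n : 0;
}

int main(void)
{
    /* Constructed header values, not taken from any real PSD file. */
    struct { uint32_t w, h; } cases[] = {
        { 640u,   480u   },      /* ordinary image */
        { 30000u, 30000u },      /* largest size the spec allows */
        { 65536u, 65536u },      /* product wraps to exactly 0 */
        { 65536u, 65537u },      /* product wraps to 65536 */
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t w = cases[i].w, h = cases[i].h;
        printf("%5u x %5u: g_malloc(%10u)  loop writes %11llu  overrun %11llu  %s\n",
               w, h, vuln_alloc_size(w, h),
               (unsigned long long)raw_bytes_written(w, h),
               (unsigned long long)heap_overrun_bytes(w, h),
               safe_size_or_zero(w, h) ? "accepted" : "rejected");
    }
    return 0;
}
```

The 65536 x 65537 case is the interesting one: the wrapped product is 65536, so `g_malloc()` returns a 64 KiB buffer while the loop copies a little over 4 GiB of file data into it, with every line after the first landing on the heap beyond the allocation. The hardened check rejects both the wrapping pairs and anything outside 1..30000 before any allocation happens.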
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-06-14 17:41:15 UTC
Friendly reminder: waiting for upstream and please don't commit anything before the 27th.
Comment 2 Hanno Böck gentoo-dev 2007-07-02 13:18:40 UTC
Has this been delayed? Didn't see a public advisory anywhere.
Comment 3 Matt Drew (RETIRED) gentoo-dev 2007-07-03 21:11:31 UTC
It's public now.

http://secunia.com/advisories/25677/
Comment 4 Hanno Böck gentoo-dev 2007-07-08 00:27:27 UTC
*** Bug 184141 has been marked as a duplicate of this bug. ***
Comment 5 Hanno Böck gentoo-dev 2007-07-08 00:50:21 UTC
gimp 2.2.16 added, archs, please mark stable.

security, please make this bug public.

A problem is with 2.3.x. Upstream hasn't released an update and it seems that it's more than just one integer overflow (and they aren't documented properly). I think we can just wait for a new 2.3.x-release.
Comment 6 Markus Rothe (RETIRED) gentoo-dev 2007-07-10 06:16:43 UTC
ppc64 stable
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2007-07-10 07:13:23 UTC
Stable for HPPA.
Comment 8 Christian Faulhammer (RETIRED) gentoo-dev 2007-07-10 08:55:05 UTC
x86 stable
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2007-07-10 14:21:30 UTC
alpha/ia64 stable
Comment 10 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-10 14:42:01 UTC
sparc stable.
Comment 11 Christoph Mende (RETIRED) gentoo-dev 2007-07-11 12:03:27 UTC
amd64 stable
Comment 12 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-11 17:23:16 UTC
ppc stable, ready for GLSA.
Comment 13 Hanno Böck gentoo-dev 2007-07-13 02:07:57 UTC
*** Bug 184782 has been marked as a duplicate of this bug. ***
Comment 14 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-07-25 21:21:26 UTC
GLSA 200707-09
Comment 15 Joshua Kinard gentoo-dev 2007-07-31 06:11:06 UTC
mips stable.