
Bug 184782

Summary: media-gfx/gimp multiple integer overflow vulnerabilities
Product: Gentoo Security
Reporter: Matt Fleming (RETIRED) <mjf>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED DUPLICATE    
Severity: major    
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=551
Whiteboard:
Package list:
Runtime testing required: ---

Description Matt Fleming (RETIRED) gentoo-dev 2007-07-09 21:47:40 UTC
Credit: Sean Larsson (iDefense Labs)
CVE: 2006-4519

-- Description --
Remote exploitation of multiple integer overflow vulnerabilities in
several of the image loader plug-ins included with distributions of
'The GIMP' allow attackers to crash The GIMP or potentially execute
arbitrary code with the privileges of the user.

The following lines show the location of some vulnerabilities within the
code responsible for loading the DICOM, PNM, PSD, PSP, Sun RAS, XBM, and
XWD file formats. Each of the files is located within the
plug-ins/common directory of the source code.

  dicom.c:391:      value = g_new0 (guint8, element_length + 4);
  pnm.c:566:  data = g_new (guchar, gimp_tile_height () * info->xres * np);
  pnm.c:628:  data = g_new (guchar, gimp_tile_height () * info->xres * info->np);
  pnm.c:681:  data = g_new (guchar, gimp_tile_height () * info->xres);
  psd.c:2969:    PSDheader.rowlength = g_malloc (PSDheader.rows *
  psp.c:1225:      pixel = g_malloc0 (height * width * bytespp);
  sunras.c:955:  data = g_malloc (tile_height * width);
  sunras.c:1076:  data = g_malloc (tile_height * width);
  sunras.c:1146:  data = g_malloc (tile_height * width * 3);
  sunras.c:1231:  data = g_malloc (tile_height * width * 3);
  xbm.c:879:  data = (guchar *) g_malloc (width * tileheight);
  xwd.c:1193:  data = g_malloc (tile_height * width);
  xwd.c:1195:  scanline = g_new (guchar, xwdhdr->l_bytes_per_line + 8);
  xwd.c:1352:  data = g_malloc (tile_height * width);
  xwd.c:1441:  data = g_malloc (tile_height * width * 3);
  xwd.c:1601:  data = g_malloc (tile_height * width * 3);
  xwd.c:1812:  data = g_malloc (tile_height * width * bytes_per_pixel);

In each case, an integer value from an untrusted input source has
arithmetic operations performed upon it to calculate the length to
allocate. Since no integer overflow checking is performed, a
potentially exploitable heap overflow may result.

This is not a complete list of integer overflow vulnerabilities in the
code.

-- Analysis --
Exploitation allows attackers to execute arbitrary code in the context
of the user opening a malicious image file.

In order to be successful, the attacker must convince the victim to
open a maliciously crafted image with The GIMP.

Reproducible: Always




GIMP maintainers have released version 2.2.16 to address these
vulnerabilities. For more information, consult the following URL.

http://developer.gimp.org/NEWS-2.2
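
The unchecked size computation listed in the report, modeled next to an overflow-checked allocation. This is an added example, not part of the original report and not GIMP's code; it models the plug-ins' integers as `uint32_t`, and the names `unchecked_size32`, `checked_mul`, `alloc_tile` and the `MAX_TILE_BYTES` cap are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed sanity cap on one tile buffer (hypothetical value, not GIMP's). */
#define MAX_TILE_BYTES ((size_t) 1 << 30)

/* Models the unchecked pattern with 32-bit arithmetic: the product wraps. */
uint32_t unchecked_size32(uint32_t tile_height, uint32_t width, uint32_t bpp)
{
    return tile_height * width * bpp;
}

/* Multiply two sizes; return false instead of wrapping. */
bool checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    *out = a * b;
    return true;
}

/* Hardened allocation: every factor comes from the file header (untrusted). */
void *alloc_tile(uint32_t tile_height, uint32_t width, uint32_t bpp, size_t *len)
{
    size_t n;
    if (tile_height == 0 || width == 0 || bpp == 0)
        return NULL;
    if (!checked_mul(tile_height, width, &n) || !checked_mul(n, bpp, &n))
        return NULL;
    if (n > MAX_TILE_BYTES)
        return NULL;
    *len = n;
    return malloc(n);
}

int main(void)
{
    /* Constructed header values: 64 * 0x01555556 * 3 = 2^32 + 128. */
    uint32_t th = 64, w = 0x01555556u, bpp = 3;
    size_t len = 0;
    printf("unchecked 32-bit size: %u bytes\n", (unsigned) unchecked_size32(th, w, bpp));
    void *p = alloc_tile(th, w, bpp, &len);
    printf("checked allocation: %s\n", p ? "ok" : "rejected");
    free(p);
    return 0;
}
```

With the constructed values the unchecked product wraps to 128 bytes while the loader would still expect room for the full image rows, which is the undersized-buffer condition the report describes; the checked path refuses the allocation instead.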
Comment 1 Hanno Böck gentoo-dev 2007-07-13 02:07:57 UTC

*** This bug has been marked as a duplicate of bug 182047 ***