
Bug 442016 (CVE-2012-4433)

Summary: <media-libs/gegl-0.2.0-r2: PPM Image Processing Integer Overflow Vulnerability (CVE-2012-4433)
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: pacho, sping
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
URL: http://www.openwall.com/lists/oss-security/2012/11/06/1
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---
Bug Depends on: 481736
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2012-11-06 10:41:00 UTC
From https://secunia.com/advisories/51114/ :

Description
A vulnerability has been reported in GEGL, which can be exploited by malicious people to compromise an application using the library.

The vulnerability is caused by an integer overflow in the PPM image handler (operations/external/ppm-load.c) and can be exploited to cause a heap-based buffer overflow via specially crafted image dimensions.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in version 0.2.0. Other versions may also be affected.


Solution
Fixed in the source code repository.

Provided and/or discovered by
Murray McAllister, Red Hat Security Response Team

Original Advisory
Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=856300
Comment 1 Sebastian Pipping gentoo-dev 2012-11-06 19:40:03 UTC
+*gegl-0.2.0-r1 (06 Nov 2012)
+
+  06 Nov 2012; Sebastian Pipping <sping@gentoo.org> +gegl-0.2.0-r1.ebuild,
+  +files/gegl-0.2.0-cve-2012-4433-1e92e523.patch,
+  +files/gegl-0.2.0-cve-2012-4433-4757cdf7.patch:
+  Integrate Redhat patches for CVE-2012-4433 (bug #442016)
+
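Review bot: The entry names the two patch files only by upstream short hash (1e92e523, 4757cdf7) and says "Integrate Redhat patches"; a line per patch stating what each changes in operations/external/ppm-load.c, or the upstream commit reference for each, would let a reader confirm that both the width and the height overflow are covered without opening the patch files.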


0.1.6 and 0.1.8 unchecked.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-10 18:32:53 UTC
Thanks, Sebastian. 0.1.6 and 0.1.8 appear to also be affected. Is =media-libs/gegl-0.2.0-r1 ready for stabilization?
Comment 3 Sebastian Pipping gentoo-dev 2012-11-17 15:48:31 UTC
(In reply to comment #2)
> Thanks, Sebastian. 0.1.6 and 0.1.8 appear to also be affected. Is
> =media-libs/gegl-0.2.0-r1 ready for stabilization?

One of the two patches needed minimal "porting"...


+*gegl-0.1.8-r1 (17 Nov 2012)
+*gegl-0.1.6-r1 (17 Nov 2012)
+
+  17 Nov 2012; Sebastian Pipping <sping@gentoo.org> +gegl-0.1.6-r1.ebuild,
+  +gegl-0.1.8-r1.ebuild, +files/gegl-0.1.8-cve-2012-4433-4757cdf7.patch:
+  Patch 0.1.6 and 0.1.8 for CVE-2012-4433, too (bug #442016)
+
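Review bot: Only one new patch file is added here (files/gegl-0.1.8-cve-2012-4433-4757cdf7.patch) while gegl-0.2.0-r1 carried two; the entry should state that gegl-0.1.6-r1.ebuild and gegl-0.1.8-r1.ebuild reuse files/gegl-0.2.0-cve-2012-4433-1e92e523.patch unchanged, otherwise a reader cannot tell from the ChangeLog whether the second upstream fix landed in the 0.1.x revisions at all.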
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-11-20 00:28:51 UTC
CVE-2012-4433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4433):
  Multiple integer overflows in operations/external/ppm-load.c in GEGL
  (Generic Graphics Library) 0.2.0 allow remote attackers to cause a denial of
  service (application crash) or possibly execute arbitrary code via a large
  (1) width or (2) height value in a Portable Pixel Map (ppm) image, which
  triggers a heap-based buffer overflow.
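The overflow that the Secunia description and the CVE summary above both refer to (width multiplied by height and by the bytes per pixel, wrapping before a heap allocation) is shown here as an added example in C. It is not GEGL's ppm-load.c and not part of this bug; it puts the unchecked size computation beside a checked one and adds a P6 header parser with the checks a loader needs before touching the heap. The 32-bit product in the vulnerable variant, the PPM_MAX_DIMENSION cap, the return codes and the three sample inputs are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not GEGL's ppm-load.c. It models the bug class behind
 * CVE-2012-4433: a P6 loader multiplies file-supplied width and height by
 * the bytes per pixel in a fixed-width integer and allocates that many bytes.
 * Crafted dimensions wrap the product, so the heap buffer is far smaller
 * than the raster later copied into it. */

#define PPM_MAX_DIMENSION 32768u   /* example policy cap, not a GEGL value */

typedef struct {
    uint32_t width, height, maxval;
    uint32_t bpp;   /* bytes per pixel: 3 for maxval <= 255, 6 for 16-bit samples */
} ppm_header;

/* Vulnerable pattern (assumed 32-bit arithmetic, not a quote of GEGL code):
 * 65536 x 65536 x 3 wraps to 0, so malloc(0) precedes a multi-gigabyte copy. */
uint32_t ppm_data_size_unchecked(const ppm_header *h)
{
    return h->width * h->height * h->bpp;
}

/* Hardened version: verify each product fits before computing it.
 * Returns 0 and sets *out, or -1 if the byte count is not representable. */
int ppm_data_size_checked(const ppm_header *h, size_t *out)
{
    if (h->width == 0 || h->height == 0 || h->bpp == 0)
        return -1;
    if ((size_t)h->width > SIZE_MAX / h->height)
        return -1;
    size_t pixels = (size_t)h->width * h->height;
    if (pixels > SIZE_MAX / h->bpp)
        return -1;
    *out = pixels * h->bpp;
    return 0;
}

/* Parse "P6 <width> <height> <maxval>" ('#' comments omitted for brevity).
 * Returns the header length including the single whitespace byte before the
 * raster, or -1 on malformed input or values outside uint32_t. */
int ppm_parse_header(const unsigned char *buf, size_t len, ppm_header *h)
{
    char tmp[64];
    size_t n = len < sizeof tmp - 1 ? len : sizeof tmp - 1;
    unsigned long w, hh, maxval;
    int consumed = 0;
    memcpy(tmp, buf, n);
    tmp[n] = '\0';
    /* %lu accepts a leading '-' and turns "-1" into ULONG_MAX: a negative
     * width in the file is caught only by the range check that follows. */
    if (sscanf(tmp, "P6 %lu %lu %lu%n", &w, &hh, &maxval, &consumed) != 3)
        return -1;
    if (w == 0 || hh == 0 || w > UINT32_MAX || hh > UINT32_MAX)
        return -1;
    if (maxval == 0 || maxval > 65535)
        return -1;
    h->width  = (uint32_t)w;
    h->height = (uint32_t)hh;
    h->maxval = (uint32_t)maxval;
    h->bpp    = maxval <= 255 ? 3 : 6;
    return consumed + 1;
}

/* The decision a loader must make before allocating anything.
 * 0 = ok (*size = raster bytes, *off = raster offset), -1 = bad header,
 * -2 = dimensions refused (wrap or policy cap), -3 = file shorter than claimed. */
int ppm_check_file(const unsigned char *buf, size_t len, size_t *size, size_t *off)
{
    ppm_header h;
    int hdr = ppm_parse_header(buf, len, &h);
    if (hdr < 0 || (size_t)hdr > len)
        return -1;
    if (h.width > PPM_MAX_DIMENSION || h.height > PPM_MAX_DIMENSION)
        return -2;
    if (ppm_data_size_checked(&h, size) != 0)
        return -2;
    if (*size > len - (size_t)hdr)
        return -3;
    *off = (size_t)hdr;
    return 0;
}

/* Constructed inputs, not real files: a 2x2 image, a header whose dimensions
 * wrap a 32-bit product (no raster), and a file truncated after 5 raster bytes. */
static const unsigned char GOOD_PPM[] = "P6\n2 2\n255\n"
    "\xff\x00\x00\x00\xff\x00\x00\x00\xff\xff\xff\xff";
static const unsigned char WRAP_PPM[] = "P6\n65536 65536\n255\n";
static const unsigned char SHORT_PPM[] = "P6\n2 2\n255\n\xff\x00\x00\x00\xff";

int main(void)
{
    size_t size, off;
    printf("good:  %d\n", ppm_check_file(GOOD_PPM, sizeof GOOD_PPM - 1, &size, &off));
    printf("wrap:  %d\n", ppm_check_file(WRAP_PPM, sizeof WRAP_PPM - 1, &size, &off));
    printf("short: %d\n", ppm_check_file(SHORT_PPM, sizeof SHORT_PPM - 1, &size, &off));
    return 0;
}
```

Note that checked arithmetic alone is not enough: on a 64-bit build the 65536 x 65536 header does not wrap and would be allowed to request 12 GiB, which is still a denial of service, so the cap on dimensions and the comparison of the claimed raster size against the bytes actually present are part of the fix, not extras.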
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2013-01-03 00:29:32 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > Thanks, Sebastian. 0.1.6 and 0.1.8 appear to also be affected. Is
> > =media-libs/gegl-0.2.0-r1 ready for stabilization?
> 
> One of the two patches needed minimal "porting"...
> 
> 
> +*gegl-0.1.8-r1 (17 Nov 2012)
> +*gegl-0.1.6-r1 (17 Nov 2012)
> +
> +  17 Nov 2012; Sebastian Pipping <sping@gentoo.org> +gegl-0.1.6-r1.ebuild,
> +  +gegl-0.1.8-r1.ebuild, +files/gegl-0.1.8-cve-2012-4433-4757cdf7.patch:
> +  Patch 0.1.6 and 0.1.8 for CVE-2012-4433, too (bug #442016)
> +

Thanks, Sebastian. Shall we stabilize 0.1.6-r1 then, or another version?
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 03:46:54 UTC
Arches, please test and stabilize:
=media-libs/gegl-0.1.6-r1
Target arches: alpha amd64 hppa ia64 ppc ppc64 sparc x86
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-30 23:14:13 UTC
GLSA drafted and ready for review.
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-06 22:50:13 UTC
GLSA has been sent. 

Maintainers, please drop vulnerable versions so we can close this up. Thanks.
Comment 9 Sebastian Pipping gentoo-dev 2013-10-27 01:43:21 UTC
(In reply to Sean Amoss from comment #8)
> GLSA has been sent. 
> 
> Maintainers, please drop vulnerable versions so we can close this up. Thanks.

+  27 Oct 2013; Sebastian Pipping <sping@gentoo.org> -gegl-0.2.0-r1.ebuild:
+  Removing 0.2.0-r1 for security (bug #442016)
+
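Review bot: The removal drops only gegl-0.2.0-r1, which already carries both CVE-2012-4433 patches, while the unpatched gegl-0.1.6.ebuild stays in the tree; comment 3 added patches only to the 0.1.6-r1 and 0.1.8-r1 revisions, so plain 0.1.6 is still vulnerable and should be removed here as well, with the "<media-libs/gegl-0.2" dependency of media-gfx/gimp-2.6.12-r5 satisfied by 0.1.6-r1 or 0.1.8-r1 instead.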

I'm keeping

  gegl-0.1.6.ebuild 
  gegl-0.1.6-r1.ebuild
  gegl-0.1.8-r1.ebuild

to keep "<media-libs/gegl-0.2" from media-gfx/gimp-2.6.12-r5 satisfied.
I'm open to suggestion on deleting more.
Comment 10 Sergey Popov gentoo-dev 2013-12-31 07:44:43 UTC
(In reply to Sebastian Pipping from comment #9)
> (In reply to Sean Amoss from comment #8)
> > GLSA has been sent. 
> > 
> > Maintainers, please drop vulnerable versions so we can close this up. Thanks.
> 
> +  27 Oct 2013; Sebastian Pipping <sping@gentoo.org> -gegl-0.2.0-r1.ebuild:
> +  Removing 0.2.0-r1 for security (bug #442016)
> +
> 
> I'm keeping
> 
>   gegl-0.1.6.ebuild 
>   gegl-0.1.6-r1.ebuild
>   gegl-0.1.8-r1.ebuild
> 
> to keep "<media-libs/gegl-0.2" from media-gfx/gimp-2.6.12-r5 satisfied.
> I'm open to suggestion on deleting more.

Two notes:

1) 0.1.6-r1 was not stabilized as requested. Should we proceed with its stabilization? Or is stabilizing 0.2.0-r2, which happened in bug #481736, fine?
2) 0.1.6 is vulnerable, so it should be treecleaned. 0.1.6-r1 seems fine.
Comment 11 Pacho Ramos gentoo-dev 2013-12-31 17:44:53 UTC
0.2.0-r2 was stabilized, and older versions are only needed by old gimp, so dropping old versions of gimp and gegl would be enough.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2014-08-27 03:01:48 UTC
Maintainer(s), thank you for the cleanup!

Added to existing GLSA
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-11-24 22:31:17 UTC
This issue was resolved and addressed in
 GLSA 201310-05 at http://security.gentoo.org/glsa/glsa-201310-05.xml
by GLSA coordinator Sean Amoss (ackle).