The problem is in the function xcf_load_vector() in app/xcf/xcf-load.c of the source tree. For each "stroke" being read, the code reads an uint32 from the XCF file into the variable num_axes, and then for each control proint of the stroke reads num_axes floats from the file into the stack-allocated array coords whose size is hard-coded as 6. A malicious XCF file creater could write a large number into the num_axes position and trick the XCF reader into overwriting part of the stack with raw data read from the file. On little-endian systems, the function xcf_read_float() that actually reads the floats does a byte-order conversion on the data it reads but does not do any special float processing, so an attacker has direct control of the data written to the stack. I have not attempted to construct an working exploit (though I did verify being able to crash Gimp with a naively patched image file), but there seems to be no reason why the overrun could not be used to mount a standard arbitrary code execution attack if one can get the victim to try to load an appropriately crafted image file. The attack is in the VECTORS property of an XCF file which pure XCF _viewers_ (e.g. imagemagick or xcftools) normally skip without parsing. Thus an attack file can easily be written such that the image will display correctly with no symptoms at all in a viewer application. The same bug appears in the current CVS head.
We seem to be vulnerable. patch is here : http://bugzilla.gnome.org/attachment.cgi?id=68457&action=view and it will be included it 2.2.12 "soon". Brix or Allanonjl, please patch or advise if you prefer to wait for the next release, thanks
new ebuild ( gimp-2.2.12 ) in portage now. note that this now depends on the external package gimp-help and will have to be stabilized along with gimp. alpha / ia64 / mips were dropped on this version, see bug #137192.
(In reply to comment #2) > new ebuild ( gimp-2.2.12 ) in portage now. > thanks > note that this now depends on the external package gimp-help and will have to > be stabilized along with gimp. > > alpha / ia64 / mips were dropped on this version, see bug #137192. mmm... that's not really good... ia64 and mips will stay with their vulnerable version. Alpha has no stable version is the 2.x branch, so i guess (i hope) it is not affected. But, same, ~alpha will stay vulnerable, which is not very good. Well, for the moment, let's start the stabilization dance \o_ Heya amd64, hppa, ppc, ppc64, sparc and x86, there is a new gimp ebuild fixing a buffer overflow ! Please test gimp-2.2.12 and mark stable if possible. Note that gimp-help-0.10 has to be stabilized too, as a dependency of gimp-2.2.12 .
stable on ppc64
both emerge fine, pass collision test, gimp passes whole testsuit without problems. Only help for selected LINGUAS is created. I am happy so far, functionality will be tested tomorrow...Good night. Portage 2.1-r1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.16-gentoo-r9 i686) ================================================================= System uname: 2.6.16-gentoo-r9 i686 AMD Athlon(tm) XP 2500+ Gentoo Base System version 1.6.15 dev-lang/python: 2.4.3-r1 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: [Not Present] dev-util/confcache: [Not Present] sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.59-r7 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.13-r3 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.11-r2 ACCEPT_KEYWORDS="x86" AUTOCLEAN="yes" CBUILD="i686-pc-linux-gnu" CFLAGS="-O0" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo" CXXFLAGS="-O0" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/" LANG="de_DE@euro" LC_ALL="de_DE@euro" LINGUAS="de" MAKEOPTS="-j2" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage" SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage" USE="x86 3dnow 3dnowext X Xaw3d a52 alsa apache2 arts artworkextra asf audiofile avi bash-completion berkdb bidi bitmap-fonts bootsplash bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds emacs emboss encode esd evo exif expat fam fat fbcon fdftk ffmpeg firefox foomaticdb fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal howl icq idn imagemagick imap imlib ipv6 isdnlog java javascript jikes jpeg jpeg2k kde ldap leim libg++ libwww lm_sensors mad maildir matroska mbox mikmod mime mmx mmxext mng mono motif mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nowebdav nptl nptlonly nsplugin nvidia ogg opengl pam pcre pdf pdflib perl plotutils pmu png ppds pppd preview-latex print python qt qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb vcd videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_de userland_GNU video_cards_radeon video_cards_vesa video_cards_fbdev" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Stable ppc
(In reply to comment #3) > (In reply to comment #2) > > alpha / ia64 / mips were dropped on this version, see bug #137192. > Alpha has no stable version is the 2.x branch, so i guess (i hope) it is not > affected. But, same, ~alpha will stay vulnerable, which is not very good. gimp-2.3.9 just got ~alpha. If you need it marked stable on alpha, please add us to this bug.
amd64 stable.
Basic functions work, loaded some different graphic formats, edited them a bit, scripted a little...works. Thumbs up from me...
> gimp-2.3.9 just got ~alpha. If you need it marked stable on alpha, please add > us to this bug. > mmm no, it's useless, 2.3.9 is vulnerable too. since most arches are ~keyworded to 2.3.9, i think it should be a good idea to bump a 2.3.9-r1 with the patch. John, your opinion ?
(In reply to comment #10) > > gimp-2.3.9 just got ~alpha. > mmm no, it's useless, 2.3.9 is vulnerable too. Sorry, I assumed gimp made releases in version number order. I tested and keyworded gimp-2.2.12 ~alpha so ~alpha users have a non-vulnerable version keyworded.
Stable on x86. Christian, thanks for the testing.
stable on hppa
SPARC me amadeus
I think GLSA 200607-08, which references this bug report, is using the wrong version number - 1.2.12, instead of 2.2.12. It was noticed in the forums by tuam [1]. [1] http://forums.gentoo.org/viewtopic-t-483119.html
I'll be fixing that in CVS shortly when I return home from work. Thx for note.
Update committed to CVS awaiting resolution of gentoo-announce problems for GLSA resend.
GLSA 200607-08 along with ERRATA.
Does not affect current (2008.0) release. Removing release.
