Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 139524 - media-gfx/gimp Buffer overrun in XCF parsing code (CVE-2006-3404)
Summary: media-gfx/gimp Buffer overrun in XCF parsing code (CVE-2006-3404)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
URL: http://bugzilla.gnome.org/show_bug.cg...
Whiteboard: B2 [glsa] Falco
Keywords:
Depends on:
Blocks:
 
Reported: 2006-07-07 00:50 UTC by Sune Kloppenborg Jeppesen
Modified: 2008-03-06 09:37 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen gentoo-dev 2006-07-07 00:50:29 UTC
The problem is in the function xcf_load_vector() in app/xcf/xcf-load.c
of the source tree. For each "stroke" being read, the code reads an
uint32 from the XCF file into the variable num_axes, and then for each
control proint of the stroke reads num_axes floats from the file into
the stack-allocated array coords whose size is hard-coded as 6.

A malicious XCF file creater could write a large number into the
num_axes position and trick the XCF reader into overwriting part of
the stack with raw data read from the file. On little-endian systems,
the function xcf_read_float() that actually reads the floats does a
byte-order conversion on the data it reads but does not do any special
float processing, so an attacker has direct control of the data
written to the stack.

I have not attempted to construct an working exploit (though I did
verify being able to crash Gimp with a naively patched image file),
but there seems to be no reason why the overrun could not be used to
mount a standard arbitrary code execution attack if one can get the
victim to try to load an appropriately crafted image file.

The attack is in the VECTORS property of an XCF file which pure XCF
_viewers_ (e.g. imagemagick or xcftools) normally skip without
parsing.  Thus an attack file can easily be written such that the
image will display correctly with no symptoms at all in a viewer
application.

The same bug appears in the current CVS head.
Comment 1 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-07-07 01:12:58 UTC
We seem to be vulnerable.

patch is here : http://bugzilla.gnome.org/attachment.cgi?id=68457&action=view

and it will be included it 2.2.12 "soon".

Brix or Allanonjl, please patch or advise if you prefer to wait for the next release, thanks
Comment 2 John N. Laliberte (RETIRED) gentoo-dev 2006-07-07 07:34:53 UTC
new ebuild ( gimp-2.2.12 ) in portage now.

note that this now depends on the external package gimp-help and will have to be stabilized along with gimp.

alpha / ia64 / mips were dropped on this version, see bug #137192.
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-07-07 10:50:21 UTC
(In reply to comment #2)
> new ebuild ( gimp-2.2.12 ) in portage now.
> 

thanks

> note that this now depends on the external package gimp-help and will have to
> be stabilized along with gimp.
> 
> alpha / ia64 / mips were dropped on this version, see bug #137192.

mmm... that's not really good... ia64 and mips will stay with their vulnerable version.
Alpha has no stable version is the 2.x branch, so i guess (i hope) it is not affected. But, same, ~alpha will stay vulnerable, which is not very good.

Well, for the moment, let's start the stabilization dance \o_

Heya amd64, hppa, ppc, ppc64, sparc and x86, there is a new gimp ebuild fixing a buffer overflow !
Please test gimp-2.2.12 and mark stable if possible. Note that gimp-help-0.10 has to be stabilized too, as a dependency of gimp-2.2.12 .

Comment 4 Markus Rothe (RETIRED) gentoo-dev 2006-07-07 11:32:42 UTC
stable on ppc64
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2006-07-07 13:07:42 UTC
both emerge fine, pass collision test, gimp passes whole testsuit without problems.
Only help for selected LINGUAS is created.  I am happy so far, functionality will be tested tomorrow...Good night.

Portage 2.1-r1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.16-gentoo-r9 i686)
=================================================================
System uname: 2.6.16-gentoo-r9 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.6.15
dev-lang/python:     2.4.3-r1
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r3
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O0"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/X11/xkb"
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-O0"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="x86 3dnow 3dnowext X Xaw3d a52 alsa apache2 arts artworkextra asf audiofile avi bash-completion berkdb bidi bitmap-fonts bootsplash bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds emacs emboss encode esd evo exif expat fam fat fbcon fdftk ffmpeg firefox foomaticdb fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal howl icq idn imagemagick imap imlib ipv6 isdnlog java javascript jikes jpeg jpeg2k kde ldap leim libg++ libwww lm_sensors mad maildir matroska mbox mikmod mime mmx mmxext mng mono motif mp3 mpeg mpeg2 mule nautilus ncurses nforce2 nls nocardbus nowebdav nptl nptlonly nsplugin nvidia ogg opengl pam pcre pdf pdflib perl plotutils pmu png ppds pppd preview-latex print python qt qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb vcd videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib elibc_glibc input_devices_mouse input_devices_keyboard kernel_linux linguas_de userland_GNU video_cards_radeon video_cards_vesa video_cards_fbdev"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 6 Luca Barbato gentoo-dev 2006-07-07 15:48:10 UTC
Stable ppc
Comment 7 Thomas Cort (RETIRED) gentoo-dev 2006-07-07 19:08:06 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > alpha / ia64 / mips were dropped on this version, see bug #137192.
> Alpha has no stable version is the 2.x branch, so i guess (i hope) it is not
> affected. But, same, ~alpha will stay vulnerable, which is not very good.

gimp-2.3.9 just got ~alpha. If you need it marked stable on alpha, please add us to this bug.
Comment 8 Thomas Cort (RETIRED) gentoo-dev 2006-07-07 19:33:34 UTC
amd64 stable.
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2006-07-08 02:06:36 UTC
Basic functions work, loaded some different graphic formats, edited them a bit, scripted a little...works.  Thumbs up from me...
Comment 10 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-07-08 05:47:50 UTC
> gimp-2.3.9 just got ~alpha. If you need it marked stable on alpha, please add
> us to this bug.
> 

mmm no, it's useless, 2.3.9 is vulnerable too.

since most arches are ~keyworded to 2.3.9, i think it should be a good idea to bump a 2.3.9-r1 with the patch. John, your opinion ?
Comment 11 Thomas Cort (RETIRED) gentoo-dev 2006-07-08 08:34:55 UTC
(In reply to comment #10)
> > gimp-2.3.9 just got ~alpha.
> mmm no, it's useless, 2.3.9 is vulnerable too.

Sorry, I assumed gimp made releases in version number order. I tested and keyworded gimp-2.2.12 ~alpha so ~alpha users have a non-vulnerable version keyworded.
Comment 12 Paul Varner (RETIRED) gentoo-dev 2006-07-08 21:32:48 UTC
Stable on x86. Christian, thanks for the testing.
Comment 13 René Nussbaumer (RETIRED) gentoo-dev 2006-07-09 01:53:31 UTC
stable on hppa
Comment 14 Jason Wever (RETIRED) gentoo-dev 2006-07-11 05:44:14 UTC
SPARC me amadeus
Comment 15 Jonathan Coome (RETIRED) gentoo-dev 2006-07-24 02:34:32 UTC
I think GLSA 200607-08, which references this bug report, is using the wrong version number - 1.2.12, instead of 2.2.12. It was noticed in the forums by tuam [1].

[1] http://forums.gentoo.org/viewtopic-t-483119.html
Comment 16 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-24 03:08:18 UTC
I'll be fixing that in CVS shortly when I return home from work. Thx for note.
Comment 17 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-24 06:00:24 UTC
Update committed to CVS awaiting resolution of gentoo-announce problems for GLSA resend.
Comment 18 Sune Kloppenborg Jeppesen gentoo-dev 2006-07-24 12:21:45 UTC
GLSA 200607-08 along with ERRATA. 
Comment 19 Peter Volkov (RETIRED) gentoo-dev 2008-03-06 09:37:28 UTC
Does not affect current (2008.0) release. Removing release.