The problem is in the function xcf_load_vector() in app/xcf/xcf-load.c
of the source tree. For each "stroke" being read, the code reads an
uint32 from the XCF file into the variable num_axes, and then for each
control point of the stroke reads num_axes floats from the file into
the stack-allocated array coords whose size is hard-coded as 6.
A malicious XCF file creator could write a large number into the
num_axes position and trick the XCF reader into overwriting part of
the stack with raw data read from the file. On little-endian systems,
the function xcf_read_float() that actually reads the floats does a
byte-order conversion on the data it reads but does not do any special
float processing, so an attacker has direct control of the data
written to the stack.
I have not attempted to construct a working exploit (though I did
verify being able to crash Gimp with a naively patched image file),
but there seems to be no reason why the overrun could not be used to
mount a standard arbitrary code execution attack if one can get the
victim to try to load an appropriately crafted image file.
The attack is in the VECTORS property of an XCF file which pure XCF
_viewers_ (e.g. imagemagick or xcftools) normally skip without
parsing. Thus an attack file can easily be written such that the
image will display correctly with no symptoms at all in a viewer.
The same bug appears in the current CVS head.
We seem to be vulnerable.
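As an added illustration, not code from the bug report or from GIMP itself, the snippet below reproduces the parsing pattern described above (a file-supplied num_axes driving a loop that fills a fixed six-element coords[] array) together with the bounds check that closes the hole. The stroke layout (u32 num_axes, u32 num_points, then num_points * num_axes big-endian floats), the MAX_AXES name and the sample bytes are all constructed for the example and are not the real XCF encoding.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Size of the fixed stack array the report describes (name assumed). */
#define MAX_AXES 6

/* In-memory stand-in for the XCF file being parsed. */
typedef struct {
    const uint8_t *data;
    size_t len;
    size_t pos;
} xcf_reader;

/* Read a big-endian uint32; returns 0 if the input is truncated. */
static int read_u32(xcf_reader *r, uint32_t *out)
{
    if (r->len - r->pos < 4)
        return 0;
    const uint8_t *b = r->data + r->pos;
    *out = ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8)  |  (uint32_t)b[3];
    r->pos += 4;
    return 1;
}

/* Read a float as raw big-endian bits with no value checks, mirroring what the
 * report says xcf_read_float() does: the file's bits land in the float as-is. */
static int read_float(xcf_reader *r, float *out)
{
    uint32_t bits;
    if (!read_u32(r, &bits))
        return 0;
    memcpy(out, &bits, sizeof *out);
    return 1;
}

enum { STROKE_OK = 1, STROKE_TRUNCATED = 0, STROKE_BAD_AXES = -1 };

/* Parse one stroke in the simplified (assumed) layout: u32 num_axes, u32 num_points,
 * then num_points * num_axes floats. The last point's coordinates stay in coords[]. */
int load_stroke(const uint8_t *buf, size_t len, float coords[MAX_AXES], uint32_t *axes_out)
{
    xcf_reader r = { buf, len, 0 };
    uint32_t num_axes, num_points;

    if (!read_u32(&r, &num_axes))
        return STROKE_TRUNCATED;
    /* The check the vulnerable version lacked: without it a file-supplied num_axes
     * larger than MAX_AXES makes the inner loop write past the end of coords[]. */
    if (num_axes > MAX_AXES)
        return STROKE_BAD_AXES;
    if (!read_u32(&r, &num_points))
        return STROKE_TRUNCATED;

    for (uint32_t pt = 0; pt < num_points; pt++)
        for (uint32_t i = 0; i < num_axes; i++)
            if (!read_float(&r, &coords[i]))
                return STROKE_TRUNCATED;

    *axes_out = num_axes;
    return STROKE_OK;
}

/* Constructed sample: 2 axes, 1 point, coordinates (1.0, 2.5). */
const uint8_t GOOD_STROKE[] = {
    0x00, 0x00, 0x00, 0x02,   0x00, 0x00, 0x00, 0x01,
    0x3F, 0x80, 0x00, 0x00,   0x40, 0x20, 0x00, 0x00,
};
const size_t GOOD_STROKE_LEN = sizeof GOOD_STROKE;

/* Constructed sample: num_axes = 64, far beyond the six-element array. */
const uint8_t OVERSIZED_STROKE[] = {
    0x00, 0x00, 0x00, 0x40,   0x00, 0x00, 0x00, 0x01,
    0x3F, 0x80, 0x00, 0x00,
};
const size_t OVERSIZED_STROKE_LEN = sizeof OVERSIZED_STROKE;

/* Wrappers that reduce each sample to a single return value. */
int good_stroke_status(void)
{
    float c[MAX_AXES] = {0};
    uint32_t a = 0;
    return load_stroke(GOOD_STROKE, GOOD_STROKE_LEN, c, &a);
}

float good_stroke_coord(int i)
{
    float c[MAX_AXES] = {0};
    uint32_t a = 0;
    load_stroke(GOOD_STROKE, GOOD_STROKE_LEN, c, &a);
    return c[i];
}

int oversized_stroke_status(void)
{
    float c[MAX_AXES] = {0};
    uint32_t a = 0;
    return load_stroke(OVERSIZED_STROKE, OVERSIZED_STROKE_LEN, c, &a);
}

int main(void)
{
    printf("good stroke: rc=%d x=%.1f y=%.1f\n", good_stroke_status(),
           good_stroke_coord(0), good_stroke_coord(1));
    printf("oversized stroke: rc=%d (rejected before any float is read)\n",
           oversized_stroke_status());
    return 0;
}
```

The oversized sample is refused as soon as num_axes is read, so the loop that indexes coords[] never runs with an out-of-range count; a reader that also wants to limit num_points (to bound the work a hostile file can demand) would add a second cap in the same place.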
Patch is here: http://bugzilla.gnome.org/attachment.cgi?id=68457&action=view
and it will be included in 2.2.12 "soon".
Brix or Allanonjl, please patch or advise if you prefer to wait for the next release, thanks.
new ebuild ( gimp-2.2.12 ) in portage now.
note that this now depends on the external package gimp-help and will have to be stabilized along with gimp.
alpha / ia64 / mips were dropped on this version, see bug #137192.
(In reply to comment #2)
> new ebuild ( gimp-2.2.12 ) in portage now.
> note that this now depends on the external package gimp-help and will have to
> be stabilized along with gimp.
> alpha / ia64 / mips were dropped on this version, see bug #137192.
mmm... that's not really good... ia64 and mips will stay with their vulnerable version.
Alpha has no stable version in the 2.x branch, so I guess (I hope) it is not affected. But, same, ~alpha will stay vulnerable, which is not very good.
Well, for the moment, let's start the stabilization dance \o_
Heya amd64, hppa, ppc, ppc64, sparc and x86, there is a new gimp ebuild fixing a buffer overflow!
Please test gimp-2.2.12 and mark stable if possible. Note that gimp-help-0.10 has to be stabilized too, as a dependency of gimp-2.2.12.
stable on ppc64
Both emerge fine, pass collision test, gimp passes whole testsuite without problems.
Only help for selected LINGUAS is created. I am happy so far, functionality will be tested tomorrow... Good night.
Portage 2.1-r1 (default-linux/x86/2006.0, gcc-3.4.6, glibc-2.3.6-r4, 2.6.16-gentoo-r9 i686)
System uname: 2.6.16-gentoo-r9 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.6.15
dev-util/ccache: [Not Present]
dev-util/confcache: [Not Present]
sys-devel/autoconf: 2.13, 2.59-r7
sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
CONFIG_PROTECT_MASK="/etc/env.d /etc/gconf /etc/revdep-rebuild /etc/splash /etc/terminfo"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
(In reply to comment #3)
> (In reply to comment #2)
> > alpha / ia64 / mips were dropped on this version, see bug #137192.
> Alpha has no stable version is the 2.x branch, so i guess (i hope) it is not
> affected. But, same, ~alpha will stay vulnerable, which is not very good.
gimp-2.3.9 just got ~alpha. If you need it marked stable on alpha, please add us to this bug.
Basic functions work, loaded some different graphic formats, edited them a bit, scripted a little... works. Thumbs up from me...
> gimp-2.3.9 just got ~alpha. If you need it marked stable on alpha, please add
> us to this bug.
mmm no, it's useless, 2.3.9 is vulnerable too.
Since most arches are ~keyworded to 2.3.9, I think it should be a good idea to bump a 2.3.9-r1 with the patch. John, your opinion?
(In reply to comment #10)
> > gimp-2.3.9 just got ~alpha.
> mmm no, it's useless, 2.3.9 is vulnerable too.
Sorry, I assumed gimp made releases in version number order. I tested and keyworded gimp-2.2.12 ~alpha so ~alpha users have a non-vulnerable version keyworded.
Stable on x86. Christian, thanks for the testing.
stable on hppa
SPARC me amadeus
I think GLSA 200607-08, which references this bug report, is using the wrong version number - 1.2.12, instead of 2.2.12. It was noticed in the forums by tuam.
I'll be fixing that in CVS shortly when I return home from work. Thx for the note.
Update committed to CVS awaiting resolution of gentoo-announce problems for GLSA resend.
GLSA 200607-08 along with ERRATA.
Does not affect current (2008.0) release. Removing release.