Bug 293127 (CVE-2009-1570) - media-gfx/gimp BMP and PSD Heap-based buffer overflows (CVE-2009-{1570,3909})
Summary: media-gfx/gimp BMP and PSD Heap-based buffer overflows (CVE-2009-{1570,3909})
Status: RESOLVED FIXED
Alias: CVE-2009-1570
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://git.gnome.org/cgit/gimp/commit...
Whiteboard: B2 [glsa]
Keywords:
Duplicates: 287478
Depends on:
Blocks:
 
Reported: 2009-11-13 23:00 UTC by Stefan Behte (RETIRED)
Modified: 2012-09-28 11:43 UTC (History)
See Also:
Package list:
Runtime testing required: ---

Description Stefan Behte (RETIRED) gentoo-dev Security 2009-11-13 23:00:23 UTC
CVE-2009-1570 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1570):
  Integer overflow in the ReadImage function in
  plug-ins/file-bmp/bmp-read.c in GIMP 2.6.7 might allow remote
  attackers to execute arbitrary code via a BMP file with crafted width
  and height values that trigger a heap-based buffer overflow.
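The defect class named in the description, an attacker-controlled width and height multiplied in 32-bit arithmetic before a heap allocation, is shown below as an added illustration; this is example code written for this page, not GIMP's bmp-read.c or the upstream fix. The function names, the 1..4 bytes-per-pixel range and the 1 GiB cap are assumptions of the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed sanity limit for this example, not a GIMP value. */
#define MAX_IMAGE_BYTES ((uint64_t)1 << 30)   /* 1 GiB */

/* Pattern behind the bug: 32-bit multiply of header-controlled values.
 * It wraps silently, so a huge image yields a tiny (or zero) allocation
 * that a later pixel copy then overruns. */
uint32_t bmp_naive_size(int32_t width, int32_t height, uint32_t bpp)
{
    return (uint32_t)width * (uint32_t)height * bpp;
}

/* Hardened form: validate each factor, widen, check every multiply
 * before performing it, and cap the result. Returns false on rejection. */
bool bmp_checked_size(int32_t width, int32_t height, uint32_t bpp, size_t *out)
{
    /* BMP height may be negative (top-down rows); INT32_MIN cannot be negated */
    if (width <= 0 || height == 0 || height == INT32_MIN) return false;
    if (bpp == 0 || bpp > 4) return false;          /* 1..4 bytes per pixel */
    uint64_t w = (uint64_t)width;
    uint64_t h = (uint64_t)((height < 0) ? -(int64_t)height : height);
    if (h > UINT64_MAX / w) return false;            /* w*h would wrap */
    uint64_t pixels = w * h;
    if (pixels > UINT64_MAX / bpp) return false;     /* *bpp would wrap */
    uint64_t bytes = pixels * bpp;
    if (bytes > MAX_IMAGE_BYTES || bytes > SIZE_MAX) return false;
    *out = (size_t)bytes;
    return true;
}

/* Allocate only when the size survives validation; NULL otherwise. */
unsigned char *bmp_alloc_pixels(int32_t width, int32_t height, uint32_t bpp)
{
    size_t n;
    if (!bmp_checked_size(width, height, bpp, &n)) return NULL;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed header values: 65536 x 65536 x 4 bytes wraps to 0 */
    size_t n;
    printf("naive: %u bytes\n", bmp_naive_size(65536, 65536, 4));
    printf("checked: %s\n", bmp_checked_size(65536, 65536, 4, &n) ? "ok" : "rejected");
    return 0;
}
```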
Comment 1 Tomáš Chvátal (RETIRED) gentoo-dev 2009-11-16 15:59:49 UTC
Just a sidenote: hello from the QA team.

Hanno is currently not entirely active in gimp development (last commit at 18 March).

We would recommend that someone who cares backports the patch and stabilizes 2.9.7; then dropping all older versions should proceed.

Cheers
Comment 2 Hanno Böck gentoo-dev 2009-11-16 17:33:55 UTC
I've added 2.6.7-r1 with the patch from gimp git. I found no sample bmp in the security reports so I couldn't test it but it should be fine.

CC-ing archs. ppc64 also needs to stabilize babl and gegl. mips and x86-fbsd have no keyword on 2.6.7-r1 yet, cc-ing them also. If you can't re-keyword 2.6.7-r1, your arch will be without gimp soon.
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2009-11-16 22:10:31 UTC
Stable for HPPA.
Comment 4 Markus Meier gentoo-dev 2009-11-16 23:10:11 UTC
amd64/x86 stable
Comment 5 Robert Buchholz (RETIRED) gentoo-dev 2009-11-17 14:13:23 UTC
Secunia discovered more heap-based buffer overflows when parsing .PSD files (CVE-2009-3909):
http://secunia.com/secunia_research/2009-43/

The following two commits fix the PSD issue: 
http://git.gnome.org/cgit/gimp/commit/?h=gimp-2-6&id=88eccea84aa375197cc04a2a0e2e29debb56bfa5
http://git.gnome.org/cgit/gimp/commit/?h=gimp-2-6&id=687ec47914ec08d6e460918cb641c196d80140a3

According to upstream, a new 2.6 release is planned "in the next few days".
Comment 7 Pacho Ramos gentoo-dev 2009-11-19 19:14:12 UTC
*** Bug 287478 has been marked as a duplicate of this bug. ***
Comment 8 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-11-26 08:25:56 UTC
CVE-2009-3909 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3909):
  Integer overflow in the read_channel_data function in
  plug-ins/file-psd/psd-load.c in GIMP 2.6.7 might allow remote
  attackers to execute arbitrary code via a crafted PSD file that
  triggers a heap-based buffer overflow.

Comment 9 Hanno Böck gentoo-dev 2009-12-20 13:54:01 UTC
Added 2.6.8.

Citing myself from comment #2:
ppc64 also needs to stabilize babl and gegl. mips and x86-fbsd have no keyword on 2.6.8 yet, cc-ing them also. If you can't re-keyword 2.6.8, your arch will be without gimp soon.

Comment 10 Brent Baude (RETIRED) gentoo-dev 2009-12-20 16:36:51 UTC
ppc64 done
Comment 11 Pacho Ramos gentoo-dev 2009-12-20 18:23:56 UTC
amd64 stable
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2009-12-22 02:44:14 UTC
Stable for HPPA.
Comment 13 Markus Meier gentoo-dev 2009-12-23 01:19:37 UTC
x86 stable
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2009-12-26 14:21:33 UTC
alpha/ia64/sparc stable, and bsd/mips don't do stable keywords.
Comment 15 Joe Jezak (RETIRED) gentoo-dev 2010-01-05 02:44:49 UTC
Marked ppc stable.
Comment 16 Hanno Böck gentoo-dev 2010-01-06 09:38:57 UTC
bsd/mips don't have keywords at all on 2.6.8, so they'll lose gimp support altogether. I wrote them a mail, though I'll remove all old ebuilds within a few days.

Else I think we're ready for glsa. I think it deserves a GLSA, security, what do you think?
Comment 17 Stefan Behte (RETIRED) gentoo-dev Security 2010-04-14 21:30:23 UTC
No vote needed. GLSA request filed according to policy (http://www.gentoo.org/security/en/vulnerability-policy.xml).
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2012-09-28 11:43:14 UTC
This issue was resolved and addressed in GLSA 201209-23 at http://security.gentoo.org/glsa/glsa-201209-23.xml by GLSA coordinator Sean Amoss (ackle).