Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 442016 (CVE-2012-4433) - <media-libs/gegl-0.2.0-r2: PPM Image Processing Integer Overflow Vulnerability (CVE-2012-4433)
Summary: <media-libs/gegl-0.2.0-r2: PPM Image Processing Integer Overflow Vulnerabilit...
Status: RESOLVED FIXED
Alias: CVE-2012-4433
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa]
Keywords:
Depends on: 481736
Blocks:
  Show dependency tree
 
Reported: 2012-11-06 10:41 UTC by Agostino Sarubbo
Modified: 2014-11-24 22:31 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-11-06 10:41:00 UTC
From https://secunia.com/advisories/51114/ :

Description
A vulnerability has been reported in GEGL, which can be exploited by malicious people to compromise 
an application using the library.

The vulnerability is caused due to an integer overflow error in PPM image handler 
(operations/external/ppm-load.c) and can be exploited to cause a heap-based buffer overflow via 
specially crafted image dimensions.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in version 0.2.0. Other versions may also be affected.


Solution
Fixed in the source code repository.

Provided and/or discovered by
Murray McAllister, Red Hat Security Response Team

Original Advisory
Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=856300
Comment 1 Sebastian Pipping gentoo-dev 2012-11-06 19:40:03 UTC
+*gegl-0.2.0-r1 (06 Nov 2012)
+
+  06 Nov 2012; Sebastian Pipping <sping@gentoo.org> +gegl-0.2.0-r1.ebuild,
+  +files/gegl-0.2.0-cve-2012-4433-1e92e523.patch,
+  +files/gegl-0.2.0-cve-2012-4433-4757cdf7.patch:
+  Integrate Redhat patches for CVE-2012-4433 (bug #442016)
+


0.1.6 and 0.1.8 unchecked.
Comment 2 Sean Amoss gentoo-dev Security 2012-11-10 18:32:53 UTC
Thanks, Sebastian. 0.1.6 and 0.1.8 appear to also be affected. Is =media-libs/gegl-0.2.0-r1 ready for stabilization?
Comment 3 Sebastian Pipping gentoo-dev 2012-11-17 15:48:31 UTC
(In reply to comment #2)
> Thanks, Sebastian. 0.1.6 and 0.1.8 appear to also be affected. Is
> =media-libs/gegl-0.2.0-r1 ready for stabilization?

One of the two patches needed minimal "porting"...


+*gegl-0.1.8-r1 (17 Nov 2012)
+*gegl-0.1.6-r1 (17 Nov 2012)
+
+  17 Nov 2012; Sebastian Pipping <sping@gentoo.org> +gegl-0.1.6-r1.ebuild,
+  +gegl-0.1.8-r1.ebuild, +files/gegl-0.1.8-cve-2012-4433-4757cdf7.patch:
+  Patch 0.1.6 and 0.1.8 for CVE-2012-4433, too (bug #442016)
+
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-11-20 00:28:51 UTC
CVE-2012-4433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4433):
  Multiple integer overflows in operations/external/ppm-load.c in GEGL
  (Generic Graphics Library) 0.2.0 allow remote attackers to cause a denial of
  service (application crash) or possibly execute arbitrary code via a large
  (1) width or (2) height value in a Portable Pixel Map (ppm) image, which
  triggers a heap-based buffer overflow.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2013-01-03 00:29:32 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > Thanks, Sebastian. 0.1.6 and 0.1.8 appear to also be affected. Is
> > =media-libs/gegl-0.2.0-r1 ready for stabilization?
> 
> One of the two patches needed minimal "porting"...
> 
> 
> +*gegl-0.1.8-r1 (17 Nov 2012)
> +*gegl-0.1.6-r1 (17 Nov 2012)
> +
> +  17 Nov 2012; Sebastian Pipping <sping@gentoo.org> +gegl-0.1.6-r1.ebuild,
> +  +gegl-0.1.8-r1.ebuild, +files/gegl-0.1.8-cve-2012-4433-4757cdf7.patch:
> +  Patch 0.1.6 and 0.1.8 for CVE-2012-4433, too (bug #442016)
> +

Thanks, Sebastian. Shall we stabilize 0.1.6-r1 then, or another version?
Comment 6 Chris Reffett gentoo-dev Security 2013-09-11 03:46:54 UTC
Arches, please test and stabilize:
=media-libs/gegl-0.1.6-r1
Target arches: alpha amd64 hppa ia64 ppc ppc64 sparc x86
Comment 7 Sean Amoss gentoo-dev Security 2013-09-30 23:14:13 UTC
GLSA drafted and ready for review.
Comment 8 Sean Amoss gentoo-dev Security 2013-10-06 22:50:13 UTC
GLSA has been sent. 

Maintainers, please drop vulnerable versions so we can close this up. Thanks.
Comment 9 Sebastian Pipping gentoo-dev 2013-10-27 01:43:21 UTC
(In reply to Sean Amoss from comment #8)
> GLSA has been sent. 
> 
> Maintainers, please drop vulnerable versions so we can close this up. Thanks.

+  27 Oct 2013; Sebastian Pipping <sping@gentoo.org> -gegl-0.2.0-r1.ebuild:
+  Removing 0.2.0-r1 for security (bug #442016)
+

I'm keeping

  gegl-0.1.6.ebuild 
  gegl-0.1.6-r1.ebuild
  gegl-0.1.8-r1.ebuild

to keep "<media-libs/gegl-0.2" from media-gfx/gimp-2.6.12-r5 satisfied.
I'm open to suggestion on deleting more.
Comment 10 Sergey Popov gentoo-dev Security 2013-12-31 07:44:43 UTC
(In reply to Sebastian Pipping from comment #9)
> (In reply to Sean Amoss from comment #8)
> > GLSA has been sent. 
> > 
> > Maintainers, please drop vulnerable versions so we can close this up. Thanks.
> 
> +  27 Oct 2013; Sebastian Pipping <sping@gentoo.org> -gegl-0.2.0-r1.ebuild:
> +  Removing 0.2.0-r1 for security (bug #442016)
> +
> 
> I'm keeping
> 
>   gegl-0.1.6.ebuild 
>   gegl-0.1.6-r1.ebuild
>   gegl-0.1.8-r1.ebuild
> 
> to keep "<media-libs/gegl-0.2" from media-gfx/gimp-2.6.12-r5 satisfied.
> I'm open to suggestion on deleting more.

Two notes:

1) 0.1.6-r1 was not stabilized as requested. Should we proceed with it's stabilization? Or stabilizing 0.2.0-r2, which happened in bug #481736 is fine?
2) 0.1.6 is vulnerable, so it should be treecleaned. 0.1.6-r1 seems fine.
Comment 11 Pacho Ramos gentoo-dev 2013-12-31 17:44:53 UTC
0.2.0-r2 was stabilized and older versions are only needed by old gimp, then, dropping old versions of gimp and gegl would be enough
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2014-08-27 03:01:48 UTC
Maintainer(s), Thank you for cleanup!

Added to existing GLSA
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-11-24 22:31:17 UTC
This issue was resolved and addressed in
 GLSA 201310-05 at http://security.gentoo.org/glsa/glsa-201310-05.xml
by GLSA coordinator Sean Amoss (ackle).