Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 493372 (CVE-2013-1913) - <media-gfx/gimp-2.6.9: Two xwd plugin issues (CVE-2013-{1913,1978})
Summary: <media-gfx/gimp-2.6.9: Two xwd plugin issues (CVE-2013-{1913,1978})
Status: RESOLVED FIXED
Alias: CVE-2013-1913
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-05 09:24 UTC by Agostino Sarubbo
Modified: 2016-03-06 19:57 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2013-12-05 09:24:54 UTC
From ${URL} :

Two gimp xwd plugin issues were made public yesterday.  The following
bugs should have all relevant links:

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1978
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-1913


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 GLSAMaker/CVETool Bot gentoo-dev 2013-12-21 02:19:17 UTC
CVE-2013-1978 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1978):
  Heap-based buffer overflow in the read_xwd_cols function in file-xwd.c in
  the X Window Dump (XWD) plug-in in GIMP 2.6.9 and earlier allows remote
  attackers to cause a denial of service (crash) and possibly execute
  arbitrary code via an X Window System (XWD) image dump with more colors than
  color map entries.

CVE-2013-1913 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-1913):
  Integer overflow in the load_image function in file-xwd.c in the X Window
  Dump (XWD) plug-in in GIMP 2.6.9 and earlier, when used with glib before
  2.24, allows remote attackers to cause a denial of service (crash) and
  possibly execute arbitrary code via a large color entries value in an X
  Window System (XWD) image dump.
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2014-08-26 20:32:39 UTC
This is fixed upstream in 

file-xwd: sanity check colormap size (CVE-2013-1913)
https://git.gnome.org/browse/gimp/commit/?id=32ae0f83e5748299641cceaabe3f80f1b3afd03e 

and

file-xwd: sanity check # of colors and map entries (CVE-2013-1978)
https://git.gnome.org/browse/gimp/commit/?id=23f685931e5f000dd033a45c60c1e60d7f78caf4

Part of 2.8.12. Following that 2.8.14 has been released due to a usability issue. 

@maintainers: please bump version
Comment 3 Sebastian Pipping gentoo-dev 2014-09-06 20:11:51 UTC
(In reply to Kristian Fiskerstrand from comment #2)
> Part of 2.8.12. Following that 2.8.14 has been released due to a usability
> issue. 
> 
> @maintainers: please bump version

Conforming both commits to be included in 2.8.14, with different SHA1s though:

file-xwd: sanity check colormap size (CVE-2013-1913)
  # git tag --contains 7f2322e4ced8ba393abc5a0aa15a607f340f0db8
  GIMP_2_8_12
  GIMP_2_8_14

file-xwd: sanity check # of colors and map entries (CVE-2013-1978)
  # git tag --contains 0ffb3b6753aad00512349bba31bf5113054c6a0e
  GIMP_2_8_12
  GIMP_2_8_14
Comment 4 Sebastian Pipping gentoo-dev 2014-09-06 21:15:20 UTC
+*gimp-2.8.10-r2 (06 Sep 2014)
+
+  06 Sep 2014; Sebastian Pipping <sping@gentoo.org> gimp-2.8.10-r1.ebuild,
+  +gimp-2.8.10-r2.ebuild, +files/gimp-2.8.10-CVE-2013-1913.patch,
+  +files/gimp-2.8.10-CVE-2013-1978.patch, +files/gimp-2.8.10-freetype251.patch:
+  Add patches for CVE-2013-{1913,1978} to 2.8.10-r2 (bug #493372, 2.8.14 has
+  them already); inline gimp-2.8.10-freetype251.patch (checksum changed)


I would like to propose removal of 2.8.6 and 2.8.8-r1.  Those may also be affected and need inspection and we have newer version 2.8.10-r1 (and soon -r2) marked stable, already.  Any objections?
Comment 5 Yury German Gentoo Infrastructure gentoo-dev Security 2014-10-05 19:30:54 UTC
Are we ready to call for stable 2.8.14 or 2.8.10-r2? 
The 30 day wait is almost up (1 more day).
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-02-21 13:29:29 UTC
2.8.14-r1 and 2.8.10-r2 are stable.
Comment 7 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-05 08:46:15 UTC
All vulnerable versions purged.  Added to GLSA 20c35ef34.
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2016-03-06 19:57:14 UTC
This issue was resolved and addressed in
 GLSA 201603-01 at https://security.gentoo.org/glsa/201603-01
by GLSA coordinator Kristian Fiskerstrand (K_F).