Bug 442016 (CVE-2012-4433) - <media-libs/gegl-0.2.0-r2: PPM Image Processing Integer Overflow Vulnerability (CVE-2012-4433)
Summary: <media-libs/gegl-0.2.0-r2: PPM Image Processing Integer Overflow Vulnerabilit...
Status: RESOLVED FIXED
Alias: CVE-2012-4433
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa]
Keywords:
Depends on: 481736
Blocks:
Reported: 2012-11-06 10:41 UTC by Agostino Sarubbo
Modified: 2014-11-24 22:31 UTC (History)
Description Agostino Sarubbo gentoo-dev 2012-11-06 10:41:00 UTC
From https://secunia.com/advisories/51114/ :

Description
A vulnerability has been reported in GEGL, which can be exploited by malicious people to compromise 
an application using the library.

The vulnerability is caused due to an integer overflow error in PPM image handler 
(operations/external/ppm-load.c) and can be exploited to cause a heap-based buffer overflow via 
specially crafted image dimensions.

Successful exploitation may allow execution of arbitrary code.

The vulnerability is reported in version 0.2.0. Other versions may also be affected.


Solution
Fixed in the source code repository.

Provided and/or discovered by
Murray McAllister, Red Hat Security Response Team

Original Advisory
Red Hat:
https://bugzilla.redhat.com/show_bug.cgi?id=856300
Comment 1 Sebastian Pipping gentoo-dev 2012-11-06 19:40:03 UTC
+*gegl-0.2.0-r1 (06 Nov 2012)
+
+  06 Nov 2012; Sebastian Pipping <sping@gentoo.org> +gegl-0.2.0-r1.ebuild,
+  +files/gegl-0.2.0-cve-2012-4433-1e92e523.patch,
+  +files/gegl-0.2.0-cve-2012-4433-4757cdf7.patch:
+  Integrate Redhat patches for CVE-2012-4433 (bug #442016)
+


0.1.6 and 0.1.8 unchecked.
Comment 2 Sean Amoss (RETIRED) gentoo-dev Security 2012-11-10 18:32:53 UTC
Thanks, Sebastian. 0.1.6 and 0.1.8 appear to also be affected. Is =media-libs/gegl-0.2.0-r1 ready for stabilization?
Comment 3 Sebastian Pipping gentoo-dev 2012-11-17 15:48:31 UTC
(In reply to comment #2)
> Thanks, Sebastian. 0.1.6 and 0.1.8 appear to also be affected. Is
> =media-libs/gegl-0.2.0-r1 ready for stabilization?

One of the two patches needed minimal "porting"...


+*gegl-0.1.8-r1 (17 Nov 2012)
+*gegl-0.1.6-r1 (17 Nov 2012)
+
+  17 Nov 2012; Sebastian Pipping <sping@gentoo.org> +gegl-0.1.6-r1.ebuild,
+  +gegl-0.1.8-r1.ebuild, +files/gegl-0.1.8-cve-2012-4433-4757cdf7.patch:
+  Patch 0.1.6 and 0.1.8 for CVE-2012-4433, too (bug #442016)
+
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2012-11-20 00:28:51 UTC
CVE-2012-4433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4433):
  Multiple integer overflows in operations/external/ppm-load.c in GEGL
  (Generic Graphics Library) 0.2.0 allow remote attackers to cause a denial of
  service (application crash) or possibly execute arbitrary code via a large
  (1) width or (2) height value in a Portable Pixel Map (ppm) image, which
  triggers a heap-based buffer overflow.
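The Secunia description above and the NVD text in this comment both describe the same pattern: attacker-controlled width and height from a PPM header are multiplied to size a heap buffer, the product wraps, and the pixel copy then runs past the undersized allocation. The following is an added, illustrative example written for this bug page; it is not GEGL's code from operations/external/ppm-load.c, and the function names, the PPM_MAX_DIM cap and the 8-bit-only restriction are assumptions chosen for the demonstration. It shows the wrapping size computation next to a hardened header parser that rejects any dimensions whose product cannot be allocated safely.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on a single image dimension (not a GEGL constant). */
#define PPM_MAX_DIM 32768UL

/* The bug class behind CVE-2012-4433, reduced to its core: a 32-bit product of
 * attacker-controlled dimensions silently wraps, so the allocator is asked for
 * a tiny buffer while the pixel loop still walks the real width*height.
 * Kept here only to contrast with the checked version below. */
uint32_t naive_pixel_bytes(uint32_t width, uint32_t height)
{
    return width * height * 3u;   /* wraps modulo 2^32 for large inputs */
}

/* Hardened size computation: reject zero or oversize dimensions and test each
 * multiplication against SIZE_MAX before performing it.
 * Returns the byte count, or 0 if the request must be refused. */
size_t checked_pixel_bytes(unsigned long width, unsigned long height,
                           unsigned channels)
{
    if (width == 0 || height == 0 || channels == 0)
        return 0;
    if (width > PPM_MAX_DIM || height > PPM_MAX_DIM)
        return 0;
    if ((size_t)width > SIZE_MAX / (size_t)height)
        return 0;
    size_t pixels = (size_t)width * (size_t)height;
    if (pixels > SIZE_MAX / channels)
        return 0;
    return pixels * channels;
}

/* Read one unsigned decimal header field from a NUL-terminated string,
 * skipping leading whitespace. Fails on missing digits or ERANGE overflow. */
static int read_field(const char **p, unsigned long *val)
{
    while (isspace((unsigned char)**p))
        (*p)++;
    if (!isdigit((unsigned char)**p))
        return 0;
    errno = 0;
    char *end;
    unsigned long v = strtoul(*p, &end, 10);
    if (errno == ERANGE)
        return 0;
    *p = end;
    *val = v;
    return 1;
}

/* Parse a binary PPM ("P6 <width> <height> <maxval>") header and return the
 * size of the pixel buffer to allocate, or 0 if the header is rejected.
 * Only 8-bit samples (maxval <= 255) are accepted in this example. */
size_t ppm_plan_alloc(const char *header)
{
    if (strncmp(header, "P6", 2) != 0)
        return 0;
    const char *p = header + 2;
    unsigned long w, h, maxval;
    if (!read_field(&p, &w) || !read_field(&p, &h) || !read_field(&p, &maxval))
        return 0;
    if (maxval == 0 || maxval > 255)
        return 0;
    return checked_pixel_bytes(w, h, 3);
}
```

A loader built on ppm_plan_alloc() never reaches malloc() with a wrapped size: the 65536x65536 case that makes naive_pixel_bytes() return 0 is refused outright, as is any header whose dimension fields overflow strtoul(). Capping each dimension separately (PPM_MAX_DIM here) is the cheaper first line of defence; the SIZE_MAX division checks are what make the computation correct regardless of the cap chosen.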
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2013-01-03 00:29:32 UTC
(In reply to comment #3)
> (In reply to comment #2)
> > Thanks, Sebastian. 0.1.6 and 0.1.8 appear to also be affected. Is
> > =media-libs/gegl-0.2.0-r1 ready for stabilization?
> 
> One of the two patches needed minimal "porting"...
> 
> 
> +*gegl-0.1.8-r1 (17 Nov 2012)
> +*gegl-0.1.6-r1 (17 Nov 2012)
> +
> +  17 Nov 2012; Sebastian Pipping <sping@gentoo.org> +gegl-0.1.6-r1.ebuild,
> +  +gegl-0.1.8-r1.ebuild, +files/gegl-0.1.8-cve-2012-4433-4757cdf7.patch:
> +  Patch 0.1.6 and 0.1.8 for CVE-2012-4433, too (bug #442016)
> +

Thanks, Sebastian. Shall we stabilize 0.1.6-r1 then, or another version?
Comment 6 Chris Reffett (RETIRED) gentoo-dev Security 2013-09-11 03:46:54 UTC
Arches, please test and stabilize:
=media-libs/gegl-0.1.6-r1
Target arches: alpha amd64 hppa ia64 ppc ppc64 sparc x86
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2013-09-30 23:14:13 UTC
GLSA drafted and ready for review.
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2013-10-06 22:50:13 UTC
GLSA has been sent. 

Maintainers, please drop vulnerable versions so we can close this up. Thanks.
Comment 9 Sebastian Pipping gentoo-dev 2013-10-27 01:43:21 UTC
(In reply to Sean Amoss from comment #8)
> GLSA has been sent. 
> 
> Maintainers, please drop vulnerable versions so we can close this up. Thanks.

+  27 Oct 2013; Sebastian Pipping <sping@gentoo.org> -gegl-0.2.0-r1.ebuild:
+  Removing 0.2.0-r1 for security (bug #442016)
+

I'm keeping

  gegl-0.1.6.ebuild 
  gegl-0.1.6-r1.ebuild
  gegl-0.1.8-r1.ebuild

to keep "<media-libs/gegl-0.2" from media-gfx/gimp-2.6.12-r5 satisfied.
I'm open to suggestion on deleting more.
Comment 10 Sergey Popov gentoo-dev 2013-12-31 07:44:43 UTC
(In reply to Sebastian Pipping from comment #9)
> (In reply to Sean Amoss from comment #8)
> > GLSA has been sent. 
> > 
> > Maintainers, please drop vulnerable versions so we can close this up. Thanks.
> 
> +  27 Oct 2013; Sebastian Pipping <sping@gentoo.org> -gegl-0.2.0-r1.ebuild:
> +  Removing 0.2.0-r1 for security (bug #442016)
> +
> 
> I'm keeping
> 
>   gegl-0.1.6.ebuild 
>   gegl-0.1.6-r1.ebuild
>   gegl-0.1.8-r1.ebuild
> 
> to keep "<media-libs/gegl-0.2" from media-gfx/gimp-2.6.12-r5 satisfied.
> I'm open to suggestion on deleting more.

Two notes:

1) 0.1.6-r1 was not stabilized as requested. Should we proceed with its stabilization? Or is stabilizing 0.2.0-r2, which happened in bug #481736, fine?
2) 0.1.6 is vulnerable, so it should be treecleaned. 0.1.6-r1 seems fine.
Comment 11 Pacho Ramos gentoo-dev 2013-12-31 17:44:53 UTC
0.2.0-r2 was stabilized and older versions are only needed by old gimp, so dropping old versions of gimp and gegl would be enough.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2014-08-27 03:01:48 UTC
Maintainer(s), Thank you for cleanup!

Added to existing GLSA
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2014-11-24 22:31:17 UTC
This issue was resolved and addressed in
 GLSA 201310-05 at http://security.gentoo.org/glsa/glsa-201310-05.xml
by GLSA coordinator Sean Amoss (ackle).