CVE-2006-3404: #377049 - gimp: Buffer overrun in XCF reading code
Buffer overflow in the xcf_load_vector function in app/xcf/xcf-load.c for gimp before 2.2.12 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XCF file with a large num_axes value in the VECTORS property.
Debian Bug report logs - #377049
gimp: Buffer overrun in XCF reading code
Reported by: Henning Makholm [email protected]
Date: Thu, 6 Jul 2006 11:18:14 UTC
Severity: grave
Tags: fixed, fixed-in-experimental, fixed-upstream, patch, security
Found in versions gimp/2.2.6-1, gimp/2.2.11-3, gimp/2.3.9-1
Fixed in versions gimp/2.2.12-1, gimp/2.3.10-1
Done: Thijs Kinkhorst [email protected]
Bug is archived. No further changes may be made.
Report forwarded to [email protected], Ari Pollak <[email protected]>: Bug#377049; Package gimp.
Acknowledgement sent to Henning Makholm <[email protected]>: New Bug report received and forwarded. Copy sent to Ari Pollak <[email protected]>.
Message #5 received at [email protected]:
Package: gimp
Version: 2.2.6-1
Severity: grave
Tags: security patch
Justification: user security hole
I have reported this bug privately to the maintainer and the security team, but it turns out that the upstream developers have no way of reporting security bugs privately, so it is hereby in the open. It is #346742 in the upstream bug tracking system.
The problem is in the function xcf_load_vector() in app/xcf/xcf-load.c of the source tree. For each "stroke" being read, the code reads a uint32 from the XCF file into the variable num_axes, and then for each control point of the stroke reads num_axes floats from the file into the stack-allocated array coords whose size is hard-coded as 6.
A malicious XCF file creator could write a large number into the num_axes position and trick the XCF reader into overwriting part of the stack with raw data read from the file. On little-endian systems, the function xcf_read_float() that actually reads the floats does a byte-order conversion on the data it reads but does not do any special float processing, so an attacker has direct control of the data written to the stack.
I have not attempted to construct a working exploit (though I did verify being able to crash Gimp with a naively patched image file), but there seems to be no reason why the overrun could not be used to mount a standard arbitrary code execution attack if one can get the victim to try to load an appropriately crafted image file.
The attack is in the VECTORS property of an XCF file which pure XCF _viewers_ (e.g. imagemagick or xcftools) normally skip without parsing. Thus an attack file can easily be written such that the image will display correctly with no symptoms at all in a viewer application.
The same bug appears in the unstable (2.2.11) and experimental (2.3.9) versions, as well as the upstream CVS head.
The attached patch should fix it (more gracefully than the one in my earlier private report).
[gimppatch2 (text/plain, attachment)]
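The overrun the report describes, as an added example that is not code from the report, from the attached patch or from GIMP itself: a stand-alone C reader for one stroke record of the VECTORS property, with the unchecked coordinate loop beside a bounded one. The record layout follows what the report states (a uint32 num_axes per stroke, then num_axes floats per control point copied into a six-float stack array); the remaining field order, the function names, the [2, 6] bound and the sample stroke bytes are assumptions constructed for this example. The unchecked path deliberately never performs the out-of-bounds write; it counts the bytes that would have landed past the array.

```c
/* Added example, not GIMP's or the reporter's code: a stand-alone reader for
 * one stroke record of an XCF VECTORS property, shaped like xcf_load_vector().
 * Per the report: big-endian uint32 header fields, then per control point an
 * int32 type and num_axes big-endian floats copied into a 6-float stack array.
 * Field order beyond what the report states is assumed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define XCF_MAX_AXES 6   /* size of the hard-coded gfloat coords[6] */
typedef struct { const uint8_t *p; size_t len, pos; } xcf_buf;
typedef enum { STROKE_OK = 0, STROKE_TRUNCATED = -1, STROKE_BAD_AXES = -2 } stroke_status;

/* Big-endian uint32, as xcf_read_int32() does.  Returns 0 on truncation. */
static int rd_u32(xcf_buf *b, uint32_t *out)
{
    if (b->len - b->pos < 4) return 0;
    const uint8_t *q = b->p + b->pos;
    *out = ((uint32_t)q[0] << 24) | ((uint32_t)q[1] << 16) |
           ((uint32_t)q[2] << 8)  |  (uint32_t)q[3];
    b->pos += 4;
    return 1;
}

/* Float as xcf_read_float() reads it: byte-swap, then reinterpret the bits.
 * Nothing validates the value, so every byte stored is attacker-chosen. */
static int rd_f32(xcf_buf *b, float *out)
{
    uint32_t u;
    if (!rd_u32(b, &u)) return 0;
    memcpy(out, &u, sizeof u);
    return 1;
}

/* Parse one stroke.  checked != 0 is the hardened path: reject num_axes outside
 * [2, XCF_MAX_AXES] before the coordinate loop (6 is the array size from the
 * report; 2, for x and y, is an assumed lower bound).  The unchecked path mirrors
 * the vulnerable loop but only counts the bytes that would land past coords[]. */
static stroke_status load_stroke(xcf_buf *b, int checked, size_t *overrun)
{
    uint32_t stroke_type, closed, num_axes, num_points;
    float coords[XCF_MAX_AXES] = {0};

    *overrun = 0;
    if (!rd_u32(b, &stroke_type) || !rd_u32(b, &closed) ||
        !rd_u32(b, &num_axes)    || !rd_u32(b, &num_points))
        return STROKE_TRUNCATED;
    if (checked && (num_axes < 2 || num_axes > XCF_MAX_AXES))
        return STROKE_BAD_AXES;

    for (uint32_t j = 0; j < num_points; j++) {
        uint32_t type;
        if (!rd_u32(b, &type)) return STROKE_TRUNCATED;
        for (uint32_t k = 0; k < num_axes; k++) {
            float f;
            if (!rd_f32(b, &f)) return STROKE_TRUNCATED;
            if (k < XCF_MAX_AXES)
                coords[k] = f;        /* in bounds: what the real code did */
            else
                *overrun += sizeof f; /* the real code wrote here, past coords[] */
        }
    }
    (void)coords; (void)stroke_type; (void)closed;
    return STROKE_OK;
}

static size_t put_u32(uint8_t *d, uint32_t v)
{ d[0] = (uint8_t)(v >> 24); d[1] = (uint8_t)(v >> 16); d[2] = (uint8_t)(v >> 8); d[3] = (uint8_t)v; return 4; }

/* Constructed sample: one control point with num_axes coordinates, each the
 * byte pattern 0x41414141 an attacker might choose. */
static size_t build_stroke(uint8_t *out, size_t cap, uint32_t num_axes)
{
    size_t n = 0;
    if (cap < 20 + (size_t)num_axes * 4) return 0;
    n += put_u32(out + n, 0);          /* stroke_type_id */
    n += put_u32(out + n, 0);          /* closed */
    n += put_u32(out + n, num_axes);
    n += put_u32(out + n, 1);          /* num_control_points */
    n += put_u32(out + n, 0);          /* control point type */
    for (uint32_t k = 0; k < num_axes; k++)
        n += put_u32(out + n, 0x41414141u);
    return n;
}

/* Run the reader over a constructed stroke: status, and the would-be overrun. */
static stroke_status run_sample(uint32_t num_axes, int checked, size_t *ov)
{
    uint8_t buf[1024];
    xcf_buf b = { buf, build_stroke(buf, sizeof buf, num_axes), 0 };
    return load_stroke(&b, checked, ov);
}
static int    stroke_status_for(uint32_t n, int checked) { size_t ov; return run_sample(n, checked, &ov); }
static size_t stroke_overrun_for(uint32_t n) { size_t ov; run_sample(n, 0, &ov); return ov; }

int main(void) { printf("64 axes: unchecked status %d (%zu bytes past coords[]), hardened status %d\n",
    stroke_status_for(64, 0), stroke_overrun_for(64), stroke_status_for(64, 1)); return 0; }
```

Built with `cc -std=c99`, the unchecked reader accepts a 64-axis stroke and reports 232 bytes (58 extra floats of attacker-chosen bits) that the real loop would have written past the six-float array on the stack, while the checked reader refuses the stroke before a single float is copied. The check belongs exactly where `checked` is tested: after num_axes is read and before the coordinate loop, since by the time the loop runs the damage is already being done.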
Bug marked as found in version 2.2.11-3. Request was from Henning Makholm <[email protected]> to [email protected].
Bug marked as found in version 2.3.9-1. Request was from Henning Makholm <[email protected]> to [email protected].
Bug marked as found in version 2.3.9-1. Request was from Steve Langasek <[email protected]> to [email protected].
Information forwarded to [email protected], Ari Pollak <[email protected]>: Bug#377049; Package gimp.
Acknowledgement sent to Micah Anderson <[email protected]>: Extra info received and forwarded to list. Copy sent to Ari Pollak <[email protected]>.
Message #16 received at [email protected]:
Hi,
I’ve requested that a CVE ID be assigned for this issue. It has been allocated:
Name: CVE-2006-3404
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3404
Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=377049
Buffer overflow in the xcf_load_vector function in app/xcf/xcf-load.c for gimp 2.2.6 allows user-complicit attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XCF file with a large num_axes value in the VECTORS property
Please be sure to mention this CVE ID in any changelog that fixes this issue.
Micah
Information forwarded to [email protected], Ari Pollak <[email protected]>: Bug#377049; Package gimp.
Acknowledgement sent to Henning Makholm <[email protected]>: Extra info received and forwarded to list. Copy sent to Ari Pollak <[email protected]>.
Message #21 received at [email protected]:
tag 377049 fixed-upstream
thanks
This bug is fixed in the upstream Gimp release 2.2.12.
The fix did not make it into the development release 2.3.10, but I have verified that it exists in the development CVS, so it will probably be fixed in 2.3.11.
-- Henning Makholm
"It was intended to compile from some approximation to the M-notation, but the M-notation was never fully defined, because representing LISP functions by LISP lists became the dominant programming language when the interpreter later became available."
Tags added: fixed-upstream. Request was from Henning Makholm <[email protected]> to [email protected].
Tags added: fixed. Request was from James Vega <[email protected]> to [email protected].
Reply sent to Ari Pollak <[email protected]>: You have taken responsibility.
Notification sent to Henning Makholm <[email protected]>: Bug acknowledged by developer.
Message #30 received at [email protected]:
Source: gimp
Source-Version: 2.2.12-1
We believe that the bug you reported is fixed in the latest version of gimp, which is due to be installed in the Debian FTP archive:
gimp-data_2.2.12-1_all.deb to pool/main/g/gimp/gimp-data_2.2.12-1_all.deb
gimp-dbg_2.2.12-1_amd64.deb to pool/main/g/gimp/gimp-dbg_2.2.12-1_amd64.deb
gimp-helpbrowser_2.2.12-1_amd64.deb to pool/main/g/gimp/gimp-helpbrowser_2.2.12-1_amd64.deb
gimp-python_2.2.12-1_amd64.deb to pool/main/g/gimp/gimp-python_2.2.12-1_amd64.deb
gimp-svg_2.2.12-1_amd64.deb to pool/main/g/gimp/gimp-svg_2.2.12-1_amd64.deb
gimp_2.2.12-1.diff.gz to pool/main/g/gimp/gimp_2.2.12-1.diff.gz
gimp_2.2.12-1.dsc to pool/main/g/gimp/gimp_2.2.12-1.dsc
gimp_2.2.12-1_amd64.deb to pool/main/g/gimp/gimp_2.2.12-1_amd64.deb
gimp_2.2.12.orig.tar.gz to pool/main/g/gimp/gimp_2.2.12.orig.tar.gz
libgimp2.0-dev_2.2.12-1_amd64.deb to pool/main/g/gimp/libgimp2.0-dev_2.2.12-1_amd64.deb
libgimp2.0-doc_2.2.12-1_all.deb to pool/main/g/gimp/libgimp2.0-doc_2.2.12-1_all.deb
libgimp2.0_2.2.12-1_amd64.deb to pool/main/g/gimp/libgimp2.0_2.2.12-1_amd64.deb
A summary of the changes between this version and the previous one is attached.
Thank you for reporting the bug, which will now be closed. If you have further comments please address them to [email protected], and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software pp. Ari Pollak [email protected] (supplier of updated gimp package)
(This message was generated automatically at their request; if you believe that there is a problem with it please contact the archive administrators by mailing [email protected])
Format: 1.7
Date: Tue, 11 Jul 2006 14:30:03 -0400
Source: gimp
Binary: gimp-python libgimp2.0-doc gimp-data gimp gimp-helpbrowser libgimp2.0 gimp-svg libgimp2.0-dev gimp-dbg
Architecture: source amd64 all
Version: 2.2.12-1
Distribution: unstable
Urgency: low
Maintainer: Ari Pollak [email protected]
Changed-By: Ari Pollak [email protected]
Description:
 gimp - The GNU Image Manipulation Program
 gimp-data - Data files for The GIMP
 gimp-dbg - Debugging symbols for The GIMP
 gimp-helpbrowser - Built-in Help Browser plugin for The GIMP
 gimp-python - Python support and plugins for The GIMP
 gimp-svg - SVG (Scalable Vector Graphics) plugin for The GIMP
 libgimp2.0 - Libraries necessary to Run the GIMP
 libgimp2.0-dev - Headers and other files for compiling plugins for The GIMP
 libgimp2.0-doc - Developers' Documentation for the GIMP library
Closes: 339115 377049
Changes:
 gimp (2.2.12-1) unstable; urgency=low
 .
   * New upstream release
     - Fixes segfault when closing image while saving it (Closes: #339115)
   * Acknowledge NMU (Closes: #377049), revert patch which has been applied upstream
Files:
 cc817256038e6d142d848f6b75d2402b 1263 graphics optional gimp_2.2.12-1.dsc
 89ececcfa9905b9100d2563334b221ec 18552000 graphics optional gimp_2.2.12.orig.tar.gz
 ac6368f894443ed21fe098185c738b13 27530 graphics optional gimp_2.2.12-1.diff.gz
 b8fdf89f7363740cff1e82ded2b75997 6770958 graphics optional gimp-data_2.2.12-1_all.deb
 549f43544840daf05e0556d13783144a 567520 doc optional libgimp2.0-doc_2.2.12-1_all.deb
 815b15169ea37cb4ed11722e093dd61c 574558 libs optional libgimp2.0_2.2.12-1_amd64.deb
 8f63afa6269c495c1408bf36f61fec79 63566 graphics optional gimp-helpbrowser_2.2.12-1_amd64.deb
 7effdb284ce44011b3bccddec11255a2 144322 graphics optional gimp-python_2.2.12-1_amd64.deb
 b582f7058bf523b94645f8f794881959 63838 graphics optional gimp-svg_2.2.12-1_amd64.deb
 206aa40c0eef845e658d79f9c542cfb8 3235344 graphics optional gimp_2.2.12-1_amd64.deb
 10cf85e3d095dc8fe4a2f9e37ac75f76 118980 libdevel optional libgimp2.0-dev_2.2.12-1_amd64.deb
 1925045f0a7b03608d87a1298da66a97 8393180 graphics extra gimp-dbg_2.2.12-1_amd64.deb
Tags added: fixed-in-experimental. Request was from Ari Pollak <[email protected]> to [email protected].
Bug archived. Request was from Debbugs Internal Request <[email protected]> to [email protected]. (Mon, 25 Jun 2007 13:25:09 GMT)
Bug unarchived. Request was from Lucas Nussbaum <[email protected]> to control@bugs.debian.org. (Sat, 09 Aug 2008 17:48:16 GMT)
Reply sent to Moritz Muehlenhoff <[email protected]>: You have taken responsibility.
Notification sent to Henning Makholm <[email protected]>: Bug acknowledged by developer.
Message #41 received at [email protected]:
Version: 2.2.12-1
Reply sent to Thijs Kinkhorst <[email protected]>: You have taken responsibility.
Notification sent to Henning Makholm <[email protected]>: Bug acknowledged by developer.
Message #46 received at [email protected]:
Version: 2.3.10-1
This has also been fixed in the 2.3 branch that came in via experimental.
Bug archived. Request was from Debbugs Internal Request <[email protected]> to [email protected]. (Thu, 11 Sep 2008 07:29:21 GMT)
Debian bug tracking system administrator <[email protected]>. Last modified: Mon Feb 7 17:30:16 2022; Machine Name: bembo
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.