Your message dated Tue, 11 Jul 2006 14:47:26 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#377049: fixed in gimp 2.2.12-1
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: gimp
Version: 2.2.6-1
Severity: grave
Tags: security patch
Justification: user security hole

I have reported this bug privately to the maintainer and the security
team, but it turns out that the upstream developers have no way of
reporting security bugs privately, so it is hereby in the open. It
is #346742 in the upstream bug tracking system.

The problem is in the function xcf_load_vector() in app/xcf/xcf-load.c
of the source tree. For each "stroke" being read, the code reads a
uint32 from the XCF file into the variable num_axes, and then for each
control point of the stroke reads num_axes floats from the file into
the stack-allocated array coords whose size is hard-coded as 6.

A malicious XCF file creator could write a large number into the
num_axes position and trick the XCF reader into overwriting part of
the stack with raw data read from the file. On little-endian systems,
the function xcf_read_float() that actually reads the floats does a
byte-order conversion on the data it reads but does not do any special
float processing, so an attacker has direct control of the data
written to the stack.

I have not attempted to construct a working exploit (though I did
verify being able to crash Gimp with a naively patched image file),
but there seems to be no reason why the overrun could not be used to
mount a standard arbitrary code execution attack if one can get the
victim to try to load an appropriately crafted image file.

The attack is in the VECTORS property of an XCF file which pure XCF
_viewers_ (e.g. imagemagick or xcftools) normally skip without
parsing.  Thus an attack file can easily be written such that the
image will display correctly with no symptoms at all in a viewer
application.

The same bug appears in the unstable (2.2.11) and experimental (2.3.9)
versions, as well as the upstream CVS head.

The attached patch should fix it (more gracefully than the one in my
earlier private report).
diff -rU6 gimp-2.2.6/app/xcf/xcf-load.c gimp-2.2.6.new/app/xcf/xcf-load.c
--- gimp-2.2.6/app/xcf/xcf-load.c       2004-11-03 12:50:37.000000000 +0100
+++ gimp-2.2.6.new/app/xcf/xcf-load.c   2006-07-06 12:27:33.982404488 +0200
@@ -1658,12 +1658,18 @@
           xcf_seek_pos (info,
                         info->cp + 4 * num_axes * num_control_points,
                         NULL);
           continue;
         }
 
+      if (num_axes < 2 || num_axes > 6)
+        {
+          g_printerr ("bad number of axes in stroke description\n");
+          return FALSE;
+        }
+
       control_points = g_value_array_new (num_control_points);
 
       anchor.selected = FALSE;
 
       for (j = 0; j < num_control_points; j++)
         {
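Review bot: the new range check is placed after the skip branch that ends in `continue;`, so that branch still evaluates `info->cp + 4 * num_axes * num_control_points` with an unvalidated num_axes; the seek writes nothing, but the 32-bit product can wrap, so moving the `num_axes < 2 || num_axes > 6` test above the skip branch (and noting in a comment that 6 is the size of the stack array coords[] from the report) would cover both paths and make the bound's origin visible.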

--- End Message ---
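As an added illustration of the overrun the report describes (this is not code from the report, from the patch or from GIMP itself): a simplified stroke reader with the bounds check in place. The stroke layout (num_axes, num_control_points, then the floats), the helper names and the sample bytes are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_AXES 6  /* matches the hard-coded coords[6] in xcf_load_vector() */

/* Big-endian uint32 reader (XCF stores integers big-endian). Hypothetical
 * helper with a bounds check; not GIMP's own xcf_read_int32(). */
static int read_u32(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out)
{
    if (len - *pos < 4) return 0;
    *out = ((uint32_t)buf[*pos] << 24) | ((uint32_t)buf[*pos + 1] << 16)
         | ((uint32_t)buf[*pos + 2] << 8) | buf[*pos + 3];
    *pos += 4;
    return 1;
}

/* Simplified stroke layout: uint32 num_axes, uint32 num_control_points, then
 * num_axes floats per control point. Returns control points parsed, or -1. */
int parse_stroke(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    uint32_t num_axes, num_control_points;
    float coords[MAX_AXES];  /* the fixed-size stack buffer from the report */

    if (!read_u32(buf, len, &pos, &num_axes)) return -1;
    if (!read_u32(buf, len, &pos, &num_control_points)) return -1;
    /* The check gimp 2.2.6 lacked: without it a file declaring num_axes > 6
     * drives the inner loop past the end of coords[]. */
    if (num_axes < 2 || num_axes > MAX_AXES) {
        fprintf(stderr, "bad number of axes in stroke description\n");
        return -1;
    }
    for (uint32_t j = 0; j < num_control_points; j++)
        for (uint32_t k = 0; k < num_axes; k++) {
            uint32_t raw;
            if (!read_u32(buf, len, &pos, &raw)) return -1;  /* truncated */
            memcpy(&coords[k], &raw, sizeof raw);  /* byte swap only, like xcf_read_float() */
        }
    return (int)num_control_points;
}

/* Constructed sample strokes, not taken from a real XCF file. */
static const uint8_t GOOD_STROKE[] = { 0,0,0,2, 0,0,0,1,           /* 2 axes, 1 point */
                                       0x3f,0x80,0,0, 0x40,0,0,0 }; /* 1.0f, 2.0f */
static const uint8_t BAD_STROKE[]  = { 0,0,1,0, 0,0,0,1 };         /* num_axes = 256 */

int demo_good(void) { return parse_stroke(GOOD_STROKE, sizeof GOOD_STROKE); }
int demo_bad(void)  { return parse_stroke(BAD_STROKE, sizeof BAD_STROKE); }
```

The rejected sample is refused before any float is read, which is the behaviour the patch's `return FALSE` gives the real loader.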
--- Begin Message ---
Source: gimp
Source-Version: 2.2.12-1

We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive:

gimp-data_2.2.12-1_all.deb
  to pool/main/g/gimp/gimp-data_2.2.12-1_all.deb
gimp-dbg_2.2.12-1_amd64.deb
  to pool/main/g/gimp/gimp-dbg_2.2.12-1_amd64.deb
gimp-helpbrowser_2.2.12-1_amd64.deb
  to pool/main/g/gimp/gimp-helpbrowser_2.2.12-1_amd64.deb
gimp-python_2.2.12-1_amd64.deb
  to pool/main/g/gimp/gimp-python_2.2.12-1_amd64.deb
gimp-svg_2.2.12-1_amd64.deb
  to pool/main/g/gimp/gimp-svg_2.2.12-1_amd64.deb
gimp_2.2.12-1.diff.gz
  to pool/main/g/gimp/gimp_2.2.12-1.diff.gz
gimp_2.2.12-1.dsc
  to pool/main/g/gimp/gimp_2.2.12-1.dsc
gimp_2.2.12-1_amd64.deb
  to pool/main/g/gimp/gimp_2.2.12-1_amd64.deb
gimp_2.2.12.orig.tar.gz
  to pool/main/g/gimp/gimp_2.2.12.orig.tar.gz
libgimp2.0-dev_2.2.12-1_amd64.deb
  to pool/main/g/gimp/libgimp2.0-dev_2.2.12-1_amd64.deb
libgimp2.0-doc_2.2.12-1_all.deb
  to pool/main/g/gimp/libgimp2.0-doc_2.2.12-1_all.deb
libgimp2.0_2.2.12-1_amd64.deb
  to pool/main/g/gimp/libgimp2.0_2.2.12-1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [EMAIL PROTECTED],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ari Pollak <[EMAIL PROTECTED]> (supplier of updated gimp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [EMAIL PROTECTED])



Format: 1.7
Date: Tue, 11 Jul 2006 14:30:03 -0400
Source: gimp
Binary: gimp-python libgimp2.0-doc gimp-data gimp gimp-helpbrowser libgimp2.0 
gimp-svg libgimp2.0-dev gimp-dbg
Architecture: source amd64 all
Version: 2.2.12-1
Distribution: unstable
Urgency: low
Maintainer: Ari Pollak <[EMAIL PROTECTED]>
Changed-By: Ari Pollak <[EMAIL PROTECTED]>
Description: 
 gimp       - The GNU Image Manipulation Program
 gimp-data  - Data files for The GIMP
 gimp-dbg   - Debugging symbols for The GIMP
 gimp-helpbrowser - Built-in Help Browser plugin for The GIMP
 gimp-python - Python support and plugins for The GIMP
 gimp-svg   - SVG (Scalable Vector Graphics) plugin for The GIMP
 libgimp2.0 - Libraries necessary to Run the GIMP
 libgimp2.0-dev - Headers and other files for compiling plugins for The GIMP
 libgimp2.0-doc - Developers' Documentation for the GIMP library
Closes: 339115 377049
Changes: 
 gimp (2.2.12-1) unstable; urgency=low
 .
   * New upstream release
     - Fixes segfault when closing image while saving it (Closes: #339115)
   * Acknowledge NMU (Closes: #377049), revert patch which has been applied
     upstream
Files: 



--- End Message ---
