CLD-182 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-17785 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s) Bug 739133

Basic Information:

Affected Package(s) gimp
Deficiency Type SECURITY
Date Created 2017-12-19 11:11:29
Date Last Modified 2017-12-19 13:36:51

Version Specific Information:

Cucumber 1.0 i686 fixed in gimp-2.8.22-i686-2
Cucumber 1.0 x86_64 fixed in gimp-2.8.22-x86_64-2 and gimp-lib_i686-2.8.22-lib_i686-2

Cucumber 1.1 i686 fixed in gimp-2.8.22-i686-2
Cucumber 1.1 x86_64 fixed in gimp-2.8.22-x86_64-2 and gimp-lib_i686-2.8.22-lib_i686-2


================================ Initial Report ================================

From Gnome Bugzilla (

I discovered an out-of-bounds write / heap overflow in the fli importer of
GIMP.  This can be triggered by the attached sample which has been generated by
the zzuf fuzzing tool. It will crash the plugin if gimp has been compiled with
-fsanitize=address.  I'll attach the sample and the output of address
sanitizer. This may be a security issue if a user opens files from untrusted

============================ Additional Information ============================

From Openwall's oss-security mailing list:


See also

Background: In 2014, back when I started the fuzzing project, I
reported two bugs in GIMP in their more obscure parsers. Recently I was
contacted by Tobias Stöckmann who wrote a working exploit (on FreeBSD <-
no ASLR, thus easier) for one of those bugs in the FLIC parser. He also
submitted a patch.

The bugs were ignored all the time, patches as well.

I reported a couple more bugs and also contacted the GNOME security
team. Some have patches, others not, only one got handled. It seems
overall the file format importers are unmaintained.
I also tried to submit a fuzzing guide to the gimp wiki, which failed,
because the people who are supposed to hand out user accounts don't
answer. (gimp is not fuzzing-friendly.)

The bugs:

Heap overflow in FLI import (the one where we have an exploit):

OOB read in TGA (with patch)

OOB read in XCF (patch, the only one that got merged and fixed)

OOB read in GBR (no patch, looks like string/utf8 issue)

Heap overflow in PSP (no patch, doesn't look straightforward to fix)

OOB read in PSP (no patch)

Hanno Böck

GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

================================= Our Analysis =================================

----- Affected Products -----
Versions of GIMP up to and including 2.8.22 that have not had the patch from
applied are vulnerable to this. As of the writing of this analysis
(Tue Dec 19 11:44:44 EST 2017), 2.8.22 is the most recent stable version of

----- Scope and Impact of this Vulnerability -----
This vulnerability results in an out-of-bounds heap write. As with out-of-bounds
writes in general, this has the potential to lead to arbitrary code execution.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the patch from

================================= Our Solution =================================

We have applied the aforementioned patch and rebuilt GIMP.