CLD-182 Details
Other IDs this deficiency may be known by:
Basic Information:
Affected Package(s): gimp
Deficiency Type: SECURITY
Date Created: 2017-12-19 11:11:29
Date Last Modified: 2017-12-19 13:36:51
Version Specific Information:
Cucumber 1.0 i686:   fixed in gimp-2.8.22-i686-2
Cucumber 1.0 x86_64: fixed in gimp-2.8.22-x86_64-2 and gimp-lib_i686-2.8.22-lib_i686-2
Cucumber 1.1 i686:   fixed in gimp-2.8.22-i686-2
Cucumber 1.1 x86_64: fixed in gimp-2.8.22-x86_64-2 and gimp-lib_i686-2.8.22-lib_i686-2
Details:
================================ Initial Report ================================
From Gnome Bugzilla (https://bugzilla.gnome.org/show_bug.cgi?id=739133):
I discovered an out-of-bounds write / heap overflow in the fli importer of
GIMP. This can be triggered by the attached sample which has been generated by
the zzuf fuzzing tool. It will crash the plugin if gimp has been compiled with
-fsanitize=address. I'll attach the sample and the output of address
sanitizer. This may be a security issue if a user opens files from untrusted
sources.
============================ Additional Information ============================
From Openwall's oss-security mailing list:
Hi,
See also
https://flimp.fuzzing-project.org/
Background: In 2014, back when I started the fuzzing project, I
reported two bugs in GIMP in their more obscure parsers. Recently I was
contacted by Tobias Stöckmann who wrote a working exploit (on freebsd <-
no aslr, thus easier) for one of those bugs in the FLIC parser. He also
submitted a patch.
The bugs were ignored all the time, patches as well.
I reported a couple more bugs and also contacted the GNOME security
team. Some have patches, others not; only one got handled. It seems
overall the file format importers are unmaintained.
I also tried to submit a fuzzing guide to the gimp wiki, which failed,
because the people who are supposed to hand out user accounts don't
answer. (gimp is not fuzzing friendly.)
The bugs:
Heap overflow in FLI import (the one where we have an exploit):
https://bugzilla.gnome.org/show_bug.cgi?id=739133
OOB read in TGA (with patch)
https://bugzilla.gnome.org/show_bug.cgi?id=739134
OOB read in XCF (patch, the only one that got merged and fixed)
https://bugzilla.gnome.org/show_bug.cgi?id=790783
OOB read in GBR (no patch, looks like string/utf8 issue)
https://bugzilla.gnome.org/show_bug.cgi?id=790784
Heap overflow in PSP (no patch, doesn't look straightforward to fix)
https://bugzilla.gnome.org/show_bug.cgi?id=790849
OOB read in PSP (no patch)
https://bugzilla.gnome.org/show_bug.cgi?id=790853
--
Hanno Böck
https://hboeck.de/
mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
================================= Our Analysis =================================
----- Affected Products -----
Versions of GIMP up to and including 2.8.22 that have not had the patch from
https://bug739133.bugzilla-attachments.gnome.org/attachment.cgi?id=362488
applied are vulnerable to this. As of the writing of this analysis
(Tue Dec 19 11:44:44 EST 2017), 2.8.22 is the most recent stable version of
GIMP.
----- Scope and Impact of this Vulnerability -----
This vulnerability can result in an out-of-bounds write on the heap. As with any
out-of-bounds write, this has the potential to lead to arbitrary code execution.
----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the patch from
https://bug739133.bugzilla-attachments.gnome.org/attachment.cgi?id=362488.
================================= Our Solution =================================
We have applied the aforementioned patch and rebuilt GIMP.