CLD-182 Details

Other IDs this deficiency may be known by:

CVE ID: CVE-2017-17785 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s): Bug 739133

Basic Information:

Affected Package(s): gimp
Deficiency Type: SECURITY
Date Created: 2017-12-19 11:11:29
Date Last Modified: 2017-12-19 13:36:51

Version Specific Information:

Cucumber 1.0 i686: fixed in gimp-2.8.22-i686-2
Cucumber 1.0 x86_64: fixed in gimp-2.8.22-x86_64-2 and gimp-lib_i686-2.8.22-lib_i686-2

Cucumber 1.1 i686: fixed in gimp-2.8.22-i686-2
Cucumber 1.1 x86_64: fixed in gimp-2.8.22-x86_64-2 and gimp-lib_i686-2.8.22-lib_i686-2

Details:

================================ Initial Report ================================

From Gnome Bugzilla (https://bugzilla.gnome.org/show_bug.cgi?id=739133):

I discovered an out-of-bounds write / heap overflow in the fli importer of
GIMP.  This can be triggered by the attached sample which has been generated by
the zzuf fuzzing tool. It will crash the plugin if gimp has been compiled with
-fsanitize=address.  I'll attach the sample and the output of address
sanitizer. This may be a security issue if a user opens files from untrusted
sources.

============================ Additional Information ============================

From Openwall's oss-security mailing list:

Hi,

See also
https://flimp.fuzzing-project.org/

Background: In 2014, back when I started the fuzzing project, I
reported two bugs in GIMP in their more obscure parsers. Recently I was
contacted by Tobias Stöckmann who wrote a working exploit (on freebsd <-
no aslr, thus easier) for one of those bugs in the FLIC parser. He also
submitted a patch.

The bugs were ignored all the time, patches as well.

I reported a couple of more bugs and also contacted the GNOME security
team. Some have patches, others not, only one got handled. It seems
overall the file format importers are unmaintained.
I also tried to submit a fuzzing guide to the gimp wiki, which failed,
because the people who are supposed to hand out user accounts don't
answer. (gimp is not fuzzing friendly.)

The bugs:

Heap overflow in FLI import (the one where we have an exploit):
https://bugzilla.gnome.org/show_bug.cgi?id=739133

OOB read in TGA (with patch)
https://bugzilla.gnome.org/show_bug.cgi?id=739134

OOB read in XCF (patch, the only one that got merged and fixed)
https://bugzilla.gnome.org/show_bug.cgi?id=790783

OOB read in GBR (no patch, looks like string/utf8 issue)
https://bugzilla.gnome.org/show_bug.cgi?id=790784

Heap overflow in PSP (no patch, doesn't look straightforward to fix)
https://bugzilla.gnome.org/show_bug.cgi?id=790849

OOB read in PSP (no patch)
https://bugzilla.gnome.org/show_bug.cgi?id=790853


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno@hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42


================================= Our Analysis =================================

----- Affected Products -----
Versions of GIMP up to and including 2.8.22 that have not had the patch from
https://bug739133.bugzilla-attachments.gnome.org/attachment.cgi?id=362488
applied are vulnerable to this. As of the writing of this analysis
(Tue Dec 19 11:44:44 EST 2017), 2.8.22 is the most recent stable version of
GIMP.

----- Scope and Impact of this Vulnerability -----
This vulnerability can result in an out-of-bounds write. As with any
out-of-bounds write, this has the potential to lead to arbitrary code execution.

----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the patch from
https://bug739133.bugzilla-attachments.gnome.org/attachment.cgi?id=362488

================================= Our Solution =================================

We have applied the aforementioned patch and rebuilt GIMP.
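As an added check, not part of this advisory or of Cucumber Linux's own tooling, the following POSIX sh script parses package names in the NAME-VERSION-ARCH-BUILD form used by the "fixed in" lines above and reports whether each installed gimp package is at or past the build that carries the fix. It treats any version newer than 2.8.22 as fixed, following the "up to and including 2.8.22" statement in the analysis. The list of installed packages is a constructed sample; on a real system it would come from the Slackware-style package database (assumed here to live under /var/log/packages, which is an assumption of this example).

```shell
#!/bin/sh
# Added example for CLD-182; not part of the advisory or of Cucumber Linux's
# tooling. Parses Slackware-style package names (NAME-VERSION-ARCH-BUILD) and
# reports whether an installed gimp package is at or past the fixed build.

FIXED_VERSION="2.8.22"   # version named in the "fixed in" lines of the advisory
FIXED_BUILD=2            # build number named in the "fixed in" lines

# split_pkg NAME-VERSION-ARCH-BUILD: prints "name version arch build".
# Fields are peeled from the right so a hyphenated name (gimp-lib_i686) survives.
split_pkg() {
    pkg=$1
    build=${pkg##*-};    rest=${pkg%-*}
    arch=${rest##*-};    rest=${rest%-*}
    version=${rest##*-}; name=${rest%-*}
    printf '%s %s %s %s\n' "$name" "$version" "$arch" "$build"
}

# version_ge A B: succeeds when dotted-numeric version A >= B.
# Assumes purely numeric components, which is all this advisory uses.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        if [ "$ai" = "$a" ]; then a=; else a=${a#*.}; fi
        if [ "$bi" = "$b" ]; then b=; else b=${b#*.}; fi
        ai=${ai:-0}; bi=${bi:-0}
        if [ "$ai" -gt "$bi" ]; then return 0; fi
        if [ "$ai" -lt "$bi" ]; then return 1; fi
    done
    return 0
}

# gimp_fixed PKG: returns 0 if PKG is one of the gimp packages from this
# advisory at or past the fixed build, 1 if it is older (vulnerable),
# 2 if PKG is not a gimp package at all.
gimp_fixed() {
    set -- $(split_pkg "$1")
    name=$1; version=$2; build=$4
    case $name in
        gimp|gimp-lib_i686) ;;
        *) return 2 ;;
    esac
    if [ "$version" = "$FIXED_VERSION" ]; then
        [ "$build" -ge "$FIXED_BUILD" ]      # same version: the build must carry the patch
    else
        version_ge "$version" "$FIXED_VERSION"
    fi
}

# Constructed sample standing in for `ls /var/log/packages` (assumed location
# of the Slackware-style package database on Cucumber Linux).
SAMPLE_PKGS="gimp-2.8.22-x86_64-1
gimp-lib_i686-2.8.22-lib_i686-2
gimp-2.8.20-x86_64-3
glibc-2.26-x86_64-1"

# vulnerable_count LIST: prints how many packages in LIST are gimp packages
# older than the fixed build (0 means nothing to do for CLD-182).
vulnerable_count() {
    n=0
    for p in $1; do
        status=0
        gimp_fixed "$p" || status=$?
        [ "$status" -eq 1 ] && n=$((n + 1))
    done
    echo "$n"
}

# report_gimp LIST: prints one status line per gimp package in LIST.
report_gimp() {
    for p in $1; do
        status=0
        gimp_fixed "$p" || status=$?
        case $status in
            0) echo "ok         $p" ;;
            1) echo "VULNERABLE $p" ;;
        esac
    done
}

report_gimp "$SAMPLE_PKGS"
echo "vulnerable gimp packages: $(vulnerable_count "$SAMPLE_PKGS")"
```

Replace SAMPLE_PKGS with the real package list to use it as a post-upgrade check; a count of 0 means every installed gimp package is at or past the builds listed in the Version Specific Information above.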