CLD-183 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-17786 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) gimp
Deficiency Type SECURITY
Date Created 2017-12-21 09:50:28
Date Last Modified 2017-12-22 17:49:56

Version Specific Information:

Cucumber 1.0 i686 fixed in gimp-2.8.22-i686-3
Cucumber 1.0 x86_64 fixed in gimp-2.8.22-x86_64-3 and gimp-lib_i686-2.8.22-lib_i686-3

Cucumber 1.1 i686 fixed in gimp-2.8.22-i686-3
Cucumber 1.1 x86_64 fixed in gimp-2.8.22-x86_64-3 and gimp-lib_i686-2.8.22-lib_i686-3

Details:

=================================== Overview ===================================

From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17786:

In GIMP 2.8.22, there is a heap-based buffer over-read in ReadImage in
plug-ins/common/file-tga.c (related to bgr2rgb.part.1) via an unexpected
bits-per-pixel value for an RGBA image.

================================ Initial Report ================================

From Hanno Bock on Gnome Bugzilla
(https://bugzilla.gnome.org/show_bug.cgi?id=739134):

The tga importer has an out of bounds read / heap overflow bug. The bug can be
triggered with the attached sample when GIMP was compiled with address
sanitizer. I'll attach the sample and the output of address sanitizer.
This is a potential (low severity) security issue, however as it is only a read
error it's unlikely there's a realistic exploit scenario. Still it should be
fixed.

============================ Additional Information ============================

See http://www.openwall.com/lists/oss-security/2017/12/19/5

================================= Our Analysis =================================

----- Affected Products -----
All versions of GIMP that have not had the patch from
https://git.gnome.org/browse/gimp/commit/?id=674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b
applied are affected by this vulnerability. This includes versions of GIMP up
to and including 2.8.22. As of the writing of this analysis (Thu Dec 21
10:36:43 EST 2017), 2.8.22 is the latest stable version of GIMP; future
releases may or may not be affected. GIMP as originally packaged in Cucumber
Linux 1.0 and 1.1 is vulnerable.

----- Scope and Impact of this Vulnerability -----
This vulnerability can result in an out of bounds read (a heap-based buffer
over-read) when the TGA importer processes a file whose declared
bits-per-pixel value does not match an RGBA image.
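The defensive pattern behind this class of bug, as an added illustration that is
not GIMP's code and not the upstream patch: a TGA importer must decide the true
byte width of a pixel from the header fields that have to agree (image type,
bits per pixel, and the alpha-bit count in the descriptor byte), and the
BGR-to-RGB swap must be given the length of the buffer it reads rather than
trusting a computed row size. The header layout is the standard 18-byte TGA
header; the acceptance policy in tga_bytes_per_pixel, the function names, and
the two sample headers are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>

/* Subset of the standard 18-byte, little-endian TGA header used here. */
typedef struct {
    uint8_t  image_type;   /* 2 = uncompressed true-colour, 10 = RLE true-colour */
    uint16_t width;
    uint16_t height;
    uint8_t  bpp;          /* declared bits per pixel (byte 16) */
    uint8_t  alpha_bits;   /* low nibble of the image descriptor (byte 17) */
} tga_header;

/* Parse the fixed header; returns 0 on success, -1 if the input is truncated. */
int tga_parse_header(const uint8_t *buf, size_t len, tga_header *h)
{
    if (len < 18) return -1;
    h->image_type = buf[2];
    h->width      = (uint16_t)(buf[12] | (buf[13] << 8));
    h->height     = (uint16_t)(buf[14] | (buf[15] << 8));
    h->bpp        = buf[16];
    h->alpha_bits = buf[17] & 0x0f;
    return 0;
}

/* Bytes per pixel a true-colour image really carries: 2, 3 or 4, or -1 when
 * bpp and the alpha-bit count disagree. A mismatch here is what lets a
 * converter size its rows wrongly and read past the pixel data.
 * (Constructed policy for this example, not GIMP's.) */
int tga_bytes_per_pixel(const tga_header *h)
{
    if (h->image_type != 2 && h->image_type != 10) return -1;
    switch (h->bpp) {
    case 16: return (h->alpha_bits == 0 || h->alpha_bits == 1) ? 2 : -1;
    case 24: return (h->alpha_bits == 0) ? 3 : -1;
    case 32: return (h->alpha_bits == 8) ? 4 : -1;
    default: return -1;
    }
}

/* Bounded BGR(A) -> RGB(A) swap for one row. Only touches memory it was
 * handed: src_len and dst_len must both cover width * bytes_per_pixel.
 * Returns the number of bytes written, or -1 if the row would not fit. */
int bgr2rgb_row(uint8_t *dst, size_t dst_len,
                const uint8_t *src, size_t src_len,
                size_t width, int bytes_per_pixel)
{
    if (bytes_per_pixel != 3 && bytes_per_pixel != 4) return -1;
    size_t need = width * (size_t)bytes_per_pixel;
    if (width != 0 && need / width != (size_t)bytes_per_pixel) return -1; /* overflow */
    if (src_len < need || dst_len < need) return -1;
    for (size_t i = 0; i < width; i++) {
        const uint8_t *s = src + i * bytes_per_pixel;
        uint8_t *d = dst + i * bytes_per_pixel;
        d[0] = s[2];               /* R <- B */
        d[1] = s[1];               /* G unchanged */
        d[2] = s[0];               /* B <- R */
        if (bytes_per_pixel == 4) d[3] = s[3];
    }
    return (int)need;
}

/* Constructed header: true-colour, 2x1, claims 24 bpp yet 8 alpha bits.
 * Trusting either field alone gives a wrong row size. */
static const uint8_t bad_hdr[18] = {
    0, 0, 2,  0, 0,  0, 0,  0,  0, 0,  0, 0,  2, 0,  1, 0,  24, 0x08 };

/* Constructed header: same geometry, consistent 32 bpp / 8 alpha bits. */
static const uint8_t good_hdr[18] = {
    0, 0, 2,  0, 0,  0, 0,  0,  0, 0,  0, 0,  2, 0,  1, 0,  32, 0x08 };

/* Bytes per pixel the validator accepts for a raw header buffer, or -1. */
int check_header(const uint8_t *buf, size_t len)
{
    tga_header h;
    if (tga_parse_header(buf, len, &h) != 0) return -1;
    return tga_bytes_per_pixel(&h);
}

/* Swap a constructed two-pixel BGRA row while claiming src_len input bytes.
 * Returns the first output byte (3 when B and R were swapped) or -1 when the
 * bounded converter refused because the claimed input is too short. */
int sample_swap(size_t src_len)
{
    const uint8_t src[8] = { 1, 2, 3, 4, 5, 6, 7, 8 }; /* constructed BGRA, BGRA */
    uint8_t dst[8] = { 0 };
    if (src_len > sizeof src) src_len = sizeof src;
    if (bgr2rgb_row(dst, sizeof dst, src, src_len, 2, 4) < 0) return -1;
    return dst[0];
}
```

check_header(bad_hdr, 18) returns -1 and check_header(good_hdr, 18) returns 4,
so the inconsistent file is rejected before any pixel conversion runs, and
sample_swap(6) returns -1 because the converter will not read two 4-byte pixels
from a 6-byte buffer. Running a build under AddressSanitizer, as the original
reporter did, remains the practical way to confirm that no such over-read
survives in an importer.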

----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the patch from
https://git.gnome.org/browse/gimp/commit/?id=674b62ad45b6579ec6d7923dc3cb1ef4e8b5498b.

================================= Our Solution =================================

We have applied the aforementioned patch and rebuilt GIMP.