CLD-184 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-17788 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) gimp
Deficiency Type SECURITY
Date Created 2017-12-21 09:50:54
Date Last Modified 2017-12-22 17:49:56

Version Specific Information:

Cucumber 1.0 i686 fixed in gimp-2.8.22-i686-3
Cucumber 1.0 x86_64 fixed in gimp-2.8.22-x86_64-3 and gimp-lib_i686-2.8.22-lib_i686-3

Cucumber 1.1 i686 fixed in gimp-2.8.22-i686-3
Cucumber 1.1 x86_64 fixed in gimp-2.8.22-x86_64-3 and gimp-lib_i686-2.8.22-lib_i686-3

Details:

=================================== Overview ===================================

From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17788:

In GIMP 2.8.22, there is a stack-based buffer over-read in xcf_load_stream in
app/xcf/xcf.c when there is no '\0' character after the version string.

================================ Initial Report ================================

From Hanno Bock on Gnome Bugzilla
(https://bugzilla.gnome.org/show_bug.cgi?id=790783):

I'll attach a file that will cause a stack overread in the XCF file import.
This was discovered by fuzzing with american fuzzy lop and address sanitizer.
I'll also attach the stack trace from asan. The overread can be detected by
compiling gimp with address sanitizer.

The bug is in xcf.c when reading the file version. According to the unofficial
XCF spec [1] the version is a string starting at offset 9 with a null
terminator at offset 13.

The code in xcf.c assumes that this null terminator is there and passes the
version string to atoi. So if you craft a file where it's missing then atoi
will overread. This can be fixed by checking that the null terminator is really
set to 0 and returning an error if it's not. Patch also attached.

See the Bugzilla page for the attachments.

============================ Additional Information ============================

See http://www.openwall.com/lists/oss-security/2017/12/19/5

================================= Our Analysis =================================

----- Affected Products -----
Versions of GIMP up to and including 2.8.22 that have not had the patch from
https://git.gnome.org/browse/gimp/commit/?id=702c4227e8b6169f781e4bb5ae4b5733f51ab126
applied are affected by this vulnerability. This includes GIMP as originally
packaged in Cucumber Linux 1.0 and 1.1.

----- Scope and Impact of this Vulnerability -----
This vulnerability can result in a stack-based buffer over-read: when an XCF
file omits the '\0' terminator at offset 13, atoi() keeps reading past the end
of the version string while xcf_load_stream parses the file header.
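The failure mode described in the initial report, as an added example that is neither GIMP's code nor the upstream patch: a header validator that rejects an XCF header whose byte 13 is not NUL before any version parsing takes place, and that parses the version with a bounded digit loop rather than atoi(). The header layout (9-byte magic, version string at offset 9, terminator at offset 13) is taken from the report; the sample headers are constructed and the function name is our own.

```c
#include <stdio.h>
#include <string.h>

/* XCF header layout as described in the report: bytes 0-8 hold the magic
 * "gimp xcf ", bytes 9-12 the version string ("file" for version 0, or
 * "vNNN"), and byte 13 must be a NUL terminator. */
#define XCF_VER_OFF 9
#define XCF_NUL_OFF 13
#define XCF_HDR_LEN 14

/* Returns 0 and stores the version on success, -1 if the header is malformed.
 * Unlike an unchecked atoi() on the version string, it never reads past the
 * 14-byte header and rejects a header whose terminator is missing. */
int xcf_parse_version(const unsigned char *hdr, size_t len, int *version)
{
    if (hdr == NULL || len < XCF_HDR_LEN || memcmp(hdr, "gimp xcf ", 9) != 0)
        return -1;
    if (hdr[XCF_NUL_OFF] != '\0')          /* the check the report asks for */
        return -1;
    const unsigned char *v = hdr + XCF_VER_OFF;
    if (memcmp(v, "file", 4) == 0) {
        *version = 0;
        return 0;
    }
    if (v[0] != 'v')
        return -1;
    int n = 0;                             /* exactly three digits, no atoi scan */
    for (int i = 1; i < 4; i++) {
        if (v[i] < '0' || v[i] > '9')
            return -1;
        n = n * 10 + (v[i] - '0');
    }
    *version = n;
    return 0;
}

/* Constructed sample headers (not the report's attachment). HDR_BAD has 'X'
 * at byte 13 instead of NUL: the shape of input that triggered the bug. */
const unsigned char HDR_V0[]  = "gimp xcf file";
const unsigned char HDR_V11[] = "gimp xcf v011";
const unsigned char HDR_BAD[] = "gimp xcf v011X";

int main(void)
{
    int ver = -1;
    int ok  = xcf_parse_version(HDR_V11, sizeof HDR_V11, &ver);   /* 0, ver 11 */
    int bad = xcf_parse_version(HDR_BAD, sizeof HDR_BAD, &ver);   /* -1 */
    printf("v011 header rc=%d ver=%d, unterminated header rc=%d\n", ok, ver, bad);
    return 0;
}
```

A header that is too short or whose magic does not match is rejected by the same length check, so the terminator test is never evaluated on a buffer shorter than 14 bytes.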

----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the patch from
https://git.gnome.org/browse/gimp/commit/?id=702c4227e8b6169f781e4bb5ae4b5733f51ab126.

================================= Our Solution =================================

We have applied the aforementioned patch and rebuilt GIMP.