CLD-187 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-17787 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) gimp
Deficiency Type SECURITY
Date Created 2017-12-21 09:51:24
Date Last Modified 2017-12-30 13:44:03

Version Specific Information:

Cucumber 1.0 i686 fixed in gimp-2.8.22-i686-4
Cucumber 1.0 x86_64 fixed in gimp-2.8.22-x86_64-4 and gimp-lib_i686-2.8.22-lib_i686-4

Cucumber 1.1 i686 fixed in gimp-2.8.22-i686-4
Cucumber 1.1 x86_64 fixed in gimp-2.8.22-x86_64-4 and gimp-lib_i686-2.8.22-lib_i686-4

Details:

=================================== Overview ===================================

From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17787

In GIMP 2.8.22, there is a heap-based buffer over-read in read_creator_block in
plug-ins/common/file-psp.c.

================================ Initial Report ================================

From Hanno Böck on Gnome Bugzilla
(https://bugzilla.gnome.org/show_bug.cgi?id=790853):

Created attachment 364440 [details]
poc file

The attached file will cause a heap out of bounds read access in the function read_creator_block, which can be seen with address sanitizer.

Stack trace:
==18118==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020000095d5 at pc 0x0000004738a5 bp 0x7ffe1c4c0460 sp 0x7ffe1c4bfc10
READ of size 6 at 0x6020000095d5 thread T0
    #0 0x4738a4 in __interceptor_strlen.part.31 (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x4738a4)
    #1 0x7f124e39d0ec in g_string_insert_len (/usr/lib64/libglib-2.0.so.0+0x6c0ec)
    #2 0x51637f in read_creator_block /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:961:7
    #3 0x51637f in load_image /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1835
    #4 0x51637f in run /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1949
    #5 0x7f1251de0afd in gimp_proc_run /f/gimp/gimp-2.9.6/libgimp/gimp.c:2168:7
    #6 0x7f1251de0afd in gimp_loop /f/gimp/gimp-2.9.6/libgimp/gimp.c:1997
    #7 0x7f1251de0afd in gimp_main /f/gimp/gimp-2.9.6/libgimp/gimp.c:618
    #8 0x7f124d0390cc in __libc_start_main (/lib64/libc.so.6+0x210cc)
    #9 0x41b479 in _start (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x41b479)

0x6020000095d5 is located 0 bytes to the right of 5-byte region [0x6020000095d0,0x6020000095d5)
allocated by thread T0 here:
    #0 0x4da048 in __interceptor_malloc (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x4da048)
    #1 0x7f124e3806b8 in g_malloc (/usr/lib64/libglib-2.0.so.0+0x4f6b8)
    #2 0x5159b1 in read_creator_block /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:889:20
    #3 0x5159b1 in load_image /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1835
    #4 0x5159b1 in run /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1949
    #5 0x7f1251de0afd in gimp_proc_run /f/gimp/gimp-2.9.6/libgimp/gimp.c:2168:7
    #6 0x7f1251de0afd in gimp_loop /f/gimp/gimp-2.9.6/libgimp/gimp.c:1997
    #7 0x7f1251de0afd in gimp_main /f/gimp/gimp-2.9.6/libgimp/gimp.c:618
    #8 0x7f124d0390cc in __libc_start_main (/lib64/libc.so.6+0x210cc)
    #9 0x41b479 in _start (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x41b479)

The attachments can be viewed at
https://bugzilla.gnome.org/show_bug.cgi?id=790853.

============================ Additional Information ============================

See http://www.openwall.com/lists/oss-security/2017/12/19/5

================================= Our Analysis =================================

----- Affected Products -----
Versions of GIMP up to and including 2.8.22 are affected by this
vulnerability. This includes GIMP as originally packaged in Cucumber Linux 1.0
and 1.1. As of the writing of this analysis (Thu Dec 21 11:13:35 EST 2017),
2.8.22 is the latest stable version of GIMP; future releases may or may not be
affected.

A patch was released on 2017-12-21 11:52:23 (GMT) fixing this vulnerability at:
https://git.gnome.org/browse/gimp/commit/?id=87ba505fff85989af795f4ab6a047713f4d9381d.

----- Scope and Impact of this Vulnerability -----
This vulnerability can result in a heap buffer overread.
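The bug class behind this advisory, shown as an added example that is not code from GIMP or from the referenced patch: a length-prefixed string field is read from an untrusted block, and the hardened reader bounds-checks the field, allocates one extra byte and NUL-terminates before the result is ever treated as a C string. The block layout, the function names and the sample bytes are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for a length-prefixed string field: a 2-byte
 * little-endian length followed by that many bytes, with no NUL on disk
 * (layout assumed for illustration, not the real PSP block format). */
struct block { const uint8_t *data; size_t size; };

/* Reads the 2-byte length prefix, refusing a header that runs off the block. */
static int read_len(const struct block *b, size_t *pos, uint16_t *len)
{
    if (b->size - *pos < 2) return 0;
    *len = (uint16_t)(b->data[*pos] | (b->data[*pos + 1] << 8));
    *pos += 2;
    return 1;
}

/* Hardened reader. The bug-class version allocates exactly `len` bytes and
 * never writes a terminator, so strlen() (which g_string_insert_len() calls
 * when given no explicit length) keeps reading past the allocation: ASan's
 * "READ of size 6" from a 5-byte region. The lines marked FIX are what
 * such code lacks. */
char *read_string_terminated(const struct block *b, size_t *pos)
{
    uint16_t len;
    if (!read_len(b, pos, &len) || len > b->size - *pos) return NULL; /* bounds */
    char *s = malloc((size_t)len + 1);   /* FIX: room for the terminator */
    if (!s) return NULL;
    memcpy(s, b->data + *pos, len);
    s[len] = '\0';                       /* FIX: make it a real C string */
    *pos += len;
    return s;
}

/* Constructed sample: a 5-byte "Hanno" field, then a field claiming 200 bytes
 * while only 3 remain. Returns 1 when the hardened reader accepts the first
 * field and rejects the truncated second one instead of reading past the end. */
int demo_hardened_reader(void)
{
    static const uint8_t raw[] = { 5, 0, 'H', 'a', 'n', 'n', 'o', 200, 0, 'x', 'y', 'z' };
    struct block b = { raw, sizeof raw };
    size_t pos = 0;
    char *s = read_string_terminated(&b, &pos);
    int ok = s && strcmp(s, "Hanno") == 0 && pos == 7;
    ok = ok && read_string_terminated(&b, &pos) == NULL;
    free(s);
    return ok;
}
```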

----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the patch from
https://git.gnome.org/browse/gimp/commit/?id=87ba505fff85989af795f4ab6a047713f4d9381d.

================================= Our Solution =================================

We have applied the aforementioned patch and rebuilt GIMP.