Package: gimp
Version: 2.2.6-1
Severity: grave
Tags: security patch
Justification: user security hole

I have reported this bug privately to the maintainer and the security
team, but it turns out that the upstream developers have no way of
reporting security bugs privately, so it is hereby in the open. It
is #346742 in the upstream bug tracking system.

The problem is in the function xcf_load_vector() in app/xcf/xcf-load.c
of the source tree. For each "stroke" being read, the code reads a
uint32 from the XCF file into the variable num_axes, and then for each
control point of the stroke reads num_axes floats from the file into
the stack-allocated array coords whose size is hard-coded as 6.

A malicious XCF file creator could write a large number into the
num_axes position and trick the XCF reader into overwriting part of
the stack with raw data read from the file. On little-endian systems,
the function xcf_read_float() that actually reads the floats does a
byte-order conversion on the data it reads but does not do any special
float processing, so an attacker has direct control of the data
written to the stack.
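To make the bounds problem concrete, here is a small stand-alone reader (added for this report; not GIMP's own code) that parses a simplified stroke record with the validation the patch introduces. The record layout (num_axes, num_control_points, then num_axes big-endian floats per point) and the MAX_AXES name are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define MAX_AXES 6  /* size of the fixed coords[] array in xcf_load_vector() */

/* XCF integers are big-endian; fail if fewer than 4 bytes remain. */
static int read_u32(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out)
{
    if (len - *pos < 4) return 0;
    *out = ((uint32_t)buf[*pos] << 24) | ((uint32_t)buf[*pos + 1] << 16) |
           ((uint32_t)buf[*pos + 2] << 8) | buf[*pos + 3];
    *pos += 4;
    return 1;
}

/* Simplified stroke record (assumed layout): num_axes, num_control_points,
 * then num_axes big-endian IEEE floats per control point. Copies the first
 * point's coords into first_point (if non-NULL). Returns 1 on success, 0 if
 * num_axes would overflow coords[] or the data is truncated. */
int read_stroke(const uint8_t *buf, size_t len, float *first_point)
{
    size_t pos = 0;
    uint32_t num_axes, num_control_points, j, k;
    float coords[MAX_AXES];

    if (!read_u32(buf, len, &pos, &num_axes)) return 0;
    if (!read_u32(buf, len, &pos, &num_control_points)) return 0;
    /* The bound the patch adds, tied to the array size instead of a literal 6. */
    if (num_axes < 2 || num_axes > MAX_AXES) return 0;

    for (j = 0; j < num_control_points; j++) {
        for (k = 0; k < num_axes; k++) {
            uint32_t bits;
            if (!read_u32(buf, len, &pos, &bits)) return 0; /* truncated file */
            memcpy(&coords[k], &bits, sizeof bits); /* raw bits become the float */
        }
        if (j == 0 && first_point)
            memcpy(first_point, coords, num_axes * sizeof coords[0]);
    }
    return 1;
}

/* Constructed inputs: one well-formed stroke (2 axes, 1 point: 1.0, 2.0) and
 * one whose num_axes field (0x1000) would write far past a 6-float array. */
const uint8_t good_stroke[] = { 0,0,0,2, 0,0,0,1, 0x3f,0x80,0,0, 0x40,0,0,0 };
const uint8_t bad_stroke[]  = { 0,0,0x10,0, 0,0,0,1, 0,0,0,0, 0,0,0,0 };
```

Without the num_axes check, the inner loop would index coords[] up to num_axes-1, which is exactly the overrun described above.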

I have not attempted to construct a working exploit (though I did
verify being able to crash Gimp with a naively patched image file),
but there seems to be no reason why the overrun could not be used to
mount a standard arbitrary code execution attack if one can get the
victim to try to load an appropriately crafted image file.

The attack is in the VECTORS property of an XCF file which pure XCF
_viewers_ (e.g. imagemagick or xcftools) normally skip without
parsing.  Thus an attack file can easily be written such that the
image will display correctly with no symptoms at all in a viewer
application.

The same bug appears in the unstable (2.2.11) and experimental (2.3.9)
versions, as well as the upstream CVS head.

The attached patch should fix it (more gracefully than the one in my
earlier private report).

diff -rU6 gimp-2.2.6/app/xcf/xcf-load.c gimp-2.2.6.new/app/xcf/xcf-load.c
--- gimp-2.2.6/app/xcf/xcf-load.c       2004-11-03 12:50:37.000000000 +0100
+++ gimp-2.2.6.new/app/xcf/xcf-load.c   2006-07-06 12:27:33.982404488 +0200
@@ -1658,12 +1658,18 @@
           xcf_seek_pos (info,
                         info->cp + 4 * num_axes * num_control_points,
                         NULL);
           continue;
         }
 
+      if (num_axes < 2 || num_axes > 6)
+        {
+          g_printerr ("bad number of axes in stroke description\n");
+          return FALSE;
+        }
+
       control_points = g_value_array_new (num_control_points);
 
       anchor.selected = FALSE;
 
       for (j = 0; j < num_control_points; j++)
         {
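Review bot: the upper bound in the added check (`num_axes > 6`) repeats the hard-coded size of the coords array as a second literal, so the two can drift apart if the array is ever resized; tying the check to the array itself (e.g. `num_axes > G_N_ELEMENTS (coords)`, or a shared named constant used for both the declaration and the check) keeps the guard and the buffer in sync. A lesser point: the skip path just above still computes `4 * num_axes * num_control_points` from the two unvalidated 32-bit fields for xcf_seek_pos, so a comment noting that this only affects the seek target, not any buffer write, would help the next reader.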
