[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

script-fu buffer overflow in GIMP 2.6

Vulnerability Summary

There is a buffer overflow in the script-fu server component of GIMP 
(the GNU Image Manipulation Program) in all 2.6 versions (Windows and Linux versions) affecting both 
the script-fu console and the script-fu network server. A crafted msg to the 
script-fu server overflows a buffer and overwrites several function pointers 
allowing the attacker to gain control of EIP and potentially execute arbitrary 
code. This issue is fixed in the latest, stable GIMP version (currently 2.8.0).

CVE number: CVE-2012-2763
Impact: high
Vendor Homepage: http://www.gimp.org/
Date found: 18/05/2012
Found by: Joseph Sheridan of Reaction Information Security
Homepage: http://www.reactionpenetrationtesting.co.uk

This advisory is posted at:

PoC Code is available here:

Affected Products

Vulnerable Products

The following products are known to be affected by this vulnerability:

  * GIMP <= 2.6.12 (Windows or Linux builds)

Products Confirmed Not Vulnerable

The following products are known not to be affected by this

  * GIMP 2.8.0 (current stable release)


There is a buffer overflow in the command parsing code such that a long command
overwrites various function pointers on the heap and gives the attacker full control 
of EIP. The following command sent to the script-fu server will trigger the 

(file-bmp-load 123


Successful exploitation of the vulnerability may result in remote code execution.

Upgrade to the latest stable version of GIMP (currently 2.8 branch) - the 2.6 branch is 
no longer supported by the GIMP development team.


A workaround would be not to use this feature on a vulnerable version of GIMP.
The GIMP development team have strongly suggested only using the 
script-fu network server in a secure/sandboxed environment due to 
security concerns.


Future updates of this advisory, if any, will be placed on the ReactionIS
corporate website, but may or may not be actively announced on
mailing lists or newsgroups. Users concerned about this problem are
encouraged to check the URL below for any updates:



Reaction Information Security 
Lombard House Business Centre,
Suite 117,
12-17 Upper Bridge Street,
Canterbury, Kent, CT1 2NF

Phone: +44 (0)1227 785050
Email: research () reactionis {dot} co {dot} uk
Web: http://www.reactionpenetrationtesting.co.uk

Joseph Sheridan
Technical Director
Principal Consultant
CHECK Team Leader, CREST Infrastructure, CREST Application, CISSP
Tel: 07812052515
Web: www.reactionis.com
Email: joe@xxxxxxxxxxxxxxxx

Reaction Information Security Limited.
Registered in England No: 6929383
Registered Office: 1, The Mews, 69 New Dover Road, Canterbury, CT1 3DZ
This email and any files transmitted with it are confidential and are intended solely for the use of the individual to whom they are addressed. If you are not the intended recipient please notify the sender. Any unauthorised dissemination or copying of this email or its attachments and any use or disclosure of any information contained in them, is strictly prohibited.

ï Please consider the environment before printing this email