[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
CPNI INFOSEC ADVISORY - 101/07 - iDefence - Security Advisory - Multiple Vendor GIMP Multiple Integer Overflow Vulnerabilities
___________________________________________________________________________
CPNI INFOSEC ADVISORY - 101/07 dated 10.07.07 time 14:42
Centre for the Protection of National Infrastructure
___________________________________________________________________________
Further details about CPNI, including information about our
products can be found at www.cpni.gov.uk
___________________________________________________________________________
Title
=====
iDefense Security Advisory:
Multiple Vendor GIMP Multiple Integer Overflow Vulnerabilities
Detail
======
Multiple Vendor GIMP Multiple Integer Overflow Vulnerabilities
iDefense Security Advisory 07.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 09, 2007
I. BACKGROUND
The GNU Image Manipulation Program is commonly known as the GIMP. It is a
freely distributed piece of software for such tasks as photo retouching, image
composition and image authoring. It is available, in many languages, for
multiple operating systems. More information is available at the following
URL.
http://www.gimp.org/
II. DESCRIPTION
Remote exploitation of multiple integer overflow vulnerabilities in several of
the image loader plug-ins included with distributions of 'The GIMP' allow
attackers to crash The GIMP or potentially execute arbitrary code with the
privileges of the user.
The following lines show the location of some vulnerabilities within the code
responsible for loading the DICOM, PNM, PSD, PSP, Sun RAS, XBM, and XWD file
formats. Each of the files are located within the plug-ins/common directory of
the source code.
dicom.c:391: value = g_new0 (guint8, element_length + 4);
pnm.c:566: data = g_new (guchar, gimp_tile_height () * info->xres * np);
pnm.c:628: data = g_new (guchar, gimp_tile_height () * info->xres *
info->np);
pnm.c:681: data = g_new (guchar, gimp_tile_height () * info->xres);
psd.c:2969: PSDheader.rowlength = g_malloc (PSDheader.rows *
psp.c:1225: pixel = g_malloc0 (height * width * bytespp);
sunras.c:955: data = g_malloc (tile_height * width);
sunras.c:1076: data = g_malloc (tile_height * width);
sunras.c:1146: data = g_malloc (tile_height * width * 3);
sunras.c:1231: data = g_malloc (tile_height * width * 3);
xbm.c:879: data = (guchar *) g_malloc (width * tileheight);
xwd.c:1193: data = g_malloc (tile_height * width);
xwd.c:1195: scanline = g_new (guchar, xwdhdr->l_bytes_per_line + 8);
xwd.c:1352: data = g_malloc (tile_height * width);
xwd.c:1441: data = g_malloc (tile_height * width * 3);
xwd.c:1601: data = g_malloc (tile_height * width * 3);
xwd.c:1812: data = g_malloc (tile_height * width * bytes_per_pixel);
In each case, an integer value from an untrusted input source has arithmetic
operations performed upon it to calculate the length to allocate. Since no
integer overflow checking is performed, a potentially exploitable heap
overflow may result.
This is not a complete list of integer overflow vulnerabilities in the code.
III. ANALYSIS
Exploitation allows attackers to execute arbitrary code in the context of the
user opening a malicious image file.
In order to be successful, the attacker must convince the victim into opening
a maliciously crafted image with The GIMP.
IV. DETECTION
iDefense has confirmed that version 2.2.15 of The GIMP is vulnerable on both
Linux and Windows platforms. It is suspected that all previous versions of the
GIMP are also affected.
V. WORKAROUND
Consider moving the affected loader modules from The GIMP's plug-in directory
to another location. The location in the file system may vary depending on
distributions. On Red Hat Linux and Debian systems the default plug-in
directory is /usr/lib/gimp/2.0/plug-ins.
VI. VENDOR RESPONSE
The GIMP maintainers have released version 2.2.16 to address these
vulnerabilities. For more information, consult the following URL.
http://developer.gimp.org/NEWS-2.2
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2006-4519 to this issue. This is a candidate for inclusion in the CVE list
(http://cve.mitre.org/), which standardizes names for security problems.
VIII. DISCLOSURE TIMELINE
08/17/2006 Initial vendor notification
10/06/2006 Second vendor notification
06/26/2007 Third vendor notification
06/26/2007 Initial vendor response
07/09/2007 Coordinated public disclosure
IX. CREDIT
These vulnerabilities were discovered by Sean Larsson (iDefense Labs).
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events http://labs.idefense.com/
X. LEGAL NOTICES
Copyright © 2007 iDefense, Inc.
Permission is granted for the redistribution of this alert electronically. It
may not be edited in any way without the express written consent of iDefense.
If you wish to reprint the whole or any part of this alert in any other medium
other than electronically, please e-mail customerservice@xxxxxxxxxxxx for
permission.
Disclaimer: The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.
________________________________________________________________________
For additional information or assistance, please contact our
help desk by telephone.
You may send Not Protectively Marked information via e-mail
to infosec@xxxxxxxxxxxxxxxx
Office hours:
Mon - Fri: 09:00 - 16:30 hours
Tel: +44 (0) 870 487 0748 and follow the voice prompts
Fax: +44 (0) 870 487 0749
On-call duty officer outside office hours:
Tel: +44 (0) 870 487 0748 and follow the voice prompts
___________________________________________________________________________
CPNI wishes to acknowledge the contributions of iDefence for the
information contained in this advisory.
___________________________________________________________________________
This advisory contains information released by the original author. Some of
the information may have changed since it was released. If the issue affects
you, it may be prudent to retrieve the advisory from the site of the original
source to ensure that
you receive the most current
information concerning that problem.
Reference to any specific commercial product, process, or service by trade
name, trademark manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by CPNI. The views and opinions of
authors expressed within
this notice shall not be used for advertising or product endorsement purposes.
CPNI shall not accept responsibility for any errors or omissions
contained within this advisory. In particular, they shall not be liable for
any loss or damage whatsoever, arising from or in connection with the usage of
information contained within this advisory.
CPNI is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to
incidents, and to promote
information sharing amongst its members and the community at large.
___________________________________________________________________________
______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email
______________________________________________________________________