Bugzilla – Bug 555166
VUL-0: CVE-2009-1570: gimp: PSD Integer Overflow Vulnerabilities
Last modified: 2016-04-15 10:56:58 UTC
Hi. There is a security bug in 'gimp'. This information is from 'vendor-sec'. This bug is NOT PUBLIC. There is no coordinated release date (CRD) set.

More information can be found here: http://git.gnome.org/cgit/gimp/commit/?id=e3afc99b2fa7aeddf0dba4778663160a5bc682d3

CVE number: CVE-2009-1570
CVE description: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1570

Original posting:
@public = no

----- Forwarded message from Secunia Research <vuln@secunia.com> -----

From: Secunia Research <vuln@secunia.com>
To: vendor-sec@lst.de
Cc: vuln@secunia.com
Date: Thu, 12 Nov 2009 14:06:58 +0100
Subject: [vendor-sec] [Secunia] Gimp Integer Overflow Vulnerabilities
Errors-To: vendor-sec-admin@lst.de

Hi,

There are two integer overflows in Gimp (our emails to gimp.org with more details are attached). The first one (within the handling of BMP files) was reported to a known Gimp community member (sven@gimp.org), who handled the report but politely asked us to contact security@gimp.org next time. Two days later we reported the second integer overflow (within the handling of PSD files) to security@gimp.org but received no response so far.

Unfortunately, the BMP integer overflow is now fixed in the GIT repository [1] and we are forced to publish our advisory (SA37232). Our initial plan was to combine both vulnerabilities in SA37232, but the PSD integer overflow will now be handled in SA37348 (however, it will remain private for the time being).

We assigned CVE-2009-1570 to both vulnerabilities, but if you prefer to have separate CVE identifiers we can assign a new one to the PSD vulnerability.

[1] http://git.gnome.org/cgit/gimp/commit/?id=e3afc99b2fa7aeddf0dba4778663160a5bc682d3

Kind regards,
--
Stefan Cornelius
Security Specialist
Secunia
Weidekampsgade 14 A
DK-2300 Copenhagen S
Denmark
Phone +45 7020 5144
Fax +45 7020 5145


Hello,

Secunia Research has discovered a vulnerability in Gimp, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an integer overflow within the "read_channel_data()" function in plug-ins/file-psd/psd-load.c (confirmed in line 1764. Note that there are further calculations in e.g. line 1803, 1808, and 1813). This can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into opening a specially crafted PSD file.

Secunia Research has created a PoC, which is available upon request.

The vulnerability is confirmed in version 2.6.7. Other versions may also be affected.

We have assigned this vulnerability Secunia advisory SA37232 and CVE identifier CVE-2009-1570, which will be shared with the BMP integer overflow reported to Sven Neumann on Monday. If you prefer a separate CVE identifier, we can assign a new one.

A preliminary disclosure date of 25-11-2009 10am CET has been set, where the details will be publicly disclosed. However, we are naturally prepared to push the disclosure date if you need more time to address the vulnerability.

Please acknowledge receiving this e-mail and let us know when you expect to fix the vulnerability. Additionally, we would like to be able to follow the bug report regarding the BMP integer overflow.

Credits should go to: Stefan Cornelius, Secunia Research

Thanks in advance and kind regards,
--
Stefan Cornelius
Security Specialist
Secunia
Weidekampsgade 14 A
DK-2300 Copenhagen S
Denmark
Phone +45 7020 5144
Fax +45 7020 5145


Hello,

Secunia Research has discovered a vulnerability in Gimp, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an integer overflow within the "ReadImage()" function in plug-ins/file-bmp/bmp-read.c. This can be exploited to cause a heap-based buffer overflow by e.g. tricking a user into opening a specially crafted BMP file.

Secunia Research has created a PoC, which is available upon request.

The vulnerability is confirmed in version 2.6.7. Other versions may also be affected.

We have assigned this vulnerability Secunia advisory SA37232 and CVE identifier CVE-2009-1570.

A preliminary disclosure date of 25-11-2009 10am CET has been set, where the details will be publicly disclosed. However, we are naturally prepared to push the disclosure date if you need more time to address the vulnerability.

Please acknowledge receiving this e-mail and let us know when you expect to fix the vulnerability.

Credits should go to: Stefan Cornelius, Secunia Research

Thanks and kind regards,
--
Stefan Cornelius
Security Specialist
Secunia
Weidekampsgade 14 A
DK-2300 Copenhagen S
Denmark
Phone +45 7020 5144
Fax +45 7020 5145

----- End forwarded message -----
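Both attached reports describe the same bug class: a buffer size derived from attacker-controlled image dimensions wraps in 32-bit arithmetic, the loader allocates the wrapped (tiny) size, and the later copy of the real channel data overruns the heap. The following is an added illustration of that pattern next to the check a hardening patch applies. It is example code written for this page, not GIMP's read_channel_data() or ReadImage(); the simulated loader, its parameter names and the 1 GiB size cap are assumptions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Channel size as a naive 32-bit loader computes it. With uint32_t
 * operands the product wraps modulo 2^32 (well-defined for unsigned
 * types, but wrong): a crafted header can make the result tiny. */
size_t unchecked_channel_size(uint32_t width, uint32_t height, uint32_t bpp)
{
    uint32_t n = width * height * bpp;
    return (size_t)n;
}

/* Sanity cap for one channel. 1 GiB is an assumption for this example,
 * not a value taken from the GIMP source. */
#define CHANNEL_CAP (UINT64_C(1) << 30)

/* Overflow-aware version: rejects zero dimensions and any product that
 * would exceed CHANNEL_CAP, so the multiplication can never wrap. */
bool checked_channel_size(uint32_t width, uint32_t height, uint32_t bpp,
                          size_t *out)
{
    if (width == 0 || height == 0 || bpp == 0)
        return false;
    /* Two 32-bit factors always fit in 64 bits; the third factor is
     * bounded by division before it is applied. */
    uint64_t row_bytes = (uint64_t)width * bpp;
    if (row_bytes > CHANNEL_CAP / height)
        return false;
    *out = (size_t)(row_bytes * height);
    return true;
}

/* Convenience wrapper: does the header pass the size check at all? */
bool header_is_sane(uint32_t width, uint32_t height, uint32_t bpp)
{
    size_t ignored;
    return checked_channel_size(width, height, bpp, &ignored);
}

/* Simulated channel loader (assumption, not GIMP's): allocate from the
 * checked size and copy only what the file actually supplies. Returns
 * bytes loaded, or -1 if the header is rejected or the payload is
 * shorter than the header claims (a truncated file must not become an
 * over-read either). */
long load_channel(uint32_t width, uint32_t height, uint32_t bpp,
                  const uint8_t *payload, size_t payload_len)
{
    size_t need;
    if (!checked_channel_size(width, height, bpp, &need))
        return -1;
    if (payload_len < need)
        return -1;
    uint8_t *buf = malloc(need);
    if (buf == NULL)
        return -1;
    memcpy(buf, payload, need);   /* bounded: need <= payload_len */
    free(buf);
    return (long)need;
}

int main(void)
{
    /* Constructed crafted header: 65536 x 65536 x 1 byte = 2^32, which
     * wraps to 0 in 32-bit arithmetic. A naive loader would malloc(0)
     * and then copy the real channel data past the end of it. */
    printf("naive size for 65536x65536x1: %zu\n",
           unchecked_channel_size(0x10000, 0x10000, 1));
    printf("checked loader accepts it: %s\n",
           header_is_sane(0x10000, 0x10000, 1) ? "yes" : "no");

    /* Constructed sane header with a matching payload. */
    static const uint8_t pixels[4 * 4 * 3] = {0};
    printf("4x4x3 channel loaded: %ld bytes\n",
           load_channel(4, 4, 3, pixels, sizeof pixels));
    return 0;
}
```

The division-based bound is deliberately chosen over relying on a 64-bit intermediate alone: three 32-bit factors can exceed 64 bits, and a cap on the total size also stops a merely huge (non-wrapping) header from exhausting memory. On GCC and Clang `__builtin_mul_overflow()` expresses the same check more directly.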
CVE-2009-3909
public
Created attachment 328165: gimp-2.6.7-psd-hardening.patch from RH
CVE-2009-3909: CVSS v2 Base Score: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
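The 9.3 above follows from the vector by the CVSS v2 base equation (impact, exploitability and the f(impact) factor from the public v2 specification). The following is an added calculator for that equation, written for this page rather than taken from the tracker or from GIMP; the parser, its length limit and the return-in-tenths convention are this example's own choices.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* CVSS v2 base metrics, their allowed levels (in vector-letter form),
 * and the weights the v2 specification assigns to each level. */
static const char *const NAMES[6]  = {"AV", "AC", "Au", "C", "I", "A"};
static const char *const LEVELS[6] = {"LAN", "HML", "MSN", "NPC", "NPC", "NPC"};
static const double WEIGHTS[6][3] = {
    {0.395, 0.646, 1.000},   /* AV: Local, Adjacent network, Network */
    {0.350, 0.610, 0.710},   /* AC: High, Medium, Low */
    {0.450, 0.560, 0.704},   /* Au: Multiple, Single, None */
    {0.000, 0.275, 0.660},   /* C:  None, Partial, Complete */
    {0.000, 0.275, 0.660},   /* I:  None, Partial, Complete */
    {0.000, 0.275, 0.660},   /* A:  None, Partial, Complete */
};

/* Parse a v2 base vector such as "AV:N/AC:M/Au:N/C:C/I:C/A:C" into the
 * six weights (vector order does not matter). Returns false on an
 * unknown metric or level, or on a missing or duplicated metric. */
bool cvss2_parse(const char *vector, double w[6])
{
    char buf[64];
    bool seen[6] = {false};
    if (strlen(vector) >= sizeof buf)
        return false;
    strcpy(buf, vector);
    for (char *tok = strtok(buf, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        char *colon = strchr(tok, ':');
        if (colon == NULL || colon[1] == '\0' || colon[2] != '\0')
            return false;           /* expect exactly NAME:X */
        *colon = '\0';
        int m = -1;
        for (int k = 0; k < 6; k++)
            if (strcmp(tok, NAMES[k]) == 0)
                m = k;
        if (m < 0 || seen[m])
            return false;
        const char *lvl = strchr(LEVELS[m], colon[1]);
        if (lvl == NULL)
            return false;
        w[m] = WEIGHTS[m][lvl - LEVELS[m]];
        seen[m] = true;
    }
    for (int k = 0; k < 6; k++)
        if (!seen[k])
            return false;
    return true;
}

/* Base score in tenths (93 means 9.3), or -1 for an invalid vector. */
int cvss2_base_tenths(const char *vector)
{
    double w[6];
    if (!cvss2_parse(vector, w))
        return -1;
    double impact = 10.41 * (1.0 - (1.0 - w[3]) * (1.0 - w[4]) * (1.0 - w[5]));
    double exploitability = 20.0 * w[0] * w[1] * w[2];
    double f = (impact == 0.0) ? 0.0 : 1.176;   /* f(impact) from the spec */
    double base = (0.6 * impact + 0.4 * exploitability - 1.5) * f;
    if (base < 0.0)
        base = 0.0;
    return (int)(base * 10.0 + 0.5);            /* round half up, one decimal */
}

int main(void)
{
    const char *vec = "AV:N/AC:M/Au:N/C:C/I:C/A:C";   /* the vector from this bug */
    int t = cvss2_base_tenths(vec);
    printf("%s -> %d.%d\n", vec, t / 10, t % 10);
    return 0;
}
```

For the vector on this bug the intermediate values are impact ≈ 10.0008 and exploitability ≈ 8.5888, giving (0.6·10.0008 + 0.4·8.5888 − 1.5)·1.176 ≈ 9.33, which rounds to the 9.3 recorded above.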
Seems also to affect 2.4 and 2.2.
mass change of priority p5 security bugs to p3
.. and here?
Sorry for being late. I'm just back from vacation.
SR id for SLE-11: 4877
SR id for SLE-11-SP1: 4880
Done patchinfo.
No openSUSE (box) affected?
Only the BMP issue is mentioned in the patchinfo files. I will reject them.
(In reply to comment #13)
> No openSUSE (box) affected?

I have to finish SLE first. And for openSUSE, I am considering whether we can upgrade to 2.6.8, which contains the fix.
(In reply to comment #13)
> No openSUSE (box) affected?

sr id for openSUSE:11.2: 33183
Please backport the patch.
(In reply to comment #17)
> Please backport the patch.

You mean we should keep 2.6.7 in openSUSE 11.2?
Hm, this is still an open question AFAIK. Just go ahead with version upgrades for 11.2.
opensuse maintenance: version upgrade ok for you too?
In this case, I think: yes It contains mainly bugfixes (except from the update-language feature). +1 Other opinions?
(In reply to comment #21)
> In this case, I think: yes
>
> It contains mainly bugfixes (except from the update-language feature).
>
> +1
>
> Other opinions?

Hey, I have a question about openSUSE 11.1. There aren't any packages in openSUSE:11.1:Update:Test now. Does this mean 11.1 is deprecated?
nope. means nothing :)
oops. still needinfo for version update
The PSD loader was totally rewritten between 2.2.x and 2.6.x. I'm not sure if the bug exists in SLE10. And BMP is safely backported to SLE10. Could you open another SWAMPID for SLE10 which only contains the information about BMP?
Doesn't need an extra SWAMP ID, I will just adjust the patchinfo for SLE10.
HTH
still needinfo for opensuse maint. for version upgrade
for 11.2 we can take the 2.6.7 -> 2.6.8 upgrade I think. Please go ahead with that.
(In reply to comment #23)
> nope. means nothing :)

So I can still submit a request to 11.1:Update:Test?
You can submit to 11.1:Update:Test, yes.
Update released for: gimp, gimp-branding-upstream, gimp-debuginfo, gimp-debugsource, gimp-devel, gimp-devel-debuginfo, gimp-help-browser, gimp-help-browser-debuginfo, gimp-lang, gimp-plugins-python, gimp-plugins-python-debuginfo Products: openSUSE 11.2 (debug, i586, x86_64)
Update released for: gimp, gimp-branding-upstream, gimp-debuginfo, gimp-debugsource, gimp-devel, gimp-doc, gimp-lang, gimp-plugins-python Products: openSUSE 11.1 (debug, i586, ppc, x86_64)
released
Update released for: gimp, gimp-branding-upstream, gimp-debuginfo, gimp-debugsource, gimp-devel, gimp-doc, gimp-lang, gimp-plugins-python Products: SLE-DEBUGINFO 11 (i386, ia64, ppc64, s390x, x86_64) SLE-DESKTOP 11 (i386, x86_64) SLE-SDK 11 (i386, ia64, ppc64, s390x, x86_64)
This is an autogenerated message for OBS integration: This bug (555166) was mentioned in https://build.opensuse.org/request/show/33183 11.2:Test / gimp