Bug 853423 (CVE-2013-1913) - VUL-0: CVE-2013-1913: gimp: xwd plugin g_new() integer overflow
Summary: VUL-0: CVE-2013-1913: gimp: xwd plugin g_new() integer overflow
Status: RESOLVED FIXED
Alias: CVE-2013-1913
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Deadline: 2014-01-27
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:released:sle11-sp3:56086
Keywords:
Depends on:
Blocks:
 
Reported: 2013-12-03 17:28 UTC by Alexander Bergmann
Modified: 2014-02-11 10:36 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2013-12-03 17:28:39 UTC 
Murray McAllister of the Red Hat Security Response Team has discovered an integer overflow in the way GIMP, the GNU Image Manipulation Program, performed loading of certain X Window System (XWD) image dumps containing large a color entries value. A remote attacker could provide a specially-crafted XWD format image file that, when processed, would lead to gimp XWD plug-in crash or, potentially, arbitrary code execution with the privileges of the user running the gimp executable.

CVE-2013-1913 was assigned for this issue.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1913
https://bugzilla.redhat.com/show_bug.cgi?id=947868
Comment 1 Swamp Workflow Management 2013-12-03 23:00:44 UTC 
bugbot adjusting priority
Comment 2 Scott Reeves 2013-12-06 18:15:02 UTC 
David - can you have someone from your team look into this (appears very similar to bug #853425)
Comment 3 Alexander Bergmann 2014-01-10 15:14:03 UTC 
Upstream commit:

file-xwd: sanity check colormap size (CVE-2013-1913)

https://git.gnome.org/browse/gimp/commit/?id=32ae0f83e5748299641cceaabe3f80f1b3afd03e

+ /* Guard against insanely huge color maps -- gimp_image_set_colormap() only
+ * accepts colormaps with 0..256 colors anyway. */
+ if (xwdhdr.l_colormap_entries > 256)
+ {
+ g_message (_("'%s':\nIllegal number of colormap entries: %ld"),
+ gimp_filename_to_utf8 (filename),
+ (long)xwdhdr.l_colormap_entries);
+ fclose (ifp);
+ return -1;
+ }
Comment 4 Swamp Workflow Management 2014-01-13 10:24:02 UTC 
The SWAMPID for this issue is 55797.
This issue was rated as moderate.
Please submit fixed packages until 2014-01-27.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 5 David Liang 2014-01-26 06:51:12 UTC 
submitted to sle11/sle11-sp1/sle11-sp2/sle11-sp3
Comment 8 Swamp Workflow Management 2014-02-10 11:50:32 UTC 
Update released for: gimp, gimp-branding-upstream, gimp-debuginfo, gimp-debugsource, gimp-devel, gimp-doc, gimp-lang, gimp-plugins-python
Products:
SLE-DEBUGINFO 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP3 (i386, x86_64)
SLE-SDK 11-SP3 (i386, ia64, ppc64, s390x, x86_64)
Comment 9 Swamp Workflow Management 2014-02-10 15:04:33 UTC 
SUSE-SU-2014:0214-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 791372,853423,853425
CVE References: CVE-2012-5576,CVE-2013-1913,CVE-2013-1978
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    gimp-2.6.2-3.34.45.1
SUSE Linux Enterprise Desktop 11 SP3 (src):    gimp-2.6.2-3.34.45.1
Comment 10 Marcus Meissner 2014-02-11 10:35:55 UTC 
released