Bug 647907 (CVE-2009-2175)

Summary: CVE-2009-2175 xcftools: stack-based buffer overflow in flatten.c
Product: [Other] Security Response Reporter: Vincent Danen <vdanen>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED CURRENTRELEASE QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: nicoleau.fabien, pikachu.2014
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-09 11:53:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 647908    
Bug Blocks:    

Description Vincent Danen 2010-10-29 20:07:06 UTC 
This is an old issue that is not a problem with current Fedora releases (due to providing xcftools 1.0.7), however gnome-xcf-thumbnailer embedds what looks like xcftools 1.0.4 (vulnerable version) or earlier, as reported to Debian [1].  A patch [2] exists in the original Debian bug report [3] to correct the flaw.  The MITRE entry for this flaw follows:

Stack-based buffer overflow in the flattenIncrementally function in flatten.c in xcftools 1.0.4, as reachable from the (1) xcf2pnm and (2) xcf2png utilities, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted image that causes a conversion to a location "above or to the left of the canvas." NOTE: some of these details are obtained from third party information. 

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=601735
[2] http://bugs.debian.org/cgi-bin/bugreport.cgi?msg=10;filename=533361.patch;att=1;bug=533361
[3] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=533361
Comment 1 Vincent Danen 2010-10-29 20:08:17 UTC 
Created gnome-xcf-thumbnailer tracking bugs for this issue

Affects: fedora-all [bug 647908]
Comment 2 Mohamed El Morabity 2010-11-09 11:50:16 UTC 
This issue was fixed and pushed into updates:
   https://admin.fedoraproject.org/updates/gnome-xcf-thumbnailer-1.0-4.fc14
   https://admin.fedoraproject.org/updates/gnome-xcf-thumbnailer-1.0-4.fc13
   https://admin.fedoraproject.org/updates/gnome-xcf-thumbnailer-1.0-4.fc12
Thanks for this report.