Bug 947868 (CVE-2013-1913)
| Field | Value |
|---|---|
| Summary | CVE-2013-1913 gimp: xwd plugin g_new() integer overflow |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Stefan Cornelius <scorneli> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | nphilipp, scorneli, security-response-team |
| Keywords | Security |
| Doc Type | Bug Fix |
| Last Closed | 2013-12-14 19:49:29 UTC |
| Bug Depends On | 947891, 947894, 947895, 947896, 1030899, 1037720 |
| Bug Blocks | 879318 |

Description
Stefan Cornelius
2013-04-03 12:58:15 UTC
Created attachment 829636: updated patch for CVE-2013-1913

This problem is in load_image() in file-xwd.c. xwdcolmap (buffer to store color map) is allocated using glib's g_new using the l_colormap_entries value from the image header, which wasn't previously validated.

https://git.gnome.org/browse/gimp/tree/plug-ins/common/file-xwd.c?id=03df8c6#n471

g_new in glib versions before 2.24 does not have integer overflow checks.

https://bugzilla.gnome.org/show_bug.cgi?id=608196

Hence this issue could result in allocation of memory not sufficient to store l_colormap_entries color map entries when using gimp with an older glib version (such as the one shipped with Red Hat Enterprise Linux 5).

Note that this problem is masked by the different issue tracked via bug 953902, as the read_xwd_cols() function used to populate xwdcolmap uses a different upper bound - l_ncolors instead of l_colormap_entries.

Acknowledgment: This issue was discovered by Murray McAllister of the Red Hat Security Response Team.

Created gimp tracking bugs for this issue:

Affects: fedora-all [bug 1037720]

This issue has been addressed in the following products:

Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6

Via RHSA-2013:1778 https://rhn.redhat.com/errata/RHSA-2013-1778.html
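The undersized allocation described in this report, as an added example that is not taken from the GIMP source, glib, or the attached patch: it shows how an entry count multiplied by the entry size wraps when the allocator does no overflow check, next to a checked computation and a validated allocation. The 12-byte `xwd_color` layout, the 32-bit `size_t` model, the function names and the `MAX_COLORMAP_ENTRIES` cap are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumed 12-byte color map entry; a stand-in, not the plug-in's own type. */
typedef struct {
    uint32_t pixel;
    uint16_t red, green, blue;
    uint8_t  flags, pad;
} xwd_color;

/* Hypothetical upper bound a loader might enforce on the header field. */
#define MAX_COLORMAP_ENTRIES 256u

/* Byte count as an allocator without overflow checks computes it when
 * size_t is 32 bits wide: the product is reduced modulo 2^32. */
uint32_t unchecked_size32(uint32_t n_entries)
{
    return n_entries * (uint32_t)sizeof(xwd_color);
}

/* Same computation with the overflow test done before multiplying.
 * Returns 0 and stores the size, or -1 if the product would wrap. */
int checked_size32(uint32_t n_entries, uint32_t *size_out)
{
    if (n_entries > UINT32_MAX / (uint32_t)sizeof(xwd_color))
        return -1;
    *size_out = n_entries * (uint32_t)sizeof(xwd_color);
    return 0;
}

/* Validate the untrusted header value, then allocate.
 * NULL means the value was rejected or there is nothing to allocate. */
xwd_color *alloc_colormap(uint32_t colormap_entries)
{
    if (colormap_entries == 0 || colormap_entries > MAX_COLORMAP_ENTRIES)
        return NULL;
    return calloc(colormap_entries, sizeof(xwd_color));
}

int main(void)
{
    uint32_t n = 0x15555556u;   /* constructed header value */
    uint32_t size = 0;
    printf("entries=%u unchecked bytes=%u\n", (unsigned)n, (unsigned)unchecked_size32(n));
    printf("checked: %s\n", checked_size32(n, &size) ? "rejected" : "ok");
    printf("alloc: %s\n", alloc_colormap(n) ? "allocated" : "rejected");
    return 0;
}
```

With the constructed value, the unchecked size comes out far smaller than the number of entries the header claims, which is the mismatch the report describes.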