Bug 947868 (CVE-2013-1913)

Summary: CVE-2013-1913 gimp: xwd plugin g_new() integer overflow
Product: [Other] Security Response
Reporter: Stefan Cornelius <scorneli>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: nphilipp, scorneli, security-response-team
Target Milestone: ---
Target Release: ---
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2013-12-14 19:49:29 UTC
Bug Depends On: 947891, 947894, 947895, 947896, 1030899, 1037720
Bug Blocks: 879318
Attachments:
  updated patch for CVE-2013-1913 (flags: none)

Description Stefan Cornelius 2013-04-03 12:58:15 UTC
Murray McAllister of the Red Hat Security Response Team has discovered an integer overflow in the way GIMP, the GNU Image Manipulation Program, performed loading of certain X Window System (XWD) image dumps containing a large color entries value. A remote attacker could provide a specially-crafted XWD format image file that, when processed, would lead to a GIMP XWD plug-in crash or, potentially, arbitrary code execution with the privileges of the user running the gimp executable.

Comment 10 Nils Philippsen 2013-11-27 10:45:29 UTC
Created attachment 829636 [details]
updated patch for CVE-2013-1913

Comment 11 Tomas Hoger 2013-11-27 22:54:22 UTC
This problem is in load_image() in file-xwd.c.  xwdcolmap (the buffer to store the color map) is allocated using glib's g_new with the l_colormap_entries value from the image header, which wasn't previously validated.

https://git.gnome.org/browse/gimp/tree/plug-ins/common/file-xwd.c?id=03df8c6#n471

g_new in glib versions before 2.24 does not have integer overflow checks.

https://bugzilla.gnome.org/show_bug.cgi?id=608196

Hence this issue could result in allocation of memory not sufficient to store l_colormap_entries color map entries when using gimp with older glib version (such as the one shipped with Red Hat Enterprise Linux 5).

Note that this problem is masked by the different issue tracked via bug 953902, as the read_xwd_cols() function used to populate xwdcolmap uses a different upper bound - l_ncolors instead of l_colormap_entries.
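
The allocation-size wrap described in the comment above, shown as an added example rather than GIMP's code or the attached patch. It models g_new() as it behaved before glib 2.24 on a 32-bit build (n * sizeof(T) computed in a 32-bit size_t with no overflow check) next to the checked form glib 2.24 introduced, and an illustrative hardened allocation for xwdcolmap. XwdHeaderSubset, XWD_MAX_CMAP_ENTRIES and header_accepted() are assumptions made for the example; only XwdColor mirrors the real 12-byte on-disk entry.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Constructed stand-in for an XWD colour map entry. The real XWDColor in
 * X11/XWDFile.h is 12 bytes: one CARD32 pixel, three CARD16 channels and
 * two CARD8 fields, which this struct reproduces. */
typedef struct {
    uint32_t pixel;
    uint16_t red, green, blue;
    uint8_t  flags, pad;
} XwdColor;

/* Only the two header fields the bug is about (assumed subset, not the full
 * XWD header). Both are 32-bit in the on-disk format. */
typedef struct {
    uint32_t l_colormap_entries;  /* count used to size the xwdcolmap buffer */
    uint32_t l_ncolors;           /* count read_xwd_cols() iterates over     */
} XwdHeaderSubset;

/* Models g_new(T, n) from glib < 2.24 on a 32-bit build: n * sizeof(T) is
 * computed in a 32-bit size_t with no overflow check, so a crafted count
 * can wrap to a tiny allocation. Returns the byte count malloc would see. */
static uint32_t unchecked_size32(uint32_t n, uint32_t elem_size)
{
    return n * elem_size;  /* wraps modulo 2^32 */
}

/* The kind of check g_new() gained in glib 2.24: refuse n when n * elem_size
 * is not representable in 32 bits. Returns the byte count, or -1 on overflow. */
static int64_t checked_size32(uint32_t n, uint32_t elem_size)
{
    if (elem_size != 0 && n > UINT32_MAX / elem_size)
        return -1;
    return (int64_t)n * elem_size;
}

/* Illustrative hardened allocation for xwdcolmap (not GIMP's actual patch):
 * bound the count taken from the untrusted header, keep the reader's bound
 * (l_ncolors) within the buffer, and size the buffer with an overflow check.
 * XWD_MAX_CMAP_ENTRIES is an assumed sane ceiling, not a value from the bug. */
#define XWD_MAX_CMAP_ENTRIES 65536u

static XwdColor *alloc_colormap(const XwdHeaderSubset *h, uint32_t *n_out)
{
    if (h->l_colormap_entries == 0 ||
        h->l_colormap_entries > XWD_MAX_CMAP_ENTRIES)
        return NULL;
    if (h->l_ncolors > h->l_colormap_entries)   /* would overrun the buffer */
        return NULL;
    if (checked_size32(h->l_colormap_entries, sizeof(XwdColor)) < 0)
        return NULL;
    XwdColor *cmap = calloc(h->l_colormap_entries, sizeof(XwdColor));
    if (cmap)
        *n_out = h->l_colormap_entries;
    return cmap;
}

/* Convenience for the demo: 1 if the header is accepted, 0 if rejected. */
static int header_accepted(uint32_t entries, uint32_t ncolors)
{
    XwdHeaderSubset h = { entries, ncolors };
    uint32_t n = 0;
    XwdColor *cmap = alloc_colormap(&h, &n);
    int ok = (cmap != NULL);
    free(cmap);
    return ok;
}

int main(void)
{
    /* Crafted count: 0x15555556 * 12 = 0x100000008, truncated to 8 bytes in
     * 32-bit arithmetic, while a reader bounded by that count would try to
     * fill roughly 358 million entries. */
    uint32_t crafted = 0x15555556u;
    printf("unchecked g_new size: %u bytes for %u entries\n",
           unchecked_size32(crafted, sizeof(XwdColor)), crafted);
    printf("checked size: %lld\n",
           (long long)checked_size32(crafted, sizeof(XwdColor)));
    printf("hardened loader accepts crafted header: %d\n",
           header_accepted(crafted, 10));
    printf("hardened loader accepts sane header: %d\n",
           header_accepted(256, 256));
    return 0;
}
```

The 32-bit model is deliberate: on a 64-bit size_t a uint32_t count times 12 cannot wrap, which is why the comment above ties the exploitable case to older glib on platforms such as RHEL 5. The second check in alloc_colormap() (l_ncolors not exceeding l_colormap_entries) is the separate bound mismatch the comment attributes to bug 953902.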

Comment 12 Tomas Hoger 2013-11-27 22:54:45 UTC
Acknowledgment:

This issue was discovered by Murray McAllister of the Red Hat Security Response Team.

Comment 13 Vincent Danen 2013-12-03 16:28:44 UTC
Created gimp tracking bugs for this issue:

Affects: fedora-all [bug 1037720]

Comment 14 errata-xmlrpc 2013-12-03 16:52:26 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:1778 https://rhn.redhat.com/errata/RHSA-2013-1778.html