Bug 953902 (CVE-2013-1978)
| Field | Value |
|---|---|
| Summary | CVE-2013-1978 gimp: XWD plugin color map heap-based buffer overflow |
| Product | [Other] Security Response |
| Component | vulnerability |
| Reporter | Stefan Cornelius <scorneli> |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| CC | nphilipp, security-response-team |
| Keywords | Security |
| Hardware | All |
| OS | Linux |
| Doc Type | Bug Fix |
| Last Closed | 2013-12-14 19:49:24 UTC |
| Bug Depends On | 955471, 955472, 955473, 955474, 1030899, 1037720 |
| Bug Blocks | 879318 |

Description
Stefan Cornelius
2013-04-19 13:27:21 UTC
Created attachment 829128: proposed patch for CVE-2013-1978

The attached patch checks that the number of colormap entries isn't less than the number of colors. While it's not clear if the format specification permits files with a higher number of colormap entries than colors, such files can be constructed and are readable by e.g. ImageMagick tools.

Created attachment 829635: updated patch for CVE-2013-1978

The problem here is that load_image() in file-xwd.c reads the XWD image file header. The header contains l_colormap_entries (number of color map entries) and l_ncolors (number of image colors). The xwdcolmap buffer used to store the color map is allocated to contain space for l_colormap_entries items:

https://git.gnome.org/browse/gimp/tree/plug-ins/common/file-xwd.c?id=03df8c6#n469

Subsequently, read_xwd_cols() is called to populate the color map buffer.

https://git.gnome.org/browse/gimp/tree/plug-ins/common/file-xwd.c?id=03df8c6#n790

However, this function uses l_ncolors instead of l_colormap_entries as an upper bound when populating xwdcolmap. An image specifying a higher value for l_ncolors than l_colormap_entries causes gimp to overflow the heap-based buffer.

Acknowledgment:

This issue was discovered by Murray McAllister of the Red Hat Security Response Team.

Created gimp tracking bugs for this issue:

Affects: fedora-all [bug 1037720]

This issue has been addressed in the following products:

Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6

Via RHSA-2013:1778 https://rhn.redhat.com/errata/RHSA-2013-1778.html
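The bounds relationship described in the comments above, shown as an added example (not GIMP's code and not the attached patch): a color map reader that allocates by the entry count and refuses input whose color count exceeds it. The names read_colormap_checked, xwd_color and XWD_MAX_ENTRIES, the sanity cap, and the 12-byte big-endian entry layout are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Simplified color map entry; field layout is assumed for this example. */
typedef struct {
    uint32_t pixel;
    uint16_t red, green, blue;
    uint8_t  flags, pad;
} xwd_color;

#define XWD_COLOR_WIRE_SIZE 12u     /* serialized bytes per entry (assumed) */
#define XWD_MAX_ENTRIES     65536u  /* hypothetical sanity cap */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}
static uint16_t be16(const uint8_t *p) {
    return (uint16_t)(((unsigned)p[0] << 8) | p[1]);
}

/* Returns the number of entries read, or -1 if the header values are
 * inconsistent with each other or with the amount of data supplied. */
int read_colormap_checked(const uint8_t *buf, size_t len,
                          uint32_t colormap_entries, uint32_t ncolors,
                          xwd_color **out)
{
    *out = NULL;
    /* This example only handles images that carry a color map. */
    if (colormap_entries == 0 || colormap_entries > XWD_MAX_ENTRIES)
        return -1;
    /* The loop bound below must never exceed the allocation size. */
    if (ncolors > colormap_entries)
        return -1;
    /* The input must really contain ncolors serialized entries. */
    if ((size_t)ncolors > len / XWD_COLOR_WIRE_SIZE)
        return -1;
    xwd_color *map = calloc(colormap_entries, sizeof *map);
    if (map == NULL)
        return -1;
    for (uint32_t i = 0; i < ncolors; i++) {
        const uint8_t *p = buf + (size_t)i * XWD_COLOR_WIRE_SIZE;
        map[i].pixel = be32(p);
        map[i].red   = be16(p + 4);
        map[i].green = be16(p + 6);
        map[i].blue  = be16(p + 8);
        map[i].flags = p[10];
        map[i].pad   = p[11];
    }
    *out = map;
    return (int)ncolors;
}
```

Rejecting the file is one policy; the first patch comment notes that files with more colormap entries than colors exist in practice, which is why only `ncolors > colormap_entries` is treated as an error here.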