Description of problem:
There is a possible stack-based buffer overrun in the function plug-ins/common/sunras.c:set_color_table() that can be exploited by an attacker to trigger execution of arbitrary code via a crafted Sun RAS file.

Version-Release number of selected component (if applicable):
Affects: RHEL2.1
Affects: RHEL3
Affects: RHEL4
Affects: RHEL5
Affects: FC5
Affects: FC6

Steps to Reproduce:
Either use the program referred to in the URL to generate a POC, or use the one that is attached to this bug.

Additional info:
Though I have reproduced a crash on all supported systems, as enumerated above, for some unknown reason gdb was detaching from the plugin run with GIMP_PLUGIN_DEBUG=sunras, so I was unable to do an in-depth investigation. I deduce that it is a stack overflow because core dumps showed evidence of a corrupt stack, with SSP glibc detects stack smashing, and the Secunia advisory also states the same: http://secunia.com/advisories/25012/?answer=57
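As an added illustration of the bug class named in the report (this is not code from the GIMP sunras plugin, the upstream fix, or the reporter): a minimal Sun rasterfile header parser with a color-map loader that bounds the file-supplied maplength before copying into a fixed-size table, shown beside the unchecked pattern that trusts maplength as the copy size. The header layout (eight big-endian 32-bit words: magic 0x59a66a95, width, height, depth, length, type, maptype, maplength) is the standard Sun rasterfile format; the 3*256-byte table size, the function names, and the sample file built by ras_build_sample() are assumptions made for this example, not details taken from the plugin or the attached POC.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Sun rasterfile header: eight big-endian 32-bit words, 32 bytes total. */
#define RAS_MAGIC        0x59a66a95u
#define RAS_HEADER_LEN   32
#define RT_STANDARD      1
#define RMT_EQUAL_RGB    1
/* Assumed fixed table: 256 entries x 3 planes. A maplength larger than
 * this is exactly what an unchecked loader would write past. */
#define RAS_CMAP_MAX     (3 * 256)

typedef struct {
    uint32_t magic, width, height, depth, length, type, maptype, maplength;
} ras_header;

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Parse the 32-byte header. Returns 0 on success, -1 if truncated or bad magic. */
int ras_parse_header(const unsigned char *buf, size_t len, ras_header *h)
{
    if (len < RAS_HEADER_LEN) return -1;
    h->magic     = be32(buf + 0);  h->width  = be32(buf + 4);
    h->height    = be32(buf + 8);  h->depth  = be32(buf + 12);
    h->length    = be32(buf + 16); h->type   = be32(buf + 20);
    h->maptype   = be32(buf + 24); h->maplength = be32(buf + 28);
    return h->magic == RAS_MAGIC ? 0 : -1;
}

/* Unchecked pattern (hypothetical, the class of bug the report describes):
 * the file's maplength is used as the copy size into a fixed stack buffer.
 * Never call this with untrusted input; it is here only for contrast. */
int ras_load_cmap_unchecked(const unsigned char *map, uint32_t maplength)
{
    unsigned char cmap[RAS_CMAP_MAX];
    memcpy(cmap, map, maplength);   /* writes past cmap when maplength > 768 */
    return cmap[0];
}

/* Checked loader: bounds maplength against the table, requires whole RGB
 * planes, and requires the map bytes to actually be present in the buffer.
 * Returns the number of map bytes copied, 0 if there is no map, -1 on rejection. */
long ras_load_cmap_checked(const unsigned char *buf, size_t len,
                           const ras_header *h, unsigned char cmap[RAS_CMAP_MAX])
{
    if (h->maptype != RMT_EQUAL_RGB) return 0;
    if (h->maplength > RAS_CMAP_MAX || h->maplength % 3 != 0) return -1;
    if (len < RAS_HEADER_LEN || len - RAS_HEADER_LEN < h->maplength) return -1;
    memcpy(cmap, buf + RAS_HEADER_LEN, h->maplength);
    return (long)h->maplength;
}

/* Constructed sample: an 8-bit 4x4 image header claiming `maplength` bytes of
 * RGB color map, followed by that many filler bytes (no pixel data).
 * Returns bytes written, or 0 if `out` is too small. */
size_t ras_build_sample(unsigned char *out, size_t cap, uint32_t maplength)
{
    size_t total = RAS_HEADER_LEN + (size_t)maplength;
    if (cap < total) return 0;
    put_be32(out + 0,  RAS_MAGIC);
    put_be32(out + 4,  4);            /* width */
    put_be32(out + 8,  4);            /* height */
    put_be32(out + 12, 8);            /* depth */
    put_be32(out + 16, 16);           /* pixel data length */
    put_be32(out + 20, RT_STANDARD);
    put_be32(out + 24, RMT_EQUAL_RGB);
    put_be32(out + 28, maplength);
    memset(out + RAS_HEADER_LEN, 0x41, maplength);
    return total;
}

/* Builds a sample with the given maplength, optionally presenting only the
 * first `avail` bytes of it (0 = whole file), and runs the checked loader.
 * Returns the loader's result, or -2 if the header did not parse. */
long ras_demo(uint32_t maplength, size_t avail)
{
    unsigned char file[8192], cmap[RAS_CMAP_MAX];
    ras_header h;
    size_t n = ras_build_sample(file, sizeof file, maplength);
    if (n == 0) return -2;
    if (avail == 0 || avail > n) avail = n;
    if (ras_parse_header(file, avail, &h) != 0) return -2;
    return ras_load_cmap_checked(file, avail, &h, cmap);
}

int main(void)
{
    printf("768-byte map:        %ld\n", ras_demo(768, 0));
    printf("4096-byte map:       %ld\n", ras_demo(4096, 0));
    printf("truncated 768 map:   %ld\n", ras_demo(768, 100));
    return 0;
}
```

The three checks in ras_load_cmap_checked() are the ones a file parser needs before any copy driven by a length field: the declared length must fit the destination, it must be structurally valid for the format (whole RGB triples here), and the bytes must really be present in the input, so a truncated file is rejected rather than read past its end.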
Created attachment 153788: Malformed Sun RAS file that overflows the stack in gimp's sunras plugin
Upstream already has a fix by Sven Neumann, I've extracted that from the SVN repo and I'm just building the package (with two minor, trivial packaging fixes) locally to see that it works out.
*** Bug 238684 has been marked as a duplicate of this bug. ***
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0343.html