Red Hat Bugzilla – Bug 238420
CVE-2007-2356 Stack overflow in gimp's sunras plugin
Last modified: 2007-11-30 17:07:43 EST
Description of problem:
There is a possible stack-based buffer overrun in function
plug-ins/common/sunras.c:set_color_table() that can be exploited by an
attacker to trigger execution of arbitrary code via a crafted Sun RAS file.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
Either use the program referred to in URL to generate a POC, or use one
that is attached to this bug.
Though I have reproduced a crash on all supported systems, as enumerated
above, for some unknown reason gdb was detaching from the plugin run with
GIMP_PLUGIN_DEBUG=sunras, so I was unable to do an in-depth investigation.
I deduce that it is a stack overflow because core dumps showed evidence
of a corrupt stack, with SSP glibc detects stack smashing, and the Secunia
advisory also states the same:
Created attachment 153788 [details]
Malformed Sun RAS file, that overflows stack in gimp's sunras plugin
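A bounds-checked reader for the Sun rasterfile header and colormap, added here to illustrate the check that closes this bug class. It is not GIMP's sunras.c and not the upstream fix; the layout it assumes (eight big-endian 32-bit header fields, with maptype and maplength describing the colormap) is the public Sun rasterfile format, and the 768-byte table (256 RGB entries) and all function names are this example's own choices. The constructed sample files in main() are built in memory so the checks can be exercised offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Sun rasterfile layout (assumed from the public format, not from sunras.c):
 * eight big-endian 32-bit header fields, then the colormap, then pixels. */
#define RAS_MAGIC      0x59a66a95u
#define RAS_HEADER_LEN 32
#define RMT_NONE       0
#define RMT_EQUAL_RGB  1
#define MAX_COLORS     256
#define COLMAP_BYTES   (3 * MAX_COLORS)   /* fixed-size table: 768 bytes */

struct ras_header {
    uint32_t magic, width, height, depth, length, type, maptype, maplength;
};

enum ras_status {
    RAS_OK          =  0,
    RAS_ERR_SHORT   = -1,   /* buffer shorter than the header */
    RAS_ERR_MAGIC   = -2,   /* not a Sun raster file */
    RAS_ERR_MAPTYPE = -3,   /* unsupported colormap type */
    RAS_ERR_MAPLEN  = -4,   /* maplength does not fit the fixed table */
    RAS_ERR_TRUNC   = -5    /* file ends before the colormap does */
};

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void put_be32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

int parse_ras_header(const unsigned char *buf, size_t len, struct ras_header *h)
{
    if (len < RAS_HEADER_LEN)
        return RAS_ERR_SHORT;
    h->magic     = be32(buf);       h->width  = be32(buf + 4);
    h->height    = be32(buf + 8);   h->depth  = be32(buf + 12);
    h->length    = be32(buf + 16);  h->type   = be32(buf + 20);
    h->maptype   = be32(buf + 24);  h->maplength = be32(buf + 28);
    return h->magic == RAS_MAGIC ? RAS_OK : RAS_ERR_MAGIC;
}

/* Copy the colormap into a fixed 768-byte table. maplength comes from the
 * file, so it is validated before a single byte is copied: copying it
 * unchecked into a fixed stack array is the overrun pattern this report is about. */
int load_ras_colormap(const unsigned char *buf, size_t len,
                      const struct ras_header *h,
                      unsigned char colmap[COLMAP_BYTES], size_t *ncolors)
{
    *ncolors = 0;
    if (h->maptype == RMT_NONE)
        return h->maplength == 0 ? RAS_OK : RAS_ERR_MAPLEN;
    if (h->maptype != RMT_EQUAL_RGB)
        return RAS_ERR_MAPTYPE;
    if (h->maplength == 0 || h->maplength > COLMAP_BYTES || h->maplength % 3 != 0)
        return RAS_ERR_MAPLEN;
    if (len < RAS_HEADER_LEN || len - RAS_HEADER_LEN < h->maplength)
        return RAS_ERR_TRUNC;
    memcpy(colmap, buf + RAS_HEADER_LEN, h->maplength);
    *ncolors = h->maplength / 3;
    return RAS_OK;
}

/* Header plus colormap in one call; ncolors may be NULL. */
int check_ras_file(const unsigned char *buf, size_t len, size_t *ncolors)
{
    struct ras_header h;
    unsigned char colmap[COLMAP_BYTES];
    size_t n = 0;
    int rc = parse_ras_header(buf, len, &h);
    if (rc == RAS_OK)
        rc = load_ras_colormap(buf, len, &h, colmap, &n);
    if (ncolors)
        *ncolors = n;
    return rc;
}

/* Constructed input: a 2x2 8-bit header that claims `maplength` colormap
 * bytes while only `present` bytes follow. Returns the total length written;
 * `out` must hold RAS_HEADER_LEN + present bytes. */
size_t build_sample_ras(unsigned char *out, uint32_t maptype,
                        uint32_t maplength, size_t present)
{
    put_be32(out, RAS_MAGIC);  put_be32(out + 4, 2);   put_be32(out + 8, 2);
    put_be32(out + 12, 8);     put_be32(out + 16, 4);  put_be32(out + 20, 1);
    put_be32(out + 24, maptype);  put_be32(out + 28, maplength);
    memset(out + RAS_HEADER_LEN, 0x5a, present);
    return RAS_HEADER_LEN + present;
}

int main(void)
{
    unsigned char file[RAS_HEADER_LEN + COLMAP_BYTES];
    size_t n, ncolors = 0;
    int rc;

    n = build_sample_ras(file, RMT_EQUAL_RGB, COLMAP_BYTES, COLMAP_BYTES);
    rc = check_ras_file(file, n, &ncolors);
    printf("full 256-entry map: rc=%d colors=%zu\n", rc, ncolors);

    /* Header claims 1 MiB of colormap: rejected before any copy happens. */
    n = build_sample_ras(file, RMT_EQUAL_RGB, 1u << 20, 0);
    printf("oversized maplength: rc=%d\n", check_ras_file(file, n, NULL));
    return 0;
}
```

The two checks that matter are the ones on maplength: it must fit the fixed table before memcpy, and the buffer must actually contain that many bytes. A parser that trusts the header's length field and copies into a stack array of fixed size is precisely what a crafted file like the attached one exercises; SSP catching the smash at run time, as the report notes, is the last line of defence, not a substitute for the check.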
Upstream already has a fix by Sven Neumann, I've extracted that from the SVN
repo and I'm just building the package (with two minor, trivial packaging fixes)
locally to see that it works out.
*** Bug 238684 has been marked as a duplicate of this bug. ***
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.