Bug 704512 - (CVE-2011-1782) CVE-2011-1782 Gimp: Incomplete fix for CVE-2010-4543 PSP plug-in heap overflow issue
CVE-2011-1782 Gimp: Incomplete fix for CVE-2010-4543 PSP plug-in heap overflo...
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 537809 537810 537811 703803 703804 706939 833903
  Show dependency treegraph
Reported: 2011-05-13 10:01 EDT by Jan Lieskovsky
Modified: 2015-11-24 09:38 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Jan Lieskovsky 2011-05-13 10:01:00 EDT
Originally Common Vulnerabilities and Exposures assigned an identifier
of CVE-2010-4543 to the following vulnerability:

Heap-based buffer overflow in the read_channel_data function in file-psp.c
in the Paint Shop Pro (PSP) plugin in GIMP 2.6.11 allows remote attackers to
cause a denial of service (application crash) or possibly execute arbitrary
code via a PSP_COMP_RLE (aka RLE compression) image file that begins a long
run count at the end of the image. NOTE: some of these details are obtained
from third party information.

Upstream bug report:
[1] https://bugzilla.gnome.org/show_bug.cgi?id=639203

Original patch proposal from Vincent Untz:
[2] https://bugzilla.gnome.org/show_bug.cgi?id=639203#c12

And final patch applied by Gimp upstream was:
[3] http://git.gnome.org/browse/gimp/commit/?id=48ec15890e1751dede061f6d1f469b6508c13439

Later it was recognized by Nils Philippsen this patch to be incomplete
due the following reasoning:

I've looked at this a bit further and found that even Vincent Untz's patch
didn't take into account that the code that did runlength decoding actually
advances by bytespp through the buffer into which it writes, so the runcount
needs to be clamped to "(endq - q) / bytespp"(*) in order that subsequent loops
don't advance past the end of the buffer.

(*): This division is actually safe as bytespp is set by the plugin to one of
several known values, therefore can't be 0.
Comment 3 Jan Lieskovsky 2011-05-13 10:07:55 EDT
Proposed patch from Nils Philippsen to address this problem:

diff --git a/plug-ins/common/file-psp.c b/plug-ins/common/file-psp.c
index 7e620fb..9ae5395 100644
--- a/plug-ins/common/file-psp.c
+++ b/plug-ins/common/file-psp.c
@@ -1200,7 +1200,7 @@ read_channel_data (FILE       *f,
             fread (buf, runcount, 1, f);

           /* prevent buffer overflow for bogus data */
-          runcount = MIN (runcount, endq - q);
+          runcount = MIN (runcount, (endq - q) / bytespp);

           if (bytespp == 1)
Comment 6 Jan Lieskovsky 2011-05-13 10:38:04 EDT
The CVE identifier of CVE-2011-1782 has been assigned to this issue.
Comment 8 Jan Lieskovsky 2011-05-23 10:42:29 EDT
Created gimp tracking bugs for this issue

Affects: fedora-all [bug 706939]

Note You need to log in before you can comment on or make changes to this bug.