Murray McAllister of the Red Hat Security Response Team has discovered an integer overflow in the way GIMP, the GNU Image Manipulation Program, performed loading of certain X Window System (XWD) image dumps containing a large color entries value. A remote attacker could provide a specially-crafted XWD format image file that, when processed, would lead to a GIMP XWD plug-in crash or, potentially, arbitrary code execution with the privileges of the user running the gimp executable.
Created attachment 829636 [details] updated patch for CVE-2013-1913
This problem is in load_image() in file-xwd.c. xwdcolmap (the buffer used to store the color map) is allocated using glib's g_new using the l_colormap_entries value from the image header, which wasn't previously validated:

https://git.gnome.org/browse/gimp/tree/plug-ins/common/file-xwd.c?id=03df8c6#n471

g_new in glib versions before 2.24 does not have integer overflow checks:

https://bugzilla.gnome.org/show_bug.cgi?id=608196

Hence this issue could result in an allocation of memory not sufficient to store l_colormap_entries color map entries when using gimp with an older glib version (such as the one shipped with Red Hat Enterprise Linux 5).

Note that this problem is masked by the different issue tracked via bug 953902, as the read_xwd_cols() function used to populate xwdcolmap uses a different upper bound - l_ncolors instead of l_colormap_entries.
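The following is an added example, not code from GIMP or from the upstream fix, illustrating the two points above: how an unchecked 32-bit product of an attacker-controlled entry count and the element size wraps to a tiny allocation, and what a validating allocator for the color map would have to check before calling g_new. The XWDColor layout (12 bytes) is an approximation of the plug-in's struct, and the XWD_MAX_COLORMAP_ENTRIES cap is an arbitrary assumption chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Approximation of the XWD color map entry used by the plug-in.
 * ASSUMPTION: 4 + 3*2 + 2 = 12 bytes with 4-byte alignment on common ABIs. */
typedef struct {
  uint32_t l_pixel;
  uint16_t l_red, l_green, l_blue;
  uint8_t  l_flags, l_pad;
} XWDColor;

/* Model of the pre-2.24 g_new(type, n) size computation on a 32-bit gsize:
 * the product is taken modulo 2^32 with no overflow detection. */
static uint32_t legacy_alloc_size(uint32_t n_entries, uint32_t elem_size)
{
  return n_entries * elem_size;   /* wraps silently */
}

/* ASSUMPTION: an illustrative upper bound; a real loader would derive it
 * from the format (e.g. visual depth) rather than pick a constant. */
#define XWD_MAX_COLORMAP_ENTRIES (1u << 20)

/* Hardened size computation for the color map buffer.
 * Returns 0 and writes the byte count on success, -1 if the header values
 * would overflow the allocation or let the fill loop run past the buffer. */
static int checked_colormap_size(uint32_t l_colormap_entries,
                                 uint32_t l_ncolors,
                                 size_t  *out_bytes)
{
  if (l_colormap_entries == 0 || l_colormap_entries > XWD_MAX_COLORMAP_ENTRIES)
    return -1;                                   /* absurd or empty count */
  if (l_ncolors > l_colormap_entries)
    return -1;                                   /* loop bound must not exceed allocation */
  if ((size_t)l_colormap_entries > SIZE_MAX / sizeof(XWDColor))
    return -1;                                   /* n * sizeof would overflow size_t */
  *out_bytes = (size_t)l_colormap_entries * sizeof(XWDColor);
  return 0;
}

/* Returns 1 if a crafted header value makes the legacy computation allocate
 * fewer bytes than a single entry needs, i.e. the overflow is exploitable. */
static int crafted_count_underallocates(uint32_t l_colormap_entries)
{
  uint32_t bytes = legacy_alloc_size(l_colormap_entries, 12);
  return bytes < 12;
}

int main(void)
{
  /* Constructed header value: 0x15555556 * 12 == 2^32 + 8, so the 32-bit
   * product wraps to 8 bytes while the loader believes it has ~358M entries. */
  uint32_t crafted = 0x15555556u;
  size_t   bytes   = 0;

  printf("legacy size for %u entries: %u bytes (under-allocates: %d)\n",
         crafted, legacy_alloc_size(crafted, 12),
         crafted_count_underallocates(crafted));
  printf("checked size accepts crafted header: %s\n",
         checked_colormap_size(crafted, crafted, &bytes) == 0 ? "yes" : "no");
  printf("checked size for 256 entries: %s, %zu bytes\n",
         checked_colormap_size(256, 256, &bytes) == 0 ? "ok" : "rejected", bytes);
  return 0;
}
```

The second check (l_ncolors against l_colormap_entries) is what closes the gap described for bug 953902: even when the allocation itself is correct, a fill loop bounded by a different header field than the one used for sizing is a separate overrun.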
Acknowledgment: This issue was discovered by Murray McAllister of the Red Hat Security Response Team.
Created gimp tracking bugs for this issue: Affects: fedora-all [bug 1037720]
This issue has been addressed in the following products:

Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6

Via RHSA-2013:1778 https://rhn.redhat.com/errata/RHSA-2013-1778.html
Upstream commit: https://git.gnome.org/browse/gimp/commit/?id=32ae0f83e5748299641cceaabe3f80f1b3afd03e