Bug 947868 (CVE-2013-1913) - CVE-2013-1913 gimp: xwd plugin g_new() integer overflow
Summary: CVE-2013-1913 gimp: xwd plugin g_new() integer overflow
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-1913
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 947891 947894 947895 947896 1030899 1037720
Blocks: 879318
 
Reported: 2013-04-03 12:58 UTC by Stefan Cornelius
Modified: 2023-05-13 00:33 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-12-14 19:49:29 UTC
Embargoed:


Attachments
updated patch for CVE-2013-1913 (1.14 KB, patch)
2013-11-27 10:45 UTC, Nils Philippsen


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2013:1778 0 normal SHIPPED_LIVE Moderate: gimp security update 2013-12-03 21:50:50 UTC

Description Stefan Cornelius 2013-04-03 12:58:15 UTC
Murray McAllister of the Red Hat Security Response Team has discovered an integer overflow in the way GIMP, the GNU Image Manipulation Program, performed loading of certain X Window System (XWD) image dumps containing a large color entries value. A remote attacker could provide a specially-crafted XWD format image file that, when processed, would lead to a gimp XWD plug-in crash or, potentially, arbitrary code execution with the privileges of the user running the gimp executable.

Comment 10 Nils Philippsen 2013-11-27 10:45:29 UTC
Created attachment 829636
updated patch for CVE-2013-1913

Comment 11 Tomas Hoger 2013-11-27 22:54:22 UTC
This problem is in load_image() in file-xwd.c.  xwdcolmap (buffer to store color map) is allocated using glib's g_new using l_colormap_entries value from the image header, which wasn't previously validated.

https://git.gnome.org/browse/gimp/tree/plug-ins/common/file-xwd.c?id=03df8c6#n471

g_new in glib versions before 2.24 does not have integer overflow checks.

https://bugzilla.gnome.org/show_bug.cgi?id=608196

Hence this issue could result in allocation of memory not sufficient to store l_colormap_entries color map entries when using gimp with an older glib version (such as the one shipped with Red Hat Enterprise Linux 5).

Note that this problem is masked by the different issue tracked via bug 953902, as the read_xwd_cols() function used to populate xwdcolmap uses a different upper bound - l_ncolors instead of l_colormap_entries.
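
Added example (not part of the bug report, and not GIMP or glib code): the C sketch below models the count * size allocation that comment 11 describes, with 32-bit size_t arithmetic represented by uint32_t, next to an allocation that validates the header count first. The names color_entry_t, unchecked_bytes32, checked_bytes, alloc_colormap and MAX_COLORMAP_ENTRIES, the 12-byte entry layout, and the sample count are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for one color map entry (12 bytes); the real
 * structure in file-xwd.c is not shown on this page. */
typedef struct {
    uint32_t pixel;
    uint16_t red, green, blue;
    uint8_t  flags, pad;
} color_entry_t;

/* Assumed sanity limit for this example only; not taken from the patch. */
#define MAX_COLORMAP_ENTRIES 256u

/* Byte count as an allocator without overflow checks would compute it
 * on a platform with 32-bit size_t: the product wraps modulo 2^32. */
uint32_t unchecked_bytes32(uint32_t n_entries)
{
    return n_entries * (uint32_t)sizeof(color_entry_t);
}

/* Overflow-checked n * size: returns 1 and stores the product in *out,
 * or returns 0 if the product does not fit in size_t. */
int checked_bytes(size_t n, size_t size, size_t *out)
{
    if (size != 0 && n > SIZE_MAX / size)
        return 0;
    *out = n * size;
    return 1;
}

/* Validate the header-supplied count before allocating the color map. */
color_entry_t *alloc_colormap(uint32_t n_entries)
{
    size_t bytes;
    if (n_entries == 0 || n_entries > MAX_COLORMAP_ENTRIES)
        return NULL;                      /* reject implausible header value */
    if (!checked_bytes(n_entries, sizeof(color_entry_t), &bytes))
        return NULL;                      /* reject arithmetic overflow */
    return malloc(bytes);
}

int main(void)
{
    uint32_t n = 0x15555556u;             /* constructed header value */
    printf("entries=%u unchecked 32-bit size=%u bytes\n",
           (unsigned)n, (unsigned)unchecked_bytes32(n));
    printf("validated alloc: %s\n", alloc_colormap(n) ? "ok" : "rejected");
    return 0;
}
```

The range check alone already rejects the constructed value; the checked multiplication is kept so the allocation stays safe if the limit is later raised or removed.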

Comment 12 Tomas Hoger 2013-11-27 22:54:45 UTC
Acknowledgment:

This issue was discovered by Murray McAllister of the Red Hat Security Response Team.

Comment 13 Vincent Danen 2013-12-03 16:28:44 UTC
Created gimp tracking bugs for this issue:

Affects: fedora-all [bug 1037720]

Comment 14 errata-xmlrpc 2013-12-03 16:52:26 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:1778 https://rhn.redhat.com/errata/RHSA-2013-1778.html

