Bug 947868 - (CVE-2013-1913) CVE-2013-1913 gimp: xwd plugin g_new() integer overflow
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20131203,repor...
Keywords: Security
Depends On: 947891 947894 947895 947896 1030899 1037720
Blocks: 879318
Reported: 2013-04-03 08:58 EDT by Stefan Cornelius
Modified: 2016-03-04 06:07 EST

Doc Type: Bug Fix
Last Closed: 2013-12-14 14:49:29 EST
Attachments:
updated patch for CVE-2013-1913 (1.14 KB, patch)
2013-11-27 05:45 EST, Nils Philippsen
Description Stefan Cornelius 2013-04-03 08:58:15 EDT
Murray McAllister of the Red Hat Security Response Team has discovered an integer overflow in the way GIMP, the GNU Image Manipulation Program, performed loading of certain X Window System (XWD) image dumps containing a large color entries value. A remote attacker could provide a specially-crafted XWD format image file that, when processed, would lead to a gimp XWD plug-in crash or, potentially, arbitrary code execution with the privileges of the user running the gimp executable.
Comment 10 Nils Philippsen 2013-11-27 05:45:29 EST
Created attachment 829636
updated patch for CVE-2013-1913
Comment 11 Tomas Hoger 2013-11-27 17:54:22 EST
This problem is in load_image() in file-xwd.c.  xwdcolmap (buffer to store color map) is allocated using glib's g_new using l_colormap_entries value from the image header, which wasn't previously validated.

https://git.gnome.org/browse/gimp/tree/plug-ins/common/file-xwd.c?id=03df8c6#n471

g_new in glib versions before 2.24 does not have integer overflow checks.

https://bugzilla.gnome.org/show_bug.cgi?id=608196

Hence this issue could result in allocation of memory not sufficient to store l_colormap_entries color map entries when using gimp with an older glib version (such as the one shipped with Red Hat Enterprise Linux 5).

Note that this problem is masked by the different issue tracked via bug 953902, as the read_xwd_cols() function used to populate xwdcolmap uses a different upper bound - l_ncolors instead of l_colormap_entries.
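
The size arithmetic described in comment 11, as an added example that is not part of the original bug report and is not GIMP or glib code. It models a 32-bit size_t; the type names, function names, entry layout and sample header values are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Models size_t on a 32-bit build, where the multiplication can wrap. */
typedef uint32_t size32_t;

/* Constructed stand-in for one color map entry (layout is an assumption). */
typedef struct {
    uint32_t pixel;
    uint16_t red, green, blue;
    uint8_t  flags, pad;
} xwd_color_t;

/* Byte count as computed without an overflow check: n * size modulo 2^32. */
size32_t unchecked_bytes(size32_t n_entries, size32_t elem_size)
{
    return n_entries * elem_size;
}

/* Checked byte count: returns 1 and stores the size, or 0 when the product
 * does not fit in size32_t and the allocation must be refused. */
int checked_bytes(size32_t n_entries, size32_t elem_size, size32_t *out)
{
    if (elem_size != 0 && n_entries > UINT32_MAX / elem_size)
        return 0;
    *out = n_entries * elem_size;
    return 1;
}

/* Entries that really fit in the buffer the unchecked path would allocate. */
size32_t entries_that_fit(size32_t n_entries, size32_t elem_size)
{
    return elem_size ? unchecked_bytes(n_entries, elem_size) / elem_size : 0;
}

int main(void)
{
    /* Constructed header values: one ordinary, one that wraps at 32 bits. */
    const size32_t samples[] = { 256u, 0x15555556u };
    const size32_t esz = (size32_t)sizeof(xwd_color_t);
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        size32_t n = samples[i], bytes = 0;
        printf("entries=%u unchecked=%u bytes (room for %u) checked=%s\n",
               (unsigned)n, (unsigned)unchecked_bytes(n, esz),
               (unsigned)entries_that_fit(n, esz),
               checked_bytes(n, esz, &bytes) ? "ok" : "refused");
    }
    return 0;
}
```

With a 12-byte entry, the second sample header value yields an 8-byte request on the unchecked path, which is the undersized buffer the comment describes.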
Comment 12 Tomas Hoger 2013-11-27 17:54:45 EST
Acknowledgment:

This issue was discovered by Murray McAllister of the Red Hat Security Response Team.
Comment 13 Vincent Danen 2013-12-03 11:28:44 EST
Created gimp tracking bugs for this issue:

Affects: fedora-all [bug 1037720]
Comment 14 errata-xmlrpc 2013-12-03 11:52:26 EST
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:1778 https://rhn.redhat.com/errata/RHSA-2013-1778.html
