CPNI - Centre for the Protection of National Infrastructure

July 2007

iDefense Security Advisory: GIMP

ID: 156
Ref: 101/2007
Date: 10 July 2007 16:23:09
Version: 1

Title: iDefense Security Advisory: GIMP
Abstract: Description of multiple integer overflow vulnerabilities in the image loader plug-ins shipped with GIMP (multiple vendors)
Vendors affected: Multiple
Operating systems affected: Multiple
Applications affected: Multiple

Multiple Vendor GIMP Multiple Integer Overflow Vulnerabilities

iDefense Security Advisory 07.09.07
http://labs.idefense.com/intelligence/vulnerabilities/
Jul 09, 2007

I. BACKGROUND

The GNU Image Manipulation Program is commonly known as the GIMP. It is a
freely distributed piece of software for such tasks as photo retouching, image
composition and image authoring. It is available, in many languages, for
multiple operating systems. More information is available at the following
URL.

http://www.gimp.org/

II. DESCRIPTION

Remote exploitation of multiple integer overflow vulnerabilities in several of
the image loader plug-ins included with distributions of 'The GIMP' allows
attackers to crash The GIMP or potentially execute arbitrary code with the
privileges of the user.

The following lines show the location of some vulnerabilities within the code
responsible for loading the DICOM, PNM, PSD, PSP, Sun RAS, XBM, and XWD file
formats. Each of the files is located within the plug-ins/common directory of
the source code.

dicom.c:391: value = g_new0 (guint8, element_length + 4);
pnm.c:566: data = g_new (guchar, gimp_tile_height () * info->xres * np);
pnm.c:628: data = g_new (guchar, gimp_tile_height () * info->xres *
info->np);
pnm.c:681: data = g_new (guchar, gimp_tile_height () * info->xres);
psd.c:2969: PSDheader.rowlength = g_malloc (PSDheader.rows *
psp.c:1225: pixel = g_malloc0 (height * width * bytespp);
sunras.c:955: data = g_malloc (tile_height * width);
sunras.c:1076: data = g_malloc (tile_height * width);
sunras.c:1146: data = g_malloc (tile_height * width * 3);
sunras.c:1231: data = g_malloc (tile_height * width * 3);
xbm.c:879: data = (guchar *) g_malloc (width * tileheight);
xwd.c:1193: data = g_malloc (tile_height * width);
xwd.c:1195: scanline = g_new (guchar, xwdhdr->l_bytes_per_line + 8);
xwd.c:1352: data = g_malloc (tile_height * width);
xwd.c:1441: data = g_malloc (tile_height * width * 3);
xwd.c:1601: data = g_malloc (tile_height * width * 3);
xwd.c:1812: data = g_malloc (tile_height * width * bytes_per_pixel);

In each case, an integer value read from the untrusted image file (a width,
height, row length or element length) is multiplied or added to compute the
length to allocate. Since no integer overflow checking is performed, the
result can wrap to a small value, the allocation is undersized, and the
subsequent writes of image data overrun the heap buffer. A potentially
exploitable heap overflow may result.

This is not a complete list of integer overflow vulnerabilities in the code.
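The wrap-around behind these allocations, shown as an added example that is not code from GIMP or from the advisory: a 32-bit unsigned size computation with the same `tile_height * width * bpp` shape as the `g_malloc` lines above, beside a checked version that rejects any header whose dimensions would overflow. The header struct, the 64-row tile height, the sample header values and the `simulate_tile_load` dry-run are assumptions for illustration, not any real loader's code; the same kind of check applies to the `+ 4` and `+ 8` additions in dicom.c and xwd.c.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative stand-in for a loader's per-tile buffer size computation.
 * With 32-bit unsigned operands the product wraps modulo 2^32, exactly as
 * in the advisory's g_malloc (tile_height * width * 3) lines. */
static uint32_t unchecked_buffer_size(uint32_t tile_height, uint32_t width,
                                      uint32_t bpp)
{
    return tile_height * width * bpp;   /* silently wraps on overflow */
}

/* Multiply two 32-bit values, failing instead of wrapping. */
static bool mul_u32(uint32_t a, uint32_t b, uint32_t *out)
{
    uint64_t product = (uint64_t)a * (uint64_t)b;
    if (product > UINT32_MAX)
        return false;
    *out = (uint32_t)product;
    return true;
}

/* Hardened form: every partial product is checked before it feeds the next.
 * If any partial product exceeds 2^32 - 1 the full product does too, so the
 * order of the multiplications does not change the accept/reject decision. */
static bool checked_buffer_size(uint32_t tile_height, uint32_t width,
                                uint32_t bpp, uint32_t *out)
{
    uint32_t row_bytes;
    if (!mul_u32(width, bpp, &row_bytes))
        return false;
    return mul_u32(tile_height, row_bytes, out);
}

/* Constructed header standing in for the width/height/depth fields a loader
 * reads from the untrusted file (assumed layout, not any real format's). */
struct image_header {
    uint32_t width;
    uint32_t height;
    uint32_t bytes_per_pixel;
};

enum load_result { LOAD_OK, LOAD_REJECTED, LOAD_HEAP_OVERFLOW };

/* Dry run of the allocate-then-fill pattern: computes the size the loader
 * would allocate for one tile and the bytes it would then write into it,
 * and reports whether the write would run past the buffer. No memory is
 * allocated or written; the comparison is done on the sizes alone. */
static enum load_result simulate_tile_load(const struct image_header *hdr,
                                           uint32_t tile_height,
                                           bool use_checked,
                                           uint64_t *bytes_written)
{
    uint32_t alloc_size;
    uint64_t rows = hdr->height < tile_height ? hdr->height : tile_height;

    /* What the row-filling loop would write, computed without wrapping. */
    *bytes_written = rows * (uint64_t)hdr->width * hdr->bytes_per_pixel;

    if (use_checked) {
        if (!checked_buffer_size(tile_height, hdr->width,
                                 hdr->bytes_per_pixel, &alloc_size))
            return LOAD_REJECTED;           /* header refused up front */
    } else {
        alloc_size = unchecked_buffer_size(tile_height, hdr->width,
                                           hdr->bytes_per_pixel);
    }
    return *bytes_written > alloc_size ? LOAD_HEAP_OVERFLOW : LOAD_OK;
}

int main(void)
{
    /* Constructed sample: 64-row tiles (assumed), a width chosen so that
     * 64 * width wraps to 64 in 32 bits, and 3 bytes per pixel. The
     * unchecked size is 64 * 3 = 192 bytes for a tile that needs ~48 GiB. */
    const uint32_t tile_height = 64;
    struct image_header evil = { 0x10000001u, 64, 3 };
    struct image_header benign = { 640, 480, 3 };
    uint64_t written;

    printf("unchecked alloc for evil header: %u bytes\n",
           unchecked_buffer_size(tile_height, evil.width, evil.bytes_per_pixel));
    printf("unchecked load: %s\n",
           simulate_tile_load(&evil, tile_height, false, &written)
               == LOAD_HEAP_OVERFLOW ? "heap overflow" : "ok");
    printf("checked load:   %s\n",
           simulate_tile_load(&evil, tile_height, true, &written)
               == LOAD_REJECTED ? "rejected" : "ok");
    printf("benign header:  %s\n",
           simulate_tile_load(&benign, tile_height, true, &written)
               == LOAD_OK ? "ok" : "rejected");
    return 0;
}
```

The practical lesson is that the check must sit on the size arithmetic itself, before the allocator is called: a sanity limit on width or height alone does not help once three or four untrusted factors are multiplied together, and `g_malloc` cannot tell an intentionally small request from a wrapped one.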

III. ANALYSIS

Exploitation allows attackers to execute arbitrary code in the context of the
user opening a malicious image file.

In order to be successful, the attacker must convince the victim into opening
a maliciously crafted image with The GIMP.

IV. DETECTION

iDefense has confirmed that version 2.2.15 of The GIMP is vulnerable on both
Linux and Windows platforms. It is suspected that all previous versions of the
GIMP are also affected.

V. WORKAROUND

Consider moving the affected loader modules from The GIMP's plug-in directory
to another location. While they are moved, The GIMP will be unable to open
images in the corresponding formats. The location in the file system may vary
depending on the distribution. On Red Hat Linux and Debian systems the default
plug-in directory is /usr/lib/gimp/2.0/plug-ins.

VI. VENDOR RESPONSE

The GIMP maintainers have released version 2.2.16 to address these
vulnerabilities. For more information, consult the following URL.

http://developer.gimp.org/NEWS-2.2

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the name
CVE-2006-4519 to this issue. This is a candidate for inclusion in the CVE list
(http://cve.mitre.org/), which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

08/17/2006 Initial vendor notification
10/06/2006 Second vendor notification
06/26/2007 Third vendor notification
06/26/2007 Initial vendor response
07/09/2007 Coordinated public disclosure

IX. CREDIT

These vulnerabilities were discovered by Sean Larsson (iDefense Labs).

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events http://labs.idefense.com/

X. LEGAL NOTICES

Copyright © 2007 iDefense, Inc.

Permission is granted for the redistribution of this alert electronically. It
may not be edited in any way without the express written consent of iDefense.
If you wish to reprint the whole or any part of this alert in any other medium
other than electronically, please e-mail customerservice@idefense.com for
permission.

Disclaimer: The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the author
nor the publisher accepts any liability for any direct, indirect, or
consequential loss or damage arising from use of, or reliance on, this
information.
___________________________________________________________________________

CPNI wishes to acknowledge the contributions of iDefense for the
information contained in this advisory.
___________________________________________________________________________

This advisory contains information released by the original author. Some of
the information may have changed since it was released. If the issue affects
you, it may be prudent to retrieve the advisory from the site of the original
source to ensure that you receive the most current information concerning that problem.

Reference to any specific commercial product, process, or service by trade
name, trademark, manufacturer, or otherwise, does not constitute or imply its
endorsement, recommendation, or favouring by CPNI. The views and opinions of
authors expressed within this notice shall not be used for advertising or
product endorsement purposes.

CPNI shall not accept responsibility for any errors or omissions
contained within this advisory. In particular, they shall not be liable for
any loss or damage whatsoever, arising from or in connection with the usage of
information contained within this advisory.

CPNI is a member of the Forum of Incident Response and Security Teams (FIRST)
and has contacts with other international Incident Response Teams (IRTs) in
order to foster cooperation and coordination in incident prevention, to prompt
rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.
___________________________________________________________________________