CLD-186 Details

Other IDs this deficiency may be known by:

CVE ID CVE-2017-17789 (nvd) (mitre) (debian) (archlinux) (red hat) (suse) (ubuntu)
Other ID(s)

Basic Information:

Affected Package(s) gimp
Deficiency Type SECURITY
Date Created 2017-12-21 09:51:14
Date Last Modified 2017-12-30 13:44:03

Version Specific Information:

Cucumber 1.0 i686 fixed in gimp-2.8.22-i686-4
Cucumber 1.0 x86_64 fixed in gimp-2.8.22-x86_64-4 and gimp-lib_i686-2.8.22-lib_i686-4

Cucumber 1.1 i686 fixed in gimp-2.8.22-i686-4
Cucumber 1.1 x86_64 fixed in gimp-2.8.22-x86_64-4 and gimp-lib_i686-2.8.22-lib_i686-4

Details:

=================================== Overview ===================================

From https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17789

In GIMP 2.8.22, there is a heap-based buffer overflow in read_channel_data in
plug-ins/common/file-psp.c.

================================ Initial Report ================================

From Hanno Bock on Gnome Bugzilla
(https://bugzilla.gnome.org/show_bug.cgi?id=790849):

The attached file will cause a heap buffer overflow in the PSP import plugin.

Stack trace from address sanitizer:
==29046==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f64a922d100 at pc 0x0000004c3668 bp 0x7ffc2baf8a50 sp 0x7ffc2baf8200
WRITE of size 48 at 0x7f64a922d100 thread T0
    #0 0x4c3667 in __asan_memmove (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x4c3667)
    #1 0x513628 in read_channel_data /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1237:17
    #2 0x513628 in read_layer_block /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1593
    #3 0x513628 in load_image /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1843
    #4 0x513628 in run /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1949
    #5 0x7f64c0ad3afd in gimp_proc_run /f/gimp/gimp-2.9.6/libgimp/gimp.c:2168:7
    #6 0x7f64c0ad3afd in gimp_loop /f/gimp/gimp-2.9.6/libgimp/gimp.c:1997
    #7 0x7f64c0ad3afd in gimp_main /f/gimp/gimp-2.9.6/libgimp/gimp.c:618
    #8 0x7f64bbd2c0cc in __libc_start_main (/lib64/libc.so.6+0x210cc)
    #9 0x41b479 in _start (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x41b479)

0x7f64a922d100 is located 0 bytes to the right of 152176896-byte region [0x7f64a010c800,0x7f64a922d100)
allocated by thread T0 here:
    #0 0x4da260 in calloc (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x4da260)
    #1 0x7f64bd073710 in g_malloc0 (/usr/lib64/libglib-2.0.so.0+0x4f710)
    #2 0x512af1 in read_layer_block /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1510:15
    #3 0x512af1 in load_image /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1843
    #4 0x512af1 in run /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1949
    #5 0x7f64c0ad3afd in gimp_proc_run /f/gimp/gimp-2.9.6/libgimp/gimp.c:2168:7
    #6 0x7f64c0ad3afd in gimp_loop /f/gimp/gimp-2.9.6/libgimp/gimp.c:1997
    #7 0x7f64c0ad3afd in gimp_main /f/gimp/gimp-2.9.6/libgimp/gimp.c:618
    #8 0x7f64bbd2c0cc in __libc_start_main (/lib64/libc.so.6+0x210cc)
    #9 0x41b479 in _start (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x41b479)

============================ Additional Information ============================

See http://www.openwall.com/lists/oss-security/2017/12/19/5

================================= Our Analysis =================================

----- Affected Products -----
Versions of GIMP up to and including 2.8.22 are affected by this vulnerability.
This includes GIMP as originally packaged in Cucumber Linux 1.0 and 1.1. As of
the writing of this analysis (Thu Dec 21 11:13:35 EST 2017), 2.8.22 is the
latest stable version of GIMP; future releases may or may not be affected.

A patch was released on 2017-12-20 15:51:00 (GMT) fixing this vulnerability at
https://git.gnome.org/browse/gimp/commit/?id=01898f10f87a094665a7fdcf7153990f4e511d3f.

----- Scope and Impact of this Vulnerability -----
Opening a crafted PSP file causes a heap buffer overflow in the PSP import
plug-in (read_channel_data in plug-ins/common/file-psp.c).
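The sanitizer report above shows a memmove in read_channel_data writing past
the end of a region that read_layer_block had allocated earlier. The following
is an added illustration, not GIMP's code and not the upstream patch, of the
bounds check a raster importer needs at that point: the layer buffer's size is
recorded when it is allocated and every later channel copy is refused unless
it fits. The layer layout, the function names (layer_alloc,
copy_channel_checked, try_copy) and the sample sizes are assumptions chosen
for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Layer pixel buffer as a hypothetical importer would hold it: the size is
 * fixed when the layer is allocated and every later channel copy must be
 * checked against it. The layout is an assumption for illustration only. */
typedef struct {
    uint8_t *pixels;
    size_t   size;            /* bytes actually allocated */
    uint32_t width, height, bytes_per_pixel;
} layer_buf;

/* Allocate width * height * bpp bytes, refusing header values whose product
 * would wrap: a wrapped size yields a small buffer that later copies overrun. */
static int layer_alloc(layer_buf *l, uint32_t w, uint32_t h, uint32_t bpp)
{
    if (w == 0 || h == 0 || bpp == 0 || bpp > 4)
        return -1;
    if ((size_t)w > SIZE_MAX / bpp || (size_t)w * bpp > SIZE_MAX / h)
        return -1;
    l->size = (size_t)w * h * bpp;
    l->pixels = calloc(1, l->size);
    if (l->pixels == NULL)
        return -1;
    l->width = w;
    l->height = h;
    l->bytes_per_pixel = bpp;
    return 0;
}

/* The copy in the report is a memmove of file-controlled length at a
 * file-controlled position. This version refuses it unless
 * [dst_off, dst_off + n) lies entirely inside the allocation; the check is
 * written as a subtraction so dst_off + n itself cannot wrap. */
static int copy_channel_checked(layer_buf *l, size_t dst_off,
                                const uint8_t *src, size_t n)
{
    if (dst_off > l->size || n > l->size - dst_off) {
        fprintf(stderr,
                "rejecting channel data: %zu bytes at offset %zu, buffer is %zu bytes\n",
                n, dst_off, l->size);
        return -1;
    }
    memmove(l->pixels + dst_off, src, n);
    return 0;
}

/* Drive one allocate-then-copy attempt with constructed channel bytes.
 * Returns 0 if the copy was accepted, -1 if the bounds check refused it,
 * -2 if the layer header itself (or the allocation) was rejected. */
static int try_copy(uint32_t w, uint32_t h, uint32_t bpp,
                    size_t dst_off, size_t n)
{
    layer_buf l;
    uint8_t *src;
    int rc;

    if (layer_alloc(&l, w, h, bpp) != 0)
        return -2;
    src = malloc(n ? n : 1);          /* constructed channel data */
    if (src == NULL) {
        free(l.pixels);
        return -2;
    }
    memset(src, 0xAB, n ? n : 1);
    rc = copy_channel_checked(&l, dst_off, src, n);
    free(src);
    free(l.pixels);
    return rc;
}

int main(void)
{
    /* 4x4 RGB layer = 48 bytes, the same write size the sanitizer reported */
    printf("in-bounds 48-byte copy: %d\n", try_copy(4, 4, 3, 0, 48));
    printf("one byte too many:      %d\n", try_copy(4, 4, 3, 0, 49));
    printf("runs off the end:       %d\n", try_copy(4, 4, 3, 40, 9));
    printf("header product wraps:   %d\n",
           try_copy(0x80000000u, 0x80000000u, 4, 0, 1));
    return 0;
}
```

The two checks belong together: rejecting an oversized copy is only meaningful
if the recorded buffer size is itself trustworthy, which is why the
width/height/bpp product is guarded against wrap-around before the allocation.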

----- Fix for this Vulnerability -----
This vulnerability can be fixed by applying the patch from
https://git.gnome.org/browse/gimp/commit/?id=01898f10f87a094665a7fdcf7153990f4e511d3f.

================================= Our Solution =================================

We have applied the aforementioned patch and rebuilt GIMP.