[NEWS] GIMP XCF Parsing xcf_load_vector() Function Overflow
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 25 Jul 2006 13:42:43 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
GIMP XCF Parsing xcf_load_vector() Function Overflow
------------------------------------------------------------------------
SUMMARY
Buffer overflow in the xcf_load_vector function in app/xcf/xcf-load.c for
GIMP before 2.2.12 allows user-complicit attackers to cause a denial of
service (crash) and possibly execute arbitrary code via an XCF file with a
large num_axes value in the VECTORS property.
DETAILS
Vulnerable Systems:
* GIMP version 2.2.11
Immune Systems:
* GIMP version 2.2.12
The problem is in the function xcf_load_vector() in app/xcf/xcf-load.c of
the source tree. For each "stroke" being read, the code reads an uint32
from the XCF file into the variable num_axes, and then for each control
proint of the stroke reads num_axes floats from the file into the
stack-allocated array coords whose size is hard-coded as 6.
A malicious XCF file creator could write a large number into the num_axes
position and trick the XCF reader into overwriting part of the stack with
raw data read from the file. On little-endian systems, the function
xcf_read_float() that actually reads the floats does a byte-order
conversion on the data it reads but does not do any special float
processing, so an attacker has direct control of the data written to the
stack.
The attack is in the VECTORS property of an XCF file which pure XCF
_viewers_ (e.g. imagemagick or xcftools) normally skip without parsing.
Thus an attack file can easily be written such that the image will display
correctly with no symptoms at all in a viewer application.
ADDITIONAL INFORMATION
The information has been provided by Justin M. Forbes.
The original article can be found at:
<https://issues.rpath.com/browse/RPL-522>
https://issues.rpath.com/browse/RPL-522
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NEWS] Siemens Speedstream Wireless/Router DoS
- Next by Date: [NT] Password Safe - Lock Password Database Configuration Not Enforced
- Previous by thread: [NEWS] Siemens Speedstream Wireless/Router DoS
- Next by thread: [NT] Password Safe - Lock Password Database Configuration Not Enforced
- Index(es):
Relevant Pages
|
|
