openSUSE has issued an advisory on April 12: https://lists.opensuse.org/opensuse-updates/2017-04/msg00046.html Mageia 5 is also affected.
Whiteboard: (none) => MGA5TOO
*** Bug 20662 has been marked as a duplicate of this bug. ***
Assigning to the registered maintainer.
CC: (none) => marja11
Assignee: bugsquad => shlomif
QA Contact: (none) => security
Component: RPM Packages => Security
The patch was applied in gimp-2.8.20-2mga6 in Cauldron. Still needs to be done for mga5.
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
(In reply to Shlomi Fish from comment #3)
> The patch was applied in gimp-2.8.20-2mga6 in Cauldron. Still needs to be
> done for mga5.

gimp-2.8.14-4.2.mga5 update sent to mga5 core/updates_testing. Assigning to QA.

David, should I write an advisory?
Assignee: shlomif => qa-bugs
Thanks Shlomi!

Advisory:
========================

Updated gimp packages fix security vulnerability:

Context-dependent attackers were able to cause a denial of service via an ICO file with an InfoHeader containing a Height of zero (CVE-2007-3126).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3126
https://lists.opensuse.org/opensuse-updates/2017-04/msg00046.html
========================

Updated packages in core/updates_testing:
========================
gimp-2.8.14-4.2.mga5
libgimp2.0-devel-2.8.14-4.2.mga5
libgimp2.0_0-2.8.14-4.2.mga5
gimp-python-2.8.14-4.2.mga5

from gimp-2.8.14-4.2.mga5.src.rpm
Advisory added to svn.
Whiteboard: (none) => advisory
CC: (none) => davidwhodgins
Testing this on x86_64 real hardware.

This looked like it should have a reproducer but could not find one, so decided to have a go at editing an ICO file. Chose hugin.ico at random from system files. The GIMP and identify list 7 layers of various sizes. The main image is a PNG measuring 48x48.

The CVE specifically mentions that a crafted image with height set to zero would cause trouble, so I edited the height byte for all seven components in the file header to 0 and let it loose. Note that value zero is interpreted as 256, so is a legitimate dimension. See https://en.wikipedia.org/wiki/ICO_%28file_format%29#Icon_resource_structure for details.

Used bless and the 'AND 00' operation to edit a copy of the original image.

$ identify hugin.ico
hugin.ico[0] ICO 48x48 48x48+0+0 8-bit sRGB 32.8KB 0.000u 0:00.000
hugin.ico[1] ICO 32x32 32x32+0+0 8-bit sRGB 32.8KB 0.000u 0:00.000
hugin.ico[2] ICO 16x16 16x16+0+0 8-bit sRGB 32.8KB 0.000u 0:00.000
hugin.ico[3] PNG 128x128 128x128+0+0 8-bit sRGB 32.8KB 0.000u 0:00.000
hugin.ico[4] ICO 48x48 48x48+0+0 32-bit sRGB 32.8KB 0.000u 0:00.000
hugin.ico[5] ICO 32x32 32x32+0+0 32-bit sRGB 32.8KB 0.000u 0:00.000
hugin.ico[6] ICO 16x16 16x16+0+0 32-bit sRGB 32.8KB 0.000u 0:00.000

Header before edit:

$ od -x hugin.ico | less
0000000 0000 0001 0007 3030 0000 0001 0008 0ea8
0000020 0000 0076 0000 2020 0000 0001 0008 08a8
0000040 0000 0f1e 0000 1010 0000 0001 0008 0568
0000060 0000 17c6 0000 8080 0000 0001 0020 281d
0000100 0000 1d2e 0000 3030 0000 0001 0020 25a8
0000120 0000 454b 0000 2020 0000 0001 0020 10a8
0000140 0000 6af3 0000 1010 0000 0001 0020 0468

Header after edit:

$ od -x poc.ico | less
0000000 0000 0001 0007 0030 0000 0001 0008 0ea8
0000020 0000 0076 0000 2020 0000 0001 0008 08a8
0000040 0000 0f1e 0000 1010 0000 0001 0008 0568
0000060 0000 17c6 0000 0080 0000 0001 0020 281d
0000100 0000 1d2e 0000 3030 0000 0001 0020 25a8
0000120 0000 454b 0000 2020 0000 0001 0020 10a8
0000140 0000 6af3 0000 1010 0000 0001 0020 0468

$ identify poc.ico
poc.ico[0] ICO 48x256 48x256+0+0 8-bit sRGB 32.8KB 0.000u 0:00.009
poc.ico[1] ICO 32x32 32x32+0+0 8-bit sRGB 32.8KB 0.000u 0:00.009
poc.ico[2] ICO 16x16 16x16+0+0 8-bit sRGB 32.8KB 0.000u 0:00.009
poc.ico[3] PNG 128x128 128x128+0+0 8-bit sRGB 32.8KB 0.000u 0:00.000
poc.ico[4] ICO 48x48 48x48+0+0 32-bit sRGB 32.8KB 0.000u 0:00.000
poc.ico[5] ICO 32x32 32x32+0+0 32-bit sRGB 32.8KB 0.000u 0:00.000
poc.ico[6] ICO 16x16 16x16+0+0 32-bit sRGB 32.8KB 0.000u 0:00.000

display shows poc.ico as a scrambled version of the original image measuring 48x256 pixels, i.e. stretched vertically. The GIMP displays both the original image and the poc.ico and they look exactly the same, so I must confess to being baffled. Running functionality tests later.
CC: (none) => tarazed25
Error: main image is 128x128 in size.
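The directory edit described in the test comment above, as an added Python example; this is not code from the bug thread, from the tester, or from GIMP. It models the ICO container the tester edited with bless: a 6-byte ICONDIR followed by one 16-byte ICONDIRENTRY per image, where the width and height are single bytes and a 0 stands for 256. The seven (width, height, bpp) triples are read off the od dump in the comment; the image payloads are constructed filler bytes, so the size and offset words differ from the real hugin.ico. The example goes slightly beyond the thread by zeroing the height byte of every entry programmatically and by rendering the first words the way `od -x` does, so the result can be compared directly with the two dumps above.

```python
"""Build, parse and edit ICO directory entries (ICONDIR / ICONDIRENTRY)."""
import struct

# ICONDIR: reserved (always 0), resource type (1 = icon), image count.
ICONDIR = struct.Struct("<HHH")
# ICONDIRENTRY: width, height, colour count, reserved, colour planes,
# bits per pixel, image data size, image data offset (little-endian).
ICONDIRENTRY = struct.Struct("<BBBBHHII")

# (width, height, bpp) of the seven hugin.ico entries, taken from the od dump
# in the bug thread. Payloads below are constructed filler, not real bitmaps.
HUGIN_ENTRIES = [(48, 48, 8), (32, 32, 8), (16, 16, 8), (128, 128, 32),
                 (48, 48, 32), (32, 32, 32), (16, 16, 32)]


def build_ico(entries, payload_len=16):
    """Assemble a minimal ICO: directory plus one dummy blob per entry."""
    count = len(entries)
    data_start = ICONDIR.size + count * ICONDIRENTRY.size
    directory = ICONDIR.pack(0, 1, count)
    blobs = b""
    for i, (width, height, bpp) in enumerate(entries):
        offset = data_start + i * payload_len
        directory += ICONDIRENTRY.pack(width, height, 0, 0, 1, bpp,
                                       payload_len, offset)
        blobs += bytes([i & 0xFF]) * payload_len   # constructed filler
    return directory + blobs


def parse_directory(data):
    """Return one dict per directory entry; raise on a malformed container."""
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or kind != 1:
        raise ValueError("not an ICO file")
    entries = []
    for i in range(count):
        pos = ICONDIR.size + i * ICONDIRENTRY.size
        (width, height, colours, _reserved, planes, bpp,
         size, offset) = ICONDIRENTRY.unpack_from(data, pos)
        if offset + size > len(data):
            raise ValueError(f"entry {i} points past end of file")
        entries.append({"width": width, "height": height, "colours": colours,
                        "planes": planes, "bpp": bpp, "size": size,
                        "offset": offset})
    return entries


def is_well_formed(data):
    try:
        parse_directory(data)
    except (ValueError, struct.error):
        return False
    return True


def effective_dimension(byte_value):
    """The one-byte width/height cannot hold 256, so 0 is read as 256."""
    return 256 if byte_value == 0 else byte_value


def zero_all_heights(data):
    """Copy of the file with the height byte of every entry set to 0
    (the edit the tester made by hand with bless, applied to each entry)."""
    buf = bytearray(data)
    _, _, count = ICONDIR.unpack_from(buf, 0)
    for i in range(count):
        buf[ICONDIR.size + i * ICONDIRENTRY.size + 1] = 0   # +1 = height byte
    return bytes(buf)


def describe(data):
    """List 'WxH' per entry as identify would report the effective size."""
    return [f"{effective_dimension(e['width'])}x{effective_dimension(e['height'])}"
            for e in parse_directory(data)]


def od_words(data, nbytes):
    """Render the first nbytes as little-endian 16-bit words, like `od -x`."""
    return " ".join(f"{data[i] | (data[i + 1] << 8):04x}"
                    for i in range(0, nbytes, 2))


ORIGINAL = build_ico(HUGIN_ENTRIES)
POC = zero_all_heights(ORIGINAL)

if __name__ == "__main__":
    print("original:", od_words(ORIGINAL, 14), describe(ORIGINAL))
    print("poc:     ", od_words(POC, 14), describe(POC))
```

The first seven words of `od_words(ORIGINAL, 14)` match the start of the "before" dump and `od_words(POC, 14)` matches the "after" dump (`3030` becoming `0030`, i.e. the second byte of the pair is the height); the words after that diverge because the payload sizes here are constructed. `is_well_formed` is the check a loader should make before trusting a directory entry: an entry whose offset plus size runs past the end of the file is rejected rather than read.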
Played with some of the simpler functions and tools, cropping an image, colourizing, geometric manipulations, exporting to different file types. Not much experience with this tool but within that limitation it looks OK.
Whiteboard: advisory => advisory MGA5-64-OK
Thanks Len. On i586, just testing that editing an ico file works, then using gwenview to view the before and after images. Validating the update.
Keywords: (none) => validated_update
Whiteboard: advisory MGA5-64-OK => advisory MGA5-64-OK MGA5-32-OK
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. http://advisories.mageia.org/MGASA-2017-0112.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED