Bug 20663 - gimp new security issue CVE-2007-3126
Summary: gimp new security issue CVE-2007-3126
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Importance: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: advisory MGA5-64-OK MGA5-32-OK
Keywords: validated_update
Duplicates: 20662 (view as bug list)
Depends on:
Blocks:
 
Reported: 2017-04-14 21:56 CEST by David Walser
Modified: 2017-04-21 09:25 CEST
CC: 4 users

See Also:
Source RPM: gimp-2.8.14-4.1.mga5.src.rpm
CVE:
Status comment:


Description David Walser 2017-04-14 21:56:56 CEST
openSUSE has issued an advisory on April 12:
https://lists.opensuse.org/opensuse-updates/2017-04/msg00046.html

Mageia 5 is also affected.
Comment 1 David Walser 2017-04-14 22:28:03 CEST
*** Bug 20662 has been marked as a duplicate of this bug. ***
Comment 2 Marja van Waes 2017-04-15 09:50:49 CEST
Assigning to the registered maintainer.
Comment 3 Shlomi Fish 2017-04-19 15:28:32 CEST
The patch was applied in gimp-2.8.20-2mga6 in Cauldron. Still needs to be done for mga5.
Comment 4 Shlomi Fish 2017-04-19 16:37:20 CEST
(In reply to Shlomi Fish from comment #3)
> The patch was applied in gimp-2.8.20-2mga6 in Cauldron. Still needs to be
> done for mga5.

gimp-2.8.14-4.2.mga5 update sent to mga5 core/updates_testing. Assigning to QA. David, should I write an advisory?
Comment 5 David Walser 2017-04-19 16:51:13 CEST
Thanks Shlomi!

Advisory:
========================

Updated gimp packages fix security vulnerability:

Context-dependent attackers were able to cause a denial of service via an ICO
file with an InfoHeader containing a Height of zero (CVE-2007-3126).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3126
https://lists.opensuse.org/opensuse-updates/2017-04/msg00046.html
========================

Updated packages in core/updates_testing:
========================
gimp-2.8.14-4.2.mga5
libgimp2.0-devel-2.8.14-4.2.mga5
libgimp2.0_0-2.8.14-4.2.mga5
gimp-python-2.8.14-4.2.mga5

from gimp-2.8.14-4.2.mga5.src.rpm
Comment 6 Dave Hodgins 2017-04-19 21:09:09 CEST
Advisory added to svn.
Comment 7 Len Lawrence 2017-04-19 21:45:48 CEST
Testing this on x86_64 real hardware.

This looked like it should have a reproducer but I could not find one, so I decided to have a go at editing an ICO file.  Chose hugin.ico at random from system files.  The GIMP and identify list 7 layers of various sizes.  The main image is a PNG measuring 48x48.  The CVE specifically mentions that a crafted image with height set to zero would cause trouble, so I edited the height byte for all seven components in the file header to 0 and let it loose.  Note that the value zero is interpreted as 256, so it is a legitimate dimension.

See https://en.wikipedia.org/wiki/ICO_%28file_format%29#Icon_resource_structure for details.
Used bless and the 'AND 00' operation to edit a copy of the original image.

$ identify hugin.ico
hugin.ico[0] ICO 48x48 48x48+0+0 8-bit sRGB 32.8KB 0.000u 0:00.000
hugin.ico[1] ICO 32x32 32x32+0+0 8-bit sRGB 32.8KB 0.000u 0:00.000
hugin.ico[2] ICO 16x16 16x16+0+0 8-bit sRGB 32.8KB 0.000u 0:00.000
hugin.ico[3] PNG 128x128 128x128+0+0 8-bit sRGB 32.8KB 0.000u 0:00.000
hugin.ico[4] ICO 48x48 48x48+0+0 32-bit sRGB 32.8KB 0.000u 0:00.000
hugin.ico[5] ICO 32x32 32x32+0+0 32-bit sRGB 32.8KB 0.000u 0:00.000
hugin.ico[6] ICO 16x16 16x16+0+0 32-bit sRGB 32.8KB 0.000u 0:00.000

Header before edit:
$ od -x hugin.ico | less
0000000 0000 0001 0007 3030 0000 0001 0008 0ea8
0000020 0000 0076 0000 2020 0000 0001 0008 08a8
0000040 0000 0f1e 0000 1010 0000 0001 0008 0568
0000060 0000 17c6 0000 8080 0000 0001 0020 281d
0000100 0000 1d2e 0000 3030 0000 0001 0020 25a8
0000120 0000 454b 0000 2020 0000 0001 0020 10a8
0000140 0000 6af3 0000 1010 0000 0001 0020 0468

Header after edit:
$ od -x poc.ico | less
0000000 0000 0001 0007 0030 0000 0001 0008 0ea8
0000020 0000 0076 0000 2020 0000 0001 0008 08a8
0000040 0000 0f1e 0000 1010 0000 0001 0008 0568
0000060 0000 17c6 0000 0080 0000 0001 0020 281d
0000100 0000 1d2e 0000 3030 0000 0001 0020 25a8
0000120 0000 454b 0000 2020 0000 0001 0020 10a8
0000140 0000 6af3 0000 1010 0000 0001 0020 0468

$ identify poc.ico
poc.ico[0] ICO 48x256 48x256+0+0 8-bit sRGB 32.8KB 0.000u 0:00.009
poc.ico[1] ICO 32x32 32x32+0+0 8-bit sRGB 32.8KB 0.000u 0:00.009
poc.ico[2] ICO 16x16 16x16+0+0 8-bit sRGB 32.8KB 0.000u 0:00.009
poc.ico[3] PNG 128x128 128x128+0+0 8-bit sRGB 32.8KB 0.000u 0:00.000
poc.ico[4] ICO 48x48 48x48+0+0 32-bit sRGB 32.8KB 0.000u 0:00.000
poc.ico[5] ICO 32x32 32x32+0+0 32-bit sRGB 32.8KB 0.000u 0:00.000
poc.ico[6] ICO 16x16 16x16+0+0 32-bit sRGB 32.8KB 0.000u 0:00.000

display shows poc.ico as a scrambled version of the original image measuring 48x256 pixels, i.e. stretched vertically.

The GIMP displays both the original image and poc.ico, and they look exactly the same, so I must confess to being baffled.

Running functionality tests later.
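An added example, not part of this bug report or of GIMP's own ICO plug-in: a small Python validator that parses the ICONDIR/ICONDIRENTRY layout referenced above (applying the 0-means-256 rule to directory entries) and then inspects each image's BITMAPINFOHEADER, which is the "InfoHeader" the advisory refers to and which lives in the image payload rather than in the directory entries edited above. The sample ICO it checks is constructed inline by build_sample().

```python
import struct

ICONDIR = struct.Struct("<HHH")            # reserved, type (1 = icon), image count
ICONDIRENTRY = struct.Struct("<BBBBHHII")  # width, height, colours, reserved, planes, bpp, size, offset
DIBHEADER = struct.Struct("<IiiHH")        # first 16 bytes of the 40-byte BITMAPINFOHEADER
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"

def parse_directory(data):
    """Return one dict per ICONDIRENTRY, applying the 0-means-256 rule to width/height."""
    reserved, kind, count = ICONDIR.unpack_from(data, 0)
    if reserved != 0 or kind != 1:
        raise ValueError("not an ICO file")
    entries = []
    for i in range(count):
        w, h, _colours, _res, _planes, bpp, size, offset = ICONDIRENTRY.unpack_from(data, ICONDIR.size + i * ICONDIRENTRY.size)
        entries.append({"width": w or 256, "height": h or 256, "bpp": bpp,
                        "size": size, "offset": offset})
    return entries

def check_entry(data, entry):
    """Return 'png', 'ok', or the reason this image should be rejected before decoding."""
    start, end = entry["offset"], entry["offset"] + entry["size"]
    if end > len(data) or entry["size"] < DIBHEADER.size:
        return "image data out of bounds or too short"
    payload = data[start:end]
    if payload.startswith(PNG_MAGIC):
        return "png"                      # PNG-in-ICO entries carry no InfoHeader
    bi_size, bi_width, bi_height, _planes, _bpp = DIBHEADER.unpack_from(payload, 0)
    if bi_size != 40:
        return "unexpected InfoHeader size %d" % bi_size
    # The advisory's condition: an InfoHeader whose Height is zero (CVE-2007-3126).
    if bi_height == 0 or bi_width <= 0:
        return "InfoHeader has zero or negative dimensions (CVE-2007-3126 condition)"
    # In an ICO the DIB height covers the XOR and AND masks, so it is twice the directory height.
    if abs(bi_height) != 2 * entry["height"]:
        return "InfoHeader height %d does not match directory height %d" % (bi_height, entry["height"])
    return "ok"

def build_sample():
    """Constructed two-image ICO: a well-formed 16x16 entry and one with InfoHeader Height 0."""
    def dib(width, height, bpp):            # BITMAPINFOHEADER with the remaining fields zeroed
        return DIBHEADER.pack(40, width, height, 1, bpp) + b"\x00" * 24
    images = [dib(16, 32, 32), dib(16, 0, 32)]
    offset = ICONDIR.size + len(images) * ICONDIRENTRY.size
    directory = ICONDIR.pack(0, 1, len(images))
    for img in images:
        directory += ICONDIRENTRY.pack(16, 16, 0, 0, 1, 32, len(img), offset)
        offset += len(img)
    return directory + b"".join(images)
```

Running check_entry over each entry of build_sample() reports "ok" for the first image and flags the second before any pixel data is decoded.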
Comment 8 Len Lawrence 2017-04-19 21:46:58 CEST
Error: main image is 128x128 in size.
Comment 9 Len Lawrence 2017-04-20 00:51:00 CEST
Played with some of the simpler functions and tools, cropping an image, colourizing, geometric manipulations, exporting to different file types.  Not much experience with this tool but within that limitation it looks OK.
Comment 10 Dave Hodgins 2017-04-20 18:02:12 CEST
Thanks Len. On i586, just testing that editing an ico file works, then using
gwenview to view the before and after images.

Validating the update.
Comment 11 Mageia Robot 2017-04-21 09:25:04 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0112.html
