Bug 3096 - CVE-2011-2896: gimp heap corruption and buffer overflow
Summary: CVE-2011-2896: gimp heap corruption and buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 1
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords: validated_update
Depends on:
Blocks:
Reported: 2011-10-18 18:08 CEST by Nicolas Vigier
Modified: 2011-10-25 13:33 CEST (History)

See Also:
Source RPM: gimp
CVE:
Status comment:


Attachments
Gimp error message (31.12 KB, image/png)
2011-10-25 13:14 CEST, claire robinson

Comment 1 Shlomi Fish 2011-10-20 14:17:33 CEST
I would fix this bug, if I could figure out how to download the patch as plaintext using the web-interface (so it can be applied by GNU patch). Can anyone enlighten me?
Comment 2 Sander Lepik 2011-10-20 15:54:36 CEST
There is link (patch): http://git.gnome.org/browse/gimp/patch/plug-ins/common/file-gif-load.c?id=376ad788c1a1c31d40f18494889c383f6909ebfc

CC: (none) => sander.lepik

Comment 3 Shlomi Fish 2011-10-24 13:16:27 CEST
Assigning to QA, so they can update the GIMP package on Mageia 1 for CVE-2011-2896 . The updated package is in updates_testing.

Assignee: shlomif => qa-bugs

Comment 4 Dave Hodgins 2011-10-25 04:31:14 CEST
I found what was supposed to be a PoC at
http://www.swi-prolog.org/bugzilla/show_bug.cgi?id=9#c1
however the core release version of gimp does not crash here,
so I'm not sure our version is susceptible.

Looks like all we can test is that it installed cleanly,
and still works.

Testing complete on i586 for the srpm
gimp-2.6.11-7.mga1.src.rpm

CC: (none) => davidwhodgins

Comment 5 claire robinson 2011-10-25 12:51:55 CEST
I think you are right Dave, I've tried with the one you found and a different one as well and neither caused a crash.
Comment 6 claire robinson 2011-10-25 13:13:27 CEST
Testing x86_64

I found 3 GIFs in the end.

After update I get messages like..

GIF: bogus character 0xc8, ignoring.
GIF: bogus character 0xb0, ignoring.
GIF: bogus character 0x61, ignoring.
GIF: bogus character 0xc2, ignoring.
GIF: bogus character 0x80, ignoring.
GIF: bogus character 0x00, ignoring.
GIF: missing EOD in data stream (common occurence)
GIF: missing EOD in data stream (common occurence)

and I'll attach a screenshot of the error being caught by gimp.

Testing complete x86_64
Comment 7 claire robinson 2011-10-25 13:14:12 CEST
Created attachment 1007
Gimp error message
Comment 8 claire robinson 2011-10-25 13:21:08 CEST
Update validated

Advisory
---------------------
This update addresses a security issue - CVE-2011-2896

GIF image file format readers in various open source projects are based on the
GIF decoder implementation written by David Koblas.  This implementation
contains a bug in the LZW decompressor, causing it to incorrectly handle
compressed streams that contain code words that were not yet added to the
decompression table.  LZW decompression has a special case (a KwKwK string)
when a code word may match the first free entry in the decompression table.
The implementation used in this GIF reading code allows code words not only
matching, but also exceeding the first free entry.

This problem is identical to a bug found in BSD compress (CVE-2011-2895), but
given the unclear relationship between BSD compress and GIF decoder code bases,
a separate CVE is used here.
---------------------


SRPM: gimp-2.6.11-7.mga1.src.rpm

Could sysadmin please push from core/updates_testing to core/updates

Thank you!

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
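
The advisory in the comment above describes the faulty condition in prose. What follows is an added example, not code from this bug report, from GIMP or from the Koblas decoder: a minimal GIF-style LZW decoder that accepts the legitimate KwKwK case (a code equal to the first free table entry) and rejects any code beyond it, together with a small encoder used only to build a valid stream that exercises KwKwK. Codes are passed as an int array rather than as packed GIF bits, which is a simplification; the prefix/suffix table layout and the 4096-entry limit follow GIF's 12-bit codes, and both the sample input and the forged stream are constructed for the demo.

```c
/* Added example (not code from the bug report, GIMP or the Koblas decoder):
 * a minimal GIF-style LZW decoder with the table-index check the advisory
 * calls for.  Codes are an int array, not packed GIF bits (a simplification). */
#include <stdio.h>
#include <string.h>

#define MAX_CODES 4096   /* GIF LZW codes are at most 12 bits wide */

/* Decode ncodes codes into out (capacity outcap).  Returns the number of
 * bytes produced, or -1 for a malformed stream. */
int lzw_decode(int min_code_size, const int *codes, int ncodes,
               unsigned char *out, int outcap)
{
    static int prefix[MAX_CODES];            /* table[0][] in the Koblas layout */
    static unsigned char suffix[MAX_CODES];  /* table[1][]; stale across calls */
    unsigned char tmp[MAX_CODES + 2], firstbyte = 0;
    int clear = 1 << min_code_size, eoi = clear + 1, next_free = clear + 2;
    int prev = -1, outlen = 0, i;
    for (i = 0; i < ncodes; i++) {
        int code = codes[i], c, n = 0;
        if (code == clear) { next_free = clear + 2; prev = -1; continue; }
        if (code == eoi) break;
        /* Only code == next_free (KwKwK) may name an entry not yet in the table.
         * Letting code > next_free through walks stale prefix[]/suffix[] data. */
        if (code < 0 || code > next_free || (prev == -1 && code >= clear))
            return -1;
        c = code;
        if (code == next_free) {             /* KwKwK: prev string + its first byte */
            tmp[n++] = firstbyte;
            c = prev;
        }
        while (c >= clear) { tmp[n++] = suffix[c]; c = prefix[c]; } /* walk to root */
        firstbyte = tmp[n++] = (unsigned char)c;
        if (outlen + n > outcap) return -1;
        while (n > 0) out[outlen++] = tmp[--n];  /* chain was collected backwards */
        if (prev != -1 && next_free < MAX_CODES) {
            prefix[next_free] = prev; suffix[next_free] = firstbyte; next_free++;
        }
        prev = code;
    }
    return outlen;
}

/* Matching encoder, used only to build a valid stream for the demo; a run
 * such as "aaaa" forces the KwKwK case.  Linear dictionary search. */
int lzw_encode(int min_code_size, const unsigned char *in, int inlen,
               int *codes, int codecap)
{
    static int dprefix[MAX_CODES];
    static unsigned char dsuffix[MAX_CODES];
    int clear = 1 << min_code_size, next_free = clear + 2;
    int ncodes = 0, cur = -1, i, j;
    if (codecap < 3) return -1;
    codes[ncodes++] = clear;
    for (i = 0; i < inlen; i++) {
        int ch = in[i], found = -1;
        if (cur == -1) { cur = ch; continue; }
        for (j = clear + 2; j < next_free; j++)
            if (dprefix[j] == cur && dsuffix[j] == ch) { found = j; break; }
        if (found != -1) { cur = found; continue; }
        if (ncodes + 2 >= codecap) return -1;  /* keep room for last code + EOI */
        codes[ncodes++] = cur;
        if (next_free < MAX_CODES) {
            dprefix[next_free] = cur; dsuffix[next_free] = (unsigned char)ch; next_free++;
        }
        cur = ch;
    }
    if (cur != -1) codes[ncodes++] = cur;
    codes[ncodes++] = clear + 1;               /* EOI */
    return ncodes;
}

/* Round-trips a constructed sample; returns 1 on success. */
int demo_roundtrip(void)
{
    const unsigned char sample[] = "aaaaabababab";   /* constructed input */
    int codes[64], n = lzw_encode(8, sample, (int)sizeof sample - 1, codes, 64);
    unsigned char out[64];
    if (n < 0) return 0;
    n = lzw_decode(8, codes, n, out, (int)sizeof out);
    return n == (int)sizeof sample - 1 && memcmp(out, sample, (size_t)n) == 0;
}

/* Forged stream (constructed, not from any real file): after one literal the
 * first free entry is 258, so code 300 names a slot that was never filled. */
int demo_bogus_code(void)
{
    const int forged[] = { 256, 'a', 300, 257 };
    unsigned char out[16];
    return lzw_decode(8, forged, 4, out, (int)sizeof out);   /* -1 with the check */
}

int main(void)
{
    printf("round trip: %s, forged stream: %d\n",
           demo_roundtrip() ? "ok" : "FAILED", demo_bogus_code());
    return 0;
}
```

Build with `cc -Wall lzw_check.c -o lzw_check` (filename assumed) and run it: the sample round-trips through the KwKwK path, and the forged stream is rejected with -1 at the `code > next_free` test. A decoder without that test would instead follow whatever `prefix[]`/`suffix[]` contents survive from earlier images at index 300, which is the class of behaviour the advisory describes.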

Comment 9 Thomas Backlund 2011-10-25 13:33:28 CEST
Update pushed.

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

