Bug 7351 - gimp new security issues CVE-2012-2763 and CVE-2012-3236
: gimp new security issues CVE-2012-2763 and CVE-2012-3236
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 1
: All Linux
: Low Severity: minor
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/514813/
: MGA1-64-OK MGA1-32-OK
: validated_update
: 6403
:
  Show dependency treegraph
 
Reported: 2012-09-04 20:30 CEST by David Walser
Modified: 2012-11-09 00:30 CET (History)
4 users (show)

See Also:
Source RPM: gimp-2.8.0-1.1.mga2.src.rpm
CVE:


Attachments

Description David Walser 2012-09-04 20:30:40 CEST
OpenSuSE has issued an advisory on September 3:
http://lists.opensuse.org/opensuse-updates/2012-09/msg00001.html

CVE-2012-2763 only affects Mageia 1.

CVE-2012-3236 affects Mageia 1 and Mageia 2.

Cauldron is not affected, as these are fixed in 2.8.1.

I have committed patches for these in SVN, but have not submitted the packages yet, as these don't sound like very serious issues.  If there's another CVE for gimp soonish, we can release the fix for these then.
Comment 1 claire robinson 2012-10-04 11:24:36 CEST
Mga2 updated to gimp-2.8.2-1.1.mga2.src.rpm which addresses CVE-2012-3236
bug 6403
Comment 2 Manuel Hiebel 2012-11-05 16:53:25 CET
This message is a reminder that Mageia 1 is nearing its end of life. 
In approximately 25 days from now, Mageia will stop maintaining and issuing 
updates for Mageia 1. At that time this bug will be closed as WONTFIX (EOL) if it 
remains open with a Mageia 'version' of '1'.

Package Maintainer: If you wish for this bug to remain open because you plan to 
fix it in a currently maintained version, simply change the 'version' to a later 
Mageia version prior to Mageia 1's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not 
be able to fix it before Mageia 1 is end of life.  If you would still like to see 
this bug fixed and are able to reproduce it against a later version of Mageia, 
you are encouraged to click on "Version" and change it against that version 
of Mageia.

Although we aim to fix as many bugs as possible during every release's lifetime, 
sometimes those efforts are overtaken by events. Often a more recent Mageia 
release includes newer upstream software that fixes bugs or makes them obsolete.

--
Mageia Bugsquad
Comment 3 David Walser 2012-11-06 16:51:34 CET
Pushed to updates_testing.

Advisory:
========================

Updated gimp packages fix security vulnerabilities:

Buffer overflow in the readstr_upto function in
plug-ins/script-fu/tinyscheme/scheme.c in GIMP 2.6.12 and earlier, and
possibly 2.6.13, allows remote attackers to execute arbitrary code via a
long string in a command to the script-fu server (CVE-2012-2763).

fits-io.c in GIMP before 2.8.1 allows remote attackers to cause a denial
of service (NULL pointer dereference and application crash) via a malformed
XTENSION header of a .fit file, as demonstrated using a long string
(CVE-2012-3236).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3236
http://lists.opensuse.org/opensuse-updates/2012-09/msg00001.html
========================

Updated packages in core/updates_testing:
========================
gimp-2.6.11-7.3.mga1
libgimp2.0-devel-2.6.11-7.3.mga1
libgimp2.0_0-2.6.11-7.3.mga1
gimp-python-2.6.11-7.3.mga1

from gimp-2.6.11-7.3.mga1.src.rpm
Comment 4 Marc Lattemann 2012-11-06 18:50:00 CET
possible PoC: http://www.openwall.com/lists/oss-security/2012/05/31/1
Comment 5 Dave Hodgins 2012-11-08 04:25:31 CET
Trying to compile the poc, I've installed wine-devel, and run
ln -s /usr/include/wine/windows/* /usr/include/

$ gcc scriptfubof.c 
/tmp/cc4OA6Dm.o: In function `main':
scriptfubof.c:(.text+0x8c): undefined reference to `WSAStartup'
scriptfubof.c:(.text+0xb9): undefined reference to `WSACleanup'
scriptfubof.c:(.text+0x157): undefined reference to `WSAGetLastError'
scriptfubof.c:(.text+0x17a): undefined reference to `WSACleanup'
scriptfubof.c:(.text+0x1a4): undefined reference to `closesocket'
scriptfubof.c:(.text+0x1a9): undefined reference to `WSACleanup'
/tmp/cc4OA6Dm.o: In function `senddata':
scriptfubof.c:(.text+0x24d): undefined reference to `WSAGetLastError'
scriptfubof.c:(.text+0x270): undefined reference to `WSACleanup'
/tmp/cc4OA6Dm.o: In function `recvdata':
scriptfubof.c:(.text+0x326): undefined reference to `WSAGetLastError'
scriptfubof.c:(.text+0x353): undefined reference to `closesocket'
scriptfubof.c:(.text+0x358): undefined reference to `WSACleanup'
collect2: ld returned 1 exit status

I'm guessing I need some linker option, but have no idea how to figure
out what's needed.
Comment 6 David Walser 2012-11-08 12:25:22 CET
winegcc scriptfubof.c -L/usr/lib/wine/ -lwsock32

that works for me on i586.
Comment 7 Dave Hodgins 2012-11-08 22:28:34 CET
On x86-64
winegcc -v scriptfubof.c -L/usr/lib/wine/ -lwsock32 -m32

Bug confirmed on both i586 and x86-64.

On i586, used Filters/Script-Fu/Start server, then ran ...
[dave@i1v ~]$ ./a.out 127.0.0.1 10008
/usr/lib/gimp/2.0/plug-ins/script-fu: fatal error: Segmentation fault

On x86-64, ...
[dave@x1v ~]$ ./a.out 127.0.0.1 10008
/usr/lib64/gimp/2.0/plug-ins/script-fu: fatal error: Segmentation fault

I'll install and test the updates now.
Comment 8 Dave Hodgins 2012-11-08 22:43:20 CET
Testing complete on Mageia 1 i586 and x86-64.

After the update, running the program causes the server to show
"Error: eval: unbound variable".  It no longer crashes.

Could someone from the sysadmin team push the srpm
gimp-2.6.11-7.3.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated gimp packages fix security vulnerabilities:

Buffer overflow in the readstr_upto function in
plug-ins/script-fu/tinyscheme/scheme.c in GIMP 2.6.12 and earlier, and
possibly 2.6.13, allows remote attackers to execute arbitrary code via a
long string in a command to the script-fu server (CVE-2012-2763).

fits-io.c in GIMP before 2.8.1 allows remote attackers to cause a denial
of service (NULL pointer dereference and application crash) via a malformed
XTENSION header of a .fit file, as demonstrated using a long string
(CVE-2012-3236).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3236
http://lists.opensuse.org/opensuse-updates/2012-09/msg00001.html

https://bugs.mageia.org/show_bug.cgi?id=7351
Comment 9 Thomas Backlund 2012-11-09 00:30:27 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0327

Note You need to log in before you can comment on or make changes to this bug.