GIMP parser bugs (FLIMP and more)

[Hanno Böck <hanno () hboeck de>]

Hi,

See also
https://flimp.fuzzing-project.org/

Background: In 2014, back when I started the fuzzing project, I
reported two bugs in GIMP in their more obscure parsers. Recently I was
contacted by Tobias Stöckmann who wrote a working exploit (on freebsd <-
no aslr, thus easier) for one of those bugs in the FLIC parser. He also
submitted a patch.

The bugs were ignored all the time, patches as well.

I reported a couple of more bugs and also contacted the GNOME security
team. Some have patches, others not, ony one got handled. It seems
overall the file format importers are unmaintained.
I also tried to submit a fuzzing guide to the gimp wiki, which failed,
because the people who are supposed to hand out user accounts don't
answer. (gimp is not fuzzing friendly.)

The bugs:

Heap overflow in FLI import (the one where we have an exploit):
https://bugzilla.gnome.org/show_bug.cgi?id=739133

OOB read in TGA (with patch)
https://bugzilla.gnome.org/show_bug.cgi?id=739134

OOB read in XCF (patch, the only one that got merged and fixed)
https://bugzilla.gnome.org/show_bug.cgi?id=790783

OOB read in GBR (no patch, looks like string/utf8 issue)
https://bugzilla.gnome.org/show_bug.cgi?id=790784

Heap overflow in PSP (no patch, doesn't look straightforward to fix)
https://bugzilla.gnome.org/show_bug.cgi?id=790849

OOB read in PSP (no patch)
https://bugzilla.gnome.org/show_bug.cgi?id=790853


-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno () hboeck de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42