Re: GIMP parser bugs (FLIMP and more)

[Salvatore Bonaccorso <carnil () debian org>]

Hi

On Tue, Dec 19, 2017 at 05:11:19PM +0100, Hanno B??ck wrote:
> Hi,
>
> See also
> https://flimp.fuzzing-project.org/
>
> Background: In 2014, back when I started the fuzzing project, I
> reported two bugs in GIMP in their more obscure parsers. Recently I was
> contacted by Tobias St??ckmann who wrote a working exploit (on freebsd <-
> no aslr, thus easier) for one of those bugs in the FLIC parser. He also
> submitted a patch.
>
> The bugs were ignored all the time, patches as well.
>
> I reported a couple of more bugs and also contacted the GNOME security
> team. Some have patches, others not, ony one got handled. It seems
> overall the file format importers are unmaintained.
> I also tried to submit a fuzzing guide to the gimp wiki, which failed,
> because the people who are supposed to hand out user accounts don't
> answer. (gimp is not fuzzing friendly.)
>
> The bugs:

The following CVEs were assigned:

> Heap overflow in FLI import (the one where we have an exploit):
> https://bugzilla.gnome.org/show_bug.cgi?id=739133

CVE-2017-17785

> OOB read in TGA (with patch)
> https://bugzilla.gnome.org/show_bug.cgi?id=739134

CVE-2017-17786

> OOB read in XCF (patch, the only one that got merged and fixed)
> https://bugzilla.gnome.org/show_bug.cgi?id=790783

CVE-2017-17788

> OOB read in GBR (no patch, looks like string/utf8 issue)
> https://bugzilla.gnome.org/show_bug.cgi?id=790784

CVE-2017-17784

> Heap overflow in PSP (no patch, doesn't look straightforward to fix)
> https://bugzilla.gnome.org/show_bug.cgi?id=790849

CVE-2017-17789

> OOB read in PSP (no patch)
> https://bugzilla.gnome.org/show_bug.cgi?id=790853

CVE-2017-17787

Regards,
Salvatore