oss-sec mailing list archives
Re: GIMP parser bugs (FLIMP and more)
From: Salvatore Bonaccorso <carnil () debian org>
Date: Wed, 20 Dec 2017 06:59:18 +0100
Hi

On Tue, Dec 19, 2017 at 05:11:19PM +0100, Hanno Böck wrote:
> Hi,
>
> See also https://flimp.fuzzing-project.org/
>
> Background: In 2014, back when I started the fuzzing project, I reported two bugs in GIMP in their more obscure parsers. Recently I was contacted by Tobias Stöckmann who wrote a working exploit (on FreeBSD <- no ASLR, thus easier) for one of those bugs in the FLIC parser. He also submitted a patch. The bugs were ignored all the time, patches as well.
>
> I reported a couple more bugs and also contacted the GNOME security team. Some have patches, others not, only one got handled. It seems overall the file format importers are unmaintained.
>
> I also tried to submit a fuzzing guide to the gimp wiki, which failed, because the people who are supposed to hand out user accounts don't answer. (gimp is not fuzzing friendly.)
>
> The bugs:
The following CVEs were assigned:
> Heap overflow in FLI import (the one where we have an exploit):
> https://bugzilla.gnome.org/show_bug.cgi?id=739133

CVE-2017-17785

> OOB read in TGA (with patch)
> https://bugzilla.gnome.org/show_bug.cgi?id=739134

CVE-2017-17786

> OOB read in XCF (patch, the only one that got merged and fixed)
> https://bugzilla.gnome.org/show_bug.cgi?id=790783

CVE-2017-17788

> OOB read in GBR (no patch, looks like string/utf8 issue)
> https://bugzilla.gnome.org/show_bug.cgi?id=790784

CVE-2017-17784

> Heap overflow in PSP (no patch, doesn't look straightforward to fix)
> https://bugzilla.gnome.org/show_bug.cgi?id=790849

CVE-2017-17789

> OOB read in PSP (no patch)
> https://bugzilla.gnome.org/show_bug.cgi?id=790853

CVE-2017-17787

Regards,
Salvatore
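Added example, not part of the thread above and not GIMP's importer, Tobias Stöckmann's exploit, or any of the patches it mentions; it does not reproduce the reported bug. It is a small bounds-checked walker for the FLI container (128-byte file header, 16-byte frame header, 6-byte chunk header, BYTE_RUN chunk type 15, all taken from the public Autodesk Animator format description) whose point is the check these importers need: every size or count that comes out of the file is compared against what actually remains, in the input and in the output row, before it drives a memset or memcpy. The function names, the error codes and the 4x2 sample file are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constants from the public FLI format description (Autodesk Animator). */
#define FLI_MAGIC        0xAF11u   /* FLC files use 0xAF12 */
#define FLI_FRAME_MAGIC  0xF1FAu
#define FLI_BYTE_RUN     15u       /* RLE-packed full frame chunk */
#define FLI_HEADER_SIZE  128u
#define FLI_FRAME_HDR    16u
#define FLI_CHUNK_HDR    6u

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* Decode a BYTE_RUN body of n bytes into out[w*h]. Each count read from the file
 * is checked against the input left and the row left before any write happens. */
static int decode_byte_run(const uint8_t *p, size_t n, uint8_t *out, size_t w, size_t h)
{
    size_t off = 0;
    for (size_t y = 0; y < h; y++) {
        if (off >= n) return -1;
        off++;                                   /* per-line packet count: obsolete, ignored */
        for (size_t x = 0; x < w; ) {
            if (off >= n) return -1;
            int cnt = p[off++];                  /* signed 8-bit packet count */
            if (cnt >= 128) cnt -= 256;
            if (cnt > 0) {                       /* replicate the next byte cnt times */
                if (off >= n || (size_t)cnt > w - x) return -1;
                memset(out + y * w + x, p[off++], (size_t)cnt);
                x += (size_t)cnt;
            } else if (cnt < 0) {                /* copy -cnt literal bytes */
                size_t c = (size_t)(-cnt);
                if (c > n - off || c > w - x) return -1;
                memcpy(out + y * w + x, p + off, c);
                off += c;
                x += c;
            } else return -1;                    /* zero-length packet is malformed */
        }
    }
    return 0;
}

/* Parse an in-memory FLI and decode the first frame's BYTE_RUN chunk into
 * pix[pixcap]. Returns 0 on success, a distinct negative code per rejection. */
int fli_decode_first_frame(const uint8_t *buf, size_t len, uint8_t *pix, size_t pixcap)
{
    if (len < FLI_HEADER_SIZE) return -1;
    uint32_t fsize = rd32(buf);
    if (rd16(buf + 4) != FLI_MAGIC) return -2;
    uint16_t frames = rd16(buf + 6), w = rd16(buf + 8), h = rd16(buf + 10);
    if (fsize < FLI_HEADER_SIZE || fsize > len || !frames || !w || !h) return -3;
    if ((size_t)w * h > pixcap) return -4;      /* declared dimensions exceed the output */

    size_t off = FLI_HEADER_SIZE;
    if (fsize - off < FLI_FRAME_HDR) return -5;
    uint32_t frame_size = rd32(buf + off);
    if (rd16(buf + off + 4) != FLI_FRAME_MAGIC) return -6;
    uint16_t nchunks = rd16(buf + off + 6);
    if (frame_size < FLI_FRAME_HDR || frame_size > fsize - off) return -7;
    size_t frame_end = off + frame_size;
    off += FLI_FRAME_HDR;

    for (uint16_t i = 0; i < nchunks; i++) {
        if (frame_end - off < FLI_CHUNK_HDR) return -8;
        uint32_t csize = rd32(buf + off);
        if (csize < FLI_CHUNK_HDR || csize > frame_end - off) return -9;
        if (rd16(buf + off + 4) == FLI_BYTE_RUN &&
            decode_byte_run(buf + off + FLI_CHUNK_HDR, csize - FLI_CHUNK_HDR, pix, w, h) != 0)
            return -10;
        off += csize;                            /* other chunk types: skip by validated size */
    }
    return 0;
}

/* Constructed 4x2 single-frame FLI for the demo (not a real Animator file). */
size_t build_sample_fli(uint8_t *dst, size_t cap)
{
    static const uint8_t body[] = { 0x01, 0x04, 0xAA,                     /* row 0: 4 x 0xAA */
                                    0x02, 0xFE, 0x01, 0x02, 0x02, 0x03 }; /* row 1: 01 02 03 03 */
    size_t chunk = FLI_CHUNK_HDR + sizeof body, frame = FLI_FRAME_HDR + chunk;
    size_t total = FLI_HEADER_SIZE + frame;
    if (cap < total) return 0;
    memset(dst, 0, total);
    wr32(dst, (uint32_t)total); wr16(dst + 4, FLI_MAGIC); wr16(dst + 6, 1);
    wr16(dst + 8, 4); wr16(dst + 10, 2); wr16(dst + 12, 8);               /* w, h, depth */
    uint8_t *f = dst + FLI_HEADER_SIZE;
    wr32(f, (uint32_t)frame); wr16(f + 4, FLI_FRAME_MAGIC); wr16(f + 6, 1);
    uint8_t *c = f + FLI_FRAME_HDR;
    wr32(c, (uint32_t)chunk); wr16(c + 4, FLI_BYTE_RUN);
    memcpy(c + FLI_CHUNK_HDR, body, sizeof body);
    return total;
}

/* The well-formed file decodes; two single-byte corruptions of file-supplied
 * counts are rejected before memset/memcpy. Returns the number of checks passed (3). */
int fli_example_checks(void)
{
    uint8_t f[256], pix[8];
    static const uint8_t want[8] = { 0xAA, 0xAA, 0xAA, 0xAA, 0x01, 0x02, 0x03, 0x03 };
    size_t n = build_sample_fli(f, sizeof f);
    size_t body0 = FLI_HEADER_SIZE + FLI_FRAME_HDR + FLI_CHUNK_HDR;
    int ok = 0;
    ok += fli_decode_first_frame(f, n, pix, sizeof pix) == 0 && memcmp(pix, want, 8) == 0;
    f[body0 + 1] = 0x40;                         /* run of 64 pixels into a 4-pixel row */
    ok += fli_decode_first_frame(f, n, pix, sizeof pix) == -10;
    f[body0 + 1] = 0x04;
    f[body0 - FLI_CHUNK_HDR] = 0xFF;             /* chunk claims 255 bytes, frame holds 15 */
    ok += fli_decode_first_frame(f, n, pix, sizeof pix) == -9;
    return ok;
}
```

The two corrupted inputs in fli_example_checks are the shape a fuzzer finds first: a chunk size larger than its enclosing frame, and an RLE count larger than the row it writes into. A decoder that trusts either one writes past the pixel buffer it allocated from the header's width and height; this one compares each against the remaining input and output before copying, and rejects the file with a distinct code so the caller can tell which check fired.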
Current thread:
- GIMP parser bugs (FLIMP and more) Hanno Böck (Dec 19)
- Re: GIMP parser bugs (FLIMP and more) Salvatore Bonaccorso (Dec 19)