[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] GIMP parser bugs (FLIMP and more)
From:       Salvatore Bonaccorso <carnil () debian ! org>
Date:       2017-12-20 5:59:18
Message-ID: 20171220055918.GA32086 () lorien ! valinor ! li
[Download RAW message or body]

Hi

On Tue, Dec 19, 2017 at 05:11:19PM +0100, Hanno B??ck wrote:
> Hi,
> 
> See also
> https://flimp.fuzzing-project.org/
> 
> Background: In 2014, back when I started the fuzzing project, I
> reported two bugs in GIMP in their more obscure parsers. Recently I was
> contacted by Tobias St??ckmann who wrote a working exploit (on freebsd <-
> no aslr, thus easier) for one of those bugs in the FLIC parser. He also
> submitted a patch.
> 
> The bugs were ignored all the time, patches as well.
> 
> I reported a couple of more bugs and also contacted the GNOME security
> team. Some have patches, others not, ony one got handled. It seems
> overall the file format importers are unmaintained.
> I also tried to submit a fuzzing guide to the gimp wiki, which failed,
> because the people who are supposed to hand out user accounts don't
> answer. (gimp is not fuzzing friendly.)
> 
> The bugs:

The following CVEs were assigned:

> Heap overflow in FLI import (the one where we have an exploit):
> https://bugzilla.gnome.org/show_bug.cgi?id=739133

CVE-2017-17785

> OOB read in TGA (with patch)
> https://bugzilla.gnome.org/show_bug.cgi?id=739134

CVE-2017-17786

> OOB read in XCF (patch, the only one that got merged and fixed)
> https://bugzilla.gnome.org/show_bug.cgi?id=790783

CVE-2017-17788

> OOB read in GBR (no patch, looks like string/utf8 issue)
> https://bugzilla.gnome.org/show_bug.cgi?id=790784

CVE-2017-17784

> Heap overflow in PSP (no patch, doesn't look straightforward to fix)
> https://bugzilla.gnome.org/show_bug.cgi?id=790849

CVE-2017-17789

> OOB read in PSP (no patch)
> https://bugzilla.gnome.org/show_bug.cgi?id=790853

CVE-2017-17787

Regards,
Salvatore
[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic