Bug 676804 - file handling DoS for fit file format
Status: RESOLVED FIXED
Product: GIMP
Classification: Other
Component: Plugins
Version: 2.8.0
Hardware: Other
OS: All
Priority: Normal
Severity: normal
Target Milestone: 2.8
Assigned To: GIMP Bugs
QA Contact: GIMP Bugs
Depends on:
Blocks:
 
 
Reported: 2012-05-25 09:06 UTC by joe
Modified: 2012-06-08 14:11 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
vulnerable fit file (753.52 KB, application/octet-stream)
2012-05-25 09:45 UTC, joe

Description joe 2012-05-25 09:06:45 UTC
There is a file handling DoS in GIMP (the GNU Image Manipulation Program) for the 
'fit' file format affecting all versions (Windows and Linux) up to 2.8.0. A file 
in the fit format with a malformed 'XTENSION' header will cause a crash in the 
GIMP program. The flaw is triggered by opening a crafted 'fit' file or allowing the file explorer dialog to preview the file.

A file in the fit format starting as follows will trigger the crash:
XTENSIONaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaHEADER2...

The vulnerable code is in the fits-io.c lines where the program attempts to copy from a null pointer:

 {
   fdat = fits_decode_card (fits_search_card (hdr, "XTENSION"), typ_fstring);
   strcpy (hdulist->xtension, fdat->fstring);
 }
Comment 1 Michael Natterer 2012-05-25 09:34:12 UTC
Can you attach such a file, a small one please?
Comment 2 joe 2012-05-25 09:45:03 UTC
Created attachment 214926 [details]
vulnerable fit file

vulnerable fit file attached.
Comment 3 joe 2012-05-28 14:19:32 UTC
Hi guys,

Do you plan to release a fix for this issue - if so what version and when?
I plan to issue an advisory when you have done so.

Best regards,

Joe
Comment 4 Michael Natterer 2012-05-28 15:12:01 UTC
There have not been any changes to the fits code in ages, apart from
following other changes in GIMP, unrelated to loading/saving. Your
best chance for getting this fixed is attaching a patch yourself.
Comment 5 joe 2012-05-31 14:44:14 UTC
The code:
 {
   fdat = fits_decode_card (fits_search_card (hdr, "XTENSION"), typ_fstring);
   strcpy (hdulist->xtension, fdat->fstring);
 }

needs to change to:

   fdat = fits_decode_card (fits_search_card (hdr, "XTENSION"), typ_fstring);
   /* fdat is NULL when no usable XTENSION card was found */
   if (fdat != NULL) {
     strcpy (hdulist->xtension, fdat->fstring);
   } else {
     strcpy (errmsg, "No valid XTENSION header found.");
     goto err_return;
   }

I've recompiled this and it seems to work.
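The crash in the description and the check in the patch above come down to one thing: a FITS header card lookup that returns NULL for a missing or malformed card, followed by a strcpy from that NULL. The following is an added example, not code from this report or from GIMP's fits-io.c. It is a small stand-alone card reader with the vulnerable pattern beside the hardened one, using the FITS card layout (80-byte cards, keyword in columns 1-8, value indicator "= " in columns 9-10); all names ending in _ex, the CARD/KEYW constants and the sample cards are this example's own, and the crafted card is constructed to match the header shown in the description.

```c
/* Added example, not GIMP's fits-io.c: a minimal FITS header card reader that
 * reproduces the failure mode in this report and the shape of the fix. Names
 * ending in _ex are this example's own; card layout follows the FITS standard. */
#include <stdio.h>
#include <string.h>
#define CARD 80   /* bytes per header card */
#define KEYW  8   /* keyword columns, blank padded */
typedef struct { char fstring[CARD + 1]; } FitsData;   /* plays the role of fdat->fstring */

/* First card in hdr (ncards x 80 bytes, not NUL-terminated) whose keyword is key, or NULL. */
static const char *fits_search_card_ex (const char *hdr, size_t ncards, const char *key)
{
  char padded[KEYW + 1];
  size_t i;
  snprintf (padded, sizeof padded, "%-8s", key);
  for (i = 0; i < ncards; i++)
    if (memcmp (hdr + i * CARD, padded, KEYW) == 0)
      return hdr + i * CARD;
  return NULL;
}

/* Decode the quoted string value of "KEY     = 'value   '". Returns NULL when card is
 * NULL or malformed: that NULL is what the unpatched code handed straight to strcpy(). */
static FitsData *fits_decode_string_card_ex (const char *card, FitsData *out)
{
  const char *p, *end;
  size_t len;
  if (card == NULL || card[8] != '=' || card[9] != ' ')   /* the crafted card fails here */
    return NULL;
  if ((p = memchr (card + 10, '\'', CARD - 10)) == NULL)
    return NULL;
  p++;
  if ((end = memchr (p, '\'', (size_t) (card + CARD - p))) == NULL)
    return NULL;
  while (end > p && end[-1] == ' ')   /* FITS strings are blank padded inside the quotes */
    end--;
  len = (size_t) (end - p);
  memcpy (out->fstring, p, len);
  out->fstring[len] = '\0';
  return out;
}

/* Vulnerable pattern from the report: the decode result is used without a NULL check. */
void read_xtension_unchecked (const char *hdr, size_t ncards, char *xtension)
{
  FitsData buf, *fdat;
  fdat = fits_decode_string_card_ex (fits_search_card_ex (hdr, ncards, "XTENSION"), &buf);
  strcpy (xtension, fdat->fstring);   /* NULL dereference on a malformed header */
}

/* Shape of the fix: refuse the file. Returns 0, or -1 with errmsg filled in. */
static int read_xtension_checked (const char *hdr, size_t ncards, char *xtension,
                                  size_t xtension_size, char *errmsg, size_t errmsg_size)
{
  FitsData buf, *fdat;
  fdat = fits_decode_string_card_ex (fits_search_card_ex (hdr, ncards, "XTENSION"), &buf);
  if (fdat == NULL) {
    snprintf (errmsg, errmsg_size, "No valid XTENSION header found.");
    return -1;
  }
  snprintf (xtension, xtension_size, "%s", fdat->fstring);   /* bounded, unlike strcpy */
  return 0;
}

/* Blank-pad text to one 80-column card, run the checked reader on it, and report
 * whether the return code and the value or error string are the expected ones. */
static int run_header_ex (const char *text, int expect_rc, const char *expect_str)
{
  char hdr[CARD], xtension[CARD + 1], errmsg[64] = "";
  size_t len = strlen (text) < CARD ? strlen (text) : CARD;
  int rc;
  memset (hdr, ' ', CARD);
  memcpy (hdr, text, len);
  rc = read_xtension_checked (hdr, 1, xtension, sizeof xtension, errmsg, sizeof errmsg);
  return rc == expect_rc && strcmp (rc == 0 ? xtension : errmsg, expect_str) == 0;
}

/* Constructed input: a well-formed IMAGE extension card. */
static int valid_header_accepted_ex (void)
{
  return run_header_ex ("XTENSION= 'IMAGE   '           / IMAGE extension", 0, "IMAGE");
}

/* Constructed input: the crafted card from the report, "XTENSION" followed by 72 'a'. */
static int crafted_header_rejected_ex (void)
{
  char crafted[CARD + 1];
  memset (crafted, 'a', CARD);
  memcpy (crafted, "XTENSION", KEYW);
  crafted[CARD] = '\0';
  return run_header_ex (crafted, -1, "No valid XTENSION header found.");
}

int main (void)
{
  printf ("valid accepted: %d, crafted rejected: %d\n", valid_header_accepted_ex (), crafted_header_rejected_ex ());
  /* read_xtension_unchecked() on the crafted card would segfault here, as GIMP 2.8.0 did. */
  return 0;
}
```

Note that the crafted card still matches the keyword search (its first eight bytes are "XTENSION"), so it is the decode step, not the lookup, that yields NULL; any caller that chains the two without checking the result, as the 2.8.0 code did, dereferences NULL on such input. The checked variant also swaps strcpy for a bounded copy, which the original patch does not do.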
Comment 6 joe 2012-06-06 11:26:41 UTC
I will release my advisory on June 13th 2012.

BRs,

Joe
Comment 7 Michael Natterer 2012-06-06 12:40:27 UTC
Thanks for the patch, it will be in 2.8.1. Raising priority to release
blocker as reminder for myself.
Comment 8 Michael Natterer 2012-06-06 19:24:50 UTC
Fixed in master and gimp-2-8:

commit 0474376d234bc3d0901fd5e86f89d778a6473dd8
Author: Michael Natterer <mitch@gimp.org>
Date:   Wed Jun 6 21:21:10 2012 +0200

    Bug 676804 - file handling DoS for fit file format
    
    Apply patch from joe@reactionis.co.uk which fixes a buffer overflow on
    broken/malicious fits files.
    (cherry picked from commit ace45631595e8781a1420842582d67160097163c)

 plug-ins/file-fits/fits-io.c |   16 ++++++++++++----
 1 file changed, 12 insertions(+), 4 deletions(-)
Comment 9 joe 2012-06-08 13:56:46 UTC
Thanks Michael.

When will version 2.8.1 be released? I will release my advisory at the same time.

Cheers,

Joe
Comment 10 Michael Natterer 2012-06-08 14:11:31 UTC
When it's done, no date known yet :)