GNOME Bugzilla – Bug 708098
Further mitigation for CVE-2012-4245 (script-fu-server)
Last modified: 2014-04-23 20:29:12 UTC
Hello! In 2012 a vulnerability was reported [1] that the Gimp script-fu server would allow anyone who connects to the server to run arbitrary Python code, with no access control and even from sources other than localhost. It was called CVE-2012-4245. My impression is that this vulnerability still exists in Gimp 2.8.6. Since the server needs human action to be started, one could argue there is not too much of a risk. Still, there are some easy steps that would help a lot to protect users in my eyes:

* In the dialog "Script-Fu Server Options" offer a third box to customize the IP address to bind to. Make it default to 127.0.0.1. The user could change it back to 0.0.0.0 if he/she wishes, and it would turn a remote vulnerability into a local one.
* In the same dialog add a label with a detailed warning.

What do you think?

[1] http://thread.gmane.org/gmane.comp.security.oss.general/8173/focus=11115
We consider the script-fu server an utter hack that cannot be made safe, but this is clearly a good idea. Do you plan to provide a patch?
(In reply to comment #0)
> My impression is that this vulnerability still exist in Gimp 2.8.6.

Yes. To clarify, nothing has been done to change anything. See bug 676342. And currently the script-fu server seems to be broken on the Windows platforms without anyone really noticing/caring about it - this could be an indication of its overall importance... :)
Sebastian, do you have a patch for this?
Not yet, no. I have advertised this task among a few peers and interest has been voiced. If that does not work out, I might still make a patch myself; we'll see. We can agree on a deadline for closing in case of no action by that date if you like.
We can just leave it open until somebody has the urge of bugging you again ;)
In comment #2, the reference to Script-Fu server being broken on windows is covered by bug #703364.
Created attachment 274926 [details] [review] resolves a possible script-fu vulnerability
Created attachment 274927 [details] [review] adds a warning, informing about a possible script-fu vulnerability
Created attachment 274928 [details] [review] new function announcement for the pdb
Hi there, I filed a patch changing the default binding address to 127.0.0.1 and added a warning message to the start-server dialog. In case someone ever likes to use it, I created an additional plug-in-script-fu-server-ext function announcement for the procedural database, including the listen-to IP as a fourth parameter (in addition to the existing plug-in-script-fu-server function). Is that usable to you?
Thanks, that looks very good. I'm even considering changing the default server procedure to require the IP, because the current state is just too much of a risk.
Pushed all patches to master and gimp-2-8. Changed them and made any old-style procedure calls fail. Please review and check if I messed :)

commit 401d21b12412e69f0dc813bb8795082184d9c94e
Author: Christian Lehmann <dev@christianl.de>
Date:   Thu Nov 14 22:58:31 2013 +0100

    Bug 708098 - Further mitigation for CVE-2012-4245 (script-fu-server)

    Add an "ip" parameter as *first* argument to the plug-in-script-fu-server procedure. This is an incompatible change with the intent to make any old-style calls to the procedure fail. Also reorder the GUI to have the IP in the first line.

    (cherry picked from commit 83741044fc6f6409910b1690dc601c98e0f7ec3f)

 plug-ins/script-fu/script-fu-server.c | 46 ++++++++++++++++++++++++----------------------
 plug-ins/script-fu/script-fu.c        |  8 +++++++-
 2 files changed, 31 insertions(+), 23 deletions(-)

commit 4f83fd3f13631bb6d89cc5c3527fb2ca802f5489
Author: Christian Lehmann <dev@christianl.de>
Date:   Thu Nov 14 22:48:38 2013 +0100

    Bug 708098 - Further mitigation for CVE-2012-4245 (script-fu-server)

    Added a warning message informing about the danger of running a script-fu server on any IP but 127.0.0.1.

    (cherry picked from commit 3705f54300b29f4a21857e8d404e545480c6aeff)

 plug-ins/script-fu/script-fu-server.c | 47 +++++++++++++++++++++++++++++++++++++----------
 1 file changed, 37 insertions(+), 10 deletions(-)

commit 95269e922b486fceb28670fc21073fe1a61c8046
Author: Christian Lehmann <dev@christianl.de>
Date:   Thu Nov 14 22:43:02 2013 +0100

    Bug 708098 - Further mitigation for CVE-2012-4245 (script-fu-server)

    added listen-to-ip field to the script-fu start server dialog

    (cherry picked from commit f98592afa31331fd376131fee2c4cf33d6f99151)

 plug-ins/script-fu/script-fu-server.c | 37 +++++++++++++++++++++++++++----------
 1 file changed, 27 insertions(+), 10 deletions(-)
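As an added illustration, and not code from GIMP's script-fu-server.c or from the patches above, the shape of the bind that comment #0 proposes and the pushed commits implement: the listen address is an explicit parameter whose default is loopback, the server refuses to start on an address it cannot parse, and binding to anything outside 127.0.0.0/8 is allowed but warned about (the counterpart of the dialog warning). The helper names, the IPv4-only restriction and the use of port 0 in the demo are my assumptions for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumed default for this example: loopback, so only local processes
 * can reach the server. The old behaviour was an implicit 0.0.0.0. */
#define DEFAULT_LISTEN_IP "127.0.0.1"

/* Parse a dotted-quad IPv4 address and a port into a sockaddr_in.
 * Returns 0 on success, -1 for NULL/empty input or a non-IPv4 string.
 * An empty string is rejected on purpose: "all interfaces" has to be
 * requested explicitly as 0.0.0.0, never obtained by leaving a field blank. */
int parse_listen_addr(const char *ip, unsigned short port,
                      struct sockaddr_in *out)
{
    if (ip == NULL || *ip == '\0' || out == NULL)
        return -1;
    memset(out, 0, sizeof *out);
    out->sin_family = AF_INET;
    out->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &out->sin_addr) == 1 ? 0 : -1;
}

/* True when the address lies in 127.0.0.0/8, i.e. is not reachable
 * from other hosts. */
int addr_is_loopback(const struct sockaddr_in *sa)
{
    return (ntohl(sa->sin_addr.s_addr) & 0xff000000u) == 0x7f000000u;
}

/* Create a TCP listener on ip:port. A NULL ip selects the loopback default.
 * On success returns the socket fd and, if bound is non-NULL, stores the
 * address actually bound (with port 0 this reveals the kernel-chosen port).
 * Returns -1 on any failure. */
int open_listener(const char *ip, unsigned short port,
                  struct sockaddr_in *bound)
{
    const char *addr = ip ? ip : DEFAULT_LISTEN_IP;
    struct sockaddr_in sa;
    int fd;

    if (parse_listen_addr(addr, port, &sa) != 0) {
        fprintf(stderr, "refusing to start: '%s' is not an IPv4 address\n", addr);
        return -1;
    }
    if (!addr_is_loopback(&sa))
        fprintf(stderr, "warning: listening on %s makes the server reachable "
                        "from other hosts; anyone who connects can run scripts\n",
                addr);

    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0 || listen(fd, 5) != 0) {
        close(fd);
        return -1;
    }
    if (bound) {
        socklen_t len = sizeof *bound;
        if (getsockname(fd, (struct sockaddr *)bound, &len) != 0) {
            close(fd);
            return -1;
        }
    }
    return fd;
}

int main(void)
{
    struct sockaddr_in bound;
    char text[INET_ADDRSTRLEN];

    /* Port 0 lets the kernel pick a free port so this demo never collides
     * with a real server; a real server would pass its configured port. */
    int fd = open_listener(NULL, 0, &bound);
    if (fd < 0) {
        perror("open_listener");
        return 1;
    }
    inet_ntop(AF_INET, &bound.sin_addr, text, sizeof text);
    printf("listening on %s:%u (loopback=%d)\n", text,
           (unsigned)ntohs(bound.sin_port), addr_is_loopback(&bound));
    close(fd);

    /* The old behaviour for comparison: all interfaces, now with a warning. */
    fd = open_listener("0.0.0.0", 0, &bound);
    if (fd >= 0)
        close(fd);
    return 0;
}
```

The point of making the address a required, parsed parameter rather than an optional one is the same as the commit's choice to put "ip" first in the PDB signature: a caller that does not think about where the server listens cannot accidentally get the wide-open behaviour.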
The warning looks more urgent now, I had a hard time crafting something with gtk. Unfortunately changing both interfaces, the pdb and the start_server argument order, leads to an ordered parameter passing again when calling start_server ;)
Created attachment 274958 [details] [review] parameter reordering for script_fu pdb call
Gah, evidence that I never tested that "cleanup" ;) Thanks, will push.
Fixed in master and gimp-2-8:

commit d6e7557001000e6aaf93cee7c4d3379642d72d4a
Author: Christian Lehmann <dev@christianl.de>
Date:   Wed Apr 23 18:07:45 2014 +0200

    Bug 708098 - Further mitigation for CVE-2012-4245 (script-fu-server)

    Reorder server_start()'s arguments so they match the PDB signature.

    (cherry picked from commit 3b72ad8939c3a1463492d102dfe457e5fef68d04)

 plug-ins/script-fu/script-fu-server.c | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)
FYI, this issue will apply to servers provided in other language bindings. At the moment it only affects gimp-perl. The Ruby and Python bindings don't include a server mode plug-in.