GNOME Bugzilla – Bug 773233
CVE-2007-3126 - Gimp 2.3.14 allows context-dependent attackers to cause a denial of service (crash) via an ICO file with an InfoHeader containing a Height of zero,
Last modified: 2017-12-26 16:09:11 UTC
Found this in the Debian Security tracker at

https://security-tracker.debian.org/tracker/source-package/gimp
https://security-tracker.debian.org/tracker/CVE-2007-3126
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3126

It's classified as unimportant, and I guess only the ICO plug-in crashes.

I can't find any evidence of this ever being brought to our attention, nor being addressed by us. It is possible that current versions of GIMP still suffer from the issue.

I couldn't find any test files attached to any of the messages referenced by the various threads and sites, either.
Created attachment 338272
Sample exploit ICO file for CVE-2007-3126

Found the exploit file at http://www.securityfocus.com/bid/24346/exploit
No crash (of either GIMP or the ICO plug-in), but a couple of errors that could probably be avoided by checking whether a layer can be created:

-----
GIMP Error
Calling error for procedure 'gimp-layer-new':
Procedure 'gimp-layer-new' has been called with value '0' for argument 'height' (#3, type GimpInt32). This value is out of range.

GIMP Error
Calling error for procedure 'gimp-image-insert-layer':
Procedure 'gimp-image-insert-layer' has been called with an invalid ID for argument 'layer'. Most likely a plug-in is trying to work on a layer that doesn't exist any longer.

GIMP Error
Calling error for procedure 'gimp-drawable-width':
Procedure 'gimp-drawable-width' has been called with an invalid ID for argument 'drawable'. Most likely a plug-in is trying to work on a layer that doesn't exist any longer.

GIMP Error
Calling error for procedure 'gimp-drawable-height':
Procedure 'gimp-drawable-height' has been called with an invalid ID for argument 'drawable'. Most likely a plug-in is trying to work on a layer that doesn't exist any longer.

GIMP Error
Calling error for procedure 'gimp-drawable-bpp':
Procedure 'gimp-drawable-bpp' has been called with an invalid ID for argument 'drawable'. Most likely a plug-in is trying to work on a layer that doesn't exist any longer.

GIMP Error
Opening '/home/schumaml/Downloads/24346.ico' failed: Procedure 'file-ico-load' returned no return values
-----
Fixed in master:

commit 46bcd82800e37b0f5aead76184430ef2fe802748
Author: Michael Natterer <mitch@gimp.org>
Date:   Sun Nov 6 21:34:43 2016 +0100

    Bug 773233 - CVE-2007-3126 - Gimp 2.3.14 allows context-dependent attackers...

    ...to cause a denial of service (crash) via an ICO file with an
    InfoHeader containing a Height of zero

    Add some error handling to ico-load.c and bail out on zero width or
    height icons. Also some formatting cleanup.

 plug-ins/file-ico/ico-load.c | 103 ++++++++++++++++++++++++++++++++++++------------------------
 1 file changed, 62 insertions(+), 41 deletions(-)
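
The kind of check the commit message describes, rejecting zero width or height before a layer is created, sketched as an added example; it is not part of this bug thread and is not the code from ico-load.c. The function names, status codes and the constructed header-only sample file are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ico_status { ICO_OK, ICO_TRUNCATED, ICO_BAD_HEADER, ICO_BAD_DIMENSIONS };

/* ICO fields are little-endian. */
static uint32_t rd16(const uint8_t *p) { return p[0] | ((uint32_t)p[1] << 8); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | (rd16(p + 2) << 16); }
static void wr32(uint8_t *p, uint32_t v) {
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Hypothetical helper (not GIMP's ico-load.c): validate the first icon's
 * 40-byte InfoHeader before any layer or pixel buffer is sized from it. */
enum ico_status ico_check_first_icon(const uint8_t *buf, size_t len,
                                     int32_t *w, int32_t *h)
{
    if (len < 6 + 16) return ICO_TRUNCATED;        /* ICONDIR + one entry */
    if (rd16(buf) != 0 || rd16(buf + 2) != 1 || rd16(buf + 4) == 0)
        return ICO_BAD_HEADER;
    uint32_t off = rd32(buf + 6 + 12);             /* entry's image offset */
    if (off > len || len - off < 40) return ICO_TRUNCATED;
    const uint8_t *ih = buf + off;
    if (rd32(ih) != 40) return ICO_BAD_HEADER;     /* BMP-style icons only */
    *w = (int32_t)rd32(ih + 4);
    *h = (int32_t)rd32(ih + 8) / 2;   /* stored height spans XOR + AND masks */
    if (*w <= 0 || *h <= 0) return ICO_BAD_DIMENSIONS;
    return ICO_OK;
}

/* Build a constructed one-icon file (headers only) and check it. */
enum ico_status ico_sample_status(int32_t width, int32_t stored_height)
{
    uint8_t f[6 + 16 + 40] = {0};
    int32_t w, h;
    f[2] = 1; f[4] = 1;                            /* type = icon, count = 1 */
    wr32(f + 6 + 8, 40);                           /* bytes in resource */
    wr32(f + 6 + 12, 22);                          /* image offset */
    wr32(f + 22, 40);                              /* InfoHeader size */
    wr32(f + 26, (uint32_t)width);
    wr32(f + 30, (uint32_t)stored_height);
    return ico_check_first_icon(f, sizeof f, &w, &h);
}

int main(void)
{
    printf("height 64: %d, height 0: %d\n",
           ico_sample_status(32, 64), ico_sample_status(32, 0));
    return 0;
}
```

Because the InfoHeader height in an ICO covers both the colour bitmap and the mask, a stored height of 1 also yields a zero-height icon and is rejected along with 0 and negative values.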