Bug 773233 - (CVE-2007-3126) CVE-2007-3126 - Gimp 2.3.14 allows context-dependent attackers to cause a denial of service (crash) via an ICO file with an InfoHeader containing a Height of zero,
Status: RESOLVED FIXED
Product: GIMP
Classification: Other
Component: Plugins
Version: 2.8.18
Platform: Other All
Priority: Normal
Severity: normal
Target Milestone: 2.10
Assigned To: GIMP Bugs
Depends on:
Blocks: 778604
Reported: 2016-10-19 20:40 UTC by Michael Schumacher
Modified: 2017-12-26 16:09 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
Sample exploit ICO file for CVE-2007-3126 (198 bytes, image/vnd.microsoft.icon)
2016-10-22 21:26 UTC, Michael Schumacher
Details

Description Michael Schumacher 2016-10-19 20:40:38 UTC
Found this in the Debian Security tracker at 
https://security-tracker.debian.org/tracker/source-package/gimp

https://security-tracker.debian.org/tracker/CVE-2007-3126
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-3126

It's classified as unimportant, and I guess only the ICO plug-in crashes.

I can't find any evidence of this ever being brought to our attention, nor being addressed by us. It is possible that current versions of GIMP still suffer from the issue. I couldn't find any test files attached to any of the messages referenced by the various threads and sites, either.
Comment 1 Michael Schumacher 2016-10-22 21:26:27 UTC
Created attachment 338272 [details]
Sample exploit ICO file for CVE-2007-3126

Found the exploit file at http://www.securityfocus.com/bid/24346/exploit
Comment 2 Michael Schumacher 2016-10-22 21:31:13 UTC
No crash (of either GIMP or the ICO plug-in), but a couple of errors that could probably be avoided by checking whether a layer can be created:

-----

  GIMP Error
Calling error for procedure 'gimp-layer-new':
Procedure 'gimp-layer-new' has been called with value '0' for argument 'height' (#3, type GimpInt32). This value is out of range.

  GIMP Error
Calling error for procedure 'gimp-image-insert-layer':
Procedure 'gimp-image-insert-layer' has been called with an invalid ID for argument 'layer'. Most likely a plug-in is trying to work on a layer that doesn't exist any longer.

  GIMP Error
Calling error for procedure 'gimp-drawable-width':
Procedure 'gimp-drawable-width' has been called with an invalid ID for argument 'drawable'. Most likely a plug-in is trying to work on a layer that doesn't exist any longer.

  GIMP Error
Calling error for procedure 'gimp-drawable-height':
Procedure 'gimp-drawable-height' has been called with an invalid ID for argument 'drawable'. Most likely a plug-in is trying to work on a layer that doesn't exist any longer.

  GIMP Error
Calling error for procedure 'gimp-drawable-bpp':
Procedure 'gimp-drawable-bpp' has been called with an invalid ID for argument 'drawable'. Most likely a plug-in is trying to work on a layer that doesn't exist any longer.

  GIMP Error
Opening '/home/schumaml/Downloads/24346.ico' failed:

Procedure 'file-ico-load' returned no return values

-----
Comment 3 Michael Natterer 2016-11-06 20:36:14 UTC
Fixed in master:

commit 46bcd82800e37b0f5aead76184430ef2fe802748
Author: Michael Natterer <mitch@gimp.org>
Date:   Sun Nov 6 21:34:43 2016 +0100

    Bug 773233 - CVE-2007-3126 - Gimp 2.3.14 allows context-dependent attackers...
    
    ...to cause a denial of service (crash) via an ICO file with an
    InfoHeader containing a Height of zero
    
    Add some error handling to ico-load.c and bail out on zero width or height
    icons. Also some formatting cleanup.

 plug-ins/file-ico/ico-load.c | 103 ++++++++++++++++++++++++++++++++++++------------------------
 1 file changed, 62 insertions(+), 41 deletions(-)
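The commit message above describes the fix as bailing out on zero width or height before a layer is created. The following is an added example, not GIMP's ico-load.c and not the attachment from this report: a small C validator for the ICO directory entry and its BITMAPINFOHEADER that bounds-checks every read and refuses a zero (or negative) dimension before any allocation would happen. The type and function names (`ico_status`, `ico_check_entry`, `build_ico_headers`, the `check_*_sample` helpers) are hypothetical, and the three header buffers it checks are constructed inline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Result of validating one image in an .ico file (hypothetical names). */
typedef enum {
    ICO_OK = 0,
    ICO_ERR_TRUNCATED,          /* file shorter than the headers it claims */
    ICO_ERR_NOT_ICO,            /* reserved/type fields are not an icon's */
    ICO_ERR_BAD_ENTRY,          /* no entries, bad index, or entry too small */
    ICO_ERR_BAD_HEADER_SIZE,    /* biSize is not the 40-byte BITMAPINFOHEADER */
    ICO_ERR_NEGATIVE_DIMENSION, /* biWidth or biHeight negative */
    ICO_ERR_ZERO_DIMENSION      /* width or height 0: the CVE-2007-3126 case */
} ico_status;

typedef struct { int32_t width, height; uint16_t bpp; } ico_image_info;

/* Little-endian readers; the ICO format is always little-endian. */
static uint16_t rd_u16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Validate entry `index` of the ICO in buf[0..len) and report its image size.
 * Every read is bounds-checked first, and a zero width or height is refused
 * here, before a caller would create a layer or allocate pixel storage. */
ico_status ico_check_entry(const uint8_t *buf, size_t len, unsigned index, ico_image_info *out)
{
    if (len < 6) return ICO_ERR_TRUNCATED;                          /* ICONDIR */
    if (rd_u16(buf) != 0 || rd_u16(buf + 2) != 1) return ICO_ERR_NOT_ICO;
    uint16_t count = rd_u16(buf + 4);
    if (count == 0 || index >= count) return ICO_ERR_BAD_ENTRY;

    size_t entry_off = 6 + (size_t)index * 16;                      /* ICONDIRENTRY */
    if (len < entry_off + 16) return ICO_ERR_TRUNCATED;
    const uint8_t *e = buf + entry_off;
    uint32_t size = rd_u32(e + 8), offset = rd_u32(e + 12);
    if (offset > len || size > len - offset) return ICO_ERR_TRUNCATED;
    if (size < 40) return ICO_ERR_BAD_ENTRY;

    const uint8_t *h = buf + offset;                                /* BITMAPINFOHEADER */
    if (rd_u32(h) != 40) return ICO_ERR_BAD_HEADER_SIZE;            /* PNG payloads not handled */
    int32_t w  = (int32_t)rd_u32(h + 4);
    int32_t h2 = (int32_t)rd_u32(h + 8);   /* biHeight spans the XOR and AND masks */
    if (w < 0 || h2 < 0) return ICO_ERR_NEGATIVE_DIMENSION;
    if (w == 0 || h2 / 2 == 0) return ICO_ERR_ZERO_DIMENSION;
    if (out) { out->width = w; out->height = h2 / 2; out->bpp = rd_u16(h + 14); }
    return ICO_OK;
}

/* --- constructed test input (made up here, not the report's attachment) --- */
static void wr_u16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr_u32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Write a 62-byte ICONDIR + one ICONDIRENTRY + BITMAPINFOHEADER (no pixel data;
 * the validator only needs the headers) with the given biWidth and biHeight. */
size_t build_ico_headers(uint8_t *buf, int32_t bi_width, int32_t bi_height)
{
    memset(buf, 0, 62);
    wr_u16(buf + 2, 1);                     /* type 1 = icon */
    wr_u16(buf + 4, 1);                     /* one image */
    uint8_t *e = buf + 6;
    e[0] = (uint8_t)bi_width;               /* directory width byte */
    e[1] = (uint8_t)(bi_height / 2);        /* directory height byte */
    wr_u16(e + 4, 1);  wr_u16(e + 6, 32);   /* planes, bit count */
    wr_u32(e + 8, 40); wr_u32(e + 12, 22);  /* image data size, offset */
    uint8_t *h = buf + 22;
    wr_u32(h, 40);
    wr_u32(h + 4, (uint32_t)bi_width);
    wr_u32(h + 8, (uint32_t)bi_height);
    wr_u16(h + 12, 1); wr_u16(h + 14, 32);
    return 62;
}

/* The shape the report describes: an InfoHeader with a Height of zero. */
ico_status check_zero_height_sample(void)
{
    uint8_t buf[62];
    return ico_check_entry(buf, build_ico_headers(buf, 16, 0), 0, NULL);
}

/* A well-formed 16x16, 32-bpp icon header. */
ico_status check_wellformed_sample(ico_image_info *info)
{
    uint8_t buf[62];
    return ico_check_entry(buf, build_ico_headers(buf, 16, 32), 0, info);
}

/* The same headers with the file cut off inside the BITMAPINFOHEADER. */
ico_status check_truncated_sample(void)
{
    uint8_t buf[62];
    return ico_check_entry(buf, build_ico_headers(buf, 16, 32) - 10, 0, NULL);
}

int main(void)
{
    ico_image_info info;
    printf("zero height: %d\n", check_zero_height_sample());
    printf("well-formed: %d (%dx%d, %u bpp)\n", check_wellformed_sample(&info),
           info.width, info.height, (unsigned)info.bpp);
    printf("truncated: %d\n", check_truncated_sample());
    return 0;
}
```

The point of the ordering in `ico_check_entry` is that the dimension check runs on the header values alone: a loader that reads the header, rejects a zero dimension, and only then asks the host to create a layer never reaches the chain of invalid-ID errors shown in comment 2, where each later call fails because the first one did. The same structure also rejects a file whose directory entry claims more data than the file contains, which is the other common way a malformed .ico drives a parser out of bounds.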