Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer overflow in PSP importer, function read_channel_data
Status: RESOLVED FIXED
Product: GIMP
Classification: Other
Component: Plugins
Version: 2.9.6
Hardware/OS: Other / All
Importance: Normal normal
Target Milestone: 2.8
Assigned To: GIMP Bugs
Alias: CVE-2017-17789
Depends on:
Blocks:
Reported: 2017-11-26 12:00 UTC by Hanno Böck
Modified: 2017-12-21 08:31 UTC
See Also:
GNOME target: ---
GNOME version: ---


Attachments
poc file (801 bytes, application/octet-stream) - 2017-11-26 12:00 UTC, Hanno Böck

Description Hanno Böck 2017-11-26 12:00:32 UTC
Created attachment 364422 [details]
poc file

The attached file will cause a heap buffer overflow in the PSP import plugin.

Stack trace from address sanitizer:
==29046==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7f64a922d100 at pc 0x0000004c3668 bp 0x7ffc2baf8a50 sp 0x7ffc2baf8200
WRITE of size 48 at 0x7f64a922d100 thread T0
    #0 0x4c3667 in __asan_memmove (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x4c3667)
    #1 0x513628 in read_channel_data /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1237:17
    #2 0x513628 in read_layer_block /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1593
    #3 0x513628 in load_image /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1843
    #4 0x513628 in run /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1949
    #5 0x7f64c0ad3afd in gimp_proc_run /f/gimp/gimp-2.9.6/libgimp/gimp.c:2168:7
    #6 0x7f64c0ad3afd in gimp_loop /f/gimp/gimp-2.9.6/libgimp/gimp.c:1997
    #7 0x7f64c0ad3afd in gimp_main /f/gimp/gimp-2.9.6/libgimp/gimp.c:618
    #8 0x7f64bbd2c0cc in __libc_start_main (/lib64/libc.so.6+0x210cc)
    #9 0x41b479 in _start (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x41b479)

0x7f64a922d100 is located 0 bytes to the right of 152176896-byte region [0x7f64a010c800,0x7f64a922d100)
allocated by thread T0 here:
    #0 0x4da260 in calloc (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x4da260)
    #1 0x7f64bd073710 in g_malloc0 (/usr/lib64/libglib-2.0.so.0+0x4f710)
    #2 0x512af1 in read_layer_block /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1510:15
    #3 0x512af1 in load_image /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1843
    #4 0x512af1 in run /f/gimp/gimp-2.9.6/plug-ins/common/file-psp.c:1949
    #5 0x7f64c0ad3afd in gimp_proc_run /f/gimp/gimp-2.9.6/libgimp/gimp.c:2168:7
    #6 0x7f64c0ad3afd in gimp_loop /f/gimp/gimp-2.9.6/libgimp/gimp.c:1997
    #7 0x7f64c0ad3afd in gimp_main /f/gimp/gimp-2.9.6/libgimp/gimp.c:618
    #8 0x7f64bbd2c0cc in __libc_start_main (/lib64/libc.so.6+0x210cc)
    #9 0x41b479 in _start (/usr/local/lib64/gimp/2.0/plug-ins/file-psp+0x41b479)
Comment 1 Raphael Hertzog 2017-12-20 08:45:27 UTC
FYI this security issue has been given the following CVE number: CVE-2017-17789
Comment 2 Jehan 2017-12-20 15:50:23 UTC
Fixed. Thanks for the report!

commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8 (HEAD -> master, origin/master, origin/HEAD)
Author: Jehan <jehan@girinstud.io>
Date:   Wed Dec 20 16:44:20 2017 +0100

    Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer overflow...
    
    ... in PSP importer.
    Check if declared block length is valid (i.e. within the actual file)
    before going further.
    Consider the file as broken otherwise and fail loading it.

 plug-ins/common/file-psp.c | 9 +++++++++
 1 file changed, 9 insertions(+)
Comment 3 Jehan 2017-12-20 15:51:21 UTC
Also pushed to gimp-2-8:

commit 01898f10f87a094665a7fdcf7153990f4e511d3f (HEAD -> gimp-2-8, origin/gimp-2-8)
Author: Jehan <jehan@girinstud.io>
Date:   Wed Dec 20 16:44:20 2017 +0100

    Bug 790849 - (CVE-2017-17789) CVE-2017-17789 Heap buffer overflow...
    
    ... in PSP importer.
    Check if declared block length is valid (i.e. within the actual file)
    before going further.
    Consider the file as broken otherwise and fail loading it.
    
    (cherry picked from commit 28e95fbeb5720e6005a088fa811f5bf3c1af48b8)
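The fix described in the commit message above (check that the declared block length lies within the actual file before reading further, and treat the file as broken otherwise) is the kind of two-sided bounds check shown in this added example. It is not GIMP's file-psp.c code: the block layout, the function names and the sample byte strings are constructed for illustration, and the source-side check (block fits in the file) is paired with a destination-side check (payload fits in the pixel buffer), which is the allocation the AddressSanitizer trace reports being overrun.

```c
/*
 * Added example, not GIMP's file-psp.c: bounds-checking a declared block
 * length against the bytes actually present, and a channel payload against
 * the pixel buffer it is copied into, before any memcpy takes place.
 *
 * The block layout below is a constructed stand-in for illustration:
 *   bytes 0..3  little-endian uint32 declared payload length
 *   bytes 4..   payload (channel data)
 * Function names and the sample files are assumptions, not from the page.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BLOCK_HEADER_SIZE 4u

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Returns 1 when the block starting at `offset` lies entirely inside a file
 * of `file_len` bytes, storing its declared payload length in *out_len.
 * The check subtracts from file_len instead of adding to the declared
 * length so that a huge declared value cannot wrap around size_t.
 */
int block_fits_in_file(const uint8_t *file, size_t file_len,
                       size_t offset, uint32_t *out_len)
{
    if (offset > file_len || file_len - offset < BLOCK_HEADER_SIZE)
        return 0;                                   /* header itself truncated */
    uint32_t declared = read_le32(file + offset);
    if (declared > file_len - offset - BLOCK_HEADER_SIZE)
        return 0;                                   /* payload runs past EOF */
    if (out_len)
        *out_len = declared;
    return 1;
}

/*
 * Copies the channel payload into `pixels` (capacity `pixel_cap` bytes).
 * Both sides are checked: the source must exist in the file, and the
 * destination must be large enough. Returns bytes copied, or -1 if the
 * file is rejected as broken.
 */
long read_channel_data_checked(const uint8_t *file, size_t file_len,
                               size_t offset, uint8_t *pixels, size_t pixel_cap)
{
    uint32_t len;
    if (!block_fits_in_file(file, file_len, offset, &len))
        return -1;
    if (len > pixel_cap)
        return -1;   /* would write past the end of the allocated pixel region */
    memcpy(pixels, file + offset + BLOCK_HEADER_SIZE, len);
    return (long)len;
}

/* Constructed sample: declared length 6 with exactly 6 payload bytes. */
static const uint8_t GOOD_FILE[] = {
    0x06, 0x00, 0x00, 0x00, 'a', 'b', 'c', 'd', 'e', 'f'
};
/* Constructed sample: declares 0xFFFFFFF0 payload bytes but only 3 follow. */
static const uint8_t TRUNCATED_FILE[] = {
    0xF0, 0xFF, 0xFF, 0xFF, 'x', 'y', 'z'
};

long demo_valid_file(void)
{
    uint8_t pixels[16] = {0};
    return read_channel_data_checked(GOOD_FILE, sizeof GOOD_FILE, 0,
                                     pixels, sizeof pixels);
}

long demo_truncated_file(void)
{
    uint8_t pixels[16] = {0};
    return read_channel_data_checked(TRUNCATED_FILE, sizeof TRUNCATED_FILE, 0,
                                     pixels, sizeof pixels);
}

long demo_payload_larger_than_buffer(void)
{
    uint8_t pixels[4] = {0};   /* smaller than the 6-byte payload */
    return read_channel_data_checked(GOOD_FILE, sizeof GOOD_FILE, 0,
                                     pixels, sizeof pixels);
}

int main(void)
{
    printf("valid file:       %ld\n", demo_valid_file());                 /* 6 */
    printf("truncated file:   %ld\n", demo_truncated_file());             /* -1 */
    printf("buffer too small: %ld\n", demo_payload_larger_than_buffer()); /* -1 */
    return 0;
}
```

The truncated sample is the shape of input a fuzzer typically produces: a header whose length field far exceeds the bytes that follow. Rejecting it at the length check keeps the parser from ever reaching the copy, which is the same outcome the commit message describes (the file is considered broken and loading fails).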
Comment 4 Jehan 2017-12-20 15:54:39 UTC
Of course, if I missed something, feel free to reopen the bug report. But I tested it with your file, and it is properly rejected as it should.
Comment 5 Jehan 2017-12-20 16:01:54 UTC
P.S.: by the way, I searched the web but have been unable to find any valid PSP sample. I think I understood correctly the current code logic, and therefore my commit should not break importing valid PSP files.
Yet this is untested with valid PSP files. So if I made a mistake and actually broke normal PSP import, please reopen and provide me with a PSP sample so that I can better understand what went wrong and test appropriately. :-)
Comment 6 Hanno Böck 2017-12-20 16:07:19 UTC
Here are some PSP files:
https://files.fuzzing-project.org/graphics/bitmap/
I think only the psp5 file is supported and I think it's only a few pixels.

I guess this confirms my point of having a test suite with rendering examples :-)
Comment 7 Jehan 2017-12-21 00:15:46 UTC
Well it all looks fine. The PSP 5 looks like it is loaded fine like before. PSP7 and 13 won't load but that was the same without the commit. So I assume there is no regression.