Bug 763595 - VUL-0: CVE-2012-2763: gimp: buffer overflow in script-fu's server component
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other / Other
Priority: P3 - Medium
Severity: Major
Assigned To: Security Team bot
Whiteboard: maint:released:sle11-sp1:48255
Reported: 2012-05-23 07:55 UTC by Matthias Weckbecker
Modified: 2012-09-11 12:00 UTC
Description Matthias Weckbecker 2012-05-23 07:55:23 UTC
This issue is NOT public yet, please keep any information inside SUSE!
The open build service must not be used to prepare fixed packages!

Quoted from the original advisory:

----------------------------------------------------------------------

There is a buffer overflow in the script-fu server component of GIMP (the GNU Image Manipulation Program) in all 2.6 versions (Windows and Linux versions) affecting both the script-fu console and the script-fu network server.

----------------------------------------------------------------------

A specially crafted message can cause a crash or potentially allow the
execution of arbitrary code.
Comment 3 Swamp Workflow Management 2012-05-23 22:00:11 UTC
bugbot adjusting priority
Comment 4 Matthias Weckbecker 2012-05-31 09:35:11 UTC
Public as per

http://seclists.org/oss-sec/2012/q2/445
Comment 5 Scott Reeves 2012-06-01 23:45:13 UTC
OK - I can see the advisory now. Hmmm, the suggested solution of upgrading to 2.8 won't work for SLED (missing multiple dependencies like gtk 2.24) and disabling the script-fu functionality might spark complaints. I'll ping some heavy gimp users about that.

I wonder if we could patch the internal tinyscheme version to the version included in 2.8 which reportedly does not suffer the vulnerability.

Note that the Red Hat security team has marked this vulnerability as low enough that they are WONTFIX on this bug.
https://bugzilla.redhat.com/show_bug.cgi?id=824541
Comment 6 Ludwig Nussel 2012-06-05 07:36:14 UTC
Question is whether script-fu scripts should be considered safe or whether running a script-fu script already qualifies as running arbitrary code. Looks like script-fu at least has the ability to read and write files anywhere.
Comment 8 Joey Zheng 2012-06-27 02:24:14 UTC
Roy, have a try at fixing this one.
Comment 9 Sebastian Krahmer 2012-07-02 07:03:09 UTC
Date: Sat, 30 Jun 2012
To: oss-security
From: mancha [at] mac.hush.com

Below find a patch for the 2.6.x branch of GIMP to address a potential
buffer overflow in the script-fu server (CVE-2012-2763) reported on this list
by J. Sheridan (http://www.openwall.com/lists/oss-security/2012/05/31/1)

 --mancha

======================

Fix for CVE-2012-2763 for GIMP 2.6.x by mancha. Based on commit
76155d79df8d497. Thanks to muks, Kevin, and Ankh for identifying the
relevant code change.

Ref: Fixed potential buffer overflow in readstr_upto().

----------

--- a/plug-ins/script-fu/tinyscheme/scheme.c            2012-06-30
+++ b/plug-ins/script-fu/tinyscheme/scheme.c            2012-06-30
@@ -1727,7 +1727,8 @@ static char *readstr_upto(scheme *sc, ch
     c = inchar(sc);
     len = g_unichar_to_utf8(c, p);
     p += len;
-  } while (c && !is_one_of(delim, c));
+  } while ((p - sc->strbuff < sizeof(sc->strbuff)) &&
+          (c && !is_one_of(delim, c)));

   if(p==sc->strbuff+2 && c_prev=='\\')
     *p = '\0';
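Review bot: the new bound in the `while` condition is only evaluated after `len = g_unichar_to_utf8(c, p); p += len;` has already stored at p, and g_unichar_to_utf8() writes up to 6 bytes, so a token whose last character lands within the final few bytes of sc->strbuff can still run past the array before the check fires. Guarantee room for a whole UTF-8 sequence before the store, for example by testing `p - sc->strbuff + 6 <= sizeof(sc->strbuff)` before the call, or by measuring first with `g_unichar_to_utf8(c, NULL)` and storing only if it fits. Two smaller points: `p - sc->strbuff` is a ptrdiff_t compared against a size_t, which -Wsign-compare flags, so cast one side; and when the loop stops because the buffer is full the token is silently truncated and the character just read is treated like a delimiter, so callers get no indication that input was dropped, which is fine for a crash fix but deserves a comment.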
Comment 10 Mu Lei 2012-07-04 03:18:25 UTC
My vote is to use the newest "readstr_upto" implementation; it fixed this issue and is more elegant:

-------------------patch----------------
 /* read characters up to delimiter, but cater to character constants */
 static char *readstr_upto(scheme *sc, char *delim) {
   char *p = sc->strbuff;
-  gunichar c = 0;
-  gunichar c_prev = 0;
-  int  len = 0;
 
-#if 0
-  while (!is_one_of(delim, (*p++ = inchar(sc))))
-      ;
-  if(p==sc->strbuff+2 && p[-2]=='\\') {
+  while ((p - sc->strbuff < sizeof(sc->strbuff)) &&
+         !is_one_of(delim, (*p++ = inchar(sc))));
+
+  if(p == sc->strbuff+2 && p[-2] == '\\') {
     *p=0;
   } else {
     backchar(sc,p[-1]);
     *--p = '\0';
   }
-#else
-  do {
-    c_prev = c;
-    c = inchar(sc);
-    len = g_unichar_to_utf8(c, p);
-    p += len;
-  } while (c && !is_one_of(delim, c));
-
-  if(p==sc->strbuff+2 && c_prev=='\\')
-    *p = '\0';
-  else
-  {
-    backchar(sc,c);    /* put back the delimiter */
-    p[-len] = '\0';
-  }
-#endif
   return sc->strbuff;
 }
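Review bot: this replaces the `#else` path, which decoded input with g_unichar_to_utf8() into the buffer, with `*p++ = inchar(sc)`, which stores the return value of inchar() into a single `char`; given the removed `gunichar c` declarations, inchar() apparently yields code points that may not fit in a byte, so non-ASCII identifiers and strings are read differently after this change, and the script-fu tests should be run on non-ASCII input before calling it equivalent to the minimal fix. Style: the empty loop body in `!is_one_of(delim, (*p++ = inchar(sc))));` hides the terminating `;` at the end of the condition, which is easy to misread; put the `;` (or `{ }`) on its own line as the old `#if 0` branch did. As in the other patch, a full buffer is not reported: the loop then exits with p == sc->strbuff + sizeof(sc->strbuff), `backchar(sc,p[-1])` pushes back the last stored byte rather than a delimiter, and `*--p = '\0'` terminates the truncated token, so the caller cannot tell a full buffer from a normal delimiter.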
-------------------patch end-------------------

Nevertheless, I suggest we use the newest stable tinyscheme. I believe it fixes more than we found.
Though tinyscheme is standalone from GIMP, I'm not sure if the newest tinyscheme passes all the tests of our GIMP version.
Can anyone give me a hint?
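As an added illustration, not GIMP's tinyscheme code and not part of this bug's submissions, the following C reader mirrors the shape of the patched readstr_upto() loop on a constructed fixed-size buffer: it stops at a delimiter, at end of input, or when the buffer is full, checks the bound before each store, and, unlike both patches above, reports a full buffer to the caller instead of silently truncating the token. The struct reader, inchar(), backchar(), is_one_of(), STRBUF_SIZE, the guard canary and the sample inputs are all constructed for this example; it is byte-oriented and does not model the UTF-8 decoding path of the original function.

```c
/* Added example, not GIMP's tinyscheme code: a bounded delimiter-terminated
 * token reader modelled on the patched readstr_upto() loop. Everything here
 * (struct reader, inchar, backchar, is_one_of, the buffer size and the
 * sample inputs) is constructed for illustration. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define STRBUF_SIZE 16   /* deliberately small so a full buffer is easy to hit */

struct reader {
    const char *src;            /* constructed input stream */
    size_t pos;                 /* read position in src */
    char strbuff[STRBUF_SIZE];  /* fixed-size token buffer, like sc->strbuff */
    char guard[8];              /* canary after the buffer; must stay intact */
};

/* Next byte of input, or 0 at end of input. */
static int inchar(struct reader *r) {
    if (r->src[r->pos] == '\0')
        return 0;
    return (unsigned char)r->src[r->pos++];
}

/* Push the last byte back so the caller sees it again (no-op at EOF). */
static void backchar(struct reader *r, int c) {
    if (c != 0 && r->pos > 0)
        r->pos--;
}

static int is_one_of(const char *delim, int c) {
    return c != 0 && strchr(delim, c) != NULL;
}

/* Read bytes into r->strbuff until a delimiter, end of input, or a full
 * buffer. Returns the token length, or -1 when the token did not fit. The
 * bound is checked before each store, with one byte kept for the terminator,
 * so the canary after the buffer can never be written. A full buffer is
 * reported rather than silently truncated, which the GIMP patches do not do. */
static int readstr_upto_bounded(struct reader *r, const char *delim) {
    char *p = r->strbuff;
    char *end = r->strbuff + sizeof(r->strbuff) - 1;   /* room for '\0' */
    int c;

    for (;;) {
        c = inchar(r);
        if (c == 0 || is_one_of(delim, c)) {
            backchar(r, c);          /* leave the delimiter for the caller */
            break;
        }
        if (p == end) {              /* full: refuse instead of overrunning */
            backchar(r, c);
            *p = '\0';
            return -1;
        }
        *p++ = (char)c;
    }
    *p = '\0';
    return (int)(p - r->strbuff);
}

/* Count the non-empty tokens in a constructed input, consuming one
 * delimiter between tokens. Returns -1 if any token overflows the buffer. */
static int count_tokens(const char *input, const char *delim) {
    struct reader r = { input, 0, {0}, "GUARD" };
    int count = 0;

    for (;;) {
        int n = readstr_upto_bounded(&r, delim);
        if (n < 0)
            return -1;               /* reject the whole input, do not guess */
        if (n > 0)
            count++;
        if (inchar(&r) == 0)         /* consume the delimiter; stop at EOF */
            break;
    }
    return count;
}

int main(void) {
    const char *ok  = "(define x 1)";                            /* constructed */
    const char *bad = "(define averyveryverylongidentifier 1)";  /* constructed */
    printf("%-40s tokens=%d\n", ok, count_tokens(ok, " ()"));
    printf("%-40s tokens=%d\n", bad, count_tokens(bad, " ()"));
    return 0;
}
```

The design choice worth noting is the return value: a parser that cannot tell "buffer full" from "delimiter seen" will happily continue on a truncated token, so the reader refuses the input and leaves the offending byte in the stream for the caller to report.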
Comment 11 Sebastian Krahmer 2012-07-04 07:18:05 UTC
For me it looks like it's the same patch, but I don't know what
our gimp test experts would say.
Comment 12 Mu Lei 2012-07-05 07:46:11 UTC
Yes, actually they are the same. Either could fix the issue.

If at all possible, I'd like to use the whole newest tinyScheme as the patch, since it's totally independent of GIMP.
Maybe that's too radical?
Comment 20 Matthias Weckbecker 2012-07-12 10:11:04 UTC
Thanks for the submission, Roy. Looks good so far except for two minor issues:

  1) Please always add the bug id to the changes log.
  2) Please also include fix for bnc#769565. It makes sense to include it
     right away instead of doing one after the other.

Thanks! 

PS: Welcome to SUSE, btw! Cool to have you aboard! :)
Comment 22 Swamp Workflow Management 2012-07-13 11:46:08 UTC
The SWAMPID for this issue is 48253.
This issue was rated as moderate.
Please submit fixed packages by 2012-07-27.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 29 Matthias Weckbecker 2012-08-07 10:08:33 UTC
released
Comment 31 Swamp Workflow Management 2012-08-07 13:26:42 UTC
Update released for: gimp, gimp-branding-upstream, gimp-debuginfo, gimp-debugsource, gimp-devel, gimp-doc, gimp-lang, gimp-plugins-python
Products:
SLE-DEBUGINFO 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-DESKTOP 11-SP1 (i386, x86_64)
SLE-DESKTOP 11-SP1-FOR-SP2 (i386, x86_64)
SLE-SDK 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SDK 11-SP1-FOR-SP2 (i386, ia64, ppc64, s390x, x86_64)
Comment 33 Mu Lei 2012-08-22 08:48:47 UTC
Sorry, openSUSE-11.4 request id 131342
Comment 34 Matthias Weckbecker 2012-08-23 10:44:10 UTC
This is not a submitrequest.

mweckbecker@s3gfault:~$ eosc rq show 131342
Request: #131342

  add_role:     person: NalaGinrut as maintainer home:NalaGinrut:branches:openSUSE:11.4:Update/gimp
[...]

Please do it with sr / submitpac / submitreq.
Comment 35 Mu Lei 2012-08-24 02:55:33 UTC
openSUSE-11.4 request id #131467


PS: It throws "maintenance incident" with "osc sr"; I'm not sure if it's the right way. I attached it here.
Correct me if I'm wrong, please. Thanks!

-------------------------warning msg-----------------------------------
nalaginrut@Renee-SUSE:gimp> osc sr
WARNING:
WARNING: Project does not accept submit request, request to open a NEW maintenance incident instead
WARNING:
created request id Request: #131467

  maintenance_incident: home:NalaGinrut:branches:openSUSE:11.4:Update/gimp -> openSUSE:Maintenance (release in openSUSE:11.4:Update)


Message:
- fixed bnc#724628
  VUL-0: CVE-2012-3481: gimp: GIF plugin 'height' / 'len' integer overflow leading to heap-based buffer overflow
- fixed bnc#763595
  VUL-0: CVE-2012-2763: gimp: buffer overflow in script-fu's server component
- fixed bnc#769565
  VUL-1: CVE-2012-3236: gimp: NULL ptr crash in fit format handler
- fixed bnc#775433
  VUL-0: CVE-2012-3403: gimp: Heap buffer overflow when loading external palette files

State:   new        2012-08-24T04:46:54 NalaGinrut
Comment: <no comment>
------------------------------end--------------------------------
Comment 36 Matthias Weckbecker 2012-08-24 10:23:38 UTC
This is the right way. These days we use maintenancerequests instead of the old
submitrequests.
Comment 37 Mu Lei 2012-08-27 04:39:53 UTC
openSUSE-12.1 request id #131726
Comment 38 Marcus Meissner 2012-08-27 07:07:41 UTC
Submission was good, but there were some strange extra changes beyond those mentioned; did you perhaps copy it from some other place?

Anyway, I accepted it.



A submitrequest will be auto-rewritten to a maintenancerequest.

You can also do:

osc mbranch gimp
... check this out ... 
.... fix the packages in their subdirectories ... 
osc maintenancerequest 


or for specific distros use the -M option to branch for maintenance branches.


osc branch -M openSUSE:12.1 gimp
... work like with any other branch.

But again, I accepted your current submit.


MISSING:
- Fix for openSUSE 12.2 (if this is a minor gimp version update, we can take a minor version update)
- Fix for openSUSE Factory (likely can just get the gimp version update containing the fix)
Comment 39 Mu Lei 2012-08-27 08:51:04 UTC
(In reply to comment #38)
> Submission was good, but there were some strange extra changes beyond those mentioned;
> did you perhaps copy it from some other place?
> 
> anyway, i accepted it.
> 
> 

Something was wrong with my request id before, so I revoked it.
And when I sent the request I included all the newest fixes, so it's not only bnc#763595.
You may check out the change log.
Comment 40 Mu Lei 2012-08-29 02:37:28 UTC
openSUSE-12.2 request id #131913
Since the GIMP in 12.2 is 2.8.x, we don't have to fix bnc#763595 &
bnc#769565.
Only for bnc#724628 & bnc#763595


PS: I tried "mbranch" and didn't find openSUSE Factory, so I decided to fix openSUSE-12.2. Correct me if anything is wrong, thanks!
Comment 41 Marcus Meissner 2012-08-29 06:32:22 UTC
Factory submits would happen with a regular branch, e.g.:

osc branch openSUSE:Factory gimp
Comment 42 Mu Lei 2012-08-29 09:52:36 UTC
done.
openSUSE-Factory request id 131929

PS: Only for bnc#724628 & bnc#763595
Comment 43 Marcus Meissner 2012-08-30 07:32:53 UTC
Everything is submitted, back to security team.
Comment 44 Swamp Workflow Management 2012-09-03 09:09:38 UTC
openSUSE-SU-2012:1080-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 724628,763595,769565,775433
CVE References: CVE-2012-2763,CVE-2012-3236,CVE-2012-3403,CVE-2012-3481
Sources used:
openSUSE 12.1 (src):    gimp-2.6.11-28.26.1
openSUSE 11.4 (src):    gimp-2.6.11-13.58.1
Comment 45 Swamp Workflow Management 2012-09-07 09:09:00 UTC
openSUSE-SU-2012:1131-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 724628,763595
CVE References: CVE-2012-2763,CVE-2012-3481
Sources used:
openSUSE 12.2 (src):    gimp-2.8.0-3.5.1
Comment 46 Bernhard Wiedemann 2012-09-07 13:00:23 UTC
This is an autogenerated message for OBS integration:
This bug (763595) was mentioned in
https://build.opensuse.org/request/show/133225 Evergreen:11.2 / gimp
Comment 47 Marcus Meissner 2012-09-07 13:54:56 UTC
We are done, I think.
Comment 48 Bernhard Wiedemann 2012-09-11 12:00:25 UTC
This is an autogenerated message for OBS integration:
This bug (763595) was mentioned in
https://build.opensuse.org/request/show/133620 Evergreen:11.2 / gimp