REDHAT-BUG-704512: Buffer Overflow
First published: Fri May 13 2011(Updated: )
Originally Common Vulnerabilities and Exposures assigned an identifier of <a href="https://access.redhat.com/security/cve/CVE-2010-4543">CVE-2010-4543</a> to the following vulnerability: Heap-based buffer overflow in the read_channel_data function in file-psp.c in the Paint Shop Pro (PSP) plugin in GIMP 2.6.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a PSP_COMP_RLE (aka RLE compression) image file that begins a long run count at the end of the image. NOTE: some of these details are obtained from third party information. Upstream bug report: [1] <a href="https://bugzilla.gnome.org/show_bug.cgi?id=639203">https://bugzilla.gnome.org/show_bug.cgi?id=639203</a> Original patch proposal from Vincent Untz: [2] <a href="https://bugzilla.gnome.org/show_bug.cgi?id=639203#c12">https://bugzilla.gnome.org/show_bug.cgi?id=639203#c12</a> And final patch applied by Gimp upstream was: [3] <a href="http://git.gnome.org/browse/gimp/commit/?id=48ec15890e1751dede061f6d1f469b6508c13439">http://git.gnome.org/browse/gimp/commit/?id=48ec15890e1751dede061f6d1f469b6508c13439</a> Later it was recognized by Nils Philippsen this patch to be incomplete due the following reasoning: I've looked at this a bit further and found that even Vincent Untz's patch didn't take into account that the code that did runlength decoding actually advances by bytespp through the buffer into which it writes, so the runcount needs to be clamped to "(endq - q) / bytespp"(*) in order that subsequent loops don't advance past the end of the buffer. (*): This division is actually safe as bytespp is set by the plugin to one of several known values, therefore can't be 0.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| GIMP |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://access.redhat.com/security/cve/CVE-2010-4543
- https://bugzilla.gnome.org/show_bug.cgi?id=639203
- https://bugzilla.gnome.org/show_bug.cgi?id=639203#c12
- http://git.gnome.org/browse/gimp/commit/?id=48ec15890e1751dede061f6d1f469b6508c13439
- https://access.redhat.com/security/cve/CVE-2011-1782
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=706939
- https://bugzilla.redhat.com/show_bug.cgi?id=704512
- agent/type
- agent/last-modified-date
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2011-1782
- agent/weakness
- agent/severity
- agent/references
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- agent/softwarecombine
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/gimp
- canonical/gimp