Published: 2006-07-06 16:05:00
Revised: 2017-10-10 21:31:01

[Original] Buffer overflow in the xcf_load_vector function in app/xcf/xcf-load.c for gimp before 2.2.12 allows user-assisted attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XCF file with a large num_axes value in the VECTORS property.

[CNNVD] Gimp XCF_load_vector function stack overflow vulnerability (CNNVD-200607-091)

        GIMP, short for GNU Image Manipulation Program, is a cross-platform image-processing application.

- CVSS (base score)

CVSS score: 5.1 [MEDIUM]
Confidentiality impact: [--]
Integrity impact: [--]
Availability impact: [--]
Attack complexity: [--]
Attack vector: [--]
Authentication: [--]

- CPE (affected platforms and products)


- OVAL (technical details for detection)

oval:org.mitre.oval:def:5908  Security Vulnerability in GIMP(1) May Lead to Denial of Service (DoS) or Execution of Arbitrary Code
oval:org.mitre.oval:def:11259  Buffer overflow in the xcf_load_vector function in app/xcf/xcf-load.c for gimp before 2.2.12 allows user-assisted attackers to cause a denia...

- Official database links
(Official source) MITRE
(Official source) NVD
(Official source) CNNVD

- Other links and resources
(UNKNOWN)  BUGTRAQ  20060724 Re: [ GLSA 200607-08 ] GIMP: Buffer overflow
(UNKNOWN)  BUGTRAQ  20060724 ERRATA: [ GLSA 200607-08 ] GIMP: Buffer overflow
(UNKNOWN)  BUGTRAQ  20060724 rPSA-2006-0135-1 gimp
(PATCH)  BID  18877
(UNKNOWN)  VUPEN  ADV-2006-2703
(UNKNOWN)  VUPEN  ADV-2006-4634
(UNKNOWN)  XF  gimp-xcfloadvector-bo(27687)

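- Vulnerability information

Gimp XCF_load_vector function stack overflow vulnerability
Medium severity  Buffer overflow
2006-07-06 00:00:00 2009-03-04 00:00:00
        GIMP, short for GNU Image Manipulation Program, is a cross-platform image-processing application.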

- Advisories and patches


- Vulnerability information (F48465)

Debian Linux Security Advisory 1116-1 (PacketStormID:F48465)
2006-07-24 00:00:00

Debian Security Advisory 1116-1 - Henning Makholm discovered a buffer overflow in the XCF loading code of Gimp, an image editing program. Opening a specially crafted XCF image might cause the application to execute arbitrary code.

--------------------------------------------------------------------------
Debian Security Advisory DSA 1116-1                                   Moritz Muehlenhoff
July 21st, 2006
--------------------------------------------------------------------------

Package        : gimp
Vulnerability  : buffer overflow
Problem-Type   : local(remote)
Debian-specific: no
CVE ID         : CVE-2006-3404
Debian Bug     : 377049

Henning Makholm discovered a buffer overflow in the XCF loading code
of Gimp, an image editing program. Opening a specially crafted XCF
image might cause the application to execute arbitrary code.

For the stable distribution (sarge) this problem has been fixed in
version 2.2.6-1sarge1.

For the unstable distribution (sid) this problem has been fixed in
version 2.2.11-3.1.

We recommend that you upgrade your gimp package.

Upgrade Instructions
--------------------

wget url
        will fetch the file for you
dpkg -i file.deb
        will install the referenced file.

If you are using the apt-get package manager, use the line for
sources.list as given below:

apt-get update
        will update the internal database
apt-get upgrade
        will install corrected packages

You may use an automated update by adding the resources from the
footer to the proper configuration.

Debian GNU/Linux 3.1 alias sarge
--------------------------------

  These files will probably be moved into the stable distribution on
  its next update.

---------------------------------------------------------------------------------
For apt-get: deb stable/updates main
For dpkg-ftp: dists/stable/updates/main
Mailing list:
Package info: `apt-cache show <pkg>' and<pkg>



- Vulnerability information (F48410)

Mandriva Linux Security Advisory 2006.127 (PacketStormID:F48410)
2006-07-20 00:00:00
advisory,denial of service,overflow,arbitrary

Mandriva Linux Security Advisory MDKSA-2006-127 - A buffer overflow in the xcf_load_vector function in app/xcf/xcf-load.c for gimp 2.2.x allows user-complicit attackers to cause a denial of service (crash) and possibly execute arbitrary code via an XCF file with a large num_axes value in the VECTORS property.

 Mandriva Linux Security Advisory                         MDKSA-2006:127
 Package : gimp
 Date    : July 18, 2006
 Affected: 2006.0
 Problem Description:
 A buffer overflow in the xcf_load_vector function in app/xcf/xcf-load.c 
 for gimp 2.2.x allows user-complicit attackers to cause a denial of
 service (crash) and possibly execute arbitrary code via an XCF file
 with a large num_axes value in the VECTORS property.
 Updated packages have been patched to correct this issue.

 Updated Packages:
 Mandriva Linux 2006.0:
 ef770a8f1e5b894589b8f591486e00b9  2006.0/RPMS/gimp-2.2.8-6.1.20060mdk.i586.rpm
 f39e2f6d7bd2e88e47b696b58aa8023b  2006.0/RPMS/gimp-python-2.2.8-6.1.20060mdk.i586.rpm
 465e5b21384bc501d2e991922695811f  2006.0/RPMS/libgimp2.0_0-2.2.8-6.1.20060mdk.i586.rpm
 1df661eb0a251358f5bc7c6e35929b71  2006.0/RPMS/libgimp2.0-devel-2.2.8-6.1.20060mdk.i586.rpm
 708dd714d5514cfb89a947bca6604b73  2006.0/SRPMS/gimp-2.2.8-6.1.20060mdk.src.rpm

 Mandriva Linux 2006.0/X86_64:
 20fe9e1f09f22f770c608303edfad886  x86_64/2006.0/RPMS/gimp-2.2.8-6.1.20060mdk.x86_64.rpm
 a61b7e401cf01bb3715702d557b0fca6  x86_64/2006.0/RPMS/gimp-python-2.2.8-6.1.20060mdk.x86_64.rpm
 e1d614c2befbec26c478eb1303ad887e  x86_64/2006.0/RPMS/lib64gimp2.0_0-2.2.8-6.1.20060mdk.x86_64.rpm
 8b7168186005e221d8aa58d37349d36d  x86_64/2006.0/RPMS/lib64gimp2.0-devel-2.2.8-6.1.20060mdk.x86_64.rpm
 708dd714d5514cfb89a947bca6604b73  x86_64/2006.0/SRPMS/gimp-2.2.8-6.1.20060mdk.src.rpm

 To upgrade automatically use MandrivaUpdate or urpmi.  The verification
 of md5 checksums and GPG signatures is performed automatically for you.

 All packages are signed by Mandriva for security.  You can obtain the
 GPG public key of the Mandriva Security Team by executing:

  gpg --recv-keys --keyserver 0x22458A98

 You can view other update advisories for Mandriva Linux at:

 If you want to report vulnerabilities, please contact


 Type Bits/KeyID     Date       User ID
 pub  1024D/22458A98 2000-07-10 Mandriva Security Team



- Vulnerability information (F48171)

Ubuntu Security Notice 312-1 (PacketStormID:F48171)
2006-07-12 00:00:00

Ubuntu Security Notice 312-1 - Henning Makholm discovered that the gimp does not sufficiently validate the 'num_axes' parameter in XCF files. By tricking a user into opening a specially crafted XCF file with Gimp, an attacker could exploit this to execute arbitrary code with the user's privileges.

Ubuntu Security Notice USN-312-1              July 10, 2006
gimp vulnerability

A security issue affects the following Ubuntu releases:

Ubuntu 5.04
Ubuntu 5.10
Ubuntu 6.06 LTS

This advisory also applies to the corresponding versions of
Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the
following package versions:

Ubuntu 5.04:
  gimp                           2.2.2-1ubuntu5.1
  libgimp2.0                     2.2.2-1ubuntu5.1

Ubuntu 5.10:
  gimp                           2.2.8-2ubuntu6.1
  libgimp2.0                     2.2.8-2ubuntu6.1

Ubuntu 6.06 LTS:
  gimp                           2.2.11-1ubuntu3.1
  libgimp2.0                     2.2.11-1ubuntu3.1

In general, a standard system upgrade is sufficient to effect the
necessary changes.

Details follow:

Henning Makholm discovered that gimp did not sufficiently validate the
'num_axes' parameter in XCF files. By tricking a user into opening a
specially crafted XCF file with Gimp, an attacker could exploit this
to execute arbitrary code with the user's privileges.

Updated packages for Ubuntu 5.04:


Updated packages for Ubuntu 5.10:


Updated packages for Ubuntu 6.06 LTS:



- Vulnerability information

GIMP XCF Parsing xcf_load_vector() Function Overflow
Remote / Network Access Denial of Service, Input Manipulation, Other
Loss of Integrity, Loss of Availability
Exploit Unknown Vendor Verified

- Vulnerability description

A remote overflow exists in Gimp. The xcf_load_vector() function fails to handle XCF files with a large 'num_axes' value resulting in a buffer overflow. With a specially crafted XCF file, an attacker can execute remote arbitrary code or cause denial of service resulting in a loss of integrity or availability.

- Timeline

2006-07-06 Unknown
Unknown Unknown

- Solution

Upgrade to version 2.2.12 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

- Related references

- Vulnerability author

- Vulnerability information

Gimp XCF_load_vector Function Buffer Overflow Vulnerability
Boundary Condition Error 18877
Yes No
2006-07-07 12:00:00 2008-09-10 07:10:00
Henning Makholm discovered this issue.

- Affected software versions

Ubuntu Ubuntu Linux 5.10 sparc
Ubuntu Ubuntu Linux 5.10 powerpc
Ubuntu Ubuntu Linux 5.10 i386
Ubuntu Ubuntu Linux 5.10 amd64
Ubuntu Ubuntu Linux 5.0 4 powerpc
Ubuntu Ubuntu Linux 5.0 4 i386
Ubuntu Ubuntu Linux 5.0 4 amd64
Ubuntu Ubuntu Linux 6.06 LTS sparc
Ubuntu Ubuntu Linux 6.06 LTS powerpc
Ubuntu Ubuntu Linux 6.06 LTS i386
Ubuntu Ubuntu Linux 6.06 LTS amd64
SuSE SUSE Linux Enterprise Server 8
+ Linux kernel 2.4.21
+ Linux kernel 2.4.19
SuSE SUSE Linux Enterprise Server 10
SuSE SUSE Linux Enterprise Desktop 10
Sun Solaris 10_x86
Sun Solaris 10
Sun Java Desktop System (JDS) 2.0
Slackware Linux 10.2
Slackware Linux -current
S.u.S.E. UnitedLinux 1.0
S.u.S.E. SuSE Linux Standard Server 8.0
S.u.S.E. SuSE Linux School Server for i386
S.u.S.E. SUSE LINUX Retail Solution 8.0
S.u.S.E. Open-Enterprise-Server 9.0
S.u.S.E. Open-Enterprise-Server 1
S.u.S.E. Office Server
S.u.S.E. Novell Linux Desktop 9.0
S.u.S.E. Novell Linux Desktop 1.0
S.u.S.E. Linux Professional 10.0 OSS
S.u.S.E. Linux Professional 10.0
S.u.S.E. Linux Professional 9.3 x86_64
S.u.S.E. Linux Professional 9.3
S.u.S.E. Linux Professional 9.2 x86_64
S.u.S.E. Linux Professional 9.2
S.u.S.E. Linux Professional 9.1 x86_64
S.u.S.E. Linux Professional 9.1
S.u.S.E. Linux Professional 10.1
S.u.S.E. Linux Personal 10.0 OSS
S.u.S.E. Linux Personal 9.3 x86_64
S.u.S.E. Linux Personal 9.3
S.u.S.E. Linux Personal 9.2 x86_64
S.u.S.E. Linux Personal 9.2
S.u.S.E. Linux Personal 9.1 x86_64
S.u.S.E. Linux Personal 9.1
S.u.S.E. Linux Personal 10.1
S.u.S.E. Linux Openexchange Server
S.u.S.E. Linux Office Server
S.u.S.E. Linux Enterprise Server for S/390 9.0
S.u.S.E. Linux Enterprise Server for S/390
S.u.S.E. Linux Enterprise Server 9
S.u.S.E. Linux Desktop 1.0
S.u.S.E. Linux Database Server 0
S.u.S.E. Linux Connectivity Server
rPath rPath Linux 1
RedHat Enterprise Linux WS 4
RedHat Enterprise Linux ES 4
RedHat Enterprise Linux Desktop version 4
Red Hat Enterprise Linux AS 4
Mandriva Linux Mandrake 2006.0 x86_64
Mandriva Linux Mandrake 2006.0
GIMP GIMP 2.2.11
Gentoo Linux
Debian Linux 3.1 sparc
Debian Linux 3.1 s/390
Debian Linux 3.1 ppc
Debian Linux 3.1 mipsel
Debian Linux 3.1 mips
Debian Linux 3.1 m68k
Debian Linux 3.1 ia-64
Debian Linux 3.1 ia-32
Debian Linux 3.1 hppa
Debian Linux 3.1 arm
Debian Linux 3.1 amd64
Debian Linux 3.1 alpha
Debian Linux 3.1
Avaya Interactive Response 1.3
Avaya Interactive Response 1.2.1
Avaya Interactive Response
Avaya Integrated Management 2.1
Avaya Integrated Management
GIMP GIMP 2.2.12

- Unaffected software versions

GIMP GIMP 2.2.12

- Vulnerability discussion

Gimp is prone to a buffer-overflow vulnerability because it fails to properly bounds-check user-supplied input data before copying it to an insufficiently sized memory buffer.

An attacker may cause malicious code to execute by forcing the application to read raw data from a malicious image file, with the privileges of the user running the GIMP application.

- Exploit

Currently we are not aware of any exploits for this issue. If you feel we are in error or if you are aware of more recent information, please mail us at:

- Solution

The vendor has released version 2.2.12 to address this issue.

Please see the referenced vendor advisories for more information.

Sun Solaris 10

Sun Solaris 10_x86

GIMP GIMP 2.2.11




- Related references