Date: Sun, 1 Jul 2012 07:41:50 -0700
From: Eitan Adler <lists@eitanadler.com>
To: gnome@freebsd.org
Cc: ports-security@freebsd.org
Subject: Fwd: [oss-security] Re: ScriptFu Server Buffer Overflow in GIMP <= 2.6
Message-ID: <CAF6rxg=m%2BZcqVnSZefXcgGWqrp4D161V-682aBJ%2BP8aLCDOFWQ@mail.gmail.com>
In-Reply-To: <20120701024401.ED97214DBD8@smtp.hushmail.com>
References: <20120701024401.ED97214DBD8@smtp.hushmail.com>
A vulnerability has been found in a port you maintain. If you haven't yet done so please update the port and write up a VuXML report. If you need help feel free to email ports-security@freebsd.org. ---------- Forwarded message ---------- From: <mancha@mac.hush.com> Date: 30 June 2012 19:44 Subject: [oss-security] Re: ScriptFu Server Buffer Overflow in GIMP <= 2.6 To: oss-security@lists.openwall.com Below find a patch for the 2.6.x branch of GIMP to address a potential buffer overflow in the script-fu server (CVE-2012-2763) reported on this list by J. Sheridan (http://www.openwall.com/lists/oss-security/2012/05/31/1) --mancha ====================== Fix for CVE-2012-2763 for GIMP 2.6.x by mancha. Based on commit 76155d79df8d497. Thanks to muks, Kevin, and Ankh for identifying the relevant code change. Ref: Fixed potential buffer overflow in readstr_upto(). ---------- --- a/plug-ins/script-fu/tinyscheme/scheme.c 2012-06-30 +++ b/plug-ins/script-fu/tinyscheme/scheme.c 2012-06-30 @@ -1727,7 +1727,8 @@ static char *readstr_upto(scheme *sc, ch c = inchar(sc); len = g_unichar_to_utf8(c, p); p += len; - } while (c && !is_one_of(delim, c)); + } while ((p - sc->strbuff < sizeof(sc->strbuff)) && + (c && !is_one_of(delim, c))); if(p==sc->strbuff+2 && c_prev=='\\') *p = '\0'; -- Eitan Adler
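Review bot: The new bound in the `while` condition of readstr_upto() is tested only after `len = g_unichar_to_utf8(c, p); p += len;` has already written, so the last permitted iteration can still run past the end of sc->strbuff. g_unichar_to_utf8() can emit up to 6 bytes, and the loop is re-entered whenever `p - sc->strbuff` is anything below `sizeof(sc->strbuff)`, including `sizeof(sc->strbuff) - 1`. A multibyte character starting there overruns by several bytes before the check stops the loop. The terminator written after the loop (`*p = '\0'` in the visible branch) needs a byte of headroom as well. Consider reserving the worst case in the comparison, for example `p - sc->strbuff < sizeof(sc->strbuff) - 7`, or checking the remaining space before the write rather than after it. It is also worth confirming that strbuff is declared as an array in struct scheme, since `sizeof(sc->strbuff)` would yield the pointer size otherwise. A short comment on the loop stating the reserved margin would help future readers.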