Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 30 May 2012 23:38:29 +0100
From: "Joseph Sheridan" <>
To: "'full-disclosure'" <>,
	"'bugtraq'" <>,
	"'vuln'" <>,
Subject: ScriptFu Server Buffer Overflow in GIMP <= 2.6

Vulnerability Summary



There is a buffer overflow in the script-fu server component of GIMP 

(the GNU Image Manipulation Program) in all 2.6 versions (Windows and Linux
versions) affecting both 

the script-fu console and the script-fu network server. A crafted msg to the

script-fu server overflows a buffer and overwrites several function pointers

allowing the attacker to gain control of EIP and potentially execute

code. This issue is fixed in the latest, stable GIMP version (currently


CVE number: CVE-2012-2763

Impact: high

Vendor Homepage:

Date found: 18/05/2012

Found by: Joseph Sheridan of Reaction Information Security



This advisory is posted at:


PoC Code is available here:


Affected Products



Vulnerable Products



The following products are known to be affected by this vulnerability:


  * GIMP <= 2.6.12 (Windows or Linux builds)


Products Confirmed Not Vulnerable



The following products are known not to be affected by this



  * GIMP 2.8.0 (current stable release)





There is a buffer overflow in the command parsing code such that a long

overwrites various function pointers on the heap and gives the attacker full

of EIP. The following command sent to the script-fu server will trigger the 



(file-bmp-load 123







Successful exploitation of the vulnerability may result in remote code




Upgrade to the latest stable version of GIMP (currently 2.8 branch) - the
2.6 branch is 

no longer supported by the GIMP development team.





A workaround would be not to use this feature on a vulnerable version of

The GIMP development team have strongly suggested only using the 

script-fu network server in a secure/sandboxed environment due to 

security concerns.





Future updates of this advisory, if any, will be placed on the ReactionIS

corporate website, but may or may not be actively announced on

mailing lists or newsgroups. Users concerned about this problem are

encouraged to check the URL below for any updates:




Reaction Information Security 

Lombard House Business Centre,

Suite 117,

12-17 Upper Bridge Street,

Canterbury, Kent, CT1 2NF


Phone: +44 (0)1227 785050

Email: research () reactionis {dot} co {dot} uk


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.