Vulnerability CVE-2017-17788

Vulnerability Name:

CVE-2017-17788 (CCN-136547)

Assigned:

2017-12-20

Published:

2017-12-20

Updated:

2022-02-07

Summary:

In GIMP 2.8.22, there is a stack-based buffer over-read in xcf_load_stream in app/xcf/xcf.c when there is no '\0' character after the version string.

CVSS v3 Severity:

5.5 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H)
4.9 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:U/RC:R)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): High

7.8 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
6.9 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:U/RC:R)

Exploitability Metrics:	Attack Vector (AV): Local Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): Required
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): High Integrity (I): High Availibility (A): High

CVSS v2 Severity:

4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): None Availibility (A): Partial

6.8 Medium (CCN CVSS v2 Vector: AV:L/AC:L/Au:S/C:C/I:C/A:C)

Exploitability Metrics:	Access Vector (AV): Local Access Complexity (AC): Low Athentication (Au): Single_Instance
Impact Metrics:	Confidentiality (C): Complete Integrity (I): Complete Availibility (A): Complete

Vulnerability Type:

CWE-125

Vulnerability Consequences:

Gain Access

References:

Source: MITRE
Type: CNA
CVE-2017-17788

Source: CCN
Type: oss-security Mailing List, Tue, 19 Dec 2017 17:11:19 +0100
GIMP parser bugs (FLIMP and more)

Source: MISC
Type: Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2017/12/19/5

Source: CCN
Type: GNOME Bug 790783
(CVE-2017-17788) buffer overread in XCF parser if version field has no null terminator

Source: MISC
Type: Issue Tracking, Third Party Advisory
https://bugzilla.gnome.org/show_bug.cgi?id=790783

Source: XF
Type: UNKNOWN
gimp-cve201717788-bo(136547)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20171223 [SECURITY] [DLA 1220-1] gimp security update

Source: UBUNTU
Type: Third Party Advisory
USN-3539-1

Source: DEBIAN
Type: Third Party Advisory
DSA-4077

Source: CCN
Type: GIMP Web site
GIMP

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2017-17788

Vulnerable Configuration:

Configuration 1:

cpe:/a:gimp:gimp:2.8.22:*:*:*:*:*:*:*

Configuration 2:

cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:9.0:*:*:*:*:*:*:*

OR cpe:/o:debian:debian_linux:7.0:*:*:*:*:*:*:*

Configuration 3:

cpe:/o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.opensuse.security:def:201717788	V	CVE-2017-17788	2022-09-02
oval:org.opensuse.security:def:57108	P	Security update for MozillaFirefox (Important)	2021-10-15
oval:org.opensuse.security:def:47715	P	libgypsy0-0.9-6.22 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47705	P	libexif12-0.6.21-8.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47403	P	libquicktime0-1.2.4-10.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47249	P	emacs-24.3-19.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47549	P	ant-1.9.4-3.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:48353	P	yast2-core-3.3.1-1.7 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47776	P	libquicktime0-1.2.4-14.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:46951	P	glib2-lang-2.48.2-10.2 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47487	P	qemu-2.9.0-5.10 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47463	P	perl-32bit-5.18.2-11.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47613	P	g3utils-1.1.36-58.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47609	P	fontconfig-2.11.1-7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13826	P	gdk-pixbuf-loader-rsvg-2.40.15-4.5 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47042	P	libldap-2_4-2-2.4.41-18.25.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47009	P	libasan2-32bit-5.3.1+r233831-9.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47547	P	accountsservice-0.6.42-16.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47644	P	hyper-v-7-7.5 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47674	P	libXext6-1.3.2-4.3.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:13848	P	hyper-v-7-13.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47189	P	xscreensaver-5.22-7.1 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:47101	P	logrotate-3.8.7-3.14 on GA media (Moderate)	2021-08-16
oval:org.opensuse.security:def:46819	P	perl-YAML-LibYAML-0.38-10.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46684	P	java-1_7_0-openjdk-1.7.0.91-21.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46494	P	liblzo2-2-2.08-1.13 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46877	P	xorg-x11-server-7.6_1.15.2-36.21 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48407	P	dstat-0.7.2-1.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48414	P	expat-2.1.0-17.1 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46493	P	liblua5_2-32bit-5.2.2-4.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46507	P	libpoppler-glib8-0.24.4-3.14 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46549	P	pcsc-ccid-1.4.14-1.42 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:48468	P	libXi6-1.7.4-9.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46548	P	patch-2.7.1-5.127 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46627	P	cifs-utils-6.4-6.4 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:46563	P	python-libxml2-2.9.1-6.2 on GA media (Moderate)	2021-06-08
oval:org.opensuse.security:def:57182	P	Security update for the Linux Kernel (Live Patch 37 for SLE 12 SP3) (Important)	2021-03-17
oval:org.opensuse.security:def:26204	P	Security update for freeradius-server (Low)	2021-03-04
oval:org.opensuse.security:def:55832	P	Security update for openssh (Moderate)	2021-01-05
oval:org.opensuse.security:def:12875	P	emacs-24.3-25.3.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:13005	P	libjavascriptcoregtk-3_0-0-2.4.11-23.20 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:13175	P	sblim-sfcb-1.4.8-17.3.4 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:12897	P	gnome-settings-daemon-3.20.1-50.16.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:13024	P	libmpfr4-3.1.2-7.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:13188	P	sysconfig-0.84.0-13.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:12943	P	libSDL-1_2-0-1.2.15-15.11.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:13099	P	libxcb-dri2-0-1.10-4.3.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:12990	P	libgme0-0.6.0-5.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:13124	P	openvpn-2.3.8-16.20.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:13166	P	rpcbind-0.2.3-24.9.1 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:12867	P	dosfstools-3.0.26-6.5 on GA media (Moderate)	2020-12-03
oval:org.opensuse.security:def:55639	P	Security update for strongswan (Important)	2020-12-01
oval:org.opensuse.security:def:24854	P	Security update for vino (Moderate)	2020-12-01
oval:org.opensuse.security:def:18231	P	Security update for bind (Moderate)	2020-12-01
oval:org.opensuse.security:def:18440	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:18398	P	Security update for libquicktime (Moderate)	2020-12-01
oval:org.opensuse.security:def:18640	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:24872	P	Security update for squid (Important)	2020-12-01
oval:org.opensuse.security:def:25218	P	Security update for samba (Moderate)	2020-12-01
oval:org.opensuse.security:def:24865	P	Security update for MozillaFirefox, MozillaFirefox-branding-SLE, llvm4, mozilla-nspr, mozilla-nss, apache2-mod_nss (Important)	2020-12-01
oval:org.opensuse.security:def:25194	P	Security update for adns (Important)	2020-12-01
oval:org.opensuse.security:def:18497	P	Security update for oracleasm kmp (Moderate)	2020-12-01
oval:org.opensuse.security:def:19195	P	Security update for gimp (Moderate)	2020-12-01
oval:org.opensuse.security:def:54309	P	libsilc-1_1-2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:54882	P	libksba8 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:55547	P	Security update for MozillaFirefox, mozilla-nspr, mozilla-nss (Important)	2020-12-01
oval:org.opensuse.security:def:19405	P	Security update for bluez (Important)	2020-12-01
oval:org.opensuse.security:def:18047	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:25566	P	Security update for openexr (Moderate)	2020-12-01
oval:org.opensuse.security:def:25583	P	Security update for python36 (Important)	2020-12-01
oval:org.opensuse.security:def:55713	P	Security update for ImageMagick (Important)	2020-12-01
oval:org.opensuse.security:def:18055	P	Security update for java-1_7_1-ibm (Important)	2020-12-01
oval:org.opensuse.security:def:18262	P	Security update for curl (Moderate)	2020-12-01
oval:org.opensuse.security:def:54308	P	libruby2_1-2_1 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:18456	P	Security update for git (Important)	2020-12-01
oval:org.opensuse.security:def:18673	P	Security update for MozillaFirefox, mozilla-nspr and mozilla-nss (Important)	2020-12-01
oval:org.opensuse.security:def:24998	P	Security update for tcpdump (Moderate)	2020-12-01
oval:org.opensuse.security:def:25368	P	Security update for libX11 (Important)	2020-12-01
oval:org.opensuse.security:def:24929	P	Security update for openssh (Important)	2020-12-01
oval:org.opensuse.security:def:25278	P	Security update for mozilla-nspr, mozilla-nss (Important)	2020-12-01
oval:org.opensuse.security:def:18509	P	Security update for bluez (Moderate)	2020-12-01
oval:org.opensuse.security:def:54331	P	libzip2 on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:54988	P	ppp on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:18731	P	Security update for corosync (Important)	2020-12-01
oval:org.opensuse.security:def:19431	P	Security update for gimp (Moderate)	2020-12-01
oval:org.opensuse.security:def:18269	P	Security update for graphite2 (Important)	2020-12-01
oval:org.opensuse.security:def:25627	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:55751	P	Security update for strongswan (Important)	2020-12-01
oval:org.opensuse.security:def:18089	P	Security update for libxml2 (Moderate)	2020-12-01
oval:org.opensuse.security:def:18298	P	Security update for ImageMagick (Moderate)	2020-12-01
oval:org.opensuse.security:def:18277	P	Security update for libxslt (Moderate)	2020-12-01
oval:org.opensuse.security:def:18490	P	Security update for evince (Important)	2020-12-01
oval:org.opensuse.security:def:25079	P	Security update for java-1_7_0-openjdk (Important)	2020-12-01
oval:org.opensuse.security:def:25421	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:25056	P	Security update for samba (Important)	2020-12-01
oval:org.opensuse.security:def:25428	P	Security update for LibVNCServer (Important)	2020-12-01
oval:org.opensuse.security:def:18531	P	Security update for ImageMagick (Important)	2020-12-01
oval:org.opensuse.security:def:54471	P	fuse on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:55154	P	kbd on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:18743	P	Security update for librsvg (Moderate)	2020-12-01
oval:org.opensuse.security:def:25508	P	Security update for mailman (Important)	2020-12-01
oval:org.opensuse.security:def:26239	P	Security update for gimp (Moderate)	2020-12-01
oval:org.opensuse.security:def:26265	P	Security update for guile (Low)	2020-12-01
oval:org.opensuse.security:def:24799	P	Security update for krb5 (Moderate)	2020-12-01
oval:org.opensuse.security:def:18174	P	Security update for webkit2gtk3 (Important)	2020-12-01
oval:org.opensuse.security:def:18408	P	Security update for librsvg (Low)	2020-12-01
oval:org.opensuse.security:def:18312	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:18528	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:24809	P	Security update for MozillaFirefox (Important)	2020-12-01
oval:org.opensuse.security:def:25135	P	Security update for xen (Important)	2020-12-01
oval:org.opensuse.security:def:25137	P	Security update for SDL (Moderate)	2020-12-01
oval:org.opensuse.security:def:25481	P	Security update for the Linux Kernel (Important)	2020-12-01
oval:org.opensuse.security:def:19169	P	Security update for openssl-1_0_0 (Moderate)	2020-12-01
oval:org.opensuse.security:def:54709	P	xorg-x11-libs on GA media (Moderate)	2020-12-01
oval:org.opensuse.security:def:55439	P	Security update for openvpn (Important)	2020-12-01
oval:org.opensuse.security:def:18767	P	Security update for libssh2_org (Important)	2020-12-01
oval:org.opensuse.security:def:25522	P	Security update for vim (Moderate)	2020-12-01
oval:org.opensuse.security:def:25569	P	Security update for tomcat (Important)	2020-12-01
oval:org.opensuse.security:def:26300	P	Security update for gimp (Moderate)	2020-12-01
oval:org.opensuse.security:def:79816	P	Security update for gimp (Moderate)	2020-03-06
oval:org.opensuse.security:def:125051	P	Security update for gimp (Moderate)	2020-03-06
oval:org.opensuse.security:def:126152	P	Security update for gimp (Moderate)	2020-03-06
oval:org.opensuse.security:def:127484	P	Security update for gimp (Moderate)	2020-03-06
oval:com.ubuntu.xenial:def:2017177880000000	V	CVE-2017-17788 on Ubuntu 16.04 LTS (xenial) - low.	2017-12-20
oval:com.ubuntu.artful:def:201717788000	V	CVE-2017-17788 on Ubuntu 17.10 (artful) - low.	2017-12-20
oval:com.ubuntu.xenial:def:201717788000	V	CVE-2017-17788 on Ubuntu 16.04 LTS (xenial) - low.	2017-12-20
oval:com.ubuntu.disco:def:2017177880000000	V	CVE-2017-17788 on Ubuntu 19.04 (disco) - low.	2017-12-20
oval:com.ubuntu.bionic:def:201717788000	V	CVE-2017-17788 on Ubuntu 18.04 LTS (bionic) - low.	2017-12-20
oval:com.ubuntu.cosmic:def:2017177880000000	V	CVE-2017-17788 on Ubuntu 18.10 (cosmic) - low.	2017-12-20
oval:com.ubuntu.cosmic:def:201717788000	V	CVE-2017-17788 on Ubuntu 18.10 (cosmic) - low.	2017-12-20
oval:com.ubuntu.bionic:def:2017177880000000	V	CVE-2017-17788 on Ubuntu 18.04 LTS (bionic) - low.	2017-12-20
oval:com.ubuntu.trusty:def:201717788000	V	CVE-2017-17788 on Ubuntu 14.04 LTS (trusty) - low.	2017-12-20

BACK