176226 2007-04-27 11:29 0000 media-gfx/gimp buffer overflow in sunras plugin (CVE-2007-2356) 2007-05-11 02:04:26 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://secunia.com/advisories/25012/ A2 [glsa] p-y P2 enhancement --- 168131 1 py@gentoo.org security@gentoo.org hanno@gentoo.org py@gentoo.org 2007-04-27 11:29:38 0000 Marsu has discovered a vulnerability in Gimp, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error within the "set_color_table()" function in plug-ins/common/sunras.c. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted .RAS file. Successful exploitation may allow the execution of arbitrary code. The vulnerability is confirmed in version 2.2.14. Other versions may also be affected. Solution: Do not open untrusted .RAS files. py@gentoo.org 2007-04-27 11:31:11 0000 setting status and cc'ing maintainer. hanno@gentoo.org 2007-04-27 16:04:13 0000 No patch, no upstream information... I'll try to get some statement from upstream asap. hanno@gentoo.org 2007-04-28 07:35:13 0000 Bumped with patch from upstream svn. Fixed in 2.2.14 and 2.3.16. Archs please go on with stablemarking 2.2.14. armin76@gentoo.org 2007-04-28 16:03:05 0000 ia64 + x86 stable hanno@gentoo.org 2007-04-28 17:43:05 0000 mips, fyi, I've removed the ~mips-keyword from 2.3.16, if you wanna have gimp 2.4 look that you get your dependencies ready. gustavoz@gentoo.org 2007-04-30 17:42:58 0000 sparc stable. corsair@gentoo.org 2007-05-01 12:50:39 0000 ppc64 stable yoswink@gentoo.org 2007-05-02 09:34:45 0000 alpha stable. dang@gentoo.org 2007-05-02 18:53:23 0000 amd64 done. dertobi123@gentoo.org 2007-05-03 18:42:30 0000 ppc stable je_fro@gentoo.org 2007-05-04 16:22:27 0000 gimp--2.2.14 fails with collision-detect on * checking 1768 files for package collisions existing file /usr/lib64/gimp/2.0/python/gimpenums.pyc is not owned by this package existing file /usr/lib64/gimp/2.0/python/gimpfu.pyc is not owned by this package 1000 files checked ... hanno@gentoo.org 2007-05-04 17:32:20 0000 Jeffrey, collision with what? I can't think of another package owning these files, so I wonder why they are there on your system. jer@gentoo.org 2007-05-05 12:06:13 0000 hppa cannot currently test gimp, as we need glibc-2.5 stable before gimp will work (again). Right now, gimp does not even finish loading, and hangs before it could possibly do damage through this vulnerability. When hppa's glibc-2.5 ship comes in, I will be sure to revisit gimp, test it and mark it, but as for now, gimp cannot possibly pose a threat. Please move forward without us. hanno@gentoo.org 2007-05-06 16:51:59 0000 security: I think we're ready for GLSA. collission-issues should be fixed now, but anyway, if they still occur, please open a new bug as they've nothing to do with this security-issue. falco@gentoo.org 2007-05-07 21:53:20 0000 GLSA 200705-08 is out! falco@gentoo.org 2007-05-07 21:55:24 0000 well hum, keeping opened in "enhancement" pending hppa/glibc resolution. Feel hanno@gentoo.org 2007-05-07 22:09:26 0000 sorry for crashing the party, but I think the glsa is wrong. It's not "fixed in >=2.2.14", but "fixed in (>=2.2.14 <2.2.999) and >=2.3.16. It's important that ~-users update their gimp 2.3.x as well (and, of course, svn/9999-users shoudl re-merge). Don't know if this is worth releasing an updated glsa, I leave this up to security. jaervosz@gentoo.org 2007-05-08 05:49:07 0000 2.3.x seems to be marked ~ so we don't consider that. However I do think that the GLSA lacks a warning for hppa users. falco@gentoo.org 2007-05-08 06:13:58 0000 Hi jer or any member of HPPA team, please could you fix the keywording stuff of gimp so that the hppa users don't remain with an apparently/possibly vulnerable version on their system: - either mark stable 2.2.14, - either dekeyword 2.2.*, as you prefer, thanks jer@gentoo.org 2007-05-08 14:27:09 0000 (In reply to comment #19) > Hi jer or any member of HPPA team, Hi there! > - either mark stable 2.2.14, Done. falco@gentoo.org 2007-05-08 20:04:49 0000 Thanks Jeroen kumba@gentoo.org 2007-05-11 02:04:26 0000 mips done