CVE-2009-1570 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-1570): Integer overflow in the ReadImage function in plug-ins/file-bmp/bmp-read.c in GIMP 2.6.7 might allow remote attackers to execute arbitrary code via a BMP file with crafted width and height values that trigger a heap-based buffer overflow.
Just a sidenote, hello from the QA team. Hanno is currently not entirely active in gimp development (last commit on 18 March). We would recommend that someone who cares backport the patch and stabilize 2.9.7; then dropping all older versions should proceed. Cheers
I've added 2.6.7-r1 with the patch from gimp git. I found no sample bmp in the security reports so I couldn't test it but it should be fine. CC-ing archs. ppc64 also needs to stabilize babl and gegl. mips and x86-fbsd have no keyword on 2.6.7-r1 yet, cc-ing them also. If you can't re-keyword 2.6.7-r1, your arch will be without gimp soon.
Stable for HPPA.
amd64/x86 stable
Secunia discovered more heap-based buffer overflows when parsing .PSD files (CVE-2009-3909): http://secunia.com/secunia_research/2009-43/ The following two commits fix the PSD issue: http://git.gnome.org/cgit/gimp/commit/?h=gimp-2-6&id=88eccea84aa375197cc04a2a0e2e29debb56bfa5 http://git.gnome.org/cgit/gimp/commit/?h=gimp-2-6&id=687ec47914ec08d6e460918cb641c196d80140a3 According to upstream, a new 2.6 release is planned "in the next few days"
The patch linked in $URL is not sufficient. These are also required to fix the BMP issue: http://git.gnome.org/cgit/gimp/commit/?h=gimp-2-6&id=0214e1ff271a5310731de81d00450a92d9bf0fcd http://git.gnome.org/cgit/gimp/commit/?h=gimp-2-6&id=6e8ff603a2ee6a0940373723d1f075930dfd3ce0 http://git.gnome.org/cgit/gimp/commit/?h=gimp-2-6&id=153ae579f7e7508d7a5b95bd569e91890f6b666e Maybe we should wait for an official release.
*** Bug 287478 has been marked as a duplicate of this bug. ***
CVE-2009-3909 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3909): Integer overflow in the read_channel_data function in plug-ins/file-psd/psd-load.c in GIMP 2.6.7 might allow remote attackers to execute arbitrary code via a crafted PSD file that triggers a heap-based buffer overflow.
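Both CVE descriptions above name the same defect class: an image size computed from attacker-controlled header fields (width, height, channel count) wraps around, so the buffer allocated is smaller than the data later written into it. The following is an added example, not code from GIMP or from the commits linked in this bug, showing how a loader can detect the wrap before allocating. The function names and the dimension values used in the comments are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Multiply a * b into *out, returning 0 if the product does not fit in size_t.
 * Assumption (example code): the caller treats 0 as "reject this file". */
static int checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return 0;                 /* product would wrap */
    *out = a * b;
    return 1;
}

/* Unchecked 32-bit computation of the kind that goes wrong: the product is
 * reduced modulo 2^32, so e.g. 0x10000 x 0x10000 x 1 yields 0 bytes. */
uint32_t naive_buffer_size32(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * bpp;
}

/* Overflow-checked size: width * height * bytes-per-pixel, or 0 on wrap /
 * zero dimension. Result is written to *out only on success. */
int image_buffer_size(uint32_t width, uint32_t height, uint32_t bpp, size_t *out)
{
    size_t pixels, bytes;

    if (width == 0 || height == 0 || bpp == 0)
        return 0;                 /* a zero-sized image is not a valid image */
    if (!checked_mul((size_t)width, (size_t)height, &pixels))
        return 0;
    if (!checked_mul(pixels, (size_t)bpp, &bytes))
        return 0;
    *out = bytes;
    return 1;
}

/* Allocate the pixel buffer only after the size check passes and the size is
 * within a caller-supplied limit (a decoder should also cap memory use, since
 * a non-wrapping but huge size is still a denial-of-service vector).
 * Returns NULL on any rejection; the caller frees the result. */
unsigned char *alloc_image(uint32_t width, uint32_t height, uint32_t bpp,
                           size_t max_bytes)
{
    size_t bytes;

    if (!image_buffer_size(width, height, bpp, &bytes))
        return NULL;
    if (bytes > max_bytes)
        return NULL;
    return calloc(bytes, 1);      /* zero-filled so uninitialised rows never leak */
}
```

The division-based check in `checked_mul` is portable C89; on compilers that provide it, `__builtin_mul_overflow` expresses the same test in one call. The key property is that the check happens on the widened `size_t` operands before any allocation, and that the later per-row write loop uses the same checked `bytes` value rather than recomputing from the raw header fields.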
Added 2.6.8. Citing myself from comment #2: ppc64 also needs to stabilize babl and gegl. mips and x86-fbsd have no keyword on 2.6.8 yet, cc-ing them also. If you can't re-keyword 2.6.8, your arch will be without gimp soon.
ppc64 done
amd64 stable
x86 stable
alpha/ia64/sparc stable, and bsd/mips don't do stable keywords.
Marked ppc stable.
bsd/mips don't have keywords at all on 2.6.8, so they'll lose gimp support altogether. I wrote them a mail, though I'll remove all old ebuilds within a few days. Otherwise I think we're ready for a GLSA. I think it deserves a GLSA; security, what do you think?
No vote needed. GLSA request filed according to policy (http://www.gentoo.org/security/en/vulnerability-policy.xml).
This issue was resolved and addressed in GLSA 201209-23 at http://security.gentoo.org/glsa/glsa-201209-23.xml by GLSA coordinator Sean Amoss (ackle).