Marsu has discovered a vulnerability in Gimp, which can be exploited by malicious people to compromise a user's system. The vulnerability is caused due to an error within the "set_color_table()" function in plug-ins/common/sunras.c. This can be exploited to cause a stack-based buffer overflow by e.g. tricking a user into opening a specially crafted .RAS file. Successful exploitation may allow the execution of arbitrary code. The vulnerability is confirmed in version 2.2.14. Other versions may also be affected. Solution: Do not open untrusted .RAS files.
setting status and cc'ing maintainer.
No patch, no upstream information... I'll try to get some statement from upstream asap.
Bumped with patch from upstream svn. Fixed in 2.2.14 and 2.3.16. Archs please go on with stablemarking 2.2.14.
ia64 + x86 stable
mips, fyi, I've removed the ~mips-keyword from 2.3.16, if you wanna have gimp 2.4 look that you get your dependencies ready.
sparc stable.
ppc64 stable
alpha stable.
amd64 done.
ppc stable
gimp--2.2.14 fails with collision-detect on
 * checking 1768 files for package collisions
existing file /usr/lib64/gimp/2.0/python/gimpenums.pyc is not owned by this package
existing file /usr/lib64/gimp/2.0/python/gimpfu.pyc is not owned by this package
1000 files checked ...
Jeffrey, collision with what? I can't think of another package owning these files, so I wonder why they are there on your system.
hppa cannot currently test gimp, as we need glibc-2.5 stable before gimp will work (again). Right now, gimp does not even finish loading, and hangs before it could possibly do damage through this vulnerability. When hppa's glibc-2.5 ship comes in, I will be sure to revisit gimp, test it and mark it, but as for now, gimp cannot possibly pose a threat. Please move forward without us.
security: I think we're ready for GLSA. collision-issues should be fixed now, but anyway, if they still occur, please open a new bug as they've nothing to do with this security-issue.
GLSA 200705-08 is out!
well hum, keeping opened in "enhancement" pending hppa/glibc resolution. Feel
sorry for crashing the party, but I think the glsa is wrong. It's not "fixed in >=2.2.14", but "fixed in (>=2.2.14 <2.2.999) and >=2.3.16". It's important that ~-users update their gimp 2.3.x as well (and, of course, svn/9999-users should re-merge). Don't know if this is worth releasing an updated glsa, I leave this up to security.
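The range question raised in the comment above, as an added example that is not part of the original thread or of Gentoo's tooling: it evaluates the single range quoted from the GLSA and the two-range expression the comment proposes against a few versions, and lists where they disagree. The helper names are hypothetical, the sample versions are constructed, and the parser is simplified to dotted numeric versions (no -rN revisions or suffixes).

```python
# Added illustration: compares the GLSA's single range with the two-range
# expression proposed in the thread. Helper names are hypothetical and the
# parser is simplified (dotted numeric versions only, no -rN or suffixes).

def parse(version):
    """Turn '2.3.16' into (2, 3, 16) so versions compare as tuples."""
    return tuple(int(part) for part in version.split("."))

OPS = {
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
}

def matches(version, atoms):
    """True if version satisfies every (operator, bound) atom in the list."""
    v = parse(version)
    return all(OPS[op](v, parse(bound)) for op, bound in atoms)

def is_fixed(version, ranges):
    """True if version falls in any of the 'fixed' ranges (OR of ANDs)."""
    return any(matches(version, atoms) for atoms in ranges)

# Range as quoted from the GLSA in the comment: fixed in >=2.2.14
GLSA_AS_PUBLISHED = [[(">=", "2.2.14")]]
# Range proposed in the comment: (>=2.2.14 <2.2.999) together with >=2.3.16
PROPOSED = [[(">=", "2.2.14"), ("<", "2.2.999")], [(">=", "2.3.16")]]

def disagreements(versions):
    """Versions the published range calls fixed but the proposed one does not."""
    return [v for v in versions
            if is_fixed(v, GLSA_AS_PUBLISHED) and not is_fixed(v, PROPOSED)]

if __name__ == "__main__":
    # Constructed sample of installed versions, not taken from the thread.
    sample = ["2.2.13", "2.2.14", "2.3.10", "2.3.15", "2.3.16"]
    for v in sample:
        print(v, is_fixed(v, GLSA_AS_PUBLISHED), is_fixed(v, PROPOSED))
    print("reported fixed but not covered:", disagreements(sample))
```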
2.3.x seems to be marked ~ so we don't consider that. However I do think that the GLSA lacks a warning for hppa users.
Hi jer or any member of HPPA team, please could you fix the keywording stuff of gimp so that the hppa users don't remain with an apparently/possibly vulnerable version on their system:
- either mark stable 2.2.14,
- either dekeyword 2.2.*,
as you prefer, thanks
(In reply to comment #19)
> Hi jer or any member of HPPA team,
Hi there!
> - either mark stable 2.2.14,
Done.
Thanks Jeroen
mips done