Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 379289 (CVE-2011-2896)

Summary: <media-gfx/gimp-2.6.11-r5 Buffer Overflow Vulnerability (CVE-2011-2896)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: hanno, mjo
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://git.gnome.org/browse/gimp/commit/?id=376ad788c1a1c31d40f18494889c383f6909ebfc
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2011-08-15 16:35:32 UTC 
Patch at $URL
Comment 1 Sebastian Pipping gentoo-dev 2011-09-03 19:27:09 UTC 
+*gimp-2.6.11-r5 (03 Sep 2011)
+
+  03 Sep 2011; Sebastian Pipping <sping@gentoo.org> +gimp-2.6.11-r5.ebuild,
+  +files/gimp-2.6.11-cve-2011-2896.patch:
+  Integrate patch for security issue CVE-2011-2896 (bug #379289)
+

Do we need a dedicated bug for stabalizing 2.6.11-r5?
Comment 2 Agostino Sarubbo gentoo-dev 2011-09-04 00:50:27 UTC 
Thanks Sebastian,

(In reply to comment #1)
> Do we need a dedicated bug for stabalizing 2.6.11-r5?

We usually stabilize in the same bug.


Arches, please test and mark stable:
=media-gfx/gimp-2.6.11-r5 
target KEYWORDS : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-09-04 00:51:32 UTC 
*** Bug 368967 has been marked as a duplicate of this bug. ***
Comment 4 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-09-04 04:42:31 UTC 
amd64: pass
Comment 5 Agostino Sarubbo gentoo-dev 2011-09-04 10:24:05 UTC 
amd64 ok
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-09-04 19:30:29 UTC 
x86 stable
Comment 7 Tony Vroon (RETIRED) gentoo-dev 2011-09-04 19:42:28 UTC 
+  04 Sep 2011; Tony Vroon <chainsaw@gentoo.org> gimp-2.6.11-r5.ebuild:
+  Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El
+  Lazkani & Agostino "ago" Sarubbo in security bug #379289.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2011-09-09 14:26:55 UTC 
Stable for HPPA.
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-09-10 17:40:19 UTC 
alpha/ia64/sparc stable
Comment 10 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-12 15:20:53 UTC 
ppc/ppc64 stable, last arch done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-09-12 15:31:38 UTC 
Thanks, everyone. Added to existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:43:54 UTC 
CVE-2011-2896 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-2896):
  The LZW decompressor in the LWZReadByte function in giftoppm.c in the David
  Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in
  filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in
  plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte
  function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and
  other products, does not properly handle code words that are absent from the
  decompression table when encountered, which allows remote attackers to
  trigger an infinite loop or a heap-based buffer overflow, and possibly
  execute arbitrary code, via a crafted compressed stream, a related issue to
  CVE-2006-1168 and CVE-2011-2895.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-09-28 11:43:21 UTC 
This issue was resolved and addressed in
 GLSA 201209-23 at http://security.gentoo.org/glsa/glsa-201209-23.xml
by GLSA coordinator Sean Amoss (ackle).