| Summary | <media-libs/gegl-0.2.0-r2: PPM Image Processing Integer Overflow Vulnerability (CVE-2012-4433) | | |
|---|---|---|---|
| Product | Gentoo Security | Reporter | Agostino Sarubbo <ago> |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED | | |
| Severity | normal | CC | pacho, sping |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | http://www.openwall.com/lists/oss-security/2012/11/06/1 | | |
| Whiteboard | B2 [glsa] | | |
| Package list | | Runtime testing required | --- |
| Bug Depends on | 481736 | | |
| Bug Blocks | | | |
Description: Agostino Sarubbo, 2012-11-06 10:41:00 UTC
---

```
+*gegl-0.2.0-r1 (06 Nov 2012)
+
+  06 Nov 2012; Sebastian Pipping <sping@gentoo.org> +gegl-0.2.0-r1.ebuild,
+  +files/gegl-0.2.0-cve-2012-4433-1e92e523.patch,
+  +files/gegl-0.2.0-cve-2012-4433-4757cdf7.patch:
+  Integrate Redhat patches for CVE-2012-4433 (bug #442016)
+
```

0.1.6 and 0.1.8 unchecked.

---

Thanks, Sebastian. 0.1.6 and 0.1.8 appear to also be affected. Is =media-libs/gegl-0.2.0-r1 ready for stabilization?

---

(In reply to comment #2)
> Thanks, Sebastian. 0.1.6 and 0.1.8 appear to also be affected. Is
> =media-libs/gegl-0.2.0-r1 ready for stabilization?

One of the two patches needed minimal "porting"...

```
+*gegl-0.1.8-r1 (17 Nov 2012)
+*gegl-0.1.6-r1 (17 Nov 2012)
+
+  17 Nov 2012; Sebastian Pipping <sping@gentoo.org> +gegl-0.1.6-r1.ebuild,
+  +gegl-0.1.8-r1.ebuild, +files/gegl-0.1.8-cve-2012-4433-4757cdf7.patch:
+  Patch 0.1.6 and 0.1.8 for CVE-2012-4433, too (bug #442016)
+
```

---

CVE-2012-4433 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4433):

Multiple integer overflows in operations/external/ppm-load.c in GEGL (Generic Graphics Library) 0.2.0 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a large (1) width or (2) height value in a Portable Pixel Map (ppm) image, which triggers a heap-based buffer overflow.

---

(In reply to comment #3)
> (In reply to comment #2)
> > Thanks, Sebastian. 0.1.6 and 0.1.8 appear to also be affected. Is
> > =media-libs/gegl-0.2.0-r1 ready for stabilization?
>
> One of the two patches needed minimal "porting"...
>
> +*gegl-0.1.8-r1 (17 Nov 2012)
> +*gegl-0.1.6-r1 (17 Nov 2012)
> +
> +  17 Nov 2012; Sebastian Pipping <sping@gentoo.org> +gegl-0.1.6-r1.ebuild,
> +  +gegl-0.1.8-r1.ebuild, +files/gegl-0.1.8-cve-2012-4433-4757cdf7.patch:
> +  Patch 0.1.6 and 0.1.8 for CVE-2012-4433, too (bug #442016)
> +

Thanks, Sebastian. Shall we stabilize 0.1.6-r1 then, or another version?
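The CVE text quoted in this thread names the root cause: width and height taken from an untrusted PPM header are multiplied to size a heap buffer, and the product wraps, so the allocation is far smaller than the pixel data later copied into it. The C example below is added here as an illustration of that bug class; it is not GEGL's ppm-load.c, not code from the patches named in this bug, and not part of any comment. The function names, the MAX_PIXELS policy cap and the two sample headers are constructed for this example. It places the unchecked size computation next to a checked one, so that a reader can see the 32-bit product wrap for a crafted header and the checked path reject the same header before any allocation happens.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed illustration of the bug class in CVE-2012-4433 (integer
 * overflow when a PPM loader sizes its pixel buffer from header-supplied
 * width and height).  Nothing here is GEGL's code; the function names and
 * the MAX_PIXELS policy cap are assumptions made for this example. */

#define PPM_CHANNELS 3UL                  /* binary P6 PPM: RGB, 1 byte per channel when maxval <= 255 */
#define MAX_PIXELS   (64UL * 1024 * 1024) /* hypothetical cap: 64 Mpixel (about 192 MiB of RGB) */

/* Unchecked pattern: width * height * channels computed in 32 bits.
 * For a crafted header the product wraps modulo 2^32, so malloc() receives a
 * small size while the decoder still copies width*height*3 bytes into it. */
uint32_t unchecked_ppm_size(unsigned long width, unsigned long height)
{
    uint32_t w = (uint32_t)width, h = (uint32_t)height;
    return w * h * (uint32_t)PPM_CHANNELS;   /* unsigned wrap, no trap */
}

/* Hardened pattern: reject zero dimensions, enforce an explicit pixel budget,
 * and prove each multiplication cannot overflow before performing it.
 * Returns the byte count, or 0 if the dimensions are rejected. */
size_t checked_ppm_size(unsigned long width, unsigned long height)
{
    if (width == 0 || height == 0)
        return 0;
    if (width > MAX_PIXELS / height)         /* width * height would exceed the cap */
        return 0;
    size_t pixels = (size_t)width * height;  /* <= MAX_PIXELS, so it cannot wrap */
    if (pixels > SIZE_MAX / PPM_CHANNELS)    /* pixels * 3 would wrap size_t */
        return 0;
    return pixels * PPM_CHANNELS;
}

/* Parse a binary-PPM header (magic, width, height, maxval) and return the
 * pixel-buffer size the hardened check allows, or 0 on any rejection.
 * Simplified for the example: '#' comment lines are not handled, and maxval
 * is restricted to 1..255 so that one byte per channel is the right size. */
size_t ppm_buffer_size_from_header(const char *header)
{
    unsigned long width, height, maxval;
    if (sscanf(header, "P6 %lu %lu %lu", &width, &height, &maxval) != 3)
        return 0;
    if (maxval == 0 || maxval > 255)
        return 0;
    return checked_ppm_size(width, height);
}

int main(void)
{
    /* Constructed headers: a normal 640x480 image and a crafted one whose
     * 65536x65537 pixel count wraps to 65536 in 32-bit arithmetic. */
    const char *benign  = "P6\n640 480\n255\n";
    const char *crafted = "P6\n65536 65537\n255\n";

    printf("benign : unchecked=%u checked=%zu\n",
           unchecked_ppm_size(640, 480), ppm_buffer_size_from_header(benign));
    printf("crafted: unchecked=%u checked=%zu\n",
           unchecked_ppm_size(65536, 65537), ppm_buffer_size_from_header(crafted));

    /* Allocate only after the check passes; a rejected header never reaches malloc(). */
    size_t n = ppm_buffer_size_from_header(crafted);
    unsigned char *buf = n ? malloc(n) : NULL;
    if (buf == NULL)
        fputs("crafted header rejected before allocation\n", stderr);
    free(buf);
    return 0;
}
```

The division form `width > MAX_PIXELS / height` is used instead of multiplying and comparing because the multiplication itself is the operation that can wrap; dividing the cap first keeps every intermediate value inside range. The pixel cap is a deployment policy rather than a correctness requirement, but without some cap a header can still request a legitimate-looking multi-gigabyte buffer and turn the bug into a resource-exhaustion denial of service.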
---

Arches, please test and stabilize:
=media-libs/gegl-0.1.6-r1

Target arches: alpha amd64 hppa ia64 ppc ppc64 sparc x86

---

GLSA drafted and ready for review.

---

GLSA has been sent.

Maintainers, please drop vulnerable versions so we can close this up. Thanks.

---

(In reply to Sean Amoss from comment #8)
> GLSA has been sent.
>
> Maintainers, please drop vulnerable versions so we can close this up. Thanks.

```
+  27 Oct 2013; Sebastian Pipping <sping@gentoo.org> -gegl-0.2.0-r1.ebuild:
+  Removing 0.2.0-r1 for security (bug #442016)
+
```

I'm keeping

    gegl-0.1.6.ebuild
    gegl-0.1.6-r1.ebuild
    gegl-0.1.8-r1.ebuild

to keep "<media-libs/gegl-0.2" from media-gfx/gimp-2.6.12-r5 satisfied. I'm open to suggestion on deleting more.

---

(In reply to Sebastian Pipping from comment #9)
> (In reply to Sean Amoss from comment #8)
> > GLSA has been sent.
> >
> > Maintainers, please drop vulnerable versions so we can close this up. Thanks.
>
> +  27 Oct 2013; Sebastian Pipping <sping@gentoo.org> -gegl-0.2.0-r1.ebuild:
> +  Removing 0.2.0-r1 for security (bug #442016)
> +
>
> I'm keeping
>
> gegl-0.1.6.ebuild
> gegl-0.1.6-r1.ebuild
> gegl-0.1.8-r1.ebuild
>
> to keep "<media-libs/gegl-0.2" from media-gfx/gimp-2.6.12-r5 satisfied.
> I'm open to suggestion on deleting more.

Two notes:

1) 0.1.6-r1 was not stabilized as requested. Should we proceed with its stabilization? Or is stabilizing 0.2.0-r2, which happened in bug #481736, fine?

2) 0.1.6 is vulnerable, so it should be treecleaned. 0.1.6-r1 seems fine.

---

0.2.0-r2 was stabilized and older versions are only needed by old gimp; then, dropping old versions of gimp and gegl would be enough.

---

Maintainer(s), thank you for cleanup!

Added to existing GLSA.

---

This issue was resolved and addressed in GLSA 201310-05 at http://security.gentoo.org/glsa/glsa-201310-05.xml by GLSA coordinator Sean Amoss (ackle).