| Summary: | <media-gfx/gimp-2.8.14-r4: crash with a specially crafted ICO file | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Coacher <itumaykin+gentoo> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | sping |
| Priority: | Normal | Flags: | stable-bot:
sanity-check+
|
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://nvd.nist.gov/vuln/detail/CVE-2007-3126 | ||
| Whiteboard: | B3 [noglsa cve] | ||
| Package list: |
media-gfx/gimp-2.8.22
|
Runtime testing required: | --- |
Hi! I have added 2.8.14-r4 if there is some reason not to go straight to 2.8.22 with stabilization. Any concern about going straight to 2.8.22? Upstream bug https://bugzilla.gnome.org/show_bug.cgi?id=773233 commit 8f2698872e8f845bb9fc8a658913a045e420ab88 Author: Sebastian Pipping <sping@g.o> Date: Fri May 12 22:24:16 2017 +0200 media-gfx/gimp: Fix CVE-2007-3126 (bug #618310) Package-Manager: Portage-2.3.5, Repoman-2.3.2 media-gfx/gimp/Manifest | 1 + .../gimp/files/gimp-2.9.4-CVE-2007-3126.patch | 291 +++++++++++++++++++++ media-gfx/gimp/gimp-2.8.14-r4.ebuild | 170 ++++++++++++ media-gfx/gimp/gimp-2.8.20-r1.ebuild | 169 ++++++++++++ media-gfx/gimp/gimp-2.8.22.ebuild | 168 ++++++++++++ media-gfx/gimp/gimp-2.9.4-r3.ebuild | 191 ++++++++++++++ 6 files changed, 990 insertions(+) https://github.com/gentoo/gentoo/commit/8f2698872e8f845bb9fc8a658913a045e420ab88 No(In reply to Sebastian Pipping from comment #1) > I have added 2.8.14-r4 if there is some reason not to go straight to 2.8.22 > with stabilization. Any concern about going straight to 2.8.22? No, let's start stabilization: @ Arches, please test and mark stable: =media-gfx/gimp-2.8.22 (In reply to Thomas Deutschmann from comment #2) > please test and mark stable: =media-gfx/gimp-2.8.22 We have media-gfx/gimp-2.8.22 stable request https://bugs.gentoo.org/show_bug.cgi?id=620412 for a few days now. Shalle we removed arches here and make #618310 depend on #620412? amd64 stable x86 stable sparc stable ia64 stable ppc64 stable Stable on alpha. ppc stable Arches, please finish stabilizing hppa Gentoo Security Padawan ChrisADR stable.... hppa stable @ Maintainer(s): Please clean the vulnerable version from tree. @ Security: Please vote on glsa. (In reply to Aleksandr Wagner (Kivak) from comment #14) > @ Maintainer(s): Please clean the vulnerable version from tree. commit 4871fb69fade069d7853b0106eb5b619f9a27dde Author: Sebastian Pipping <sping@g.o> Date: Thu Oct 26 00:54:12 2017 +0200 media-gfx/gimp: Remove old/vulnerable (bug 618310) 2.8.14-r2 was vulnerable to CVE-2007-3126, the others were removed for clean-up Package-Manager: Portage-2.3.10, Repoman-2.3.3 media-gfx/gimp/Manifest | 3 - media-gfx/gimp/gimp-2.8.14-r2.ebuild | 170 ------------------------------- media-gfx/gimp/gimp-2.8.14-r4.ebuild | 170 ------------------------------- media-gfx/gimp/gimp-2.8.20-r1.ebuild | 169 ------------------------------- media-gfx/gimp/gimp-2.9.4-r3.ebuild | 191 ----------------------------------- 5 files changed, 703 deletions(-) https://github.com/gentoo/gentoo/commit/4871fb69fade069d7853b0106eb5b619f9a27dde GLSA Vote: No |
Hello. Recently released gimp-2.8.22 fixes an old vulnerability that can lead to a crash. See ${URL} and also https://www.gimp.org/news/2017/05/11/gimp-2-8-22-released/ Please bump.