Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 379289 (CVE-2011-2896) - <media-gfx/gimp-2.6.11-r5 Buffer Overflow Vulnerability (CVE-2011-2896)
Summary: <media-gfx/gimp-2.6.11-r5 Buffer Overflow Vulnerability (CVE-2011-2896)
Alias: CVE-2011-2896
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa]
: 368967 (view as bug list)
Depends on:
Reported: 2011-08-15 16:35 UTC by Agostino Sarubbo
Modified: 2012-09-28 11:43 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2011-08-15 16:35:32 UTC
Patch at $URL
Comment 1 Sebastian Pipping gentoo-dev 2011-09-03 19:27:09 UTC
+*gimp-2.6.11-r5 (03 Sep 2011)
+  03 Sep 2011; Sebastian Pipping <> +gimp-2.6.11-r5.ebuild,
+  +files/gimp-2.6.11-cve-2011-2896.patch:
+  Integrate patch for security issue CVE-2011-2896 (bug #379289)

Do we need a dedicated bug for stabalizing 2.6.11-r5?
Comment 2 Agostino Sarubbo gentoo-dev 2011-09-04 00:50:27 UTC
Thanks Sebastian,

(In reply to comment #1)
> Do we need a dedicated bug for stabalizing 2.6.11-r5?

We usually stabilize in the same bug.

Arches, please test and mark stable:
target KEYWORDS : "alpha amd64 hppa ia64 ppc ppc64 sparc x86"
Comment 3 Agostino Sarubbo gentoo-dev 2011-09-04 00:51:32 UTC
*** Bug 368967 has been marked as a duplicate of this bug. ***
Comment 4 Elijah "Armageddon" El Lazkani (amd64 AT) 2011-09-04 04:42:31 UTC
amd64: pass
Comment 5 Agostino Sarubbo gentoo-dev 2011-09-04 10:24:05 UTC
amd64 ok
Comment 6 Paweł Hajdan, Jr. (RETIRED) gentoo-dev 2011-09-04 19:30:29 UTC
x86 stable
Comment 7 Tony Vroon (RETIRED) gentoo-dev 2011-09-04 19:42:28 UTC
+  04 Sep 2011; Tony Vroon <> gimp-2.6.11-r5.ebuild:
+  Marked stable on AMD64 based on arch testing by Elijah "Armageddon" El
+  Lazkani & Agostino "ago" Sarubbo in security bug #379289.
Comment 8 Jeroen Roovers (RETIRED) gentoo-dev 2011-09-09 14:26:55 UTC
Stable for HPPA.
Comment 9 Raúl Porcel (RETIRED) gentoo-dev 2011-09-10 17:40:19 UTC
alpha/ia64/sparc stable
Comment 10 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-12 15:20:53 UTC
ppc/ppc64 stable, last arch done
Comment 11 Tim Sammut (RETIRED) gentoo-dev 2011-09-12 15:31:38 UTC
Thanks, everyone. Added to existing GLSA request.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2011-10-07 22:43:54 UTC
CVE-2011-2896 (
  The LZW decompressor in the LWZReadByte function in giftoppm.c in the David
  Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in
  filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in
  plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte
  function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and
  other products, does not properly handle code words that are absent from the
  decompression table when encountered, which allows remote attackers to
  trigger an infinite loop or a heap-based buffer overflow, and possibly
  execute arbitrary code, via a crafted compressed stream, a related issue to
  CVE-2006-1168 and CVE-2011-2895.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2012-09-28 11:43:21 UTC
This issue was resolved and addressed in
 GLSA 201209-23 at
by GLSA coordinator Sean Amoss (ackle).