Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 434582 - <media-gfx/gimp-2.8.0: scriptfu network server: Arbitrary code execution (CVE-2012-4245)
Summary: <media-gfx/gimp-2.8.0: scriptfu network server: Arbitrary code execution (CVE...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B1 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-09-10 13:01 UTC by GLSAMaker/CVETool Bot
Modified: 2016-03-06 19:57 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2012-09-10 13:01:28 UTC
CVE-2012-4245 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4245):
  The scriptfu network server in GIMP 2.6 does not require authentication,
  which allows remote attackers to execute arbitrary commands via the
  python-fu-eval command.
Comment 1 Sebastian Pipping gentoo-dev 2013-09-15 01:58:31 UTC
It looks like Gimp 2.8.6 is affected too.
I have just voiced that impression in a reply on the oss-security mailing list:

http://thread.gmane.org/gmane.comp.security.oss.general/8173/focus=11115


What I have in mind for further mitigation would be for upstream, not downstream to do.  For details, please check this upstream bug report:

https://bugzilla.gnome.org/show_bug.cgi?id=708098


If there is anything we should do downstream, please let me know.
Comment 2 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-02-21 06:47:53 UTC
CVE is resolved as of gimp-2.8.0:

https://bugzilla.gnome.org/show_bug.cgi?id=708098

Commit message:

https://git.gnome.org/browse/gimp/commit/?id=3b72ad8939c3a1463492d102dfe457e5fef68d04

All vulnerable ebuilds are cleared in the tree already.
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-02 11:15:56 UTC
GLSA Draft: 20c35ef34
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2016-03-06 19:57:07 UTC
This issue was resolved and addressed in
 GLSA 201603-01 at https://security.gentoo.org/glsa/201603-01
by GLSA coordinator Kristian Fiskerstrand (K_F).