Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 618310 (CVE-2007-3126) - <media-gfx/gimp-2.8.14-r4: crash with a specially crafted ICO file
Summary: <media-gfx/gimp-2.8.14-r4: crash with a specially crafted ICO file
Status: RESOLVED FIXED
Alias: CVE-2007-3126
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal trivial (vote)
Assignee: Gentoo Security
URL: https://nvd.nist.gov/vuln/detail/CVE-...
Whiteboard: B3 [noglsa cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2017-05-12 20:09 UTC by Coacher
Modified: 2017-10-26 00:19 UTC (History)
1 user (show)

See Also:
Package list:
media-gfx/gimp-2.8.22
Runtime testing required: ---
stable-bot: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Coacher 2017-05-12 20:09:23 UTC
Hello.

Recently released gimp-2.8.22 fixes an old vulnerability that can lead to a crash.

See ${URL} and also https://www.gimp.org/news/2017/05/11/gimp-2-8-22-released/

Please bump.
Comment 1 Sebastian Pipping gentoo-dev 2017-05-12 21:04:46 UTC
Hi!

I have added 2.8.14-r4 if there is some reason not to go straight to 2.8.22 with stabilization.  Any concern about going straight to 2.8.22?


Upstream bug
https://bugzilla.gnome.org/show_bug.cgi?id=773233


commit 8f2698872e8f845bb9fc8a658913a045e420ab88
Author: Sebastian Pipping <sping@g.o>
Date:   Fri May 12 22:24:16 2017 +0200

    media-gfx/gimp: Fix CVE-2007-3126 (bug #618310)
    
    Package-Manager: Portage-2.3.5, Repoman-2.3.2

 media-gfx/gimp/Manifest                            |   1 +
 .../gimp/files/gimp-2.9.4-CVE-2007-3126.patch      | 291 +++++++++++++++++++++
 media-gfx/gimp/gimp-2.8.14-r4.ebuild               | 170 ++++++++++++
 media-gfx/gimp/gimp-2.8.20-r1.ebuild               | 169 ++++++++++++
 media-gfx/gimp/gimp-2.8.22.ebuild                  | 168 ++++++++++++
 media-gfx/gimp/gimp-2.9.4-r3.ebuild                | 191 ++++++++++++++
 6 files changed, 990 insertions(+)

https://github.com/gentoo/gentoo/commit/8f2698872e8f845bb9fc8a658913a045e420ab88
Comment 2 Thomas Deutschmann gentoo-dev Security 2017-06-06 12:06:07 UTC
No(In reply to Sebastian Pipping from comment #1)
> I have added 2.8.14-r4 if there is some reason not to go straight to 2.8.22
> with stabilization.  Any concern about going straight to 2.8.22?

No, let's start stabilization:


@ Arches,

please test and mark stable: =media-gfx/gimp-2.8.22
Comment 3 Sebastian Pipping gentoo-dev 2017-06-06 17:35:17 UTC
(In reply to Thomas Deutschmann from comment #2)
> please test and mark stable: =media-gfx/gimp-2.8.22

We have

  media-gfx/gimp-2.8.22 stable request
  https://bugs.gentoo.org/show_bug.cgi?id=620412

for a few days now.  Shalle we removed arches here and make #618310 depend on #620412?
Comment 4 Agostino Sarubbo gentoo-dev 2017-06-08 10:17:28 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2017-06-09 10:20:59 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2017-06-10 13:46:35 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2017-06-10 15:18:32 UTC
ia64 stable
Comment 8 Agostino Sarubbo gentoo-dev 2017-06-13 12:32:54 UTC
ppc64 stable
Comment 9 Tobias Klausmann gentoo-dev 2017-06-20 14:58:45 UTC
Stable on alpha.
Comment 10 Agostino Sarubbo gentoo-dev 2017-06-21 11:59:37 UTC
ppc stable
Comment 11 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-08-16 14:59:05 UTC
Arches, please finish stabilizing hppa

Gentoo Security Padawan
ChrisADR
Comment 12 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-20 02:31:09 UTC
stable....
Comment 13 Sergei Trofimovich (RETIRED) gentoo-dev 2017-10-25 21:42:24 UTC
hppa stable
Comment 14 Aleksandr Wagner (Kivak) 2017-10-25 22:07:24 UTC
@ Maintainer(s): Please clean the vulnerable version from tree.

@ Security: Please vote on glsa.
Comment 15 Sebastian Pipping gentoo-dev 2017-10-25 22:58:00 UTC
(In reply to Aleksandr Wagner (Kivak) from comment #14)
> @ Maintainer(s): Please clean the vulnerable version from tree.

commit 4871fb69fade069d7853b0106eb5b619f9a27dde
Author: Sebastian Pipping <sping@g.o>
Date:   Thu Oct 26 00:54:12 2017 +0200

    media-gfx/gimp: Remove old/vulnerable (bug 618310)

    2.8.14-r2 was vulnerable to CVE-2007-3126, the others were removed
    for clean-up

    Package-Manager: Portage-2.3.10, Repoman-2.3.3

 media-gfx/gimp/Manifest              |   3 -
 media-gfx/gimp/gimp-2.8.14-r2.ebuild | 170 -------------------------------
 media-gfx/gimp/gimp-2.8.14-r4.ebuild | 170 -------------------------------
 media-gfx/gimp/gimp-2.8.20-r1.ebuild | 169 -------------------------------
 media-gfx/gimp/gimp-2.9.4-r3.ebuild  | 191 -----------------------------------
 5 files changed, 703 deletions(-)

https://github.com/gentoo/gentoo/commit/4871fb69fade069d7853b0106eb5b619f9a27dde
Comment 16 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2017-10-26 00:19:59 UTC
GLSA Vote: No