Debian Bug report logs -
#884836
gimp: CVE-2017-17785 Heap overflow in FLI import
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ari Pollak <ari@debian.org>:
Bug#884836; Package gimp.
(Wed, 20 Dec 2017 09:24:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Raphael Hertzog <hertzog@debian.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ari Pollak <ari@debian.org>.
(Wed, 20 Dec 2017 09:24:03 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Package: gimp
X-Debbugs-CC: team@security.debian.org secure-testing-team@lists.alioth.debian.org
Severity: important
Tags: security patch
Version: 2.8.2-2
Control: forwarded -1 https://bugzilla.gnome.org/show_bug.cgi?id=739133
Hi,
the following vulnerability was published for gimp.
CVE-2017-17785[0]:
gimp: Heap overflow in FLI import
There seems to be a patch in the upstream ticket:
https://bugzilla.gnome.org/show_bug.cgi?id=739133
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-17785
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17785
Please adjust the affected versions in the BTS as needed.
--
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: https://www.freexian.com/services/debian-lts.html
Learn to master Debian: https://debian-handbook.info/get/
Added tag(s) upstream.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to control@bugs.debian.org.
(Wed, 20 Dec 2017 16:15:10 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream.
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org.
(Mon, 25 Dec 2017 17:15:10 GMT) (full text, mbox, link).
Added tag(s) pending.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 860766-submit@bugs.debian.org.
(Tue, 26 Dec 2017 21:39:04 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#884836; Package gimp.
(Tue, 26 Dec 2017 21:39:09 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Ari Pollak <ari@debian.org>.
(Tue, 26 Dec 2017 21:39:09 GMT) (full text, mbox, link).
Message #18 received at 884836@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags 860766 + patch
Control: tags 860766 + pending
Control: tags 884836 + pending
Control: tags 884837 + patch
Control: tags 884837 + pending
Control: tags 884862 + patch
Control: tags 884862 + pending
Control: tags 884925 + pending
Control: tags 884927 + pending
Control: tags 885347 + pending
Hi Ari,
I've prepared an NMU for gimp (versioned as 2.8.20-1.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I
should delay it longer.
Regards,
Salvatore
[gimp-2.8.20-1.1-nmu.diff (text/x-diff, attachment)]
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sun, 31 Dec 2017 22:09:04 GMT) (full text, mbox, link).
Notification sent
to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer.
(Sun, 31 Dec 2017 22:09:04 GMT) (full text, mbox, link).
Message #23 received at 884836-close@bugs.debian.org (full text, mbox, reply):
Source: gimp
Source-Version: 2.8.20-1.1
We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 884836@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated gimp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 26 Dec 2017 22:11:46 +0100
Source: gimp
Binary: libgimp2.0 gimp gimp-data libgimp2.0-dev libgimp2.0-doc gimp-dbg
Architecture: source
Version: 2.8.20-1.1
Distribution: unstable
Urgency: medium
Maintainer: Ari Pollak <ari@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 860766 884836 884837 884862 884925 884927 885347
Description:
gimp - GNU Image Manipulation Program
gimp-data - Data files for GIMP
gimp-dbg - Debugging symbols for GIMP
libgimp2.0 - Libraries for the GNU Image Manipulation Program
libgimp2.0-dev - Headers and other files for compiling plugins for GIMP
libgimp2.0-doc - Developers' Documentation for the GIMP library
Changes:
gimp (2.8.20-1.1) unstable; urgency=medium
.
* Non-maintainer upload.
.
[ Ari Pollak ]
* Move gimp to Enhances on gimp-data instead of Recommends (Closes: #860766)
.
[ Salvatore Bonaccorso ]
* Out of bounds read / heap overflow in TGA importer (CVE-2017-17786)
(Closes: #884862)
* plug-ins: TGA 16-bit RGB (without alpha bit) is also valid
* Heap buffer overflow in PSP importer (CVE-2017-17789) (Closes: #884837)
* heap overread in gbr parser / load_image (CVE-2017-17784)
(Closes: #884925)
* heap overread in psp importer (CVE-2017-17787) (Closes: #884927)
* Heap overflow while parsing FLI files (CVE-2017-17785) (Closes: #884836)
* buffer overread in XCF parser if version field has no null terminator
(CVE-2017-17788) (Closes: #885347)
Checksums-Sha1:
fb9dc7b4fe379899af2a76659aeeb26165e96c55 3290 gimp_2.8.20-1.1.dsc
d30b2cb3910f33882da0d3c23306ff826a824b26 45196 gimp_2.8.20-1.1.debian.tar.xz
Checksums-Sha256:
d14a68dbeeea7baa3167d12eca66590214c0893639a2291c0756cc482d9c8a09 3290 gimp_2.8.20-1.1.dsc
eb28be08d4b8f25d8f6c1532aedc8ccad2ba21620ee35ddd31674d7f0f8ec8b0 45196 gimp_2.8.20-1.1.debian.tar.xz
Files:
9a3f297cc9ccdb1f3a834394e3ba4874 3290 graphics optional gimp_2.8.20-1.1.dsc
0843fcdc38025a0d7ee6754d75311229 45196 graphics optional gimp_2.8.20-1.1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlpCv2RfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EWwcP/iJnTmE2fygK5BoYMUiZ7TQNhSxkQOGh
uMhbdy90uGXtlUWIWUuQ5hdsh0a1aSQClX7uXf6VF1TfMcxgO0jKMrHPHraiM/KF
rqh/jJsREAx4PDkYqLj5vtif2TbBeDZbu8Do4TgrJWLkDfVpExFHfuDwapUbWNg7
BZcAKtGKuIbFjCuh42WQZ6gbpVZgDzGt/tksI0i3jBvD9xM1xzgbXqZLg38wacZH
KOWxsMsBKG1tVx/mcU/x7ltrqBqpiVZeWaVvHpBARKCL0KqSp/CW/yHFBuYYXH7J
0DO5MbxFL7YODY/ZAp0sRq/teijjt5p+fhL4YLVnbjE8vPpuG4XZRAu4iS12xlJU
nqKIKnpVvsuv5+VaIIRnxFY2tEQv7fjNu7lm1Ta/qOwgJNTxhM4LjJRHVpEltoxS
9pJ9F9OYODEiHAtn/G34R92gqbj+K4OlqOO1vxLmyuG7JGCebtO6bGxGeUvaVPY1
qYAuz1A/Mib5K17jmRxzl9+xudwhZ7haDuMFJiYVDJucvh+uuxs9hoUDji1Jxz3d
g9KkqUAGY08uKL/MGski00dttaiKNfJN4RnJju/rgHixLx8HGKJXTfbLV5v8sr0A
CVnEuhWqJMFpjluGbwaFbujhhadNEQLr8Jej283oGnBbIA4Nt1xGxRl8a8HqhAwS
7BQdNDZtEiA9
=UI5/
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Thu, 08 Feb 2018 21:24:12 GMT) (full text, mbox, link).
Notification sent
to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer.
(Thu, 08 Feb 2018 21:24:12 GMT) (full text, mbox, link).
Message #28 received at 884836-close@bugs.debian.org (full text, mbox, reply):
Source: gimp
Source-Version: 2.8.18-1+deb9u1
We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 884836@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated gimp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 26 Dec 2017 22:39:04 +0100
Source: gimp
Binary: libgimp2.0 gimp gimp-data libgimp2.0-dev libgimp2.0-doc gimp-dbg
Architecture: source
Version: 2.8.18-1+deb9u1
Distribution: stretch-security
Urgency: high
Maintainer: Ari Pollak <ari@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 884836 884837 884862 884925 884927 885347
Description:
gimp - GNU Image Manipulation Program
gimp-data - Data files for GIMP
gimp-dbg - Debugging symbols for GIMP
libgimp2.0 - Libraries for the GNU Image Manipulation Program
libgimp2.0-dev - Headers and other files for compiling plugins for GIMP
libgimp2.0-doc - Developers' Documentation for the GIMP library
Changes:
gimp (2.8.18-1+deb9u1) stretch-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Out of bounds read / heap overflow in TGA importer (CVE-2017-17786)
(Closes: #884862)
* plug-ins: TGA 16-bit RGB (without alpha bit) is also valid
* Heap buffer overflow in PSP importer (CVE-2017-17789) (Closes: #884837)
* heap overread in gbr parser / load_image (CVE-2017-17784)
(Closes: #884925)
* heap overread in psp importer (CVE-2017-17787) (Closes: #884927)
* Heap overflow while parsing FLI files (CVE-2017-17785) (Closes: #884836)
* buffer overread in XCF parser if version field has no null terminator
(CVE-2017-17788) (Closes: #885347)
Checksums-Sha1:
b891cdf11b3e82778c09878a466629cdee781311 3310 gimp_2.8.18-1+deb9u1.dsc
42434a0782c37803fbd184dbb9b648be887f4f40 20824198 gimp_2.8.18.orig.tar.bz2
5867d94825695aa5c47fd3bd92dc233029d34102 45212 gimp_2.8.18-1+deb9u1.debian.tar.xz
Checksums-Sha256:
19e837214c93d16b2c32c9d3c7760ed2a0e598c56ee3044bcc5af3e908a2f896 3310 gimp_2.8.18-1+deb9u1.dsc
39dd2247c678deaf5cc664397d3c6bd4fb910d3472290fd54b52b441b5815441 20824198 gimp_2.8.18.orig.tar.bz2
8bbf100f772506de22e5ce66a8d520f326065ad0690d818723ff75efe58d3972 45212 gimp_2.8.18-1+deb9u1.debian.tar.xz
Files:
2fcb5534d2ddb552693af1f4a5af325a 3310 graphics optional gimp_2.8.18-1+deb9u1.dsc
5adaa11a68bc8a42bb2c778fee4d389c 20824198 graphics optional gimp_2.8.18.orig.tar.bz2
34c459aea0fe89203cff012c1a23e459 45212 graphics optional gimp_2.8.18-1+deb9u1.debian.tar.xz
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlpCxFpfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EQKcP+QG/AbRikyqixFENdnx0pNd2gxjAfsI6
uLImORJKpfm41NKG6TWO/H0jC1Dc8dn80wdAzhrdHwOqEv5/NyU3SafhZbgkxGum
DzvJR8YykgbJpXyZoo1y4i64bRhz4NegMf3mm+3wspWWI4Qqgme+aGbnb9bS0EUt
o3PBgG3sBQm9o6EOxCbTAGyOuFPfJDAF1vQ/+gtWnqqu0FjiUQ512swKBNmnV+VX
ah4z9504X0MQm97ufYRzs/fVdf53Dx6OmPZpuOLLqVHm0SUvBA+4XFVtDu2EBGVx
GS6u598GawuZ19D9vwBn0LSNjnv5zlo+29t9zZ7Z9lj0AVgMC0zSoqWWWSNEELyA
fSlUAGhVBErnKEZXMHGnVxMrjknMM0V1aewq3LME5tJ1XV04JHLtnmHH1ELVmbPj
DKEsb52RDQhzB62PlXUdNL0kkYjc/dUbVcGX6wQMd3NuADv9yIM08DDdbb4pVoUe
HeNYIGjQBApXLM3qH9ySxWGmp7LbEyF6KO7UVdnhcDMBmdT1bbggpMo+ztyIBWbF
wU2Og8XHRNVEXQEYRNuX6p6XnE+XLj3+1wM/4drExu+ZV0xiCFwp20x0623XpgL/
di9xyyuZnm0p48x3v0YOGYtd00QpHBGMV4A0tq0GxYS34LiUVD6JQ5R45Qm7RSR1
Gjr4FdXhIMyD
=awku
-----END PGP SIGNATURE-----
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sat, 10 Feb 2018 21:09:04 GMT) (full text, mbox, link).
Notification sent
to Raphael Hertzog <hertzog@debian.org>:
Bug acknowledged by developer.
(Sat, 10 Feb 2018 21:09:04 GMT) (full text, mbox, link).
Message #33 received at 884836-close@bugs.debian.org (full text, mbox, reply):
Source: gimp
Source-Version: 2.8.14-1+deb8u2
We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 884836@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated gimp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 26 Dec 2017 22:55:07 +0100
Source: gimp
Binary: libgimp2.0 gimp gimp-data libgimp2.0-dev libgimp2.0-doc gimp-dbg
Architecture: all source
Version: 2.8.14-1+deb8u2
Distribution: jessie-security
Urgency: high
Maintainer: Ari Pollak <ari@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 884836 884837 884862 884925 884927 885347
Description:
gimp - The GNU Image Manipulation Program
gimp-data - Data files for GIMP
gimp-dbg - Debugging symbols for GIMP
libgimp2.0 - Libraries for the GNU Image Manipulation Program
libgimp2.0-dev - Headers and other files for compiling plugins for GIMP
libgimp2.0-doc - Developers' Documentation for the GIMP library
Changes:
gimp (2.8.14-1+deb8u2) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* Out of bounds read / heap overflow in TGA importer (CVE-2017-17786)
(Closes: #884862)
* plug-ins: TGA 16-bit RGB (without alpha bit) is also valid
* Heap buffer overflow in PSP importer (CVE-2017-17789) (Closes: #884837)
* heap overread in gbr parser / load_image (CVE-2017-17784)
(Closes: #884925)
* heap overread in psp importer (CVE-2017-17787) (Closes: #884927)
* Heap overflow while parsing FLI files (CVE-2017-17785) (Closes: #884836)
* buffer overread in XCF parser if version field has no null terminator
(CVE-2017-17788) (Closes: #885347)
Checksums-Sha1:
4ebd7840ead24563d1846877628e7d7bf8740d4a 3325 gimp_2.8.14-1+deb8u2.dsc
413f17b30783bb9ea1e0c4b56828de6f0400085b 45280 gimp_2.8.14-1+deb8u2.debian.tar.xz
5a73365c9f74629c03b8a204f288df936f27286e 8411802 gimp-data_2.8.14-1+deb8u2_all.deb
8e4432917163840abf78a54c15e6cef5229b1d75 1263776 libgimp2.0-doc_2.8.14-1+deb8u2_all.deb
Checksums-Sha256:
a564e0a0580b79645778a4b0695772caf4cac2b296c85126779eab0af768e1a1 3325 gimp_2.8.14-1+deb8u2.dsc
beb807c2d71e485b9cc36e91aaa28d0c7b3d60ab853cdb5a3a1a8ca3967a5f7b 45280 gimp_2.8.14-1+deb8u2.debian.tar.xz
5497b1a2b2feb04f5852fadfb3f842f5fcfbff10d9939d73cf6523e0a82d9d27 8411802 gimp-data_2.8.14-1+deb8u2_all.deb
434579c7d48528b693057d2445d1c824812ae0b74596164d8e7c21b85917a357 1263776 libgimp2.0-doc_2.8.14-1+deb8u2_all.deb
Files:
45afa8a618dc8bde3c45a0703a89758b 3325 graphics optional gimp_2.8.14-1+deb8u2.dsc
b3ec4b0d7a7c1d73cf3f560d10145577 45280 graphics optional gimp_2.8.14-1+deb8u2.debian.tar.xz
8dfba5dab0318176f4440d56ad1f1a9a 8411802 graphics optional gimp-data_2.8.14-1+deb8u2_all.deb
cf3c5478600b364b7cad5532de2f8f9a 1263776 doc optional libgimp2.0-doc_2.8.14-1+deb8u2_all.deb
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAlpCyRhfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89EW0sP/3Rk+UGkhMvbUTSyNEyBbAtSK1zQ0VFV
x8VdXvep/PlQdr0qbZWCWNbIuTl6VZjDxVA8F7jopQ0/1C4VveVFDsaj1rbO8Up1
cTQy/aBjCwow7A/dtlWPllWWwTg6ARup89GH2A9TTFKMap3mK1bAy+/UdqExdRDG
1VFEEbZH/IW9jPyqwCn0jYVrIEEqP7c+hv0rN9GafUu33jibLJRrzbGCyWQSCdWi
DyLYbF3oEor0zF4tYUEnfwB8Ds2VK3k3k+khFTTkoQ8Z4JT0xp3VBCz3j2eq+5D1
O5fi2C1kb3Gd7zSXYCUk3ztXIUkiQ4y75W1F4WLEYhD5u+j+V18OCmqsSzNZT5tY
vc4yzBjt9/W99hT+lOAWtJpzhcgZfitpUQP1QhUWA7n/rTibiw/El2vOHLkCW4Ru
WIlOusgOejhdUzxinfNNS6Pp5f+ezmZN3bEtnGgq2/If5Wdf8mo2oD3Bdsuwttea
7s7dWY7rOXf8U3fUsHFks3IFEH64hsSq7PFGY2uC0hLxM+jiYb3fBGwdNlEvcqzL
6dT0dOG+LgEPj7TYA1MO3F1BksusM5PGItOiAMllDrIftPye47utSeIO0WIVjpVi
F9BXrJ2p7hbK22eqTsIbGqfPPGu1Ad12cU6vhLGsDVq/w2I0irN53yLn/R3zZqeM
iZx9Hv0khJ+x
=3Qao
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Wed, 05 Jun 2019 07:54:47 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 12:59:00 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon