gimp: CVE-2012-5576: memory corruption vulnerability affecting 2.8.2

Related Vulnerabilities: CVE-2012-5576  

Debian Bug report logs - #693977

Reported by: Henri Salo <henri@nerv.fi>

Date: Thu, 22 Nov 2012 14:09:01 UTC

Severity: important

Tags: fixed-upstream, security

Found in version gimp/2.8.2-1

Fixed in version gimp/2.8.2-2

Done: Ari Pollak <ari@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#693977; Package gimp. (Thu, 22 Nov 2012 14:09:04 GMT)


Acknowledgement sent to Henri Salo <henri@nerv.fi>:
New Bug report received and forwarded. Copy sent to Ari Pollak <ari@debian.org>. (Thu, 22 Nov 2012 14:09:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Henri Salo <henri@nerv.fi>
To: submit@bugs.debian.org
Subject: gimp: memory corruption vulnerability affecting 2.8.2
Date: Thu, 22 Nov 2012 16:06:05 +0200
Package: gimp
Version: 2.8.2-1
Severity: important
Tags: security, fixed-upstream

GIMP 2.8.2 is vulnerable to memory corruption when reading XWD files, which could even lead to arbitrary code execution.

Upstream fix: http://git.gnome.org/browse/gimp/commit/?id=2873262fccba12af144ed96ed91be144d92ff2e1 (fixed in master and gimp-2-8)
References: https://bugzilla.gnome.org/show_bug.cgi?id=687392
Details from CVE request: http://www.openwall.com/lists/oss-security/2012/11/21/2

Please note that other versions might be vulnerable as well.

- Henri Salo



Reply sent to Ari Pollak <ari@debian.org>:
You have taken responsibility. (Fri, 23 Nov 2012 20:51:10 GMT)


Notification sent to Henri Salo <henri@nerv.fi>:
Bug acknowledged by developer. (Fri, 23 Nov 2012 20:51:10 GMT)


Message #10 received at 693977-close@bugs.debian.org:

From: Ari Pollak <ari@debian.org>
To: 693977-close@bugs.debian.org
Subject: Bug#693977: fixed in gimp 2.8.2-2
Date: Fri, 23 Nov 2012 20:48:10 +0000
Source: gimp
Source-Version: 2.8.2-2

We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 693977@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ari Pollak <ari@debian.org> (supplier of updated gimp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


Format: 1.8
Date: Fri, 23 Nov 2012 14:33:20 -0500
Source: gimp
Binary: libgimp2.0 gimp gimp-data libgimp2.0-dev libgimp2.0-doc gimp-dbg
Architecture: source all amd64
Version: 2.8.2-2
Distribution: unstable
Urgency: high
Maintainer: Ari Pollak <ari@debian.org>
Changed-By: Ari Pollak <ari@debian.org>
Description: 
 gimp       - The GNU Image Manipulation Program
 gimp-data  - Data files for GIMP
 gimp-dbg   - Debugging symbols for GIMP
 libgimp2.0 - Libraries for the GNU Image Manipulation Program
 libgimp2.0-dev - Headers and other files for compiling plugins for GIMP
 libgimp2.0-doc - Developers' Documentation for the GIMP library
Closes: 693977
Changes: 
 gimp (2.8.2-2) unstable; urgency=high
 .
   * xwd-corruption.patch:
     - Fix memory corruption bug when reading XWD files (Closes: #693977)




Changed Bug title to 'gimp: CVE-2012-5576: memory corruption vulnerability affecting 2.8.2' from 'gimp: memory corruption vulnerability affecting 2.8.2' Request was from Henri Salo <henri@nerv.fi> to control@bugs.debian.org. (Tue, 27 Nov 2012 13:30:07 GMT)


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Fri, 11 Jan 2013 07:28:23 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 18:41:34 2019; Machine Name: beach