gimp: CVE-2023-44441 CVE-2023-44442 CVE-2023-44443 CVE-2023-44444


Debian Bug report logs - #1055984


Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Wed, 15 Nov 2023 12:21:02 UTC

Severity: grave

Tags: security, upstream

Found in version gimp/2.10.34-1

Fixed in version gimp/2.10.36-1

Done: Jeremy Bícha <jbicha@ubuntu.com>



Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#1055984; Package src:gimp. (Wed, 15 Nov 2023 12:21:03 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Wed, 15 Nov 2023 12:21:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gimp: CVE-2023-44441 CVE-2023-44442 CVE-2023-44443 CVE-2023-44444
Date: Wed, 15 Nov 2023 13:17:55 +0100
Source: gimp
Version: 2.10.34-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for gimp.

CVE-2023-44441[0]:
| GIMP DDS File Parsing Heap-based Buffer Overflow Remote Code Execution
| Vulnerability


CVE-2023-44442[1]:
| GIMP PSD File Parsing Heap-based Buffer Overflow Remote Code Execution
| Vulnerability


CVE-2023-44443[2]:
| GIMP PSP File Parsing Integer Overflow Remote Code Execution
| Vulnerability


CVE-2023-44444[3]:
| GIMP PSP File Parsing Off-By-One Remote Code Execution Vulnerability


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-44441
    https://www.cve.org/CVERecord?id=CVE-2023-44441
[1] https://security-tracker.debian.org/tracker/CVE-2023-44442
    https://www.cve.org/CVERecord?id=CVE-2023-44442
[2] https://security-tracker.debian.org/tracker/CVE-2023-44443
    https://www.cve.org/CVERecord?id=CVE-2023-44443
[3] https://security-tracker.debian.org/tracker/CVE-2023-44444
    https://www.cve.org/CVERecord?id=CVE-2023-44444

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Jeremy Bícha <jbicha@ubuntu.com>:
You have taken responsibility. (Wed, 15 Nov 2023 14:39:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Wed, 15 Nov 2023 14:39:03 GMT)


Message #10 received at 1055984-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1055984-close@bugs.debian.org
Subject: Bug#1055984: fixed in gimp 2.10.36-1
Date: Wed, 15 Nov 2023 14:35:34 +0000
Source: gimp
Source-Version: 2.10.36-1
Done: Jeremy Bícha <jbicha@ubuntu.com>

We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1055984@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Jeremy Bícha <jbicha@ubuntu.com> (supplier of updated gimp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 15 Nov 2023 07:31:56 -0500
Source: gimp
Built-For-Profiles: noudeb
Architecture: source
Version: 2.10.36-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Jeremy Bícha <jbicha@ubuntu.com>
Closes: 1055984
Changes:
 gimp (2.10.36-1) unstable; urgency=medium
 .
   * New upstream release
     - Fixed vulnerabilities (Closes: #1055984):
       + CVE-2023-44441, ZDI-23-1592, ZDI-CAN-22093
       + CVE-2023-44442, ZDI-23-1594, ZDI-CAN-22094
       + CVE-2023-44443, ZDI-23-1593, ZDI-CAN-22096
       + CVE-2023-44444, ZDI-23-1591, ZDI-CAN-22097
Checksums-Sha1:
 bad08d4e780f11f8df9c09a2f44ec4ec9a78eded 3502 gimp_2.10.36-1.dsc
 0311a880373ad36056d3a9220ebe201c5d9d4699 31532334 gimp_2.10.36.orig.tar.bz2
 adcb1f685f1dc3769def36e1392e83d84b88dd9c 58028 gimp_2.10.36-1.debian.tar.xz
 7ee8ac47303b2f80ed01eabbb627a24edbc68d31 15658 gimp_2.10.36-1_source.buildinfo
Checksums-Sha256:
 4b0b3ce7488b99ff2d893cda6c0cd8ac3ed271b8588f4ac5eec1d2a9120f0432 3502 gimp_2.10.36-1.dsc
 3d3bc3c69a4bdb3aea9ba2d5385ed98ea03953f3857aafd1d6976011ed7cdbb2 31532334 gimp_2.10.36.orig.tar.bz2
 aacb708ddfd0c9902bd2e41ed8fb359c7bb528fc1f39dd88b942cd688338c187 58028 gimp_2.10.36-1.debian.tar.xz
 a8447d6ce545a62a2335a5a22548ddcb9de277317f3168f487a18c0c963f7c50 15658 gimp_2.10.36-1_source.buildinfo
Files:
 0a986839f23a25b9d44669b264b3a860 3502 graphics optional gimp_2.10.36-1.dsc
 e44e1c91b09db8fcdc9ef5797ce11b77 31532334 graphics optional gimp_2.10.36.orig.tar.bz2
 0f629c2517ede154613d6135e541dc43 58028 graphics optional gimp_2.10.36-1.debian.tar.xz
 755eb3176ac9ed3e3e587462ec70a7f0 15658 graphics optional gimp_2.10.36-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----






Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Nov 15 17:55:26 2023; Machine Name: bembo
