Debian Bug report logs -
#828179
gimp: CVE-2016-4994: Use-after-free vulnerabilities in the channel and layer properties parsing process
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ari Pollak <ari@debian.org>:
Bug#828179; Package src:gimp.
(Sat, 25 Jun 2016 20:15:05 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ari Pollak <ari@debian.org>.
(Sat, 25 Jun 2016 20:15:05 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: gimp
Version: 2.8.14-1
Severity: important
Tags: security upstream patch
Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=767873
Hi,
the following vulnerability was published for gimp.
CVE-2016-4994[0]:
Use-after-free vulnerabilities in the channel and layer properties parsing process
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2016-4994
[1] https://bugzilla.gnome.org/show_bug.cgi?id=767873
Regards,
Salvatore
Added tag(s) fixed-upstream.
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org.
(Thu, 30 Jun 2016 17:37:00 GMT) (full text, mbox, link).
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sun, 03 Jul 2016 16:51:20 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 03 Jul 2016 16:51:20 GMT) (full text, mbox, link).
Message #12 received at 828179-close@bugs.debian.org (full text, mbox, reply):
Source: gimp
Source-Version: 2.8.14-1+deb8u1
We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 828179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated gimp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Fri, 01 Jul 2016 15:19:59 +0200
Source: gimp
Binary: libgimp2.0 gimp gimp-data libgimp2.0-dev libgimp2.0-doc gimp-dbg
Architecture: all source
Version: 2.8.14-1+deb8u1
Distribution: jessie-security
Urgency: high
Maintainer: Ari Pollak <ari@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 828179
Description:
gimp - The GNU Image Manipulation Program
gimp-data - Data files for GIMP
gimp-dbg - Debugging symbols for GIMP
libgimp2.0 - Libraries for the GNU Image Manipulation Program
libgimp2.0-dev - Headers and other files for compiling plugins for GIMP
libgimp2.0-doc - Developers' Documentation for the GIMP library
Changes:
gimp (2.8.14-1+deb8u1) jessie-security; urgency=high
.
* Non-maintainer upload by the Security Team.
* CVE-2016-4994: Use-after-free vulnerabilities in the channel and layer
properties parsing process (Closes: #828179)
Checksums-Sha1:
688fac61f7551d4558f1445c3bee888cc2b4a258 3156 gimp_2.8.14-1+deb8u1.dsc
380a8e2887e1a161056444921807e338c3d31653 20440077 gimp_2.8.14.orig.tar.bz2
78ed03f8af21d0b260cfc4657121b8bfdfacff51 41424 gimp_2.8.14-1+deb8u1.debian.tar.xz
d322e5ae40f7f75b226f99e4d8cc8153f057dab1 8412622 gimp-data_2.8.14-1+deb8u1_all.deb
2874361a8d4e05d00a2a2585079674dbffea67f1 1263576 libgimp2.0-doc_2.8.14-1+deb8u1_all.deb
Checksums-Sha256:
67bbac01f22f81691e3eb0c25a131d03021de95e00e2bd2d19821602950bc4b6 3156 gimp_2.8.14-1+deb8u1.dsc
d82a958641c9c752d68e35f65840925c08e314cea90222ad845892a40e05b22d 20440077 gimp_2.8.14.orig.tar.bz2
bf0bbd1ee93079cc105227ac4114d7f00b18e48ccf732532a08818fc5e8a42a7 41424 gimp_2.8.14-1+deb8u1.debian.tar.xz
ce2dbd62f3659592e7c506ad58ff98f94ca0323d9099ec43ad7b5ed81908496c 8412622 gimp-data_2.8.14-1+deb8u1_all.deb
181dd9bd805835897a22fae19e28e417d2e31c30efbc073c50e9292c10edf4b9 1263576 libgimp2.0-doc_2.8.14-1+deb8u1_all.deb
Files:
cf86018c6c3fe617ea2e359ca2efbc51 3156 graphics optional gimp_2.8.14-1+deb8u1.dsc
233c948203383fa078434cc3f8f925cb 20440077 graphics optional gimp_2.8.14.orig.tar.bz2
de86a830f75709553302b757fc6b7645 41424 graphics optional gimp_2.8.14-1+deb8u1.debian.tar.xz
79f1ed614c38fc741fc1a6ae01b9d72d 8412622 graphics optional gimp-data_2.8.14-1+deb8u1_all.deb
7073ad6806f803fe1442cdf800951677 1263576 doc optional libgimp2.0-doc_2.8.14-1+deb8u1_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJXdnLSAAoJEAVMuPMTQ89EDpMP/2BF9t0l/ED8rTsmHalnOBp2
LTvdf+QAL0Ib1dyJziBJ9l6AUDicDKbRlqEI/qaRLVo/m3lD/YxQGEHotPpouiGd
1v0HKwMu2Vyb7UppHeWi7+NGUX1hT+fYAJRKTH1+F5UurCJn81QADJhapSfM91hP
ujpmPUW5J07JOPJeC4Dh67LGffa2/wtq6HvsPJ4hMELRGLdN8/xUO5UFkpu+Z6lt
/KJ3To7OqFOq+9zj8sBt53n3lFfPs4EY4YUUkakC11pbDb8WKjLilkU45r099vzi
qSq4m7PVWyHOQrfO7j9ednI5ro0rd5KKM8PcePezBSgi4OZFWmniPrYahyWrftbF
lXyy5ZBozWrpyF8oJAcuhZzhu/DYZySJ12yeuNfwD3cGZd5d1hifQelXgqcGFzCN
7qSqMgdGZjxjK6AzbXOK3g0u/Lxzwk15OFRAR8fhw/V3Juo01m5/iIDoe9sSjQs/
NklIDq6Cl995uYF/yDjbOoOYbm3AQKOFrwAA3nJPuWu7uLUqhpvyPmQFrIjWgal1
sL9hvtwQlLP8lCL3wt1icHnZy7aSSYlvQPtwL78WUH0Dm5qlobuoe5qbHa1N6Fmp
ZqD35htHYV2X4pDdGb0czFk78Tf4rxRxh6wF7ugEyoa/D+GOBkQUyUlOIjKTRJOw
xwAuq5trUIZmpXD75mB+
=223F
-----END PGP SIGNATURE-----
Information forwarded
to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#828179; Package src:gimp.
(Tue, 05 Jul 2016 12:09:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Ari Pollak <ari@debian.org>.
(Tue, 05 Jul 2016 12:09:04 GMT) (full text, mbox, link).
Message #17 received at 828179@bugs.debian.org (full text, mbox, reply):
[Message part 1 (text/plain, inline)]
Control: tags 828179 + pending
Dear maintainer,
I've prepared an NMU for gimp (versioned as 2.8.16-2.2) and
uploaded it to DELAYED/2. Please feel free to tell me if I
should delay it longer or cancel at all if you want to do the upload
including some other changes as well.
Thanks for all you work!
Regards,
Salvatore
[gimp-2.8.16-2.2-nmu.diff (text/x-diff, attachment)]
Added tag(s) pending.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 828179-submit@bugs.debian.org.
(Tue, 05 Jul 2016 12:09:04 GMT) (full text, mbox, link).
Reply sent
to Salvatore Bonaccorso <carnil@debian.org>:
You have taken responsibility.
(Sun, 10 Jul 2016 12:36:09 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sun, 10 Jul 2016 12:36:09 GMT) (full text, mbox, link).
Message #24 received at 828179-close@bugs.debian.org (full text, mbox, reply):
Source: gimp
Source-Version: 2.8.16-2.2
We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 828179@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <carnil@debian.org> (supplier of updated gimp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Tue, 05 Jul 2016 09:39:12 +0200
Source: gimp
Binary: libgimp2.0 gimp gimp-data libgimp2.0-dev libgimp2.0-doc gimp-dbg
Architecture: all source
Version: 2.8.16-2.2
Distribution: unstable
Urgency: medium
Maintainer: Ari Pollak <ari@debian.org>
Changed-By: Salvatore Bonaccorso <carnil@debian.org>
Closes: 828179
Description:
gimp - The GNU Image Manipulation Program
gimp-data - Data files for GIMP
gimp-dbg - Debugging symbols for GIMP
libgimp2.0 - Libraries for the GNU Image Manipulation Program
libgimp2.0-dev - Headers and other files for compiling plugins for GIMP
libgimp2.0-doc - Developers' Documentation for the GIMP library
Changes:
gimp (2.8.16-2.2) unstable; urgency=medium
.
* Non-maintainer upload.
* CVE-2016-4994: Use-after-free vulnerabilities in the channel and layer
properties parsing process (Closes: #828179)
Checksums-Sha1:
e8584c88ea41763d85d7119e823e6557a0b772e5 3121 gimp_2.8.16-2.2.dsc
4a7ba814909cbee0755f7234a8f270f957216e62 42312 gimp_2.8.16-2.2.debian.tar.xz
ffe85d5a736394a383dc388bc87976ab5074716d 8578328 gimp-data_2.8.16-2.2_all.deb
d281cae27b1ef14fe65e99230ecc969145639ec0 1274826 libgimp2.0-doc_2.8.16-2.2_all.deb
Checksums-Sha256:
2ef1cd3a6ed2fe67710e7a9c67c751a4f567b3cb1e7db2d5e3f8cf57eff48414 3121 gimp_2.8.16-2.2.dsc
07bf04143b1f39ad890598c94fd3a80704146afe777df4dbc4073136670a1dbb 42312 gimp_2.8.16-2.2.debian.tar.xz
87d553c1c7a75e6493bda4f25e01931fb46934c9b8acb6498a85603b52e46b40 8578328 gimp-data_2.8.16-2.2_all.deb
19db2bdbb6602234c0a866c15ba7017b9dd8fb9c686d00cc22e18a682dea73a6 1274826 libgimp2.0-doc_2.8.16-2.2_all.deb
Files:
405bbf9cd2ad1f1bbc3714935f843a8e 3121 graphics optional gimp_2.8.16-2.2.dsc
a8d3f7a3d8df53c59b9a8a82b160acda 42312 graphics optional gimp_2.8.16-2.2.debian.tar.xz
86ec4622c1dbc6d9e2d7ddfb26e0c92c 8578328 graphics optional gimp-data_2.8.16-2.2_all.deb
970618fd87704f4fdae8cb18c33e2fd3 1274826 doc optional libgimp2.0-doc_2.8.16-2.2_all.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iQIcBAEBCgAGBQJXe3+jAAoJEAVMuPMTQ89EFtIP/2/CYQxmXykwbPM/WdHdjmOG
akH+prFt4Lktqr7h8CNQNNFbL/VqFQVviSjIIA7ujHJ48KNuxBU2VEEHsd4IEf2G
8R8ErGsCzcOBhAiqnDkyctIrCvMg9ehE3VOB+NOKxczgAQbcYGHQybTcNon8HhSy
6KJ1rq+mm7L4Y3kBkX4AeUAKPp83Etx7hYLSy+af2ufP74ROTQhaW7/WxBG3Zq0T
+AqVZq2zFLt7mcw77BiCz1uZbyAGciIrkITgwGP2UUIMJi6V3ls0z88XE/zK8PJ3
N1hgeVpW0Q6EGGyLpMgsBgbJN5qqV+gtvihJhtNsJ1+8CDu1Q/ogyiT6K94BU19a
U8yHR9lonfJ5yKxq+8TEG1T2++A2o25NzTvyjB+xRO4XO/fpNkkrAjX8oEzD9Hm/
r4jYPWgI6g5m44GMFdq7gUugYpsHcZ4ufwuofCqW/y/EQ7M+2IjnL9JX0wLqHOzo
v5CCRqm9kjM0/F4z7CZ7mqXJz7Rv98X7SrXBt/9fQ2OwouIcDmx+ON2K1HfGdicU
XCpq8I5pHAwNyBDw1eFQUmAszLCUInqQmhRPPkSJ/AwmgYz4lgfqL2RlhbCSYEkY
BrQ+IDVtNdZQg6DAtmd7s2kHn1vEaOrRzcJ1Ra+rpekeeiwJ9mNmplT7l+NhJ+Sb
8HJxOArZkBmo5izCB3aC
=8jLN
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 14 Aug 2016 07:54:19 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 17:37:43 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon