gimp: CVE-2012-3403

Related Vulnerabilities: CVE-2012-3403, CVE-2012-3481

Debian Bug report logs - #685397

Reported by: Moritz Muehlenhoff <jmm@inutil.org>

Date: Mon, 20 Aug 2012 13:09:05 UTC

Severity: grave

Tags: security

Fixed in version gimp/2.8.2-1

Done: Ari Pollak <ari@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ari Pollak <ari@debian.org>:
Bug#685397; Package gimp. (Mon, 20 Aug 2012 13:09:07 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Ari Pollak <ari@debian.org>. (Mon, 20 Aug 2012 13:09:07 GMT)

Message #5 received at submit@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gimp: CVE-2012-3403
Date: Mon, 20 Aug 2012 15:04:13 +0200
Package: gimp
Severity: grave
Tags: security
Justification: user security hole

Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3403 for details
and patches.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#685397; Package gimp. (Mon, 20 Aug 2012 13:21:04 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Ari Pollak <ari@debian.org>. (Mon, 20 Aug 2012 13:21:04 GMT)

Message #10 received at 685397@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: 685397@bugs.debian.org
Subject: Re: gimp: CVE-2012-3403
Date: Mon, 20 Aug 2012 15:16:50 +0200
On Mon, Aug 20, 2012 at 03:04:13PM +0200, Moritz Muehlenhoff wrote:
> Package: gimp
> Severity: grave
> Tags: security
> Justification: user security hole
> 
> Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3403 for details
> and patches.

And another issue:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3481

Cheers,
        Moritz



Reply sent to Ari Pollak <ari@debian.org>:
You have taken responsibility. (Mon, 10 Sep 2012 03:36:13 GMT)

Notification sent to Moritz Muehlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Mon, 10 Sep 2012 03:36:13 GMT)

Message #15 received at 685397-close@bugs.debian.org:

From: Ari Pollak <ari@debian.org>
To: 685397-close@bugs.debian.org
Subject: Bug#685397: fixed in gimp 2.8.2-1
Date: Mon, 10 Sep 2012 03:33:23 +0000
Source: gimp
Source-Version: 2.8.2-1

We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 685397@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Ari Pollak <ari@debian.org> (supplier of updated gimp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sun, 09 Sep 2012 22:59:27 -0400
Source: gimp
Binary: libgimp2.0 gimp gimp-data libgimp2.0-dev libgimp2.0-doc gimp-dbg
Architecture: source all amd64
Version: 2.8.2-1
Distribution: unstable
Urgency: high
Maintainer: Ari Pollak <ari@debian.org>
Changed-By: Ari Pollak <ari@debian.org>
Description: 
 gimp       - The GNU Image Manipulation Program
 gimp-data  - Data files for GIMP
 gimp-dbg   - Debugging symbols for GIMP
 libgimp2.0 - Libraries for the GNU Image Manipulation Program
 libgimp2.0-dev - Headers and other files for compiling plugins for GIMP
 libgimp2.0-doc - Developers' Documentation for the GIMP library
Closes: 673898 677342 685397
Changes: 
 gimp (2.8.2-1) unstable; urgency=high
 .
   * Imported Upstream version 2.8.2
     - Fixes a security hole in the CEL plugin (Closes: #685397) (CVE-2012-3403)
     - Fixes a security hole in the GIF plugin (CVE-2012-3481)
     - Fixes link failures on hurd-i386 (Closes: #677342)
     - Fixes incorrect window title after exporting (Closes: #673898)
   * Don't overwrite LDFLAGS from dpkg-buildflags
Checksums-Sha1: 
 9adbf82274c9daa7c8efe0f3830ccc6afcef1064 2478 gimp_2.8.2-1.dsc
 64ad90cedc5e8e348310b6eb6b7821ec110c0886 20161424 gimp_2.8.2.orig.tar.bz2
 d49da9c2333fc4a5f17d1e5c33252d6372294bb8 45695 gimp_2.8.2-1.debian.tar.gz
 311e1d0c995af418bfc82f80bf6cd0000b697390 8262894 gimp-data_2.8.2-1_all.deb
 85ed989690dc9097b7101df6cce66ae0830316ca 1145230 libgimp2.0-doc_2.8.2-1_all.deb
 d9c54202484d28cce2c0cd8f940f34d500038d35 1554042 libgimp2.0_2.8.2-1_amd64.deb
 0acd7e6d6a71f45f1df382f445f0bf0d3bc627a8 4241660 gimp_2.8.2-1_amd64.deb
 059a4a8f57f0a185a2c7dfca717aac4de12c77c1 886438 libgimp2.0-dev_2.8.2-1_amd64.deb
 0db4a3eb11af2deea0f9dc58d545ab127028e051 13380102 gimp-dbg_2.8.2-1_amd64.deb
Checksums-Sha256: 
 d5849fdf4692215fbab5c7ef28e34956f203eef84d919cf10c8079725b5389ed 2478 gimp_2.8.2-1.dsc
 0cd1a7e67e132ead810e16e31ff929394c83fcf841e4a295c45d6f3829601ad9 20161424 gimp_2.8.2.orig.tar.bz2
 5226d2851c0fb34c2a76622abf35001d0b9db08bd53403d00c5c147d11320ca0 45695 gimp_2.8.2-1.debian.tar.gz
 d3d62999b650f373a03b5b0f3694d060b2ce7b05c23eb79225f7c164e707016d 8262894 gimp-data_2.8.2-1_all.deb
 7809f02ff7ca95142c46b4df1bc9b551ef534683645b73fb9cad0edbf7a0416f 1145230 libgimp2.0-doc_2.8.2-1_all.deb
 046e92146179146131499c6687cff25612563c52860766b7447a9a81245302c4 1554042 libgimp2.0_2.8.2-1_amd64.deb
 c8990bf60b2c23bb263299fdc8bb8bd815984b7698aa540cf0e9207f66d45da0 4241660 gimp_2.8.2-1_amd64.deb
 35b7d9880e8310e8fee226b1619eb596367d3845c7b6506d43babff253bc04a5 886438 libgimp2.0-dev_2.8.2-1_amd64.deb
 c20a834a5b82f0016cd0ed234f876ff588445d6c4171b562e5a012cd07b5500a 13380102 gimp-dbg_2.8.2-1_amd64.deb
Files: 
 459210d4e6fe64204a22e854d1b78c22 2478 graphics optional gimp_2.8.2-1.dsc
 b542138820ca3a41cbd63fc331907955 20161424 graphics optional gimp_2.8.2.orig.tar.bz2
 71ef3104b61a4ecd26fbad66b1b7f93a 45695 graphics optional gimp_2.8.2-1.debian.tar.gz
 20cd2fa5e127f6f9b5c7febc047c48b8 8262894 graphics optional gimp-data_2.8.2-1_all.deb
 56249beb36044c54d67ec46dbd83a321 1145230 doc optional libgimp2.0-doc_2.8.2-1_all.deb
 05bbabff9718d07330d86f19db882cff 1554042 libs optional libgimp2.0_2.8.2-1_amd64.deb
 2dc0ead53524cdfe67cf03f6290db959 4241660 graphics optional gimp_2.8.2-1_amd64.deb
 71031701346118234f7d10bab006573d 886438 libdevel optional libgimp2.0-dev_2.8.2-1_amd64.deb
 df77749707721c558fa04f2c6b1f0673 13380102 debug extra gimp-dbg_2.8.2-1_amd64.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlBNWy4ACgkQwO+u47cOQDsFpgCeIs97fJ4mP9pqAm937Gx9vWyD
KlQAn2FuTieu+7GdefcxeK6ieuHatioL
=RBVt
-----END PGP SIGNATURE-----


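The close message above records the fix as gimp 2.8.2-1 in unstable, and the later replies point out that a frozen testing suite can lag behind that version. The check a practitioner wants on a given host is whether the installed gimp version sorts at or above the fixed version under Debian's version ordering, where an epoch dominates everything, `~` sorts before anything (including end of string), and digit runs are compared numerically. The block below is an added example, not code from this bug report or from the gimp or dpkg projects: it reimplements dpkg's version-comparison rules in Python and applies them to the fixed version taken from this report. The installed-version strings it exercises are constructed for illustration; on a real Debian host you would feed it the output of `dpkg-query -W -f '${Version}' gimp`.

```python
"""Debian version ordering, applied to the fix version recorded in this bug.

Added example: a self-contained reimplementation of dpkg's version comparison
(epoch:upstream-revision, '~' sorting before everything, digit runs compared
numerically).  The canonical implementations are dpkg's vercmp.c and
python-apt's apt_pkg.version_compare; use those in production and treat this
as an explanation of the rules they apply.
"""

FIXED_VERSION = "2.8.2-1"   # "Fixed in version gimp/2.8.2-1" per the bug log


def _split(version):
    """Return (epoch, upstream, revision) for a Debian version string."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    # The Debian revision is everything after the *last* hyphen; upstream
    # versions may themselves contain hyphens when a revision is present.
    upstream, sep, revision = version.rpartition("-")
    if not sep:
        upstream, revision = version, ""
    return epoch, upstream, revision


def _order(ch):
    """Sort weight of a non-digit character, mirroring dpkg's order()."""
    if ch == "~":
        return -1            # '~' sorts before everything, even end of string
    if ch.isalpha():
        return ord(ch)       # letters sort before other non-letters
    return ord(ch) + 256     # '+', '.', etc. sort after letters


def _verrevcmp(a, b):
    """Compare two upstream-or-revision strings; <0, 0, >0 like strcmp."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Non-digit run: compare character by character by weight.  End of
        # string has weight 0, so "1" sorts after "1~x" but before "1.x".
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) and not a[i].isdigit() else 0
            bc = _order(b[j]) if j < len(b) and not b[j].isdigit() else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare numerically by
        # remembering the first differing digit and the run length.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        first_diff = 0
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1         # a's number has more digits, so it is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def compare_versions(a, b):
    """Return -1, 0 or 1 ordering Debian version a against version b."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    if ea != eb:
        return (ea > eb) - (ea < eb)
    result = _verrevcmp(ua, ub)
    if result == 0:
        result = _verrevcmp(ra, rb)
    return (result > 0) - (result < 0)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed version sorts at or above the fixed version."""
    return compare_versions(installed, fixed) >= 0


def main():
    # Constructed sample of version strings, not taken from any real host.
    samples = ["2.6.12-1", "2.8.0-2", "2.8.2-1~bpo70+1", "2.8.2", "2.8.2-1",
               "2.8.2-1.1", "2.8.10-1", "1:2.8.0-1"]
    for v in samples:
        print(f"{v:18s} fixed={is_fixed(v)}")


if __name__ == "__main__":
    main()
```

On a Debian host the equivalent one-liner is `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' gimp)" ge 2.8.2-1`. Two caveats apply to either form: the fixed version differs per suite (a stable or testing-proposed-updates upload carries its own revision, which is why the thread discusses an unblock versus a tpu upload), so take the threshold from the tracker entry for the suite you run; and a version that merely sorts higher, such as one with an epoch or a distribution-specific revision, proves only ordering, not that the security patch is present, which the package changelog has to confirm.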


Information forwarded to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#685397; Package gimp. (Fri, 14 Sep 2012 15:30:03 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Ari Pollak <ari@debian.org>. (Fri, 14 Sep 2012 15:30:03 GMT)

Message #20 received at 685397@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@inutil.org>
To: ari@debian.org
Cc: 685397@bugs.debian.org
Subject: Re: gimp: CVE-2012-3403
Date: Fri, 14 Sep 2012 17:23:42 +0200
Hi Ari,

On Mon, Aug 20, 2012 at 03:16:50PM +0200, Moritz Muehlenhoff wrote:
> On Mon, Aug 20, 2012 at 03:04:13PM +0200, Moritz Muehlenhoff wrote:
> > Package: gimp
> > Severity: grave
> > Tags: security
> > Justification: user security hole
> > 
> > Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3403 for details
> > and patches.
> 
> And another issue:
> https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3481

While this is fixed in sid, it's still open in Wheezy, since testing is frozen.

You need to either ask for an unblock (likely not welcome at this point of
the freeze) or prepare an upload for testing-proposed-updates with the
security fixes only.

Cheers,
        Moritz



Information forwarded to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#685397; Package gimp. (Wed, 19 Sep 2012 15:36:03 GMT)

Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>:
Extra info received and forwarded to list. Copy sent to Ari Pollak <ari@debian.org>. (Wed, 19 Sep 2012 15:36:03 GMT)

Message #25 received at 685397@bugs.debian.org:

From: Moritz Muehlenhoff <jmm@debian.org>
To: ari@debian.org
Cc: 685397@bugs.debian.org
Subject: Re: gimp: CVE-2012-3403
Date: Wed, 19 Sep 2012 17:30:53 +0200
On Fri, Sep 14, 2012 at 05:23:42PM +0200, Moritz Muehlenhoff wrote:
> Hi Ari,
> 
> On Mon, Aug 20, 2012 at 03:16:50PM +0200, Moritz Muehlenhoff wrote:
> > On Mon, Aug 20, 2012 at 03:04:13PM +0200, Moritz Muehlenhoff wrote:
> > > Package: gimp
> > > Severity: grave
> > > Tags: security
> > > Justification: user security hole
> > > 
> > > Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3403 for details
> > > and patches.
> > 
> > And another issue:
> > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3481
> 
> While this is fixed in sid, it's still open in Wheezy, since testing is frozen.
> 
> You need to either ask for an unblock (likely not welcome at this point of
> the freeze) or prepare an upload for testing-proposed-updates with the
> security fixes only.

The interdiff between 2.8.0 and 2.8.2 is too big and introduces an ABI change.

Proposed patch for tpu attached.
 
Cheers,
        Moritz
[gimp-tpu.patch (text/x-diff, attachment)]

Information forwarded to debian-bugs-dist@lists.debian.org, Ari Pollak <ari@debian.org>:
Bug#685397; Package gimp. (Wed, 19 Sep 2012 16:21:02 GMT)

Acknowledgement sent to Julien Cristau <jcristau@debian.org>:
Extra info received and forwarded to list. Copy sent to Ari Pollak <ari@debian.org>. (Wed, 19 Sep 2012 16:21:03 GMT)

Message #30 received at 685397@bugs.debian.org:

From: Julien Cristau <jcristau@debian.org>
To: Moritz Muehlenhoff <jmm@debian.org>, 685397@bugs.debian.org
Cc: ari@debian.org
Subject: Re: Bug#685397: gimp: CVE-2012-3403
Date: Wed, 19 Sep 2012 18:17:21 +0200
On Wed, Sep 19, 2012 at 17:30:53 +0200, Moritz Muehlenhoff wrote:

> On Fri, Sep 14, 2012 at 05:23:42PM +0200, Moritz Muehlenhoff wrote:
> > Hi Ari,
> > 
> > On Mon, Aug 20, 2012 at 03:16:50PM +0200, Moritz Muehlenhoff wrote:
> > > On Mon, Aug 20, 2012 at 03:04:13PM +0200, Moritz Muehlenhoff wrote:
> > > > Package: gimp
> > > > Severity: grave
> > > > Tags: security
> > > > Justification: user security hole
> > > > 
> > > > Please see https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3403 for details
> > > > and patches.
> > > 
> > > And another issue:
> > > https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-3481
> > 
> > While this is fixed in sid, it's still open in Wheezy, since testing is frozen.
> > 
> > You need to either ask for an unblock (likely not welcome at this point of
> > the freeze) or prepare an upload for testing-proposed-updates with the
> > security fixes only.
> 
> The interdiff between 2.8.0 and 2.8.2 is too big and introduces an ABI change.
> 
> Proposed patch for tpu attached.
>  
Actually I unblocked it, the ABI change involves functions that are new
in 2.8.0, so should hopefully not break anything, and the diff looked
sane other than that bit.  Sorry for the extra work.

Cheers,
Julien

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 18 Oct 2012 07:27:38 GMT)




Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:57:03 2019; Machine Name: buxtehude
