Bug 18804

Summary: gimp new security issue CVE-2016-4994
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: davidwhodgins, lewyssmith, linux, sysadmin-bugs
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/692855/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK advisory
Source RPM: gimp-2.8.16-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-06-28 00:41:45 CEST 
Debian-LTS has issued an advisory on June 25:
http://lwn.net/Alerts/692816/

Upstream has made a commit to the 2.8 branch to fix the issue, as mentioned on the upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=767873

Mageia 5 is also affected.
David Walser 2016-06-28 00:42:01 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Shlomi Fish 2016-06-29 16:09:56 CEST 
I submitted gimp-2.8.16-rel2 to Cauldron for fixing that - http://pkgsubmit.mageia.org/ . It includes the patch from the repository. After some testing , I will also build an mga v5 package.
Comment 2 David Walser 2016-06-30 03:31:21 CEST 
Packages built:
gimp-2.8.14-4.1.mga5
libgimp2.0-devel-2.8.14-4.1.mga5
libgimp2.0_0-2.8.14-4.1.mga5
gimp-python-2.8.14-4.1.mga5

from gimp-2.8.14-4.1.mga5.src.rpm

Please assign to QA when it's ready for testing.

Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)

Comment 3 Shlomi Fish 2016-06-30 15:21:34 CEST 
Assigning to QA as it's ready for testing. I don't know if there's a test procedure anywhere.

Status: NEW => ASSIGNED
Assignee: shlomif => qa-bugs

Comment 4 David Walser 2016-06-30 16:15:16 CEST 
PoC file is attached to the GNOME bug.

Advisory:
========================

Updated gimp packages fix security vulnerability:

It was discovered that there was a use-after-free vulnerability in the channel
and layer properties parsing process in GIMP (CVE-2016-4994).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4994
https://bugzilla.gnome.org/show_bug.cgi?id=767873
http://lwn.net/Alerts/692816/
========================

Updated packages in core/updates_testing:
========================
gimp-2.8.14-4.1.mga5
libgimp2.0-devel-2.8.14-4.1.mga5
libgimp2.0_0-2.8.14-4.1.mga5
gimp-python-2.8.14-4.1.mga5

from gimp-2.8.14-4.1.mga5.src.rpm

Whiteboard: (none) => has_procedure

Comment 5 David Walser 2016-07-01 19:32:19 CEST 
Mageia 5 i586, GIMP opens the PoC file just fine.

Whiteboard: has_procedure => has_procedure MGA5-32-OK

Comment 6 Lewis Smith 2016-07-02 07:56:57 CEST 
Thanks David for the 32-bit test.

Testing M5 x64
Using the test file https://bugzilla.gnome.org/attachment.cgi?id=330079
and command to try it in https://bugzilla.gnome.org/show_bug.cgi?id=767873

BEFORE the update:
 gimp-2.8.14-4.mga5
 lib64gimp2.0_0-2.8.14-4.mga5

 $ gimp Gimp_UaF.xcf

(gimp:20510): Gimp-Core-CRITICAL **: gimp_image_set_active_layer: assertion 'layer == NULL || GIMP_IS_LAYER (layer)' failed

AFTER the update:
 gimp-2.8.14-4.1.mga5
 lib64gimp2.0_0-2.8.14-4.1.mga5

$ gimp Gimp_UaF.xcf
 [NO failure message]

OK'ing & validating the update.

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA5-32-OK => has_procedure MGA5-32-OK MGA5-64-OK
CC: (none) => lewyssmith, sysadmin-bugs

Dave Hodgins 2016-07-04 08:46:11 CEST

CC: (none) => davidwhodgins
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK => has_procedure MGA5-32-OK MGA5-64-OK advisory

Comment 7 Mageia Robot 2016-07-05 17:48:17 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0241.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

Comment 8 David Walser 2016-07-14 23:40:27 CEST 
*** Bug 18945 has been marked as a duplicate of this bug. ***

CC: (none) => linux