| Summary: | gimp new security issues CVE-2023-4444[1-4] | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Nicolas Salguero <nicolas.salguero> |
| Component: | Security | Assignee: | Sysadmin Team <sysadmin-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | High | CC: | andrewsfarm, cptnrhd, fri, herman.viaene, mageia, marja11, ngompa13, nicolas.salguero, smelror, sysadmin-bugs, thierry.vignaud |
| Version: | 9 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA8TOO, MGA9-64-OK MGA8-64-OK MGA8-32-OK | ||
| Source RPM: | gimp-2.10.32-1.mga8.src.rpm,gegl-0.4.36-1.mga8.src.rpm ,gimp-2.10.34-1.mga9.src.rpm | CVE: | CVE-2023-44441, CVE-2023-44442, CVE-2023-44443, CVE-2023-44444 |
| Status comment: | |||
| Attachments: | Diff from current mageia 9 spec | ||
Description
Nicolas Salguero
2023-11-21 10:49:20 CET
Nicolas Salguero
2023-11-21 10:49:51 CET
Whiteboard:
(none) =>
MGA8TOO

Thanks to Stig, we already have v2.10.36 in Cauldron. Is it OK to ask you to do the Mageia 8 & 9 bits? Transfer it if not.
Advisory will be required.

Assignee:
bugsquad =>
smelror

I've pushed GIMP 2.10.36 and gegl 0.4.38 to MGA8. Just haven't gotten around to creating the advisory yet. Will do it now.

Advisory
========

GIMP has been updated to version 2.10.36 to fix several security issues.

CVE-2023-44441: GIMP DDS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
CVE-2023-44442: GIMP PSD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
CVE-2023-44443: GIMP PSP File Parsing Integer Overflow Remote Code Execution Vulnerability
CVE-2023-44444: GIMP PSP File Parsing Off-By-One Remote Code Execution Vulnerability

References
==========

https://www.openwall.com/lists/oss-security/2023/11/20/3

Files
=====

Uploaded to core/updates_testing

gegl-0.4.38-1.mga8
lib64gegl0.4_0-0.4.38-1.mga8
lib64gegl-devel-0.4.38-1.mga8
lib64gegl-gir0.4-0.4.38-1.mga8

from gegl-0.4.38-1.mga8.src.rpm

gimp-2.10.36-1.mga8
lib64gimp2.0_0-2.10.36-1.mga8
lib64gimp2.0-devel-2.10.36-1.mga8

from gimp-2.10.36-1.mga8.src.rpm

Assignee:
smelror =>
qa-bugs

Hi,

It seems that you did not update gimp to 2.10.36 for Mageia 9, only for Mageia 8.

Best regards,

Nico.
Nicolas Salguero
2023-12-12 11:58:51 CET
Whiteboard:
(none) =>
MGA8TOO
katnatek
2023-12-12 21:20:00 CET
CC:
(none) =>
smelror

(In reply to Nicolas Salguero from comment #4)
> Hi,
>
> It seems that you did not update gimp to 2.10.36 for Mageia 9, only for
> Mageia 8.
>
> Best regards,
>
> Nico.

@stig did you forget to upload mageia 9 packages ?

Tested on VM Mageia 8 i586

Packages updates from current version without issue
Not have anything that need lib64gegl-gir0.4-0.4.38-1.mga8, I install by hand without issue
Open the program, take a screenshot, very basic use without issues

Not sure if I can test mypaint that requires lib64gegl-gir0.4-0.4.38-1.mga8 because
"MyPaint is a pressure- and tilt-sensitive painting program which works well with Wacom graphics tablets and other similar devices." and I don't have such devices

(In reply to katnatek from comment #6)
> Tested on VM Mageia 8 i586
>
> Packages updates from current version without issue
> Not have anything that need lib64gegl-gir0.4-0.4.38-1.mga8, I install by
> hand without issue
> Open the program, take a screenshot, very basic use without issues
>
> Not sure if I can test mypaint that requires lib64gegl-gir0.4-0.4.38-1.mga8
> because
> "MyPaint is a pressure- and tilt-sensitive painting program which works
> well with Wacom graphics tablets and other similar devices." and I don't
> have such devices

lib64gegl -> libgegl

Installed and tested without issues.

Used GIMP to test GEGL. My normal (basic) GIMP usage did not show any issues. Checked the various GEGL operations and played with the fractal generator for a bit. No issues that I have noticed.

This update gets an OK from me.

System: Mageia 8, x86_64, Plasma DE, AMD Ryzen 5 5600G with Radeon Graphics using amdgpu driver.
# uname -a
Linux jupiter 6.1.45-desktop-1.mga8 #1 SMP PREEMPT_DYNAMIC Fri Aug 11 22:01:56 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
# rpm -qa | grep -E gegl.*0.4.38 | sort
gegl-0.4.38-1.mga8
lib64gegl0.4_0-0.4.38-1.mga8
lib64gegl-devel-0.4.38-1.mga8
lib64gegl-gir0.4-0.4.38-1.mga8
# lspci | grep VGA
03:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Navi 24 [Radeon RX 6400 / 6500 XT] (rev c1)
0c:00.0 VGA compatible controller: Advanced Micro Devices, Inc. [AMD/ATI] Cezanne (rev c9)

CC:
(none) =>
mageia

(In reply to katnatek from comment #5)
> (In reply to Nicolas Salguero from comment #4)
> > Hi,
> >
> > It seems that you did not update gimp to 2.10.36 for Mageia 9, only for
> > Mageia 8.
> >
> > Best regards,
> >
> > Nico.
>
> @stig did you forget to upload mageia 9 packages ?

No, I didn't forget.

However, if you want to do the update and the advisory, I will push the package to the build system. This is a great exercise for you :-)

MGA8-64 Plasma on an HP Pavilion 15. No installation issues.

It was obvious from the start that I had never run The Gimp from this install before. The first thing I had to do was change the interface from the ugly default to one more to my liking - maximized, system theme, color icons. I suppose just doing that made for a good first test.

I haven't used Gimp for this kind of photo manipulation for quite a while, so I decided to have some fun. I loaded an old photo of a hot air balloon I once crewed for, and did some playing with the special effects. All the ones I tried seemed to work, and just as importantly, could be undone easily.

This one looks good to me. Waiting for the MGA9 version before going further...

CC:
(none) =>
andrewsfarm

Created attachment 14213 [details]
Diff from current mageia 9 spec

(In reply to Stig-Ørjan Smelror from comment #9)
> No, I didn't forget.
>
> However, if you want to do the update and the advisory, I will push the
> package to the build system. This is a great exercise for you :-)

I can't upload packages yet, here are the changes from the current spec in mageia 9
the gegl components in mageia 9 are more recent than mageia 8 so is not necessary update

I build in copr, the build works and the packages works
katnatek
2023-12-13 22:52:23 CET
CC:
(none) =>
ngompa13

(In reply to katnatek from comment #11)
> Created attachment 14213 [details]
> Diff from current mageia 9 spec
>
> (In reply to Stig-Ørjan Smelror from comment #9)
> > No, I didn't forget.
> >
> > However, if you want to do the update and the advisory, I will push the
> > package to the build system. This is a great exercise for you :-)
>
> I can't upload packages yet, here are the changes from the current spec in
> mageia 9
> the gegl components in mageia 9 are more recent than mageia 8 so is not
> necessary update
>
> I build in copr, the build works and the packages works

When the build has completed, please create an advisory. You can base it on the one I created earlier in this report.

Advisory
========

GIMP has been updated to version 2.10.36 to fix several security issues.

CVE-2023-44441: GIMP DDS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
CVE-2023-44442: GIMP PSD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
CVE-2023-44443: GIMP PSP File Parsing Integer Overflow Remote Code Execution Vulnerability
CVE-2023-44444: GIMP PSP File Parsing Off-By-One Remote Code Execution Vulnerability

References
==========

https://www.openwall.com/lists/oss-security/2023/11/20/3

Files
=====

Uploaded to 8/core/updates_testing

gegl-0.4.38-1.mga8
lib(64)gegl0.4_0-0.4.38-1.mga8
lib(64)gegl-devel-0.4.38-1.mga8
lib(64)gegl-gir0.4-0.4.38-1.mga8

from gegl-0.4.38-1.mga8.src.rpm

gimp-2.10.36-1.mga8
lib64gimp2.0_0-2.10.36-1.mga8
lib64gimp2.0-devel-2.10.36-1.mga8

from gimp-2.10.36-1.mga8.src.rpm

Uploaded to 9/core/updates_testing

gimp-2.10.36-1.mga9
lib(64)gimp2.0-devel-2.10.36-1.mga9
lib(64)gimp2.0_0-2.10.36-1.mga9
katnatek
2023-12-14 02:01:43 CET
Status comment:
Fixed upstream in 2.10.36 =>
Updated advisory & packages in comment#13
katnatek
2023-12-14 02:01:57 CET
Keywords:
feedback =>
(none)

Advisory
========

GIMP has been updated to version 2.10.36 to fix several security issues.

CVE-2023-44441: GIMP DDS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
CVE-2023-44442: GIMP PSD File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability
CVE-2023-44443: GIMP PSP File Parsing Integer Overflow Remote Code Execution Vulnerability
CVE-2023-44444: GIMP PSP File Parsing Off-By-One Remote Code Execution Vulnerability

References
==========

https://www.openwall.com/lists/oss-security/2023/11/20/3

Files
=====

Uploaded to 8/core/updates_testing

gegl-0.4.38-1.mga8
lib(64)gegl0.4_0-0.4.38-1.mga8
lib(64)gegl-devel-0.4.38-1.mga8
lib(64)gegl-gir0.4-0.4.38-1.mga8

from gegl-0.4.38-1.mga8.src.rpm

gimp-2.10.36-1.mga8
lib64gimp2.0_0-2.10.36-1.mga8
lib64gimp2.0-devel-2.10.36-1.mga8

from gimp-2.10.36-1.mga8.src.rpm

Uploaded to 9/core/updates_testing

gimp-2.10.36-1.mga9
lib(64)gimp2.0-devel-2.10.36-1.mga9
lib(64)gimp2.0_0-2.10.36-1.mga9

from gimp-2.10.36-1.mga9.src.rpm
katnatek
2023-12-14 02:03:49 CET
Status comment:
Updated advisory & packages in comment#13 =>
Updated advisory & packages in comment#14

MGA9-64 MATE on HP-Pavilion
No installation issues.
Ref bug 3046 for test file.
gimp rejects this file without crashing: OK
Used one of my tif files to exercise selecting, pasting as new file, color saturation, using different transformation tools, all work OK.

CC:
(none) =>
herman.viaene
Marja Van Waes
2023-12-14 16:26:52 CET
CVE:
(none) =>
CVE-2023-44441, CVE-2023-44442, CVE-2023-44443, CVE-2023-44444

Advisory from comment 14 added to SVN. Please remove the "advisory" keyword if it needs to be changed. It also helps when obsolete advisories are tagged as "obsolete"

Keywords:
(none) =>
advisory

Adding the MGA8 OK because of comment 8 and comment 10. Validating.

Whiteboard:
MGA8TOO MGA9-64-OK =>
MGA8TOO, MGA9-64-OK MGA8-64-OK
katnatek
2023-12-14 19:03:08 CET
Source RPM:
gimp-2.10.34-1.mga9.src.rpm =>
gimp-2.10.32-1.mga8.src.rpm,gimp-2.10.34-1.mga9.src.rpm
katnatek
2023-12-14 19:05:01 CET
Source RPM:
gimp-2.10.32-1.mga8.src.rpm,gimp-2.10.34-1.mga9.src.rpm =>
gimp-2.10.32-1.mga8.src.rpm,gegl-0.4.36-1.mga8.src.rpm ,gimp-2.10.34-1.mga9.src.rpm

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0346.html

Status:
NEW =>
RESOLVED

Gimp now stopped working on mga8 because of missed move of gegl-0.4.38-1.mga8.x86_64.rpm

Status comment:
Updated advisory & packages in comment#14 =>
One package left to move!

(In reply to Morgan Leijström from comment #19)
> Gimp now stopped working on mga8 because of missed move of
> gegl-0.4.38-1.mga8.x86_64.rpm

Sorry, my bad, I had missed that there were two SRPMs for Mageia 8. The advisory has now been corrected.

It looks like the MGA8 gegl rpms have not been moved from the testing repos yet. A Usenet poster has a project that has now stalled because he can't run Gimp after the update.

Perhaps this needs more than an advisory revision to get this fixed. This is uncharted territory for me, and I don't know the best way to get this taken care of quickly.

I asked neoclust again, but there are now maybe more people who can do this.
I should maybe have asked on dev ml, too

(In reply to Marja Van Waes from comment #23)
> I asked neoclust again, but there are now maybe more people who can do this.
> I should maybe have asked on dev ml, too

On sysadmin ml, of course.

Done so, now.

(In reply to Marja Van Waes from comment #24)
> (In reply to Marja Van Waes from comment #23)
> > I asked neoclust again, but there are now maybe more people who can do this.
> > I should maybe have asked on dev ml, too
>
> On sysadmin ml, of course.
>
> Done so, now.

I wonder if in these cases is not more fast to open a bug with advisory, validation and oks just for the missing package(s)

That's not the right way to do it. Whoever pushes the updates needs to pay attention to madb because the script is obviously not working right.

In this case there was a mistake in the advisory. Comment 21.

(In reply to Morgan Leijström from comment #27)
> In this case there was a mistake in the advisory. Comment 21.

Yes, but that was fixed in SVN according to Comment 21, so the missing package should be getting pushed.

It did finally get pushed. Thanks to neoclust.

Status:
REOPENED =>
RESOLVED

BTW we should tighten gimp deps on gegl & babel in order to prevent that to happen

CC:
(none) =>
thierry.vignaud

(In reply to Thierry Vignaud from comment #30)
> BTW we should tighten gimp deps on gegl & babel in order to prevent that to
> happen

Make a bug for that, to remember?

Status comment:
One package left to move! =>
(none)