Bug 7128

Summary:	gimp new security issues CVE-2012-3403 and CVE-2012-3481
Product:	Mageia	Reporter:	David Walser <luigiwalser>
Component:	Security	Assignee:	QA Team <qa-bugs>
Status:	RESOLVED FIXED	QA Contact:
Severity:	major
Priority:	Normal	CC:	davidwhodgins, ed_rus099, sysadmin-bugs, tmb
Version:	2	Keywords:	validated_update
Target Milestone:	---
Hardware:	i586
OS:	Linux
URL:	http://lwn.net/Vulnerabilities/512443/
Whiteboard:	MGA1TOO MGA2-32-OK MGA2-64-OK MGA1-64-OK MGA1-32-OK
Source RPM:	gimp-2.8.0-1.mga2.src.rpm	CVE:
Status comment:

Description David Walser 2012-08-20 22:53:35 CEST

RedHat has issued an advisory today (August 20):
https://rhn.redhat.com/errata/RHSA-2012-1180.html

Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

CVE-2011-2896 was previously fixed in Bug 3096.

Advisory:
========================

Updated gimp packages fix security vulnerabilities:

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the GIMP's GIF image format plug-in. An attacker could create a
specially-crafted GIF image file that, when opened, could cause the GIF
plug-in to crash or, potentially, execute arbitrary code with the
privileges of the user running the GIMP (CVE-2012-3481).

A heap-based buffer overflow flaw was found in the GIMP's KiSS CEL file
format plug-in. An attacker could create a specially-crafted KiSS palette
file that, when opened, could cause the CEL plug-in to crash or,
potentially, execute arbitrary code with the privileges of the user running
the GIMP (CVE-2012-3403).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3481
https://rhn.redhat.com/errata/RHSA-2012-1180.html
========================

Updated packages in core/updates_testing:
========================
gimp-2.6.11-7.2.mga1
libgimp2.0-devel-2.6.11-7.2.mga1
libgimp2.0_0-2.6.11-7.2.mga1
gimp-python-2.6.11-7.2.mga1
gimp-2.8.0-1.1.mga2.
libgimp2.0-devel-2.8.0-1.1.mga2
libgimp2.0_0-2.8.0-1.1.mga2
gimp-python-2.8.0-1.1.mga2

from SRPMS:
gimp-2.6.11-7.2.mga1.src.rpm
gimp-2.8.0-1.1.mga2.src.rpm

David Walser 2012-08-20 22:54:12 CEST

Whiteboard: (none) => MGA1TOO
Severity: normal => major

Comment 1 Eduard Beliaev 2012-08-20 23:34:13 CEST

Works ok on Mageia 2 i568.

CC: (none) => ed_rus099
Whiteboard: MGA1TOO => MGA1TOO MGA2-32-OK

Comment 2 Eduard Beliaev 2012-08-21 01:47:19 CEST

Tested on Mageia 2 x86_64. No problems.

Whiteboard: MGA1TOO MGA2-32-OK => MGA1TOO MGA2-32-OK MGA2-64-OK

Comment 3 claire robinson 2012-08-21 19:44:29 CEST

PoC gif for CVE-2012-3481 here:
https://bugzilla.novell.com/attachment.cgi?id=502827

I've not managed to get a kiss cel file to work with gimp so far. lzh files from here won't open directly but renaming to .cel did open a blank window using 8.9Gb of memory.

Comment 4 claire robinson 2012-08-21 19:45:15 CEST

from here: http://otakuworld.com/kiss/

Comment 5 Dave Hodgins 2012-08-21 23:12:50 CEST

Testing Mageia 1 shortly.

CC: (none) => davidwhodgins

Comment 6 Dave Hodgins 2012-08-21 23:41:44 CEST

Testing complete on Mageia 1 i586 and x86-64.

Testing using the attachment from
https://bugzilla.redhat.com/show_bug.cgi?id=727800

Could someone from the sysadmin team push the srpm
gimp-2.8.0-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
gimp-2.6.11-7.2.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated gimp packages fix security vulnerabilities:

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the GIMP's GIF image format plug-in. An attacker could create a
specially-crafted GIF image file that, when opened, could cause the GIF
plug-in to crash or, potentially, execute arbitrary code with the
privileges of the user running the GIMP (CVE-2012-3481).

A heap-based buffer overflow flaw was found in the GIMP's KiSS CEL file
format plug-in. An attacker could create a specially-crafted KiSS palette
file that, when opened, could cause the CEL plug-in to crash or,
potentially, execute arbitrary code with the privileges of the user running
the GIMP (CVE-2012-3403).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3481
https://rhn.redhat.com/errata/RHSA-2012-1180.html

https://bugs.mageia.org/show_bug.cgi?id=7128

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA1TOO MGA2-32-OK MGA2-64-OK => MGA1TOO MGA2-32-OK MGA2-64-OK MGA1-64-OK MGA1-32-OK

Comment 7 Thomas Backlund 2012-08-23 10:31:23 CEST

Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0236

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED