| Summary: | gimp new security issues CVE-2012-2763 and CVE-2012-3236 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | |
| Severity: | minor | | |
| Priority: | Low | CC: | davidwhodgins, marc.lattemann, sysadmin-bugs, tmb |
| Version: | 1 | Keywords: | validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://lwn.net/Vulnerabilities/514813/ | | |
| Whiteboard: | MGA1-64-OK MGA1-32-OK | | |
| Source RPM: | gimp-2.8.0-1.1.mga2.src.rpm | CVE: | |
| Status comment: | | | |
| Bug Depends on: | 6403 | | |
| Bug Blocks: | | | |
Description

David Walser
2012-09-04 20:30:40 CEST

David Walser
2012-09-04 20:31:05 CEST
Priority: Normal => Low

Frédéric "LpSolit" Buclin
2012-09-30 19:10:34 CEST
Depends on: (none) => 6403

Mga2 updated to gimp-2.8.2-1.1.mga2.src.rpm which addresses CVE-2012-3236 bug 6403

Hardware: i586 => All

This message is a reminder that Mageia 1 is nearing its end of life. In approximately 25 days from now, Mageia will stop maintaining and issuing updates for Mageia 1. At that time this bug will be closed as WONTFIX (EOL) if it remains open with a Mageia 'version' of '1'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Mageia version prior to Mageia 1's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Mageia 1 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Mageia, you are encouraged to click on "Version" and change it against that version of Mageia.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Mageia release includes newer upstream software that fixes bugs or makes them obsolete.

-- Mageia Bugsquad

Pushed to updates_testing.

Advisory:
========================

Updated gimp packages fix security vulnerabilities:

Buffer overflow in the readstr_upto function in plug-ins/script-fu/tinyscheme/scheme.c in GIMP 2.6.12 and earlier, and possibly 2.6.13, allows remote attackers to execute arbitrary code via a long string in a command to the script-fu server (CVE-2012-2763).

fits-io.c in GIMP before 2.8.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed XTENSION header of a .fit file, as demonstrated using a long string (CVE-2012-3236).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3236
http://lists.opensuse.org/opensuse-updates/2012-09/msg00001.html
========================

Updated packages in core/updates_testing:
========================
gimp-2.6.11-7.3.mga1
libgimp2.0-devel-2.6.11-7.3.mga1
libgimp2.0_0-2.6.11-7.3.mga1
gimp-python-2.6.11-7.3.mga1

from gimp-2.6.11-7.3.mga1.src.rpm

Assignee: bugsquad => qa-bugs

Trying to compile the poc, I've installed wine-devel, and run

```
ln -s /usr/include/wine/windows/* /usr/include/
$ gcc scriptfubof.c
/tmp/cc4OA6Dm.o: In function `main':
scriptfubof.c:(.text+0x8c): undefined reference to `WSAStartup'
scriptfubof.c:(.text+0xb9): undefined reference to `WSACleanup'
scriptfubof.c:(.text+0x157): undefined reference to `WSAGetLastError'
scriptfubof.c:(.text+0x17a): undefined reference to `WSACleanup'
scriptfubof.c:(.text+0x1a4): undefined reference to `closesocket'
scriptfubof.c:(.text+0x1a9): undefined reference to `WSACleanup'
/tmp/cc4OA6Dm.o: In function `senddata':
scriptfubof.c:(.text+0x24d): undefined reference to `WSAGetLastError'
scriptfubof.c:(.text+0x270): undefined reference to `WSACleanup'
/tmp/cc4OA6Dm.o: In function `recvdata':
scriptfubof.c:(.text+0x326): undefined reference to `WSAGetLastError'
scriptfubof.c:(.text+0x353): undefined reference to `closesocket'
scriptfubof.c:(.text+0x358): undefined reference to `WSACleanup'
collect2: ld returned 1 exit status
```

I'm guessing I need some linker option, but have no idea how to figure out what's needed.

CC: (none) => davidwhodgins

```
winegcc scriptfubof.c -L/usr/lib/wine/ -lwsock32
```

that works for me on i586. On x86-64

```
winegcc -v scriptfubof.c -L/usr/lib/wine/ -lwsock32 -m32
```

Bug confirmed on both i586 and x86-64.

On i586, used Filters/Script-Fu/Start server, then ran ...

```
[dave@i1v ~]$ ./a.out 127.0.0.1 10008
/usr/lib/gimp/2.0/plug-ins/script-fu: fatal error: Segmentation fault
```

On x86-64, ...

```
[dave@x1v ~]$ ./a.out 127.0.0.1 10008
/usr/lib64/gimp/2.0/plug-ins/script-fu: fatal error: Segmentation fault
```

I'll install and test the updates now.

Testing complete on Mageia 1 i586 and x86-64.

After the update, running the program causes the server to show "Error: eval: unbound variable". It no longer crashes.

Could someone from the sysadmin team push the srpm gimp-2.6.11-7.3.mga1.src.rpm from Mageia 1 Core Updates Testing to Core Updates.

Advisory:

Updated gimp packages fix security vulnerabilities:

Buffer overflow in the readstr_upto function in plug-ins/script-fu/tinyscheme/scheme.c in GIMP 2.6.12 and earlier, and possibly 2.6.13, allows remote attackers to execute arbitrary code via a long string in a command to the script-fu server (CVE-2012-2763).

fits-io.c in GIMP before 2.8.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed XTENSION header of a .fit file, as demonstrated using a long string (CVE-2012-3236).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2763
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3236
http://lists.opensuse.org/opensuse-updates/2012-09/msg00001.html
https://bugs.mageia.org/show_bug.cgi?id=7351

Keywords: (none) => validated_update

Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0327

Status: NEW => RESOLVED
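The advisory in this bug describes CVE-2012-2763 as a reader that copies a command string up to a delimiter into a fixed-size buffer and overflows on a long string. The following is an added illustration of the hardened form of that pattern, written for this page; it is not GIMP's tinyscheme code, and the function names, delimiter set and buffer size are assumptions.

```c
#include <string.h>

/* Fixed-size token buffer standing in for a parser's static string
 * buffer.  The size is an assumption for this illustration. */
#define STRBUFF_SIZE 64

/* Copy bytes from 'in' into 'out' until a byte listed in 'delim' (or the
 * end of input) is reached, never writing more than outsz - 1 bytes.
 * Returns the number of bytes copied, or -1 when the token would not fit,
 * which is the condition an unbounded reader would turn into an overflow.
 * 'out' is NUL-terminated on every return path. */
long readstr_upto_bounded(const char *in, const char *delim,
                          char *out, size_t outsz)
{
    size_t n = 0;

    if (outsz == 0)
        return -1;

    while (in[n] != '\0' && strchr(delim, in[n]) == NULL) {
        if (n + 1 >= outsz) {   /* no room for this byte plus the NUL */
            out[0] = '\0';
            return -1;
        }
        out[n] = in[n];
        n++;
    }
    out[n] = '\0';
    return (long)n;
}

/* How a parser with a static buffer would call the reader.  The
 * delimiter set is an assumption, not tinyscheme's exact list. */
long read_token(const char *in, char out[STRBUFF_SIZE])
{
    return readstr_upto_bounded(in, "() \t\r\n\"", out, STRBUFF_SIZE);
}

/* Constructed sample: a token several times longer than the buffer.
 * Returns 1 if the bounded reader rejects it and leaves 'out' empty. */
int long_token_is_rejected(void)
{
    char in[4 * STRBUFF_SIZE];
    char out[STRBUFF_SIZE];

    memset(in, 'A', sizeof in - 1);
    in[sizeof in - 1] = '\0';
    return read_token(in, out) == -1 && out[0] == '\0';
}
```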