Bug 8326

Summary: gimp new security issue CVE-2012-5576
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: davidwhodgins, sysadmin-bugs, tmb
Version: 2Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/528436/
Whiteboard: MGA2-64-OK MGA2-32-OK
Source RPM: gimp-2.8.2-1.1.mga2.src.rpm CVE:
Status comment:

Description David Walser 2012-12-07 17:30:48 CET 
OpenSuSE has issued an advisory today (December 7):
http://lists.opensuse.org/opensuse-updates/2012-12/msg00017.html

Patched package uploaded for Mageia 2 and Cauldron.

Patch checked into Mageia 1 SVN.

Advisory:
========================

Updated gimp packages fix security vulnerability:

GIMP 2.8.2 and earlier is vulnerable to memory corruption when reading XWD
files, which could lead even to arbitrary code execution (CVE-2012-5576).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5576
http://lists.opensuse.org/opensuse-updates/2012-12/msg00017.html
========================

Updated packages in core/updates_testing:
========================
gimp-2.8.2-1.2.mga2
libgimp2.0-devel-2.8.2-1.2.mga2
libgimp2.0_0-2.8.2-1.2.mga2
gimp-python-2.8.2-1.2.mga2

from gimp-2.8.2-1.2.mga2.src.rpm
Comment 1 claire robinson 2012-12-07 18:29:14 CET 
Possible PoC test file: https://bugzilla.gnome.org/attachment.cgi?id=227862

Taken from https://bugzilla.gnome.org/show_bug.cgi?id=687392
David Walser 2012-12-07 19:37:51 CET

URL: (none) => http://lwn.net/Vulnerabilities/528436/

Comment 2 Dave Hodgins 2012-12-08 03:45:03 CET 
Testing complete on Mageia 2 i586 and x86-64.

Before installing the update, opening the file causes a message warning that
gimp's internal state has been corrupted.  After installing the update, it
just warns that the file is corrrupt.

Could someone from the sysadmin team push the srpm
gimp-2.8.2-1.2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated gimp packages fix security vulnerability:

GIMP 2.8.2 and earlier is vulnerable to memory corruption when reading XWD
files, which could lead even to arbitrary code execution (CVE-2012-5576).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5576
http://lists.opensuse.org/opensuse-updates/2012-12/msg00017.html

https://bugs.mageia.org/show_bug.cgi?id=8326

Keywords: (none) => validated_update
CC: (none) => davidwhodgins, sysadmin-bugs
Whiteboard: (none) => MGA2-64-OK MGA2-32-OK

Comment 3 Thomas Backlund 2012-12-11 22:28:15 CET 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0360

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED