Bug 18804 - gimp new security issue CVE-2016-4994
Summary: gimp new security issue CVE-2016-4994
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 5
Hardware: All Linux
: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/692855/
Whiteboard: has_procedure MGA5-32-OK MGA5-64-OK a...
Keywords: validated_update
: 18945 (view as bug list)
Depends on:
Blocks:
 
Reported: 2016-06-28 00:41 CEST by David Walser
Modified: 2016-07-14 23:40 CEST (History)
4 users (show)

See Also:
Source RPM: gimp-2.8.16-1.mga6.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2016-06-28 00:41:45 CEST
Debian-LTS has issued an advisory on June 25:
http://lwn.net/Alerts/692816/

Upstream has made a commit to the 2.8 branch to fix the issue, as mentioned on the upstream bug:
https://bugzilla.gnome.org/show_bug.cgi?id=767873

Mageia 5 is also affected.
Comment 1 Shlomi Fish 2016-06-29 16:09:56 CEST
I submitted gimp-2.8.16-rel2 to Cauldron for fixing that - http://pkgsubmit.mageia.org/ . It includes the patch from the repository. After some testing , I will also build an mga v5 package.
Comment 2 David Walser 2016-06-30 03:31:21 CEST
Packages built:
gimp-2.8.14-4.1.mga5
libgimp2.0-devel-2.8.14-4.1.mga5
libgimp2.0_0-2.8.14-4.1.mga5
gimp-python-2.8.14-4.1.mga5

from gimp-2.8.14-4.1.mga5.src.rpm

Please assign to QA when it's ready for testing.
Comment 3 Shlomi Fish 2016-06-30 15:21:34 CEST
Assigning to QA as it's ready for testing. I don't know if there's a test procedure anywhere.
Comment 4 David Walser 2016-06-30 16:15:16 CEST
PoC file is attached to the GNOME bug.

Advisory:
========================

Updated gimp packages fix security vulnerability:

It was discovered that there was a use-after-free vulnerability in the channel
and layer properties parsing process in GIMP (CVE-2016-4994).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4994
https://bugzilla.gnome.org/show_bug.cgi?id=767873
http://lwn.net/Alerts/692816/
========================

Updated packages in core/updates_testing:
========================
gimp-2.8.14-4.1.mga5
libgimp2.0-devel-2.8.14-4.1.mga5
libgimp2.0_0-2.8.14-4.1.mga5
gimp-python-2.8.14-4.1.mga5

from gimp-2.8.14-4.1.mga5.src.rpm
Comment 5 David Walser 2016-07-01 19:32:19 CEST
Mageia 5 i586, GIMP opens the PoC file just fine.
Comment 6 Lewis Smith 2016-07-02 07:56:57 CEST
Thanks David for the 32-bit test.

Testing M5 x64
Using the test file https://bugzilla.gnome.org/attachment.cgi?id=330079
and command to try it in https://bugzilla.gnome.org/show_bug.cgi?id=767873

BEFORE the update:
 gimp-2.8.14-4.mga5
 lib64gimp2.0_0-2.8.14-4.mga5

 $ gimp Gimp_UaF.xcf

(gimp:20510): Gimp-Core-CRITICAL **: gimp_image_set_active_layer: assertion 'layer == NULL || GIMP_IS_LAYER (layer)' failed

AFTER the update:
 gimp-2.8.14-4.1.mga5
 lib64gimp2.0_0-2.8.14-4.1.mga5

$ gimp Gimp_UaF.xcf
 [NO failure message]

OK'ing & validating the update.
Comment 7 Mageia Robot 2016-07-05 17:48:17 CEST
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0241.html
Comment 8 David Walser 2016-07-14 23:40:27 CEST
*** Bug 18945 has been marked as a duplicate of this bug. ***

Note You need to log in before you can comment on or make changes to this bug.