Bug 22291 - gimp new security issues CVE-2017-1778[4-9]
Summary: gimp new security issues CVE-2017-1778[4-9]
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA5-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2017-12-31 18:19 CET by David Walser
Modified: 2018-01-03 15:57 CET

See Also:
Source RPM: gimp-2.8.14-4.2.mga5.src.rpm
CVE:
Status comment:



Description David Walser 2017-12-31 18:19:19 CET
+++ This bug was initially created as a clone of Bug #22252 +++

CVEs have been assigned for several security issues in the GIMP:
http://openwall.com/lists/oss-security/2017/12/20/1

Debian has issued an advisory for this on December 30:
https://www.debian.org/security/2017/dsa-4077

Patched packages uploaded for Mageia 5 and Cauldron.

Mageia 6 is having a build issue, so will deal with that later.

Advisory:
========================

Updated gimp packages fix security vulnerabilities:

Several vulnerabilities were discovered in the GIMP which could result in
denial of service (application crash) or potentially the execution of
arbitrary code if malformed files are opened (CVE-2017-17784, CVE-2017-17785,
CVE-2017-17786, CVE-2017-17787, CVE-2017-17788, CVE-2017-17789).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17784
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17785
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17786
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17787
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17788
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17789
https://www.debian.org/security/2017/dsa-4077
========================

Updated packages in core/updates_testing:
========================
gimp-2.8.14-4.3.mga5
libgimp2.0-devel-2.8.14-4.3.mga5
libgimp2.0_0-2.8.14-4.3.mga5
gimp-python-2.8.14-4.3.mga5

from gimp-2.8.14-4.3.mga5.src.rpm
Comment 1 Thomas Andrews 2018-01-01 04:31:31 CET
On real hardware, 64-bit server kernel, nvidia graphics.

Installed gimp and libgimp, loaded an old map image with 68 layers, attempted several basic manipulations of the image and layers. Everything looked good.

OK for 64-bit on this hardware.

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA5-64-OK

Dave Hodgins 2018-01-01 08:47:35 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 2 Lewis Smith 2018-01-03 10:32:31 CET
A good 64-bit test, just one release -> validation.
Being a fan of Gimp, I played with the update as well. All OK.
There is a chronic problem with Gimp of some of its dialogues being too tall, with the bottom (important buttons) chopped off behind taskbars. Upstream or us?

Keywords: (none) => validated_update
CC: (none) => lewyssmith, sysadmin-bugs

Comment 3 Mageia Robot 2018-01-03 11:33:19 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0030.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 4 Thomas Andrews 2018-01-03 15:57:16 CET
(In reply to Lewis Smith from comment #2)
> A good 64-bit test, just one release -> validation.
> Being a fan of Gimp, I played with the update as well. All OK.
> There is a chronic problem with Gimp of some of its dialogues being too
> tall, with the bottom (important buttons) chopped off behind taskbars.
> Upstream or us?

I'm not seeing that on my display. Gimp has so many ways to customize it that I'm inclined to think it may be one or more of your settings that's the problem. 

One thing that used to bother me was that Gimp would put its windows where it wanted them, instead of where I did. That was before I discovered the setting to "Save window positions when closing."
