SUSE has issued an advisory today (May 31): https://lists.suse.com/pipermail/sle-security-updates/2022-May/011204.html Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Assigning to Stig who has maintained Gimp previously. CC'ing tv for the Gimp3 bit.
Assignee: bugsquad => smelrorCC: (none) => thierry.vignaud
Updates pushed to Cauldron for both 2.10 and 2.99(3.x)
Whiteboard: MGA8TOO => (none)Version: Cauldron => 8Source RPM: gimp-2.10.30-3.mga9.src.rpm, gimp3-2.99.10-2.mga9.src.rpm => gimp-2.10.24-1.mga8.src.rpm
Advisory ======== GIMP has been updated with an upstream fix for CVE-2022-30067. CVE-2022-30067: GIMP 2.10.30 and 2.99.10 are vulnerable to Buffer Overflow. Through a crafted XCF file, the program will allocate for a huge amount of memory, resulting in insufficient memory or program crash. References ========== http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30067 https://lists.suse.com/pipermail/sle-security-updates/2022-May/011204.html Files ===== Uploaded to core/updates_testing lib64gimp2.0_0-2.10.24-1.1.mga8 lib64gimp2.0-devel-2.10.24-1.1.mga8 gimp-2.10.24-1.1.mga8 from gimp-2.10.24-1.1.mga8.src.rpm
CVE: (none) => CVE-2022-30067Assignee: smelror => qa-bugs
Hi, in this bug I updated Gimp to 2.10.30 for Mageia 8. If someone can upload this to testing repositories, we update Gimp to 2.10.30, with this bugfixed. https://bugs.mageia.org/show_bug.cgi?id=29473 Greetings
CC: (none) => joselp
MGA8-64 Plasma on Lenovo B50 in Dutch No installaion issues. Tied a few color and size operations: works OK. Found crafted file in https://gitlab.gnome.org/GNOME/gimp/-/issues/8120. This version of GIMP rejects this file as being incomplete or damaged. I guess that demonstrates the fix. I will upload the XCF file.
Whiteboard: (none) => MGA8-64-OKCC: (none) => herman.viaene
Created attachment 13287 [details] crafted XCF file
I downloaded the "crafted XCF" file and attempted to load it into Gimp before updating. All it did, visibly anyway, is crash without any notice. No installation issues with the update. Ran the "crafted XCF" file again, and this time there was a notice that the file was corrupt, but no crash. So, as Herman says, that seems to demonstrate the fix. Loaded an XCF file that I have been working with recently, a color-coded map of our farm showing what crops we have planted or will be planting where, with labels showing field size. It is a complex image, with over 70 layers. When finished, it will be printed and turned in to the USDA. For this session, I made some corrections to the file, editing labels, redrawing some spots to closer represent reality, then saving the image. No issues to report, so confirming the OK.
CC: (none) => andrewsfarm
(In reply to Jose Manuel López from comment #4) > Hi, in this bug I updated Gimp to 2.10.30 for Mageia 8. If someone can > upload this to testing repositories, we update Gimp to 2.10.30, with this > bugfixed. > > https://bugs.mageia.org/show_bug.cgi?id=29473 > Jose, the proposed advisory for this bug says that Gimp 2.10.30 is vulnerable to this issue. I see nothing in Bug 29473 that shows that this particular issue was addressed in the 2.10.30 that you built. So, I'm not going to hold this back at this time. Validating this update, to get this fix out there. Advisory in Comment 3.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugs
CC: (none) => davidwhodginsKeywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0219.html
Status: NEW => RESOLVEDResolution: (none) => FIXED