Bug 7128 - gimp new security issues CVE-2012-3403 and CVE-2012-3481
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: major
Target Milestone: ---
Assigned To: QA Team
QA Contact:
URL: http://lwn.net/Vulnerabilities/512443/
Whiteboard: MGA1TOO MGA2-32-OK MGA2-64-OK MGA1-64...
Keywords: validated_update
Depends on:
Blocks:
Reported: 2012-08-20 22:53 CEST by David Walser
Modified: 2012-08-23 10:31 CEST (History)
CC: 4 users

See Also:
Source RPM: gimp-2.8.0-1.mga2.src.rpm
CVE:


Description David Walser 2012-08-20 22:53:35 CEST
RedHat has issued an advisory today (August 20):
https://rhn.redhat.com/errata/RHSA-2012-1180.html

Patched packages uploaded for Mageia 1, Mageia 2, and Cauldron.

CVE-2011-2896 was previously fixed in Bug 3096.

Advisory:
========================

Updated gimp packages fix security vulnerabilities:

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the GIMP's GIF image format plug-in. An attacker could create a
specially-crafted GIF image file that, when opened, could cause the GIF
plug-in to crash or, potentially, execute arbitrary code with the
privileges of the user running the GIMP (CVE-2012-3481).

A heap-based buffer overflow flaw was found in the GIMP's KiSS CEL file
format plug-in. An attacker could create a specially-crafted KiSS palette
file that, when opened, could cause the CEL plug-in to crash or,
potentially, execute arbitrary code with the privileges of the user running
the GIMP (CVE-2012-3403).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3481
https://rhn.redhat.com/errata/RHSA-2012-1180.html
========================

Updated packages in core/updates_testing:
========================
gimp-2.6.11-7.2.mga1
libgimp2.0-devel-2.6.11-7.2.mga1
libgimp2.0_0-2.6.11-7.2.mga1
gimp-python-2.6.11-7.2.mga1
gimp-2.8.0-1.1.mga2
libgimp2.0-devel-2.8.0-1.1.mga2
libgimp2.0_0-2.8.0-1.1.mga2
gimp-python-2.8.0-1.1.mga2

from SRPMS:
gimp-2.6.11-7.2.mga1.src.rpm
gimp-2.8.0-1.1.mga2.src.rpm
Comment 1 Eduard Beliaev 2012-08-20 23:34:13 CEST
Works ok on Mageia 2 i586.
Comment 2 Eduard Beliaev 2012-08-21 01:47:19 CEST
Tested on Mageia 2 x86_64. No problems.
Comment 3 claire robinson 2012-08-21 19:44:29 CEST
PoC gif for CVE-2012-3481 here:
https://bugzilla.novell.com/attachment.cgi?id=502827

I've not managed to get a KiSS cel file to work with gimp so far. LZH files from here won't open directly, but renaming to .cel did open a blank window using 8.9 GB of memory.
Comment 4 claire robinson 2012-08-21 19:45:15 CEST
from here: http://otakuworld.com/kiss/
Comment 5 Dave Hodgins 2012-08-21 23:12:50 CEST
Testing Mageia 1 shortly.
Comment 6 Dave Hodgins 2012-08-21 23:41:44 CEST
Testing complete on Mageia 1 i586 and x86-64.

Testing using the attachment from
https://bugzilla.redhat.com/show_bug.cgi?id=727800

Could someone from the sysadmin team push the srpm
gimp-2.8.0-1.1.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates and the srpm
gimp-2.6.11-7.2.mga1.src.rpm
from Mageia 1 Core Updates Testing to Core Updates.

Advisory: Updated gimp packages fix security vulnerabilities:

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the GIMP's GIF image format plug-in. An attacker could create a
specially-crafted GIF image file that, when opened, could cause the GIF
plug-in to crash or, potentially, execute arbitrary code with the
privileges of the user running the GIMP (CVE-2012-3481).

A heap-based buffer overflow flaw was found in the GIMP's KiSS CEL file
format plug-in. An attacker could create a specially-crafted KiSS palette
file that, when opened, could cause the CEL plug-in to crash or,
potentially, execute arbitrary code with the privileges of the user running
the GIMP (CVE-2012-3403).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3403
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3481
https://rhn.redhat.com/errata/RHSA-2012-1180.html

https://bugs.mageia.org/show_bug.cgi?id=7128
Comment 7 Thomas Backlund 2012-08-23 10:31:23 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0236
