Bug 8326 - gimp new security issue CVE-2012-5576
: gimp new security issue CVE-2012-5576
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 2
: i586 Linux
: Normal Severity: major
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/528436/
: MGA2-64-OK MGA2-32-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-12-07 17:30 CET by David Walser
Modified: 2012-12-11 22:28 CET (History)
3 users (show)

See Also:
Source RPM: gimp-2.8.2-1.1.mga2.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2012-12-07 17:30:48 CET
OpenSuSE has issued an advisory today (December 7):
http://lists.opensuse.org/opensuse-updates/2012-12/msg00017.html

Patched package uploaded for Mageia 2 and Cauldron.

Patch checked into Mageia 1 SVN.

Advisory:
========================

Updated gimp packages fix security vulnerability:

GIMP 2.8.2 and earlier is vulnerable to memory corruption when reading XWD
files, which could lead even to arbitrary code execution (CVE-2012-5576).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5576
http://lists.opensuse.org/opensuse-updates/2012-12/msg00017.html
========================

Updated packages in core/updates_testing:
========================
gimp-2.8.2-1.2.mga2
libgimp2.0-devel-2.8.2-1.2.mga2
libgimp2.0_0-2.8.2-1.2.mga2
gimp-python-2.8.2-1.2.mga2

from gimp-2.8.2-1.2.mga2.src.rpm
Comment 1 claire robinson 2012-12-07 18:29:14 CET
Possible PoC test file: https://bugzilla.gnome.org/attachment.cgi?id=227862

Taken from https://bugzilla.gnome.org/show_bug.cgi?id=687392
Comment 2 Dave Hodgins 2012-12-08 03:45:03 CET
Testing complete on Mageia 2 i586 and x86-64.

Before installing the update, opening the file causes a message warning that
gimp's internal state has been corrupted.  After installing the update, it
just warns that the file is corrrupt.

Could someone from the sysadmin team push the srpm
gimp-2.8.2-1.2.mga2.src.rpm
from Mageia 2 Core Updates Testing to Core Updates.

Advisory: Updated gimp packages fix security vulnerability:

GIMP 2.8.2 and earlier is vulnerable to memory corruption when reading XWD
files, which could lead even to arbitrary code execution (CVE-2012-5576).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5576
http://lists.opensuse.org/opensuse-updates/2012-12/msg00017.html

https://bugs.mageia.org/show_bug.cgi?id=8326
Comment 3 Thomas Backlund 2012-12-11 22:28:15 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0360

Note You need to log in before you can comment on or make changes to this bug.