OpenSuSE has issued an advisory today (December 7): http://lists.opensuse.org/opensuse-updates/2012-12/msg00017.html Patched package uploaded for Mageia 2 and Cauldron. Patch checked into Mageia 1 SVN. Advisory: ======================== Updated gimp packages fix security vulnerability: GIMP 2.8.2 and earlier is vulnerable to memory corruption when reading XWD files, which could lead even to arbitrary code execution (CVE-2012-5576). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5576 http://lists.opensuse.org/opensuse-updates/2012-12/msg00017.html ======================== Updated packages in core/updates_testing: ======================== gimp-2.8.2-1.2.mga2 libgimp2.0-devel-2.8.2-1.2.mga2 libgimp2.0_0-2.8.2-1.2.mga2 gimp-python-2.8.2-1.2.mga2 from gimp-2.8.2-1.2.mga2.src.rpm
Possible PoC test file: https://bugzilla.gnome.org/attachment.cgi?id=227862 Taken from https://bugzilla.gnome.org/show_bug.cgi?id=687392
URL: (none) => http://lwn.net/Vulnerabilities/528436/
Testing complete on Mageia 2 i586 and x86-64. Before installing the update, opening the file causes a message warning that gimp's internal state has been corrupted. After installing the update, it just warns that the file is corrrupt. Could someone from the sysadmin team push the srpm gimp-2.8.2-1.2.mga2.src.rpm from Mageia 2 Core Updates Testing to Core Updates. Advisory: Updated gimp packages fix security vulnerability: GIMP 2.8.2 and earlier is vulnerable to memory corruption when reading XWD files, which could lead even to arbitrary code execution (CVE-2012-5576). References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5576 http://lists.opensuse.org/opensuse-updates/2012-12/msg00017.html https://bugs.mageia.org/show_bug.cgi?id=8326
Keywords: (none) => validated_updateCC: (none) => davidwhodgins, sysadmin-bugsWhiteboard: (none) => MGA2-64-OK MGA2-32-OK
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0360
Status: NEW => RESOLVEDCC: (none) => tmbResolution: (none) => FIXED