Your message dated Sat, 11 Jun 2011 22:33:01 +0000
with message-id <[email protected]>
and subject line Bug#629830: fixed in gimp 2.6.11-3
has caused the Debian Bug report #629830,
regarding gimp vulnerable to CVE-2011-1782
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
629830: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629830
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: gimp
Version: 2.6.11-2
Severity: normal
Tags: patch
User: [email protected]
Usertags: origin-ubuntu oneiric ubuntu-patch
*** /tmp/tmphuxFni
In Ubuntu, the attached patch was applied to achieve the following security
fix:
* SECURITY UPDATE: denial of service and possible code execution via
malformed PSP image file
- debian/patches/08_CVE-2011-1782.patch: further fix buffer overflow in
plug-ins/common/file-psp.c.
- CVE-2011-1782
Thanks for considering the patch.
-- System Information:
Debian Release: squeeze/sid
APT prefers natty-updates
APT policy: (500, 'natty-updates'), (500, 'natty-security'), (500,
'natty-proposed'), (500, 'natty')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-10-generic (SMP w/4 CPU cores)
Locale: LANG=en_CA.UTF-8, LC_CTYPE=en_CA.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru gimp-2.6.11/debian/changelog gimp-2.6.11/debian/changelog
diff -Nru gimp-2.6.11/debian/patches/08_CVE-2011-1782.patch gimp-2.6.11/debian/patches/08_CVE-2011-1782.patch
--- gimp-2.6.11/debian/patches/08_CVE-2011-1782.patch 1969-12-31 19:00:00.000000000 -0500
+++ gimp-2.6.11/debian/patches/08_CVE-2011-1782.patch 2011-06-08 10:34:23.000000000 -0400
@@ -0,0 +1,17 @@
+Description: fix denial of service and possible code execution via
+ malformed PSP image file
+Origin: upstream, http://git.gnome.org/browse/gimp/commit?id=f657361db04de69ce003328724c59e3f942d7d15
+
+Index: gimp-2.6.11/plug-ins/common/file-psp.c
+===================================================================
+--- gimp-2.6.11.orig/plug-ins/common/file-psp.c 2011-06-08 10:31:55.406816426 -0400
++++ gimp-2.6.11/plug-ins/common/file-psp.c 2011-06-08 10:32:06.516816421 -0400
+@@ -1246,7 +1246,7 @@
+ fread (buf, runcount, 1, f);
+
+ /* prevent buffer overflow for bogus data */
+- runcount = MIN (runcount, endq - q);
++ runcount = MIN (runcount, (endq - q) / bytespp);
+
+ if (bytespp == 1)
+ {
diff -Nru gimp-2.6.11/debian/patches/series gimp-2.6.11/debian/patches/series
--- gimp-2.6.11/debian/patches/series 2011-05-17 12:27:03.000000000 -0400
+++ gimp-2.6.11/debian/patches/series 2011-06-08 10:31:46.000000000 -0400
@@ -4,3 +4,4 @@
06_CVE-2010-4543.patch
05_CVE-2010-454x.patch
07_binutils-gold.patch
+08_CVE-2011-1782.patch
--- End Message ---
--- Begin Message ---
Source: gimp
Source-Version: 2.6.11-3
We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive:
gimp-data_2.6.11-3_all.deb
to main/g/gimp/gimp-data_2.6.11-3_all.deb
gimp-dbg_2.6.11-3_amd64.deb
to main/g/gimp/gimp-dbg_2.6.11-3_amd64.deb
gimp_2.6.11-3.debian.tar.gz
to main/g/gimp/gimp_2.6.11-3.debian.tar.gz
gimp_2.6.11-3.dsc
to main/g/gimp/gimp_2.6.11-3.dsc
gimp_2.6.11-3_amd64.deb
to main/g/gimp/gimp_2.6.11-3_amd64.deb
libgimp2.0-dev_2.6.11-3_amd64.deb
to main/g/gimp/libgimp2.0-dev_2.6.11-3_amd64.deb
libgimp2.0-doc_2.6.11-3_all.deb
to main/g/gimp/libgimp2.0-doc_2.6.11-3_all.deb
libgimp2.0_2.6.11-3_amd64.deb
to main/g/gimp/libgimp2.0_2.6.11-3_amd64.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Ari Pollak <[email protected]> (supplier of updated gimp package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160
Format: 1.8
Date: Sat, 11 Jun 2011 17:30:56 -0400
Source: gimp
Binary: libgimp2.0 gimp gimp-data libgimp2.0-dev libgimp2.0-doc gimp-dbg
Architecture: source all amd64
Version: 2.6.11-3
Distribution: unstable
Urgency: low
Maintainer: Ari Pollak <[email protected]>
Changed-By: Ari Pollak <[email protected]>
Description:
gimp - The GNU Image Manipulation Program
gimp-data - Data files for GIMP
gimp-dbg - Debugging symbols for GIMP
libgimp2.0 - Libraries for the GNU Image Manipulation Program
libgimp2.0-dev - Headers and other files for compiling plugins for GIMP
libgimp2.0-doc - Developers' Documentation for the GIMP library
Closes: 629830
Changes:
gimp (2.6.11-3) unstable; urgency=low
.
* Fix buffer overflow in PSP reading code (CVE-2011-1782) (Closes: #629830)
Checksums-Sha1:
32d2f202ef7b33cb8771ad5ad3f497162485a504 1940 gimp_2.6.11-3.dsc
72757183c6c429c61ada845e0c8e12b1810091a7 45329 gimp_2.6.11-3.debian.tar.gz
e08aafb10b1e0141bcff4169627a268602819cb2 11672180 gimp-data_2.6.11-3_all.deb
32d225bbb424ae3d3b5cd64a2daecd050b77aa03 1101862
libgimp2.0-doc_2.6.11-3_all.deb
53cb7b5c13aa411dfdcd52d00cdb539e4e8ef497 1183514 libgimp2.0_2.6.11-3_amd64.deb
11b86d17a61a94c84f92e386d090f60f1ff5438f 5000468 gimp_2.6.11-3_amd64.deb
7840b5658d155f52693eb5b93712cd8915977815 184936
libgimp2.0-dev_2.6.11-3_amd64.deb
2a25cdb4d45cbfee84b284fabf6586ec228903f4 14745876 gimp-dbg_2.6.11-3_amd64.deb
Checksums-Sha256:
5d6a754e6252ffe81b86d744ec3956a03a904e8bace0597f48c494e58a0981cb 1940
gimp_2.6.11-3.dsc
49b28c05b11a31f3615afae275d8b3cf92ca70f5afebd920a45f05bcc5784945 45329
gimp_2.6.11-3.debian.tar.gz
8b5d93371ac600b4ba67b98f5c67ccc67710cdbd5640e4457ba27f681387de0b 11672180
gimp-data_2.6.11-3_all.deb
eaa295d78159667760db9eb84f47a7687357c85ff5b62228af356f18cc619ac3 1101862
libgimp2.0-doc_2.6.11-3_all.deb
19f6ceced3dbb6d2c111ca95f3bc99e57e10cae0785fc988d01253a6f0cf8dd2 1183514
libgimp2.0_2.6.11-3_amd64.deb
362f7528536053cdf80b8c9380e876a0c264324abae95f6ba28306a489cb607d 5000468
gimp_2.6.11-3_amd64.deb
afa8b0b8d12a6360429f264a7b9db4f5a03d6d9387eae7759af96255f7c2e195 184936
libgimp2.0-dev_2.6.11-3_amd64.deb
1f055b1e36417bdc036cb38f562eed8a097069852c9e7565f23849d2dbe208a2 14745876
gimp-dbg_2.6.11-3_amd64.deb
Files:
023619a500394462583a1bd20d9843be 1940 graphics optional gimp_2.6.11-3.dsc
30e5b3b7f08367626741ac38a547d41c 45329 graphics optional
gimp_2.6.11-3.debian.tar.gz
d8d3867c59d47ef479a484e3fb124dc3 11672180 graphics optional
gimp-data_2.6.11-3_all.deb
23a32529acc5d792698cf66725bfbee7 1101862 doc optional
libgimp2.0-doc_2.6.11-3_all.deb
1535ca19e5f53fdc769500595737d19a 1183514 libs optional
libgimp2.0_2.6.11-3_amd64.deb
9d706cf7386465706b0d664e2d81cc31 5000468 graphics optional
gimp_2.6.11-3_amd64.deb
8687a2291cce76f2ab0647226bfbb206 184936 libdevel optional
libgimp2.0-dev_2.6.11-3_amd64.deb
764646d145d9e74c6254839ad4be5657 14745876 debug extra
gimp-dbg_2.6.11-3_amd64.deb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEAREDAAYFAk3z6aoACgkQwO+u47cOQDtZLACgiktkZmsnGDrvDCzTITXDv6E/
oaMAnRPtZ5tOq2K/KzlnFh0bvObzGLOm
=fPEX
-----END PGP SIGNATURE-----
--- End Message ---
