[Bug 1982422] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2023-02-09 Thread Marc Deslauriers
There are no updated debdiffs to sponsor, unsubscribing ubuntu-security-
sponsors for now. Please resubscribe the group once updated debdiffs
have been attached to this bug. Thanks!

-- 
You received this bug notification because you are a member of Ubuntu
Desktop Bugs, which is subscribed to gimp in Ubuntu.
https://bugs.launchpad.net/bugs/1982422

Title:
  Multiple vulnerabilities in Bionic, Focal and Jammy

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gimp/+bug/1982422/+subscriptions


-- 
desktop-bugs mailing list
desktop-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/desktop-bugs

[Bug 1982422] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-09-12 Thread Mathew Hodson
** Changed in: gimp (Ubuntu)
   Importance: Undecided => Low

** Changed in: gimp (Ubuntu Bionic)
   Importance: Undecided => Low

** Changed in: gimp (Ubuntu Focal)
   Importance: Undecided => Low

** Changed in: gimp (Ubuntu Jammy)
   Importance: Undecided => Low

[Bug 1982422] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-08-24 Thread Luís Cunha dos Reis Infante da Câmara
Sorry for the comment. I have hidden it and I will update my patches and
request sponsorship.

[Bug 1982422] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-08-23 Thread Alex Murray
> All the CVEs fixed by the attached debdiffs have priority low or negligible.
> Therefore, these updates should not be sponsored until a higher priority issue
> is found in GIMP.

I don't think it is right to try and say these should not be sponsored
until a higher priority issue is found - it is just that other higher
priority updates for other packages will usually take precedence. Please
try not to talk with authority about things which you do not have
authority over.

[Bug 1982422] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-08-23 Thread Luís Cunha dos Reis Infante da Câmara
If there is substantial demand for these CVEs getting fixed, please
comment on this bug or otherwise notify me (for example via email).

** Description changed:

- The version in Bionic is vulnerable to all CVEs listed below.
+ The versions in Bionic, Focal and Jammy is vulnerable to all CVEs listed
+ below.
  
- The versions in Focal and Jammy are vulnerable to CVE-2022-30067 and
- CVE-2022-32990.
- 
- Please publish patched packages.
+ When a higher priority security issue appears in GIMP or substantial
+ demand exists for these fixes, please publish patched packages.
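
Review bot: the added first line reads "The versions in Bionic, Focal and Jammy is vulnerable", which should be "are vulnerable", and the same edit deletes the statement that Focal and Jammy are affected only by CVE-2022-30067 and CVE-2022-32990 without explaining why the scope widened; the description should say which CVEs apply to which release. The replacement for "Please publish patched packages." makes publication conditional on a higher priority issue or on demand, which is a scheduling matter rather than a fact about the bug, so it would be better kept out of the description.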

[Bug 1982422] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-08-23 Thread Luís Cunha dos Reis Infante da Câmara
All the CVEs fixed by the attached debdiffs have priority low or
negligible. Therefore, these updates should not be sponsored until a
higher priority issue is found in GIMP.

[Bug 1982422] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-08-09 Thread Marc Deslauriers
I took a look at the debdiffs in #2, #3, and #8, and here are my
comments:

For Bionic:

- The package doesn't build with the debdiff provided. Please fix and make sure
  it builds before submitting it again.
- In CVE-2022-32990-2.patch, you dropped the section that patches
  xcf_load_buffer, but in Bionic, the function is called xcf_load_hierarchy,
  please add the section back and patch the appropriate function.

For Focal:
- The patch for CVE-2018-12713 is missing, please add it.

For Jammy:

- The patch for CVE-2018-12713 is missing, please add it.
- You seemed to have bumped the version of gegl required in the debian/control
  file for no reason, and it is not mentioned in the changelog. Please remove
  this change.

Once those changes are done and new debdiffs have been attached, please
detail the testing that you performed to make sure Gimp still works,
thanks!

[Bug 1982422] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-08-01 Thread Launchpad Bug Tracker
This bug was fixed in the package gimp - 2.10.32-1

---
gimp (2.10.32-1) unstable; urgency=high

  * New upstream release (LP: #1982422)
    - Includes crash fixes CVE-2022-30067 and CVE-2022-32990
  * debian/control.in: Bump minimum gegl to 0.4.36
  * debian/libgimp2.0.symbols: Add new symbol

 -- Jeremy Bicha   Mon, 01 Aug 2022 09:39:35 -0400

** Changed in: gimp (Ubuntu)
   Status: Fix Committed => Fix Released

[Bug 1982422] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-07-31 Thread Jeremy Bicha
** Also affects: gimp (Ubuntu Jammy)
   Importance: Undecided
   Status: New

** Also affects: gimp (Ubuntu Focal)
   Importance: Undecided
   Status: New

** Also affects: gimp (Ubuntu Bionic)
   Importance: Undecided
   Status: New

[Bug 1982422] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-07-27 Thread Eduardo Barretto
Hi Luis,

as part of the sponsoring/updating process, you have to run tests and
inform us about its results and instructions.

Testing an update is important. At a minimum, be sure to:
1. build in a clean build environment
2. verify the package still installs
3. verify the package upgrades cleanly
4. verify the package still functions properly
5. use public exploits and Proof of Concept(s) (PoC) (if available) to verify
   the bug is fixed
6. run any test suites available for such package

[Bug 1982422] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-07-24 Thread Luís Cunha dos Reis Infante da Câmara
I have not done any testing.

** Changed in: gimp (Ubuntu)
   Assignee: Luís Cunha dos Reis Infante da Câmara (luis220413) => (unassigned)

** Patch removed: "gimp_bionic.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/gimp/+bug/1982422/+attachment/5605036/+files/gimp_bionic.debdiff

[Bug 1982422] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-07-24 Thread Luís Cunha dos Reis Infante da Câmara
** Patch added: "gimp_bionic.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/gimp/+bug/1982422/+attachment/5605038/+files/gimp_bionic.debdiff

[Bug 1982422] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-07-24 Thread Luís Cunha dos Reis Infante da Câmara
** Patch added: "gimp_bionic.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/gimp/+bug/1982422/+attachment/5605036/+files/gimp_bionic.debdiff

** Changed in: gimp (Ubuntu)
   Status: In Progress => Fix Committed

[Bug 1982422] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-07-20 Thread Seth Arnold
Thanks Luís, we'll have a look at this. What testing have you done with
the resulting packages?

Thanks

[Bug 1982422] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-07-20 Thread Ubuntu Foundations Team Bug Bot
The attachment "gimp_focal.debdiff" seems to be a debdiff.  The ubuntu-
sponsors team has been subscribed to the bug report so that they can
review and hopefully sponsor the debdiff.  If the attachment isn't a
patch, please remove the "patch" flag from the attachment, remove the
"patch" tag, and if you are member of the ~ubuntu-sponsors, unsubscribe
the team.

[This is an automated message performed by a Launchpad user owned by
~brian-murray, for any issue please contact him.]

** Tags added: patch

[Bug 1982422] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-07-20 Thread Luís Cunha dos Reis Infante da Câmara
** Patch added: "gimp_jammy.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/gimp/+bug/1982422/+attachment/5604449/+files/gimp_jammy.debdiff

[Bug 1982422] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-07-20 Thread Luís Cunha dos Reis Infante da Câmara
** Patch added: "gimp_focal.debdiff"
   
https://bugs.launchpad.net/ubuntu/+source/gimp/+bug/1982422/+attachment/5604447/+files/gimp_focal.debdiff

[Bug 1982422] Re: Multiple vulnerabilities in Bionic, Focal and Jammy

2022-07-20 Thread Luís Cunha dos Reis Infante da Câmara
Patched packages for Focal and Jammy are building in my PPA:
https://launchpad.net/~luis220413/+archive/ubuntu/security-updates.

** Changed in: gimp (Ubuntu)
   Status: New => In Progress

** Changed in: gimp (Ubuntu)
   Assignee: (unassigned) => Luís Cunha dos Reis Infante da Câmara (luis220413)
