Your message dated Sat, 21 Nov 2009 17:04:49 +0000
with message-id <e1nbtod-0008it...@ries.debian.org>
and subject line Bug#555929: fixed in gimp 2.6.7-1.1
has caused the Debian Bug report #555929,
regarding gimp: CVE-2009-1570 heap overflow due to integer overflow when parsing bmp files
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
555929: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=555929
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: gimp
Severity: grave
Tags: security patch

Hi,
the following CVE (Common Vulnerabilities & Exposures) id was
published for gimp.

CVE-2009-1570[0]:
| Secunia Research has discovered a vulnerability in Gimp, which can be
| exploited by malicious people to potentially compromise a user's 
| system.
| 
| The vulnerability is caused by an integer overflow error within the
| "ReadImage()" function in plug-ins/file-bmp/bmp-read.c. This can be
| exploited to cause a heap-based buffer overflow by e.g. tricking a
| user into opening a specially crafted BMP file.

If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.

Patch: 
http://git.gnome.org/cgit/gimp/commit/?id=e3afc99b2fa7aeddf0dba4778663160a5bc682d3

Do you also have the time to provide updated packages for stable/oldstable?

For further information see:

[0] http://secunia.com/secunia_research/2009-42/
    http://security-tracker.debian.org/tracker/CVE-2009-1570

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
For security reasons, all text in this mail is double-rot13 encrypted.



--- End Message ---
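The bug class the advisory above describes, as an added example that is neither GIMP's bmp-read.c nor the linked patch: the unchecked 32-bit pixel-buffer size computation next to a validated one that refuses headers whose dimensions cannot be represented. The struct, the function names and the BMP_MAX_PIXEL_BYTES limit are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdlib.h>

/* BMP info-header fields that drive pixel-buffer sizing. Constructed for
   this example; the struct and the function names below are not GIMP's. */
typedef struct {
    int32_t  width;      /* biWidth */
    int32_t  height;     /* biHeight; negative means top-down rows */
    uint16_t bit_count;  /* biBitCount: 1, 4, 8, 16, 24 or 32 */
} bmp_info_t;

/* Largest pixel buffer the loader accepts (assumed policy value; it keeps
   the result within what a 32-bit allocation size can hold). */
#define BMP_MAX_PIXEL_BYTES ((uint64_t)UINT32_MAX)

/* Shape of the unsafe computation: stride * rows in 32-bit arithmetic wraps
   silently, so a huge header yields a tiny buffer that row writes overrun. */
static uint32_t bmp_pixel_bytes_wrapping(int32_t w, int32_t hgt, uint16_t bpp)
{
    uint32_t stride = ((uint32_t)w * bpp + 31) / 32 * 4;
    uint32_t rows   = (uint32_t)(hgt < 0 ? -(int64_t)hgt : (int64_t)hgt);
    return stride * rows;
}

/* Hardened sizing: validate every field, compute in 64 bits, reject anything
   over the limit. Returns 1 and stores the size in *out, or 0 on rejection. */
static int bmp_pixel_bytes_checked(const bmp_info_t *h, uint64_t *out)
{
    if (h->width <= 0 || h->height == 0 || h->height == INT32_MIN)
        return 0;
    switch (h->bit_count) {
    case 1: case 4: case 8: case 16: case 24: case 32: break;
    default: return 0;
    }
    uint64_t rows   = (uint64_t)(h->height < 0 ? -(int64_t)h->height : h->height);
    uint64_t stride = ((uint64_t)h->width * h->bit_count + 31) / 32 * 4; /* 4-byte row padding */
    uint64_t total  = stride * rows;   /* stride < 2^33, rows < 2^31: no 64-bit wrap */
    if (total > BMP_MAX_PIXEL_BYTES)
        return 0;
    *out = total;
    return 1;
}

/* Size-only wrapper (0 means rejected; a valid image is never 0 bytes).
   Allocate only after this has accepted the header. */
static uint64_t bmp_pixel_bytes_or_zero(int32_t w, int32_t hgt, uint16_t bpp)
{
    bmp_info_t h = { w, hgt, bpp };
    uint64_t n = 0;
    return bmp_pixel_bytes_checked(&h, &n) ? n : 0;
}
```

A 65536 x 65536 32-bit header makes the wrapping version report 0 bytes while the checked version rejects it; a 640 x 480 24-bit header yields 921600 bytes in both.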
--- Begin Message ---
Source: gimp
Source-Version: 2.6.7-1.1

We believe that the bug you reported is fixed in the latest version of
gimp, which is due to be installed in the Debian FTP archive:

gimp-data_2.6.7-1.1_all.deb
  to main/g/gimp/gimp-data_2.6.7-1.1_all.deb
gimp-dbg_2.6.7-1.1_amd64.deb
  to main/g/gimp/gimp-dbg_2.6.7-1.1_amd64.deb
gimp_2.6.7-1.1.diff.gz
  to main/g/gimp/gimp_2.6.7-1.1.diff.gz
gimp_2.6.7-1.1.dsc
  to main/g/gimp/gimp_2.6.7-1.1.dsc
gimp_2.6.7-1.1_amd64.deb
  to main/g/gimp/gimp_2.6.7-1.1_amd64.deb
libgimp2.0-dev_2.6.7-1.1_amd64.deb
  to main/g/gimp/libgimp2.0-dev_2.6.7-1.1_amd64.deb
libgimp2.0-doc_2.6.7-1.1_all.deb
  to main/g/gimp/libgimp2.0-doc_2.6.7-1.1_all.deb
libgimp2.0_2.6.7-1.1_amd64.deb
  to main/g/gimp/libgimp2.0_2.6.7-1.1_amd64.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 555...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <n...@debian.org> (supplier of updated gimp package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)



Format: 1.8
Date: Sat, 21 Nov 2009 14:57:51 +0100
Source: gimp
Binary: libgimp2.0 gimp gimp-data libgimp2.0-dev libgimp2.0-doc gimp-dbg
Architecture: source all amd64
Version: 2.6.7-1.1
Distribution: unstable
Urgency: high
Maintainer: Ari Pollak <a...@debian.org>
Changed-By: Nico Golde <n...@debian.org>
Description: 
 gimp       - The GNU Image Manipulation Program
 gimp-data  - Data files for GIMP
 gimp-dbg   - Debugging symbols for GIMP
 libgimp2.0 - Libraries for the GNU Image Manipulation Program
 libgimp2.0-dev - Headers and other files for compiling plugins for GIMP
 libgimp2.0-doc - Developers' Documentation for the GIMP library
Closes: 553234 555929 556750
Changes: 
 gimp (2.6.7-1.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * This update fixes the following security issues:
     - CVE-2009-3909: integer overflow in PSD file loader leading to
       a heap-based buffer overflow (Closes: #556750).
     - CVE-2009-1570: integer overflow in BMP file loader leading to
       a heap-based buffer overflow (Closes: #555929).
   * Add ${shlibs: Depends} to depends of libgimp-dev (Closes: #553234).




--- End Message ---
