As I wrote in https://bugzilla.gnome.org/show_bug.cgi?id=773233#c2 (that's the bug for the master branch, where GIMP 2.9.x is being made from), I could not reproduce the crash mentioned in the CVE. Probably no surprise, given that CVE was reported against GIMP 2.3.x
However, I'd like to stress that this bug might have been fixed a lot earlier if any of the downstream vendors who noticed it had reported it upstream. Please make sure that every non-Ubuntu-specific bug in Launchpad has a corresponding upstream bug report (adding a reference to thess is what the "Also affects project" link is for), or that an upstream report is made if you can't find one. ** Bug watch added: GNOME Bug Tracker #773233 https://bugzilla.gnome.org/show_bug.cgi?id=773233 -- You received this bug notification because you are a member of Ubuntu Studio Bugs, which is subscribed to gimp in Ubuntu. Matching subscriptions: Ubuntu Studio Bugs https://bugs.launchpad.net/bugs/1690544 Title: include proper fix for CVE-2007-3126, released in GIMP 2.8.22 Status in The Gimp: Fix Released Status in gimp package in Ubuntu: New Bug description: The GIMP developers announced at https://www.gimp.org/news/2017/05/11/gimp-2-8-22-released/ that version 2.8.22 finally includes a proper fix for the ancient ICO file import crash CVE-2007-3126. The fix should thus either be back-ported or GIMP bumped to 2.8.22 for supported Ubuntu versions. To manage notifications about this bug go to: https://bugs.launchpad.net/gimp/+bug/1690544/+subscriptions -- Mailing list: https://launchpad.net/~ubuntustudio-bugs Post to : [email protected] Unsubscribe : https://launchpad.net/~ubuntustudio-bugs More help : https://help.launchpad.net/ListHelp
