Public bug reported:
Hello.
GIMP package ('Universe/Security' section), available in "Xenial"/16.04
LTS Release, contains unfixed security issues and is vulnerable to, for
example, heap-buffer over-read, out of bounds read and stack-based
buffer over-read etc. The whole this is pretty strange, because Ubuntu
Releases released before and after "Xenial", contains updated GIMP
version!
Anyway, it looks this way: in "Trusty" the available version is:
'2.8.10-0ubuntu1.2' (please see [1]). "Bionic" has '2.8.20-1.1' version
(please see [2]). Both Releases contains fixes for mentioned security
issues: CVE-2017-* etc. However, GIMP version in "Xenial" is
'2.8.16-1ubuntu1.1' and does not contain any security updates from 2017.
(The last one is from Thu, 30 Jun 2016.; please see [3]).
Security updates with fixes for mentioned CVE's (please compare changes
in 1. and 2. with 3.) were released on Thu., 18 Jan 2018 - for "Trusty"
and Tue., 26 Dec 2017 - for "Bionic". In "Xenial", the last security
update is from Thu., 30 Jun 2016 (fix for CVE-2016-4994) and there is no
further updates!
Here is a CVE list, which are not fixed in "Xenial", but in "Trusty" and
"Bionic" only:
1/ CVE-2017-17786: Out of bounds read
2/ CVE-2017-17789: Heap-based buffer overflow in read_channel_data
3/ CVE-2017-17784: Heap-buffer over-read in load_image file-gbr.c
4/ CVE-2017-17787: Heap-based buffer over-read in read_creator_block
5/ CVE-2017-17785: Heap-based buffer overflow in fli_read_brun function
6/ CVE-2017-17788: Stack-based buffer over-read in xcf_load_stream
I wanted to send an email an email to Mr Marc Deslauriers, because he
made the last security update for GIMP in "Xenial" (fix for
CVE-2016-4994). But I decided to report a bug on Launchpad. I hope that
it's an acceptable way. If not, I'm sorry.
By the way: similar problems with unfixed security issues, can be found
e.g. in Audacious and Parole packages. But that's a different story,
completely different story...
Thanks, best regards.
______________________
1.
http://changelogs.ubuntu.com/changelogs/pool/main/g/gimp/gimp_2.8.10-0ubuntu1.2/changelog
2.
http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.20-2/changelog
3.
http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.16-1ubuntu1.1/changelog
** Affects: gimp (Ubuntu)
Importance: Undecided
Status: Confirmed
** Tags: cve gimp security upgrade-software-version xenial
** Changed in: fglrx-installer (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to fglrx-installer in Ubuntu.
https://bugs.launchpad.net/bugs/1773561
Title:
Xenial/16.04: GIMP needs a security update - unfixed issues
(CVE-2017-*).
Status in gimp package in Ubuntu:
Confirmed
Bug description:
Hello.
GIMP package ('Universe/Security' section), available in
"Xenial"/16.04 LTS Release, contains unfixed security issues and is
vulnerable to, for example, heap-buffer over-read, out of bounds read
and stack-based buffer over-read etc. The whole this is pretty
strange, because Ubuntu Releases released before and after "Xenial",
contains updated GIMP version!
Anyway, it looks this way: in "Trusty" the available version is:
'2.8.10-0ubuntu1.2' (please see [1]). "Bionic" has '2.8.20-1.1'
version (please see [2]). Both Releases contains fixes for mentioned
security issues: CVE-2017-* etc. However, GIMP version in "Xenial" is
'2.8.16-1ubuntu1.1' and does not contain any security updates from
2017. (The last one is from Thu, 30 Jun 2016.; please see [3]).
Security updates with fixes for mentioned CVE's (please compare
changes in 1. and 2. with 3.) were released on Thu., 18 Jan 2018 - for
"Trusty" and Tue., 26 Dec 2017 - for "Bionic". In "Xenial", the last
security update is from Thu., 30 Jun 2016 (fix for CVE-2016-4994) and
there is no further updates!
Here is a CVE list, which are not fixed in "Xenial", but in "Trusty"
and "Bionic" only:
1/ CVE-2017-17786: Out of bounds read
2/ CVE-2017-17789: Heap-based buffer overflow in read_channel_data
3/ CVE-2017-17784: Heap-buffer over-read in load_image file-gbr.c
4/ CVE-2017-17787: Heap-based buffer over-read in read_creator_block
5/ CVE-2017-17785: Heap-based buffer overflow in fli_read_brun function
6/ CVE-2017-17788: Stack-based buffer over-read in xcf_load_stream
I wanted to send an email an email to Mr Marc Deslauriers, because he
made the last security update for GIMP in "Xenial" (fix for
CVE-2016-4994). But I decided to report a bug on Launchpad. I hope
that it's an acceptable way. If not, I'm sorry.
By the way: similar problems with unfixed security issues, can be
found e.g. in Audacious and Parole packages. But that's a different
story, completely different story...
Thanks, best regards.
______________________
1.
http://changelogs.ubuntu.com/changelogs/pool/main/g/gimp/gimp_2.8.10-0ubuntu1.2/changelog
2.
http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.20-2/changelog
3.
http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.16-1ubuntu1.1/changelog
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/gimp/+bug/1773561/+subscriptions
--
Mailing list: https://launchpad.net/~desktop-packages
Post to : desktop-packages@lists.launchpad.net
Unsubscribe : https://launchpad.net/~desktop-packages
More help : https://help.launchpad.net/ListHelp
