| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 24 Jul 2006 12:59:09 +0200 From: Alberto Devesa <alberto.devesa@...leeye-software.com> To: full-disclosure@...ts.grok.org.uk Cc: gentoo-announce@...too.org, bugtraq@...urityfocus.com, security-alerts@...uxsecurity.com Subject: Re: [ GLSA 200607-08 ] GIMP: Buffer overflow I guess it should be version 2.2.12 instead of 1.2.12 On Sunday 23 July 2006 17:29, Sune Kloppenborg Jeppesen wrote: > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > Gentoo Linux Security Advisory GLSA 200607-08 > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > http://security.gentoo.org/ > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > Severity: Normal > Title: GIMP: Buffer overflow > Date: July 23, 2006 > Bugs: #139524 > ID: 200607-08 > > - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - > > Synopsis > ======== > > GIMP is prone to a buffer overflow which may lead to the execution of > arbitrary code when loading specially crafted XCF files. > > Background > ========== > > GIMP is the GNU Image Manipulation Program. XCF is the native image > file format used by GIMP. > > Affected packages > ================= > > ------------------------------------------------------------------- > Package / Vulnerable / Unaffected > ------------------------------------------------------------------- > 1 media-gfx/gimp < 1.2.12 >= 1.2.12 > > Description > =========== > > Henning Makholm discovered that the "xcf_load_vector()" function is > vulnerable to a buffer overflow when loading a XCF file with a large > "num_axes" value. > > Impact > ====== > > An attacker could exploit this issue to execute arbitrary code by > enticing a user to open a specially crafted XCF file. > > Workaround > ========== > > There is no known workaround at this time. > > Resolution > ========== > > All GIMP users should update to the latest stable version: > > # emerge --sync > # emerge --ask --oneshot --verbose ">=media-gfx/gimp-1.2.12" > > References > ========== > > [ 1 ] CVE-2006-3404 > http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3404 > > Availability > ============ > > This GLSA and any updates to it are available for viewing at > the Gentoo Security Website: > > http://security.gentoo.org/glsa/glsa-200607-08.xml > > Concerns? > ========= > > Security is a primary focus of Gentoo Linux and ensuring the > confidentiality and security of our users machines is of utmost > importance to us. Any security concerns should be addressed to > security@...too.org or alternatively, you may file a bug at > http://bugs.gentoo.org. > > License > ======= > > Copyright 2006 Gentoo Foundation, Inc; referenced text > belongs to its owner(s). > > The contents of this document are licensed under the > Creative Commons - Attribution / Share Alike license. > > http://creativecommons.org/licenses/by-sa/2.5 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists