include proper fix for CVE-2007-3126, released in GIMP 2.8.22

Bug #1690544 reported by nmaxx on 2017-05-13
This bug affects 1 person
Affects Status Importance Assigned to Milestone
The Gimp
Fix Released
gimp (Ubuntu)

Bug Description

The GIMP developers announced at that version 2.8.22 finally includes a proper fix for the ancient ICO file import crash CVE-2007-3126.
The fix should thus either be back-ported or GIMP bumped to 2.8.22 for supported Ubuntu versions.

CVE References

Changed in gimp:
importance: Unknown → Medium
status: Unknown → Fix Released
Michael Schumacher (schumaml) wrote :

As I wrote in (that's the bug for the master branch, where GIMP 2.9.x is being made from), I could not reproduce the crash mentioned in the CVE. Probably no surprise, given that CVE was reported against GIMP 2.3.x

However, I'd like to stress that this bug might have been fixed a lot earlier if any of the downstream vendors who noticed it had reported it upstream. Please make sure that every non-Ubuntu-specific bug in Launchpad has a corresponding upstream bug report (adding a reference to thess is what the "Also affects project" link is for), or that an upstream report is made if you can't find one.

Jeremy Bicha (jbicha) wrote :

This will be updated in Ubuntu 18.04 "bionic" via sync from Debian.

Changed in gimp (Ubuntu):
status: New → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gimp - 2.8.22-1

gimp (2.8.22-1) unstable; urgency=medium

  * New upstream release (Closes: #870568, #885382, CVE-2007-3126)
    (LP: #1690544)
  * Switch maintainer to Debian GNOME Team, with Ari's permission
  * Update Vcs fields for migration to
  * Drop old Breaks/Conflicts/Replaces not needed since Wheezy
  * Drop obsolete menu and .xpm files
  * Switch from cdbs to dh
  * Bump debhelper compat to 11

 -- Jeremy Bicha <email address hidden> Wed, 28 Mar 2018 12:21:18 -0400

Changed in gimp (Ubuntu):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.