2018-05-26 17:27:12 |
daniel CURTIS |
bug |
|
|
added bug |
2018-05-26 17:28:02 |
daniel CURTIS |
fglrx-installer (Ubuntu): status |
New |
Confirmed |
|
2018-05-26 17:31:40 |
daniel CURTIS |
affects |
fglrx-installer (Ubuntu) |
gimp (Ubuntu) |
|
2018-05-26 18:04:43 |
daniel CURTIS |
description |
Hello.
GIMP package ('Universe/Security' section), available in "Xenial"/16.04 LTS Release, contains unfixed security issues and is vulnerable to, for example, heap-buffer over-read, out of bounds read and stack-based buffer over-read etc. The whole this is pretty strange, because Ubuntu Releases released before and after "Xenial", contains updated GIMP version!
Anyway, it looks this way: in "Trusty" the available version is: '2.8.10-0ubuntu1.2' (please see [1]). "Bionic" has '2.8.20-1.1' version (please see [2]). Both Releases contains fixes for mentioned security issues: CVE-2017-* etc. However, GIMP version in "Xenial" is '2.8.16-1ubuntu1.1' and does not contain any security updates from 2017. (The last one is from Thu, 30 Jun 2016.; please see [3]).
Security updates with fixes for mentioned CVE's (please compare changes in 1. and 2. with 3.) were released on Thu., 18 Jan 2018 - for "Trusty" and Tue., 26 Dec 2017 - for "Bionic". In "Xenial", the last security update is from Thu., 30 Jun 2016 (fix for CVE-2016-4994) and there is no further updates!
Here is a CVE list, which are not fixed in "Xenial", but in "Trusty" and "Bionic" only:
1/ CVE-2017-17786: Out of bounds read
2/ CVE-2017-17789: Heap-based buffer overflow in read_channel_data
3/ CVE-2017-17784: Heap-buffer over-read in load_image file-gbr.c
4/ CVE-2017-17787: Heap-based buffer over-read in read_creator_block
5/ CVE-2017-17785: Heap-based buffer overflow in fli_read_brun function
6/ CVE-2017-17788: Stack-based buffer over-read in xcf_load_stream
I wanted to send an email an email to Mr Marc Deslauriers, because he made the last security update for GIMP in "Xenial" (fix for CVE-2016-4994). But I decided to report a bug on Launchpad. I hope that it's an acceptable way. If not, I'm sorry.
By the way: similar problems with unfixed security issues, can be found e.g. in Audacious and Parole packages. But that's a different story, completely different story...
Thanks, best regards.
______________________
1. http://changelogs.ubuntu.com/changelogs/pool/main/g/gimp/gimp_2.8.10-0ubuntu1.2/changelog
2. http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.20-2/changelog
3. http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.16-1ubuntu1.1/changelog |
Hello.
GIMP package ('Universe/Security' section), available in "Xenial"/16.04 LTS Release, contains unfixed security issues and is vulnerable to, for example, heap-buffer over-read, out of bounds read and stack-based buffer over-read etc. The whole this is pretty strange, because Ubuntu Releases released before and after "Xenial", contains updated GIMP version!
Anyway, it looks this way: in "Trusty" the available version is: '2.8.10-0ubuntu1.2' (please see [1]). "Bionic" has '2.8.20-1.1' version (please see [2]). Both Releases contains fixes for mentioned security issues: CVE-2017-* etc. However, GIMP version in "Xenial" is '2.8.16-1ubuntu1.1' and does not contain any security updates from 2017. (The last one is from Thu, 30 Jun 2016.; please see [3]).
Security updates with fixes for mentioned CVE's (please compare changes in 1. and 2. with 3.) were released on Thu., 18 Jan 2018 - for "Trusty" and Tue., 26 Dec 2017 - for "Bionic". In "Xenial", the last security update is from Thu., 30 Jun 2016 (fix for CVE-2016-4994) and there is no further updates!
Here is a CVE list, which are not fixed in "Xenial", but in "Trusty" and "Bionic" only:
1/ CVE-2017-17786: Out of bounds read
2/ CVE-2017-17789: Heap-based buffer overflow in read_channel_data
3/ CVE-2017-17784: Heap-buffer over-read in load_image file-gbr.c
4/ CVE-2017-17787: Heap-based buffer over-read in read_creator_block
5/ CVE-2017-17785: Heap-based buffer overflow in fli_read_brun function
6/ CVE-2017-17788: Stack-based buffer over-read in xcf_load_stream
I wanted to send an email an email to Mr Marc Deslauriers, because he made the last security update for GIMP in "Xenial" (fix for CVE-2016-4994). But I decided to report a bug on Launchpad. I hope that it's an acceptable way. If not, I'm sorry.
✗✗✗ And the most important thing: if an User had installed GIMP package in "Xenial" Release, he is affected because he is using a vulnerable version since one year! Security issues, mentioned above, are from 2017. So, maybe it's a good opportunity to update GIMP to v2.10.2 version, released on 20., May 2018? At least in non-LTS Releases. Of course I'm not talking about "Cosmic" here. (Version 2.8.X is very outdated).
By the way: similar problems with unfixed security issues, can be found e.g. in Audacious and Parole packages. But that's a different story, completely different story...
Thanks, best regards.
______________________
1. http://changelogs.ubuntu.com/changelogs/pool/main/g/gimp/gimp_2.8.10-0ubuntu1.2/changelog
2. http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.20-2/changelog
3. http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.16-1ubuntu1.1/changelog |
|
2018-05-29 13:51:04 |
daniel CURTIS |
summary |
Xenial/16.04: GIMP needs a security update - unfixed issues (CVE-2017-*). |
Xenial/16.04: GIMP needs a security update - unfixed issues (CVE-2017: 17784-17789). |
|
2018-05-29 13:51:04 |
daniel CURTIS |
description |
Hello.
GIMP package ('Universe/Security' section), available in "Xenial"/16.04 LTS Release, contains unfixed security issues and is vulnerable to, for example, heap-buffer over-read, out of bounds read and stack-based buffer over-read etc. The whole this is pretty strange, because Ubuntu Releases released before and after "Xenial", contains updated GIMP version!
Anyway, it looks this way: in "Trusty" the available version is: '2.8.10-0ubuntu1.2' (please see [1]). "Bionic" has '2.8.20-1.1' version (please see [2]). Both Releases contains fixes for mentioned security issues: CVE-2017-* etc. However, GIMP version in "Xenial" is '2.8.16-1ubuntu1.1' and does not contain any security updates from 2017. (The last one is from Thu, 30 Jun 2016.; please see [3]).
Security updates with fixes for mentioned CVE's (please compare changes in 1. and 2. with 3.) were released on Thu., 18 Jan 2018 - for "Trusty" and Tue., 26 Dec 2017 - for "Bionic". In "Xenial", the last security update is from Thu., 30 Jun 2016 (fix for CVE-2016-4994) and there is no further updates!
Here is a CVE list, which are not fixed in "Xenial", but in "Trusty" and "Bionic" only:
1/ CVE-2017-17786: Out of bounds read
2/ CVE-2017-17789: Heap-based buffer overflow in read_channel_data
3/ CVE-2017-17784: Heap-buffer over-read in load_image file-gbr.c
4/ CVE-2017-17787: Heap-based buffer over-read in read_creator_block
5/ CVE-2017-17785: Heap-based buffer overflow in fli_read_brun function
6/ CVE-2017-17788: Stack-based buffer over-read in xcf_load_stream
I wanted to send an email an email to Mr Marc Deslauriers, because he made the last security update for GIMP in "Xenial" (fix for CVE-2016-4994). But I decided to report a bug on Launchpad. I hope that it's an acceptable way. If not, I'm sorry.
✗✗✗ And the most important thing: if an User had installed GIMP package in "Xenial" Release, he is affected because he is using a vulnerable version since one year! Security issues, mentioned above, are from 2017. So, maybe it's a good opportunity to update GIMP to v2.10.2 version, released on 20., May 2018? At least in non-LTS Releases. Of course I'm not talking about "Cosmic" here. (Version 2.8.X is very outdated).
By the way: similar problems with unfixed security issues, can be found e.g. in Audacious and Parole packages. But that's a different story, completely different story...
Thanks, best regards.
______________________
1. http://changelogs.ubuntu.com/changelogs/pool/main/g/gimp/gimp_2.8.10-0ubuntu1.2/changelog
2. http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.20-2/changelog
3. http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.16-1ubuntu1.1/changelog |
Hello.
GIMP package ('Universe/Security' section), available in "Xenial"/16.04 LTS Release, contains unfixed security issues and is vulnerable to, for example, heap-buffer over-read, out of bounds read and stack-based buffer over-read etc. The whole thing is pretty strange, because Ubuntu Releases released before and after "Xenial", contains updated GIMP package!
Anyway, it looks this way: in "Trusty" the available version is: '2.8.10-0ubuntu1.2' (please see [1]). "Bionic" has '2.8.20-1.1' version (please see [2]). Both Releases contains fixes for mentioned security issues: CVE-2017-* etc. However, GIMP version in "Xenial" is '2.8.16-1ubuntu1.1' and does not contain any security updates from 2017. (The last one is from Thu, 30 Jun 2016.; please see [3]).
Security updates with fixes for mentioned CVE's (please compare changes in 1. and 2. with 3.) were released on Thu., 18 Jan 2018 - for "Trusty" and Tue., 26 Dec 2017 - for "Bionic". In "Xenial", the last security update is from Thu., 30 Jun 2016 (fix for CVE-2016-4994) and there is no further updates!
Here is a CVE list of security issues not fixed in "Xenial", but in "Trusty" and "Bionic" etc.:
1/ CVE-2017-17784: Heap-buffer over-read in load_image file-gbr.c
2/ CVE-2017-17785: Heap-based buffer overflow in fli_read_brun function
3/ CVE-2017-17786: Out of bounds read
4/ CVE-2017-17787: Heap-based buffer over-read in read_creator_block
5/ CVE-2017-17788: Stack-based buffer over-read in xcf_load_stream
6/ CVE-2017-17789: Heap-based buffer overflow in read_channel_data
And the most important thing: if User had installed GIMP package in "Xenial" Release, he is affected - since one year, at least - because of a vulnerable version. Security issues, mentioned above, are from 2017. So, maybe it's a good opportunity to update GIMP to v2.10.2 version, released on 20., May 2018? (Version 2.8.X is very outdated).
I wanted to send an email to Mr Marc Deslauriers, because he made the last security update for GIMP in "Xenial" (fix for CVE-2016-4994). But I decided to report a bug on Launchpad. I hope that it's an acceptable way. If not, I'm sorry.
By the way: similar problems with unfixed security issues, can be found e.g. in Audacious and Parole packages. But that's a different story, completely different story...
Thanks, best regards.
______________________
1. http://changelogs.ubuntu.com/changelogs/pool/main/g/gimp/gimp_2.8.10-0ubuntu1.2/changelog
2. http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.20-2/changelog
3. http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.16-1ubuntu1.1/changelog |
|
2018-06-10 18:51:27 |
daniel CURTIS |
information type |
Public |
Public Security |
|
2018-06-11 14:08:59 |
Jeremy Bícha |
nominated for series |
|
Ubuntu Xenial |
|
2018-06-11 14:08:59 |
Jeremy Bícha |
bug task added |
|
gimp (Ubuntu Xenial) |
|
2018-06-11 14:10:24 |
Jeremy Bícha |
nominated for series |
|
Ubuntu Artful |
|
2018-06-11 14:10:24 |
Jeremy Bícha |
bug task added |
|
gimp (Ubuntu Artful) |
|
2018-06-11 14:10:52 |
Jeremy Bícha |
bug |
|
|
added subscriber Leonidas S. Barbosa |
2018-09-08 17:56:51 |
daniel CURTIS |
gimp (Ubuntu): status |
Confirmed |
Incomplete |
|
2018-09-08 18:00:13 |
daniel CURTIS |
gimp (Ubuntu Xenial): status |
New |
Confirmed |
|
2019-02-14 10:28:42 |
daniel CURTIS |
gimp (Ubuntu Xenial): status |
Confirmed |
New |
|
2019-02-14 10:29:09 |
daniel CURTIS |
information type |
Public Security |
Private Security |
|
2019-02-14 14:44:12 |
Marc Deslauriers |
information type |
Private Security |
Public Security |
|
2020-04-27 23:43:22 |
Jeremy Bícha |
bug task deleted |
gimp (Ubuntu Artful) |
|
|
2020-10-22 18:41:24 |
Sebastien Bacher |
gimp (Ubuntu): status |
Incomplete |
Fix Released |
|
2020-10-22 18:41:29 |
Sebastien Bacher |
tags |
cve gimp security upgrade-software-version xenial |
cve gimp security upgrade-xenial-version xenial |
|