ubuntustudio-bugs team mailing list archive

Thread
Date

[Bug 1690544] Re: include proper fix for CVE-2007-3126, released in GIMP 2.8.22

To: ubuntustudio-bugs@xxxxxxxxxxxxxxxxxxx
From: Michael Schumacher <schumaml@xxxxxx>
Date: Sat, 13 May 2017 21:14:31 -0000
Reply-to: Bug 1690544 <1690544@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

As I wrote in https://bugzilla.gnome.org/show_bug.cgi?id=773233#c2
(that's the bug for the master branch, where GIMP 2.9.x is being made
from), I could not reproduce the crash mentioned in the CVE. Probably no
surprise, given that CVE was reported against GIMP 2.3.x

However, I'd like to stress that this bug might have been fixed a lot
earlier if any of the downstream vendors who noticed it had reported it
upstream. Please make sure that every non-Ubuntu-specific bug in
Launchpad has a corresponding upstream bug report (adding a reference to
thess is what the "Also affects project" link is for), or that an
upstream report is made if you can't find one.

** Bug watch added: GNOME Bug Tracker #773233
   https://bugzilla.gnome.org/show_bug.cgi?id=773233

-- 
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to gimp in Ubuntu.
Matching subscriptions: Ubuntu Studio Bugs
https://bugs.launchpad.net/bugs/1690544

Title:
  include proper fix for CVE-2007-3126, released in GIMP 2.8.22

Status in The Gimp:
  Fix Released
Status in gimp package in Ubuntu:
  New

Bug description:
  The GIMP developers announced at https://www.gimp.org/news/2017/05/11/gimp-2-8-22-released/ that version 2.8.22 finally includes a proper fix for the ancient ICO file import crash CVE-2007-3126.
  The fix should thus either be back-ported or GIMP bumped to 2.8.22 for supported Ubuntu versions.

To manage notifications about this bug go to:
https://bugs.launchpad.net/gimp/+bug/1690544/+subscriptions

References

[Bug 1690544] [NEW] include proper fix for CVE-2007-3126, released in GIMP 2.8.22
From: nmaxx, 2017-05-13