ubuntustudio-bugs team mailing list archive

[Bug 1773561] Re: Xenial/16.04: GIMP needs a security update - unfixed issues (CVE-2017: 17784-17789).


** Summary changed:

- Xenial/16.04: GIMP needs a security update - unfixed issues (CVE-2017-*).
+ Xenial/16.04: GIMP needs a security update - unfixed issues (CVE-2017: 17784-17789).

** Description changed:

  Hello.
  
  GIMP package ('Universe/Security' section), available in "Xenial"/16.04
  LTS Release, contains unfixed security issues and is vulnerable to, for
  example, heap-buffer over-read, out of bounds read and stack-based
- buffer over-read etc. The whole this is pretty strange, because Ubuntu
+ buffer over-read etc. The whole thing is pretty strange, because Ubuntu
  Releases released before and after "Xenial", contains updated GIMP
- version!
+ package!
  
  Anyway, it looks this way: in "Trusty" the available version is:
  '2.8.10-0ubuntu1.2' (please see [1]). "Bionic" has '2.8.20-1.1' version
  (please see [2]). Both Releases contains fixes for mentioned security
  issues: CVE-2017-* etc. However, GIMP version in "Xenial" is
  '2.8.16-1ubuntu1.1' and does not contain any security updates from 2017.
  (The last one is from Thu, 30 Jun 2016.; please see [3]).
  
  Security updates with fixes for mentioned CVE's (please compare changes
  in 1. and 2. with 3.) were released on Thu., 18 Jan 2018 - for "Trusty"
  and Tue., 26 Dec 2017 - for "Bionic". In "Xenial", the last security
  update is from Thu., 30 Jun 2016 (fix for CVE-2016-4994) and there is no
  further updates!
  
- Here is a CVE list, which are not fixed in "Xenial", but in "Trusty" and
- "Bionic" only:
+ Here is a CVE list of security issues not fixed in "Xenial", but in
+ "Trusty" and "Bionic" etc.:
  
- 1/ CVE-2017-17786: Out of bounds read
- 2/ CVE-2017-17789: Heap-based buffer overflow in read_channel_data
- 3/ CVE-2017-17784: Heap-buffer over-read in load_image file-gbr.c
+ 1/ CVE-2017-17784: Heap-buffer over-read in load_image file-gbr.c
+ 2/ CVE-2017-17785: Heap-based buffer overflow in fli_read_brun function
+ 3/ CVE-2017-17786: Out of bounds read
  4/ CVE-2017-17787: Heap-based buffer over-read in read_creator_block
- 5/ CVE-2017-17785: Heap-based buffer overflow in fli_read_brun function
- 6/ CVE-2017-17788: Stack-based buffer over-read in xcf_load_stream
+ 5/ CVE-2017-17788: Stack-based buffer over-read in xcf_load_stream
+ 6/ CVE-2017-17789: Heap-based buffer overflow in read_channel_data
  
- I wanted to send an email an email to Mr Marc Deslauriers, because he
- made the last security update for GIMP in "Xenial" (fix for
- CVE-2016-4994). But I decided to report a bug on Launchpad. I hope that
- it's an acceptable way. If not, I'm sorry.
+ And the most important thing: if User had installed GIMP package in
+ "Xenial" Release, he is affected - since one year, at least - because of
+ a vulnerable version. Security issues, mentioned above, are from 2017.
+ So, maybe it's a good opportunity to update GIMP to v2.10.2 version,
+ released on 20., May 2018? (Version 2.8.X is very outdated).
  
- ✗✗✗ And the most important thing: if an User had installed GIMP package
- in "Xenial" Release, he is affected because he is using a vulnerable
- version since one year! Security issues, mentioned above, are from 2017.
- So, maybe it's a good opportunity to update GIMP to v2.10.2 version,
- released on 20., May 2018? At least in non-LTS Releases. Of course I'm
- not talking about "Cosmic" here. (Version 2.8.X is very outdated).
+ I wanted to send an email to Mr Marc Deslauriers, because he made the
+ last security update for GIMP in "Xenial" (fix for CVE-2016-4994). But I
+ decided to report a bug on Launchpad. I hope that it's an acceptable
+ way. If not, I'm sorry.
  
  By the way: similar problems with unfixed security issues, can be found
  e.g. in Audacious and Parole packages. But that's a different story,
  completely different story...
  
  Thanks, best regards.
  ______________________
  1. http://changelogs.ubuntu.com/changelogs/pool/main/g/gimp/gimp_2.8.10-0ubuntu1.2/changelog 
  2. http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.20-2/changelog 
  3. http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.16-1ubuntu1.1/changelog

-- 
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to gimp in Ubuntu.
Matching subscriptions: Ubuntu Studio Bugs
https://bugs.launchpad.net/bugs/1773561

Title:
  Xenial/16.04: GIMP needs a security update - unfixed issues (CVE-2017:
  17784-17789).

Status in gimp package in Ubuntu:
  Confirmed

Bug description:
  Hello.

  The GIMP package ('Universe/Security' section), available in the
  "Xenial"/16.04 LTS Release, contains unfixed security issues and is
  vulnerable to, for example, heap-buffer over-read, out of bounds read
  and stack-based buffer over-read etc. The whole thing is pretty
  strange, because Ubuntu Releases released before and after "Xenial"
  contain an updated GIMP package!

  Anyway, it looks this way: in "Trusty" the available version is
  '2.8.10-0ubuntu1.2' (please see [1]). "Bionic" has version '2.8.20-1.1'
  (please see [2]). Both Releases contain fixes for the mentioned
  security issues: CVE-2017-* etc. However, the GIMP version in "Xenial" is
  '2.8.16-1ubuntu1.1' and does not contain any security updates from
  2017. (The last one is from Thu, 30 Jun 2016; please see [3]).

  Security updates with fixes for the mentioned CVEs (please compare
  changes in 1. and 2. with 3.) were released on Thu., 18 Jan 2018 for
  "Trusty" and Tue., 26 Dec 2017 for "Bionic". In "Xenial", the last
  security update is from Thu., 30 Jun 2016 (fix for CVE-2016-4994) and
  there are no further updates!

  Here is a CVE list of security issues not fixed in "Xenial", but in
  "Trusty" and "Bionic" etc.:

  1/ CVE-2017-17784: Heap-buffer over-read in load_image file-gbr.c
  2/ CVE-2017-17785: Heap-based buffer overflow in fli_read_brun function
  3/ CVE-2017-17786: Out of bounds read
  4/ CVE-2017-17787: Heap-based buffer over-read in read_creator_block
  5/ CVE-2017-17788: Stack-based buffer over-read in xcf_load_stream
  6/ CVE-2017-17789: Heap-based buffer overflow in read_channel_data

  And the most important thing: if a user has installed the GIMP package
  in the "Xenial" Release, he is affected - since one year, at least -
  because of a vulnerable version. The security issues mentioned above
  are from 2017. So, maybe it's a good opportunity to update GIMP to
  v2.10.2, released on 20 May 2018? (Version 2.8.X is very outdated).

  I wanted to send an email to Mr Marc Deslauriers, because he made the
  last security update for GIMP in "Xenial" (fix for CVE-2016-4994). But
  I decided to report a bug on Launchpad. I hope that it's an acceptable
  way. If not, I'm sorry.

  By the way: similar problems with unfixed security issues can be
  found e.g. in the Audacious and Parole packages. But that's a different
  story, a completely different story...

  Thanks, best regards.
  ______________________
  1. http://changelogs.ubuntu.com/changelogs/pool/main/g/gimp/gimp_2.8.10-0ubuntu1.2/changelog
  2. http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.20-2/changelog
  3. http://changelogs.ubuntu.com/changelogs/pool/universe/g/gimp/gimp_2.8.16-1ubuntu1.1/changelog
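The check the reporter describes ("compare changes in 1. and 2. with 3.") can be automated. The following is an added example, not part of the bug report or of any Ubuntu tooling: it parses Debian-format changelog text and lists which of the six reported CVEs no entry cites. The two changelog texts are constructed samples (package versions and dates follow the report; the entry wording and maintainer are made up).

```python
import re
from typing import Dict, List, Set

# CVEs the bug report lists as unfixed in Xenial (taken from the report).
REPORTED_CVES = [f"CVE-2017-{n}" for n in range(17784, 17790)]

# One Debian changelog entry header: "pkg (version) dist; urgency=..."
ENTRY_RE = re.compile(r"^(\S+) \(([^)]+)\) (\S+); urgency=", re.M)
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def cves_by_version(changelog: str) -> Dict[str, Set[str]]:
    """Map each package version in the changelog to the CVE ids its entry cites."""
    result: Dict[str, Set[str]] = {}
    heads = list(ENTRY_RE.finditer(changelog))
    for i, m in enumerate(heads):
        # An entry runs from its header to the next header (or end of file).
        end = heads[i + 1].start() if i + 1 < len(heads) else len(changelog)
        result[m.group(2)] = set(CVE_RE.findall(changelog[m.end():end]))
    return result


def unaddressed(changelog: str, cves: List[str]) -> List[str]:
    """CVEs from `cves` that no entry in the changelog mentions, in input order."""
    cited = set().union(*cves_by_version(changelog).values())
    return [c for c in cves if c not in cited]


# Constructed sample changelogs (not the real Ubuntu ones): package versions
# and dates come from the bug report, the entry text is made up.
XENIAL_CHANGELOG = """\
gimp (2.8.16-1ubuntu1.1) xenial-security; urgency=medium

  * SECURITY UPDATE: fix for CVE-2016-4994

 -- Example Maintainer <maint@example.com>  Thu, 30 Jun 2016 10:00:00 -0400
"""

TRUSTY_CHANGELOG = """\
gimp (2.8.10-0ubuntu1.2) trusty-security; urgency=medium

  * SECURITY UPDATE: out-of-bounds reads and heap overflows in file loaders
    - CVE-2017-17784, CVE-2017-17785, CVE-2017-17786
    - CVE-2017-17787, CVE-2017-17788, CVE-2017-17789

 -- Example Maintainer <maint@example.com>  Thu, 18 Jan 2018 10:00:00 -0500
"""

if __name__ == "__main__":
    for name, log in (("xenial", XENIAL_CHANGELOG), ("trusty", TRUSTY_CHANGELOG)):
        print(name, "missing:", unaddressed(log, REPORTED_CVES) or "none")
```

Pointing the same functions at the real changelog files linked in [1]-[3] reproduces the comparison the report asks for.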
