Nove sigurnosne ranjivosti programskog paketa Gimp

Uočeno je više sigurnosnih propusta u radu programskog paketa Gimp, distribuiranog s operacijskim sustavom Fedora 13. Propusti udaljenom napadaču omogućuju DoS (eng. Denial of Service) napad te proizvoljno izvršavanje programskog koda.

Paket:	gimp 2.x
Operacijski sustavi:	Fedora 13
Kritičnost:	7.5
Problem:	pogreška u programskoj komponenti, preljev međuspremnika
Iskorištavanje:	udaljeno
Posljedica:	proizvoljno izvršavanje programskog koda, uskraćivanje usluga (DoS)
Rješenje:	programska zakrpa proizvođača
CVE:	CVE-2010-4543, CVE-2011-1782, CVE-2010-4541, CVE-2010-4542, CVE-2010-4540
Izvorni ID preporuke:	FEDORA-2011-7397
Izvor:	Fedora

Problem:
Sigurnosni propusti se javljaju zbog preljeva međuspremnika u funkcijama kao što su "read_channel_data", "gfig_read_parameter_gimp_rgb", "load_preset_response", itd.
Posljedica:
Udaljenom napadaču propusti omogućuju napad uskraćivanjem usluga (DoS) te pokretanje zlonamjernog programskog koda.
Rješenje:
Korisnici se upućuju na korištenje nadogradnje.

Izvorni tekst preporuke

--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2011-7397
2011-05-25 01:55:06
--------------------------------------------------------------------------------

Name        : gimp
Product     : Fedora 13
Version     : 2.6.11
Release     : 14.fc13
URL         : http://www.gimp.org/
Summary     : GNU Image Manipulation Program
Description :
GIMP (GNU Image Manipulation Program) is a powerful image composition and
editing program, which can be extremely useful for creating logos and other
graphics for webpages. GIMP has many of the tools and filters you would expect
to find in similar commercial offerings, and some interesting extras as well.
GIMP provides a large image manipulation toolbox, including channel operations
and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all
with multi-level undo.

--------------------------------------------------------------------------------
Update Information:

This update fixes buffer overflows in the PSP (CVE-2010-4543, CVE-2011-1782),
sphere-designer (CVE-2010-4541), gfig (CVE-2010-4542) and lighting
(CVE-2010-4540) plugins.
--------------------------------------------------------------------------------
ChangeLog:

* Mon May 23 2011 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.11-14
- fix buffer overflows in sphere-designer (CVE-2010-4541),
  gfig (CVE-2010-4542), lighting (CVE-2010-4540) plugins
* Mon May 23 2011 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.11-13
- harden PSP plugin against bogus input data (CVE-2010-4543, CVE-2011-1782)
* Sat May  7 2011 Christopher Aillon <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.11-12
- Update desktop database, icon cache scriptlets
* Fri May  6 2011 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.11-11
- simplify poppler-0.17 patch to avoid adding to libgimp (#698157)
* Wed May  4 2011 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.11-10
- don't use poppler/gdk_pixbuf API removed in poppler >= 0.17 (#698157)
- remove obsolete configure options
* Tue Mar 15 2011 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.11-9
- don't use HAL from F-16/RHEL-7 on
- explicitly use GIO/GVFS rather than gnome-vfs
* Sun Mar 13 2011 Marek Kasik <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.11-8
- Rebuild (poppler-0.16.3)
* Tue Feb  8 2011 Fedora Release Engineering <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.>
- 2:2.6.11-7
- Rebuilt for https://fedoraproject.org/wiki/Fedora_15_Mass_Rebuild
* Wed Feb  2 2011 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.11-6
- avoid traceback in pyslice plugin (#667958)
* Sat Jan  1 2011 Rex Dieter <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.11-5
- rebuild (poppler)
* Wed Dec 15 2010 Rex Dieter <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.11-4
- rebuild (poppler)
* Tue Nov  9 2010 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.11-3
- avoid traceback in colorxhtml plugin (#651002)
* Sat Nov  6 2010 Rex Dieter <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.11-2
- rebuilt (poppler)
* Mon Oct  4 2010 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.11-1
- version 2.6.11

  Overview of Changes from GIMP 2.6.10 to GIMP 2.6.11
  ===================================================

  * Bugs fixed:

   631199 - Printing and Print preview broken with cairo 1.10
   572865 - Parasite handling had problems and can cause crashing
   628893 - Error with string-append and gimp-drawable-get-name
   623850 - (Paco) Recursive Gaussian Filter error
   624487 - Fix incorrect "wrap mode" documentation values in Edge plug-in
   557380 - Difference of Gaussians gives blank doc if "Invert" selected
   627009 - Image type filter doesn't include .rgba SGI files
   626020 - Console window opening on file-ps-load
   624698 - Wood 1 and Wood 2 have bad alpha value
   624275 - Image saved from google docs generates a
            'gimp-image-set-resolution' error message

  * Updated translations:

   German (de)
   Spanish (es)
   Italian (it)
   Japanese (ja)
   Romanian (ro)
   Chinese (Hong Kong) (zh_HK)
   Chinese (Taiwan) (zh_HK)
* Tue Aug 24 2010 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.10-5
- don't require gtk-doc but own %{_datadir}/gtk-doc (#604355, #604169)
* Thu Aug 19 2010 Rex Dieter <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.10-4
- rebuild (poppler)
* Wed Aug 11 2010 David Malcolm <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.10-3
- recompiling .py files against Python 2.7 (rhbz#623309)
* Fri Jul  9 2010 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.10-2
- distribute license and other documentation with gimp-libs
* Fri Jul  9 2010 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.10-1
- version 2.6.10

  Overview of Changes from GIMP 2.6.9 to GIMP 2.6.10
  ==================================================

  * Bugs fixed:

   613328 - TGA files saved with incorrect header yOrigin data
   623290 - Save As... does not save Windows Bitmap as default in dialog
   621363 - CMYK decompose broken
   595170 - brush - color from gradient works wrong in greyscale
   613838 - Error in gimp-hue-saturation PDB call
   622608 - GIMP crashes when clicking any scroll bar from combo boxes
   565459 - newly opened images are put into the background

  * Updated translations:

   German (de)
   Italian (it)
   Romanian (ro)
   Portuguese (pt)

- remove obsolete combo-popup patch
- update script-fu-ipv6 patch
* Mon Jul  5 2010 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.9-5
- rebuild against libwebkitgtk (instead of libwebkit)
* Tue Jun 29 2010 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.9-4
- script-fu: make rest of server IPv6-aware (#198367)
* Mon Jun 28 2010 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.9-3
- script-fu: make logging IPv6-aware (#198367)
* Fri Jun 25 2010 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.9-2
- fix clicking scroll bar buttons from combo boxes
* Wed Jun 23 2010 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.9-1
- version 2.6.9

  Overview of Changes from GIMP 2.6.8 to GIMP 2.6.9
  =================================================

  * Bugs fixed:

   612618 - Font selection remains visible
   622234 - gimp.desktop: image/x-psd in MimeTypes twice
   622196 - Unportable test(1) construct in configure script
   620604 - Description of "histogram" procedure is slightly inaccurate
   541586 - Tool options not saved/loaded correctly?
   614153 - Importing PDF files with long titles
   600112 - blur-gauss-selective.exe crashes
   599233 - Dialog of "Save as BMP" ignores changes which are not made
            with a mous
   565001 - Text-Tool crashes when edit a 2.4.2 version xcf
   610478 - Layer preview suddenly stops getting updated
   609026 - leaks shared memory
   609056 - Exporting to Alias PIX format fails
   608188 - a few strings in Save as... > Raw image data dialog are always
            in English
   604820 - GEGL Operation "path" crashes GIMP
   603711 - Crashes when using path tool
   607242 - GIMP 2.7.0 fails to build against libpng 1.4.0
   606372 - Saving to .ppm fails on indexed colorspace
   605237 - the "Antialiasing..." message in the progress bar does not show
            translated
   604508 - gimp-layer-new-from-visible should work from updated projection

  * Updated and new translations:

   Asturian (ast)
   Basque (eu)
   Burmese (my)
   Catalan (ca)
   Chinese (Hong Kong) (zh_HK)
   Chinese (Taiwan) (zh_HK)
   German (de)
   Italian (it)
   Latvian (lv)
   Low German (nds)
   Romanian (ro)
   Simplified Chinese (zh_CN)
   Slovenian (sl)
   Ukrainian (uk)
   Valencian (ca@valencia)

- remove obsolete gtk219, never-stack-trace-desktop, indexed-pnm patches
- don't manually provide "gimp-libs%{?_isa}" in gimp-libs
- don't package %{_datadir}/gtk-doc/html, but dirs beneath
* Wed Jun 23 2010 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.8-10
- get rid of obsolete gimp-plugin-mgr
* Tue Jun 22 2010 Matthias Clasen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.8-9
- Rebuild against new poppler
* Fri Jun 18 2010 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.8-8
- backport fix for saving indexed PNM files (#605615)
* Mon Apr 19 2010 Nils Philippsen <Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.> - 2:2.6.8-7
- add --stack-trace-mode=never to desktop file
--------------------------------------------------------------------------------
References:

  [ 1 ] Bug #706939 - CVE-2010-4540 CVE-2010-4541 CVE-2010-4542 CVE-2010-4543
CVE-2011-1782 CVE-2010-4543 gimp various flaws [fedora-all]
        https://bugzilla.redhat.com/show_bug.cgi?id=706939
--------------------------------------------------------------------------------

This update can be installed with the "yum" update program.  Use 
su -c 'yum update gimp' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.

All packages are signed with the Fedora Project GPG key.  More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
Ova e-mail adresa je zaštićena od spambota. Potrebno je omogućiti JavaScript da je vidite.
https://admin.fedoraproject.org/mailman/listinfo/package-announce

Nove sigurnosne ranjivosti programskog paketa Gimp

Tražilica portala

Aktivnosti

O CIS-u

Posljednje vijesti

Posljednji dokumenti

Nove sigurnosne ranjivosti programskog paketa Gimp

Tražilica portala

Aktivnosti

O CIS-u

Posljednje sigurnosne preporuke

Posljednje vijesti

Popularni članci

Posljednji dokumenti