Two security vulnerabilities have been discovered in the GIMP (GNU Image Manipulation Program) package distributed with the Fedora 16 operating system. They can be exploited remotely to carry out a denial-of-service (DoS) attack or to execute arbitrary code.
Package:
gimp 2.x
Operating systems:
Fedora 16
Severity:
5.9
Problem:
integer overflow, error in a program function, buffer overflow
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2012-12364
2012-08-21 09:29:13
--------------------------------------------------------------------------------
Name : gimp
Product : Fedora 16
Version : 2.6.12
Release : 2.fc16
URL : http://www.gimp.org/
Summary : GNU Image Manipulation Program
Description :
GIMP (GNU Image Manipulation Program) is a powerful image composition and
editing program, which can be extremely useful for creating logos and other
graphics for webpages. GIMP has many of the tools and filters you would expect
to find in similar commercial offerings, and some interesting extras as well.
GIMP provides a large image manipulation toolbox, including channel operations
and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all
with multi-level undo.
--------------------------------------------------------------------------------
Update Information:
This update fixes security and stability issues in various image format loaders.
Security issues fixed include CVE-2012-3403 and CVE-2012-3481.
--------------------------------------------------------------------------------
ChangeLog:
* Mon Aug 20 2012 Nils Philippsen <e-mail address withheld> - 2:2.6.12-2
- fix crash in fits loader (#834627)
- fix overflow in CEL plug-in (CVE-2012-3403)
- fix overflow in GIF loader (CVE-2012-3481)
* Tue Jan 31 2012 Nils Philippsen <e-mail address withheld> - 2:2.6.12-1
- version 2.6.12
Overview of Changes from GIMP 2.6.11 to GIMP 2.6.12
===================================================
* Bugs fixed:
627328 - GIMP 2.6.10 segfaults when CTRL-left click on a layer mask
631885 - GIMP fails to import a path from SVG
631728 - Crash or Gtk-CRITICAL on File->Open
641259 - [abrt] gimp-2:2.6.11-1.fc14: py-slice.py:172:slice:TypeError: integer argument expected, got float
640219 - gimp(1) manpage fixes
640612 - Sample Colorize does not function non-interactively
646947 - file-pdf-load: Don't use deprecated API
639203 - file-psp: fix for bogus input data
639203 - Fixes for some buffer overflow problems
652280 - Guard against crash due to quitting while DND is processed
660305 - fails to build with -Werror=format-security
... plus a ton of others.
* Updated translations:
Asturian (ast)
Catalan (Valencian) (ca@valencia)
Danish (da)
Greek (el)
Esperanto (eo)
Spanish (es)
Italian (it)
Japanese (ja)
Kazakh (kk)
Latvian (la)
Norwegian Nynorsk (nn)
Polish (pl)
Portuguese (pt)
Brazilian Portuguese (pt_BR)
Russian (ru)
Turkish (tr)
Simplified Chinese (zh_CN)
--------------------------------------------------------------------------------
References:
[ 1 ] Bug #839020 - CVE-2012-3403 gimp (CEL plug-in): heap buffer overflow
when loading external palette files
https://bugzilla.redhat.com/show_bug.cgi?id=839020
[ 2 ] Bug #847303 - CVE-2012-3481 Gimp (GIF plug-in): Heap-based buffer
overflow by loading certain GIF images
https://bugzilla.redhat.com/show_bug.cgi?id=847303
--------------------------------------------------------------------------------
This update can be installed with the "yum" update program. Use
su -c 'yum update gimp' at the command line.
For more information, refer to "Managing Software with yum",
available at http://docs.fedoraproject.org/yum/.
All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at
https://fedoraproject.org/keys
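A defender applying this notification usually wants to confirm, across many hosts, that the installed gimp package is at or above the fixed release (epoch:version-release 2:2.6.12-2.fc16) rather than just that `yum update` ran. The following is an added example, not part of the Fedora notification or the GIMP project; it reimplements RPM's segment-wise version ordering in simplified form (the helper names `rpmvercmp`, `parse_evr`, `compare_evr` and `is_fixed` are hypothetical) and runs on constructed sample strings in the shape `rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' gimp` prints. It also shows the epoch caveat: the gimp package carries epoch 2, so a bare `2.6.12-2.fc16` string (epoch missing, i.e. 0) sorts below the fixed release and must not be reported as patched.

```python
"""Check whether an installed gimp EVR is at or above the advisory's fixed release.
Added example (not from the Fedora notification); simplified reimplementation of
RPM's rpmvercmp ordering, tested on constructed sample strings."""
import re

# Fixed package named in the advisory: epoch 2, version 2.6.12, release 2.fc16
FIXED_EVR = "2:2.6.12-2.fc16"

# Split a version string into alternating numeric / alphabetic segments
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")


def rpmvercmp(a, b):
    """Simplified rpmvercmp (hypothetical helper): compare segments left to right.
    Returns -1, 0 or 1. Numeric segments compare as integers (leading zeros
    ignored), alphabetic ones lexically, and a numeric segment sorts after an
    alphabetic one at the same position, as RPM does."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:
            return 1 if xd else -1
        elif x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    # The string with more segments left over is the newer one
    return 1 if len(sa) > len(sb) else -1


def parse_evr(evr):
    """Split 'epoch:version-release' into (epoch, version, release).
    A missing epoch, or rpm's '(none)' placeholder, is treated as epoch 0."""
    epoch = "0"
    if ":" in evr:
        epoch, evr = evr.split(":", 1)
        if epoch == "(none)":
            epoch = "0"
    version, _, release = evr.partition("-")
    return epoch, version, release


def compare_evr(a, b):
    """Compare two EVR strings: epoch first, then version, then release."""
    for x, y in zip(parse_evr(a), parse_evr(b)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def is_fixed(installed_evr, fixed_evr=FIXED_EVR):
    """True when the installed package is the fixed release or newer."""
    return compare_evr(installed_evr, fixed_evr) >= 0


# Constructed sample lines in the shape rpm's --qf output would have on various hosts
SAMPLE_RPM_OUTPUT = [
    "2:2.6.12-1.fc16",  # the release this update replaces: still vulnerable
    "2:2.6.12-2.fc16",  # the fixed release from the advisory
    "2:2.6.11-5.fc16",  # older upstream version: vulnerable
    "2:2.8.2-1.fc17",   # newer version: fixed
    "2.6.12-2.fc16",    # epoch missing: sorts below epoch 2, so not proven fixed
]


def classify(lines):
    """Map each sample EVR to whether it satisfies the advisory."""
    return {line: is_fixed(line) for line in lines}


if __name__ == "__main__":
    for evr, ok in classify(SAMPLE_RPM_OUTPUT).items():
        print(f"{evr:20s} {'fixed' if ok else 'VULNERABLE'}")
```

In practice the EVR strings would come from `rpm -q` on each host (or from an inventory export); the comparison logic is what matters, and the epoch case shows why a naive string or float comparison on "2.6.12" alone is not enough to decide patch status.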
--------------------------------------------------------------------------------
_______________________________________________
package-announce mailing list
<list e-mail address withheld>
https://admin.fedoraproject.org/mailman/listinfo/package-announce