Multiple vulnerabilities in Focal and Jammy

Bug #1982422 reported by Luís Infante da Câmara
Affects         Status        Importance  Assigned to  Milestone
gimp (Ubuntu)   Fix Released  Low         Unassigned
  Bionic        Invalid       Low         Unassigned
  Focal         Fix Released  Low         Unassigned
  Jammy         Fix Released  Low         Unassigned

Bug Description

The versions in Focal and Jammy are vulnerable to all CVEs listed below.

When a higher priority security issue appears in GIMP or substantial demand exists for these fixes, please publish patched packages.

Tags: patch
information type: Private Security → Public Security
no longer affects: gtk+2.0 (Ubuntu)
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

Patched packages for Focal and Jammy are building in my PPA: https://launchpad.net/~luis220413/+archive/ubuntu/security-updates.

Changed in gimp (Ubuntu):
status: New → In Progress
assignee: nobody → Luís Cunha dos Reis Infante da Câmara (luis220413)
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "gimp_focal.debdiff" seems to be a debdiff. The ubuntu-sponsors team has been subscribed to the bug report so that they can review and hopefully sponsor the debdiff. If the attachment isn't a patch, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-sponsors, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issue please contact him.]

tags: added: patch
Revision history for this message
Seth Arnold (seth-arnold) wrote :

Thanks Luís, we'll have a look at this. What testing have you done with the resulting packages?

Thanks

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

I have not done any testing.

Changed in gimp (Ubuntu):
status: In Progress → Fix Committed
assignee: Luís Cunha dos Reis Infante da Câmara (luis220413) → nobody
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Eduardo Barretto (ebarretto) wrote :

Hi Luis,

as part of the sponsoring/updating process, you have to run tests and inform us about their results and the instructions to reproduce them.

Testing an update is important. At a minimum, be sure to:
1. build in a clean build environment
2. verify the package still installs
3. verify the package upgrades cleanly
4. verify the package still functions properly
5. use public exploits and Proof of Concept(s) (PoC) (if available) to verify the bug is fixed
6. run any test suites available for such package

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gimp - 2.10.32-1

---------------
gimp (2.10.32-1) unstable; urgency=high

  * New upstream release (LP: #1982422)
    - Includes crash fixes CVE-2022-30067 and CVE-2022-32990
  * debian/control.in: Bump minimum gegl to 0.4.36
  * debian/libgimp2.0.symbols: Add new symbol

 -- Jeremy Bicha <email address hidden> Mon, 01 Aug 2022 09:39:35 -0400

Changed in gimp (Ubuntu):
status: Fix Committed → Fix Released
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

I took a look at the debdiffs in #2, #3, and #8, and here are my comments:

For Bionic:

- The package doesn't build with the debdiff provided. Please fix and make sure it builds before submitting it again.
- In CVE-2022-32990-2.patch, you dropped the section that patches xcf_load_buffer, but in Bionic, the function is called xcf_load_hierarchy, please add the section back and patch the appropriate function.

For Focal:
- The patch for CVE-2018-12713 is missing, please add it.

For Jammy:

- The patch for CVE-2018-12713 is missing, please add it.
- You seem to have bumped the version of gegl required in the debian/control file for no reason, and it is not mentioned in the changelog. Please remove this change.

Once those changes are done and new debdiffs have been attached, please detail the testing that you performed to make sure Gimp still works, thanks!

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

If there is substantial demand for these CVEs getting fixed, please comment on this bug or otherwise notify me (for example via email).

description: updated
Revision history for this message
Alex Murray (alexmurray) wrote :

> All the CVEs fixed by the attached debdiffs have priority low or negligible.
> Therefore, these updates should not be sponsored until a higher priority issue
> is found in GIMP.

I don't think it is right to try and say these should not be sponsored until a higher priority issue is found - it is just that other higher priority updates for other packages will usually take precedence. Please try not to talk with authority about things which you do not have authority over.

Revision history for this message
Luís Infante da Câmara (luis220413) wrote :

Sorry for the comment. I have hidden it and I will update my patches and request sponsorship.

Mathew Hodson (mhodson)
Changed in gimp (Ubuntu):
importance: Undecided → Low
Changed in gimp (Ubuntu Bionic):
importance: Undecided → Low
Changed in gimp (Ubuntu Focal):
importance: Undecided → Low
Changed in gimp (Ubuntu Jammy):
importance: Undecided → Low
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

There are no updated debdiffs to sponsor, unsubscribing ubuntu-security-sponsors for now. Please resubscribe the group once updated debdiffs have been attached to this bug. Thanks!

summary: - Multiple vulnerabilities in Bionic, Focal and Jammy
+ Multiple vulnerabilities in Focal and Jammy
Changed in gimp (Ubuntu Bionic):
status: New → Invalid
description: updated
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Luís Infante da Câmara (luis220413) wrote :
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gimp - 2.10.18-1ubuntu0.1

---------------
gimp (2.10.18-1ubuntu0.1) focal-security; urgency=medium

  [ Luís Infante da Câmara ]
  * SECURITY UPDATE: Buffer overflow leading to insufficient memory or
    program crash via a crafted XCF file (LP: #1982422)
    - debian/patches/CVE-2022-30067.patch: Stop loading paths and skip to
      the next property when xcf_old_path fails.
    - CVE-2022-30067
  * SECURITY UPDATE: Denial of service via a crafted XCF file
    (LP: #1982422)
    - debian/patches/CVE-2022-32990-1.patch: Check maximum dimensions when
      loading XCF files.
    - debian/patches/CVE-2022-32990-2.patch: Check for invalid offsets when
      loading XCF files.
    - debian/patches/CVE-2022-32990-3.patch: Return TRUE in
      gimp_channel_is_empty when channel is NULL.
    - CVE-2022-32990

  [ Marc Deslauriers ]
  * SECURITY UPDATE: DDS File Parsing Heap-based Buffer Overflow
    - debian/patches/CVE-2023-44441-1.patch: verify header information in
      plug-ins/file-dds/ddsread.c.
    - debian/patches/CVE-2023-44441-2.patch: fix checks in
      plug-ins/file-dds/ddsread.c.
    - debian/patches/CVE-2023-44441-3.patch: add additional fixes in
      plug-ins/file-dds/ddsread.c.
    - CVE-2023-44441
  * SECURITY UPDATE: PSD File Parsing Heap-based Buffer Overflow
    - debian/patches/CVE-2023-44442.patch: add missing break statement in
      plug-ins/file-psd/psd-util.c.
    - CVE-2023-44442
  * SECURITY UPDATE: PSP File Parsing Off-By-One
    - debian/patches/CVE-2023-44444.patch: fix buffer size in
      plug-ins/common/file-psp.c.
    - CVE-2023-44444

 -- Marc Deslauriers <email address hidden> Tue, 28 Nov 2023 07:38:10 -0500

Changed in gimp (Ubuntu Focal):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gimp - 2.10.30-1ubuntu0.1

---------------
gimp (2.10.30-1ubuntu0.1) jammy-security; urgency=medium

  [ Luís Infante da Câmara ]
  * SECURITY UPDATE: Buffer overflow leading to insufficient memory or
    program crash via a crafted XCF file (LP: #1982422)
    - debian/patches/CVE-2022-30067.patch: Stop loading paths and skip to
      the next property when xcf_old_path fails.
    - CVE-2022-30067
  * SECURITY UPDATE: Denial of service via a crafted XCF file
    (LP: #1982422)
    - debian/patches/CVE-2022-32990-1.patch: Check maximum dimensions when
      loading XCF files.
    - debian/patches/CVE-2022-32990-2.patch: Check for invalid offsets when
      loading XCF files.
    - debian/patches/CVE-2022-32990-3.patch: Return TRUE in
      gimp_channel_is_empty when channel is NULL.
    - CVE-2022-32990

  [ Marc Deslauriers ]
  * SECURITY UPDATE: DDS File Parsing Heap-based Buffer Overflow
    - debian/patches/CVE-2023-44441-1.patch: verify header information in
      plug-ins/file-dds/ddsread.c.
    - debian/patches/CVE-2023-44441-2.patch: fix checks in
      plug-ins/file-dds/ddsread.c.
    - debian/patches/CVE-2023-44441-3.patch: add additional fixes in
      plug-ins/file-dds/ddsread.c.
    - CVE-2023-44441
  * SECURITY UPDATE: PSD File Parsing Heap-based Buffer Overflow
    - debian/patches/CVE-2023-44442.patch: add missing break statement in
      plug-ins/file-psd/psd-util.c.
    - CVE-2023-44442
  * SECURITY UPDATE: PSP File Parsing Integer Overflow and Off-By-One
    - debian/patches/CVE-2023-44443_44444.patch: check
      color_palette_entries and fix buffer size in
      plug-ins/common/file-psp.c.
    - CVE-2023-44443
    - CVE-2023-44444

 -- Marc Deslauriers <email address hidden> Tue, 28 Nov 2023 07:38:10 -0500

Changed in gimp (Ubuntu Jammy):
status: New → Fix Released
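The Focal and Jammy changelogs above describe three classes of hardening applied to the XCF loader: reject oversized image dimensions before they are used, reject level offsets that point outside the file, and have gimp_channel_is_empty treat a NULL channel as empty instead of dereferencing it. The following C program is an added illustration of those checks written for this page; it is not GIMP's code, and the file layout (big-endian width, height, level count, then one offset per level), the MAX_DIMENSION limit, the load_status values and the sample byte strings are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed limit for this example; the real loader's maximum is not reproduced here. */
#define MAX_DIMENSION 65536u

typedef enum {
    LOAD_OK = 0,
    LOAD_TRUNCATED,       /* header or level table runs past the end of the file */
    LOAD_BAD_DIMENSIONS,  /* zero or oversized width/height */
    LOAD_BAD_OFFSET       /* level offset outside the file or not increasing */
} load_status;

typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t n_levels;
} image_info;

/* Big-endian u32 read with an explicit bounds check against the buffer length. */
static bool read_be32(const uint8_t *buf, size_t len, size_t *pos, uint32_t *out)
{
    if (len - *pos < 4)
        return false;
    *out = ((uint32_t)buf[*pos] << 24) | ((uint32_t)buf[*pos + 1] << 16) |
           ((uint32_t)buf[*pos + 2] << 8) | (uint32_t)buf[*pos + 3];
    *pos += 4;
    return true;
}

/* Validate a constructed hierarchy block: width, height, level count, then one
 * file offset per level.  Every field is checked before it is trusted. */
load_status load_hierarchy(const uint8_t *buf, size_t len, image_info *out)
{
    size_t pos = 0;
    uint32_t width, height, n_levels, prev = 0;

    if (!read_be32(buf, len, &pos, &width) ||
        !read_be32(buf, len, &pos, &height) ||
        !read_be32(buf, len, &pos, &n_levels))
        return LOAD_TRUNCATED;

    /* Reject dimensions before any width*height arithmetic or allocation. */
    if (width == 0 || height == 0 || width > MAX_DIMENSION || height > MAX_DIMENSION)
        return LOAD_BAD_DIMENSIONS;

    /* The level table must fit in what remains; otherwise n_levels is untrusted. */
    if (n_levels > (len - pos) / 4)
        return LOAD_TRUNCATED;
    size_t table_end = pos + (size_t)n_levels * 4;

    for (uint32_t i = 0; i < n_levels; i++) {
        uint32_t off;
        if (!read_be32(buf, len, &pos, &off))
            return LOAD_TRUNCATED;
        /* An offset must land inside the file, after the table, and increase. */
        if (off >= len || off < table_end || off <= prev)
            return LOAD_BAD_OFFSET;
        prev = off;
    }

    if (out) {
        out->width = width;
        out->height = height;
        out->n_levels = n_levels;
    }
    return LOAD_OK;
}

typedef struct {
    uint32_t width, height;
    const uint8_t *pixels;
} channel;

/* A missing channel is reported as empty instead of being dereferenced. */
bool channel_is_empty(const channel *ch)
{
    if (ch == NULL)
        return true;
    size_t n = (size_t)ch->width * ch->height;
    for (size_t i = 0; i < n; i++)
        if (ch->pixels[i] != 0)
            return false;
    return true;
}

/* Constructed sample inputs for the example (not real XCF data). */
const uint8_t sample_good[] = {
    0,0,0,4, 0,0,0,2, 0,0,0,2,       /* width 4, height 2, 2 levels */
    0,0,0,20, 0,0,0,24,              /* offsets 20 and 24 */
    1,2,3,4, 5,6,7,8 };              /* level payload, bytes 20..27 */
const uint8_t sample_huge_dims[]  = { 0xFF,0xFF,0xFF,0xFF, 0,0,0,2, 0,0,0,0 };
const uint8_t sample_bad_offset[] = { 0,0,0,4, 0,0,0,2, 0,0,0,1, 0,0,0x10,0 }; /* offset 4096 in a 16-byte file */
const uint8_t sample_truncated[]  = { 0,0,0,4, 0,0,0,2 };
const uint8_t sample_huge_count[] = { 0,0,0,4, 0,0,0,2, 0xFF,0xFF,0xFF,0xFF };

const uint8_t zero_px[2] = { 0, 0 };
const uint8_t set_px[2]  = { 0, 9 };
const channel zero_ch = { 2, 1, zero_px };
const channel set_ch  = { 2, 1, set_px };

int main(void)
{
    image_info info;
    printf("good:        %d\n", load_hierarchy(sample_good, sizeof sample_good, &info));
    printf("huge dims:   %d\n", load_hierarchy(sample_huge_dims, sizeof sample_huge_dims, NULL));
    printf("bad offset:  %d\n", load_hierarchy(sample_bad_offset, sizeof sample_bad_offset, NULL));
    printf("truncated:   %d\n", load_hierarchy(sample_truncated, sizeof sample_truncated, NULL));
    printf("huge count:  %d\n", load_hierarchy(sample_huge_count, sizeof sample_huge_count, NULL));
    printf("NULL empty:  %d\n", channel_is_empty(NULL));
    return 0;
}
```

The order of the checks is the point: dimensions are rejected before any width*height product exists, the level count is bounded by the bytes actually present before the table is walked, and each offset is compared against the file length and the end of the table before anything is read through it.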