Security Advisory Moderate: gimp security update

Advisory: RHSA-2012:1181-1
Type: Security Advisory
Severity: Moderate
Issued on: 2012-08-20
Last updated on: 2012-08-20
Affected Products:
    RHEL Desktop Workstation (v. 5 client)
    Red Hat Enterprise Linux (v. 5 server)
    Red Hat Enterprise Linux Desktop (v. 5 client)
CVEs (cve.mitre.org):
    CVE-2009-3909
    CVE-2011-2896
    CVE-2012-3402
    CVE-2012-3403
    CVE-2012-3481

Details

Updated gimp packages that fix multiple security issues are now available
for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

The GIMP (GNU Image Manipulation Program) is an image composition and
editing program.

Multiple integer overflow flaws, leading to heap-based buffer overflows,
were found in the GIMP's Adobe Photoshop (PSD) image file plug-in. An
attacker could create a specially-crafted PSD image file that, when opened,
could cause the PSD plug-in to crash or, potentially, execute arbitrary
code with the privileges of the user running the GIMP. (CVE-2009-3909,
CVE-2012-3402)

An integer overflow flaw, leading to a heap-based buffer overflow, was
found in the GIMP's GIF image format plug-in. An attacker could create a
specially-crafted GIF image file that, when opened, could cause the GIF
plug-in to crash or, potentially, execute arbitrary code with the
privileges of the user running the GIMP. (CVE-2012-3481)

A heap-based buffer overflow flaw was found in the Lempel-Ziv-Welch (LZW)
decompression algorithm implementation used by the GIMP's GIF image format
plug-in. An attacker could create a specially-crafted GIF image file that,
when opened, could cause the GIF plug-in to crash or, potentially, execute
arbitrary code with the privileges of the user running the GIMP.
(CVE-2011-2896)

A heap-based buffer overflow flaw was found in the GIMP's KiSS CEL file
format plug-in. An attacker could create a specially-crafted KiSS palette
file that, when opened, could cause the CEL plug-in to crash or,
potentially, execute arbitrary code with the privileges of the user running
the GIMP. (CVE-2012-3403)
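The four paragraphs above all describe the same defect class: a size derived from attacker-controlled header fields wraps in 32-bit arithmetic, the plug-in allocates a buffer far smaller than the data it then writes, and the heap is overrun. The following is an added illustration of that pattern and its fix, written for this page; it is not code from the GIMP plug-ins, and the header struct, field names, and the 256 MiB ceiling are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stddef.h>

/* Hypothetical header fields, as a loader would read them from the file. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t channels;  /* bytes per pixel: 1, 3 or 4 */
} image_header;

/* Policy ceiling for a single pixel buffer (assumption: 256 MiB). */
#define MAX_PIXEL_BYTES ((uint64_t)1 << 28)

/* Unchecked size computation of the kind behind the advisory's bug class:
 * 32-bit arithmetic wraps silently, so a hostile header can produce a
 * small allocation that later pixel writes overrun. Kept for contrast. */
uint32_t naive_pixel_bytes(const image_header *h)
{
    return h->width * h->height * h->channels;
}

/* Checked computation: widens before multiplying, rejects zero and
 * oversized inputs, and never lets a product wrap. Returns 0 on success. */
int checked_pixel_bytes(const image_header *h, size_t *out)
{
    if (h->width == 0 || h->height == 0)
        return -1;
    if (h->channels == 0 || h->channels > 4)
        return -1;
    /* (2^32 - 1)^2 fits in 64 bits, so this product cannot wrap. */
    uint64_t area = (uint64_t)h->width * h->height;
    /* Divide rather than multiply so the comparison itself cannot wrap. */
    if (area > MAX_PIXEL_BYTES / h->channels)
        return -1;
    *out = (size_t)(area * h->channels);
    return 0;
}

/* Allocates a pixel buffer only when the header passes the check; the
 * caller must still bound every later write by the size returned here. */
unsigned char *alloc_pixels(const image_header *h, size_t *size)
{
    if (checked_pixel_bytes(h, size) != 0)
        return NULL;
    return malloc(*size);
}
```

With a header of 65536 x 65537 x 1 the naive product wraps to 65536 bytes, while the checked version refuses the header outright; that refusal, rather than a larger buffer, is the behaviour a backported fix restores.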

Red Hat would like to thank Secunia Research for reporting CVE-2009-3909,
and Matthias Weckbecker of the SUSE Security Team for reporting
CVE-2012-3481.

Users of the GIMP are advised to upgrade to these updated packages, which
contain backported patches to correct these issues. The GIMP must be
restarted for the update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

All files listed below have since been outdated by RHSA-2013:1778.

RHEL Desktop Workstation (v. 5 client)

SRPMS:
gimp-2.2.13-2.0.7.el5_8.5.src.rpm

IA-32:
gimp-debuginfo-2.2.13-2.0.7.el5_8.5.i386.rpm
gimp-devel-2.2.13-2.0.7.el5_8.5.i386.rpm

x86_64:
gimp-debuginfo-2.2.13-2.0.7.el5_8.5.i386.rpm
gimp-debuginfo-2.2.13-2.0.7.el5_8.5.x86_64.rpm
gimp-devel-2.2.13-2.0.7.el5_8.5.i386.rpm
gimp-devel-2.2.13-2.0.7.el5_8.5.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server)

SRPMS:
gimp-2.2.13-2.0.7.el5_8.5.src.rpm

IA-32:
gimp-2.2.13-2.0.7.el5_8.5.i386.rpm
gimp-debuginfo-2.2.13-2.0.7.el5_8.5.i386.rpm
gimp-devel-2.2.13-2.0.7.el5_8.5.i386.rpm
gimp-libs-2.2.13-2.0.7.el5_8.5.i386.rpm

IA-64:
gimp-2.2.13-2.0.7.el5_8.5.ia64.rpm
gimp-debuginfo-2.2.13-2.0.7.el5_8.5.ia64.rpm
gimp-devel-2.2.13-2.0.7.el5_8.5.ia64.rpm
gimp-libs-2.2.13-2.0.7.el5_8.5.ia64.rpm

PPC:
gimp-2.2.13-2.0.7.el5_8.5.ppc.rpm
gimp-debuginfo-2.2.13-2.0.7.el5_8.5.ppc.rpm
gimp-debuginfo-2.2.13-2.0.7.el5_8.5.ppc64.rpm
gimp-devel-2.2.13-2.0.7.el5_8.5.ppc.rpm
gimp-devel-2.2.13-2.0.7.el5_8.5.ppc64.rpm
gimp-libs-2.2.13-2.0.7.el5_8.5.ppc.rpm
gimp-libs-2.2.13-2.0.7.el5_8.5.ppc64.rpm

s390x:
gimp-2.2.13-2.0.7.el5_8.5.s390x.rpm
gimp-debuginfo-2.2.13-2.0.7.el5_8.5.s390.rpm
gimp-debuginfo-2.2.13-2.0.7.el5_8.5.s390x.rpm
gimp-devel-2.2.13-2.0.7.el5_8.5.s390.rpm
gimp-devel-2.2.13-2.0.7.el5_8.5.s390x.rpm
gimp-libs-2.2.13-2.0.7.el5_8.5.s390.rpm
gimp-libs-2.2.13-2.0.7.el5_8.5.s390x.rpm

x86_64:
gimp-2.2.13-2.0.7.el5_8.5.x86_64.rpm
gimp-debuginfo-2.2.13-2.0.7.el5_8.5.i386.rpm
gimp-debuginfo-2.2.13-2.0.7.el5_8.5.x86_64.rpm
gimp-devel-2.2.13-2.0.7.el5_8.5.i386.rpm
gimp-devel-2.2.13-2.0.7.el5_8.5.x86_64.rpm
gimp-libs-2.2.13-2.0.7.el5_8.5.i386.rpm
gimp-libs-2.2.13-2.0.7.el5_8.5.x86_64.rpm

Red Hat Enterprise Linux Desktop (v. 5 client)

SRPMS:
gimp-2.2.13-2.0.7.el5_8.5.src.rpm

IA-32:
gimp-2.2.13-2.0.7.el5_8.5.i386.rpm
gimp-debuginfo-2.2.13-2.0.7.el5_8.5.i386.rpm
gimp-libs-2.2.13-2.0.7.el5_8.5.i386.rpm

x86_64:
gimp-2.2.13-2.0.7.el5_8.5.x86_64.rpm
gimp-debuginfo-2.2.13-2.0.7.el5_8.5.i386.rpm
gimp-debuginfo-2.2.13-2.0.7.el5_8.5.x86_64.rpm
gimp-libs-2.2.13-2.0.7.el5_8.5.i386.rpm
gimp-libs-2.2.13-2.0.7.el5_8.5.x86_64.rpm

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

537370 - CVE-2009-3909 Gimp: Integer overflow in the PSD image file plugin
727800 - CVE-2011-2896 David Koblas' GIF decoder LZW decoder buffer overflow
838941 - CVE-2012-3402 gimp (PSD plug-in): Heap-buffer overflow by decoding certain PSD headers
839020 - CVE-2012-3403 gimp (CEL plug-in): heap buffer overflow when loading external palette files
847303 - CVE-2012-3481 Gimp (GIF plug-in): Heap-based buffer overflow by loading certain GIF images

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/