Bug 1073627 (CVE-2017-17789)

Summary: VUL-1: CVE-2017-17789: gimp: Heap overflow in PSP
Product: [Novell Products] SUSE Security Incidents Reporter: Alexander Bergmann <abergmann>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P4 - Low CC: abergmann, gnome-bugs, sreeves, wolfgang.frisch, yfjiang, zcjia
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/196890/
Whiteboard: CVSSv2:SUSE:CVE-2017-17789:2.1:(AV:L/AC:L/Au:N/C:N/I:N/A:P) CVSSv3:SUSE:CVE-2017-17789:3.3:(AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Alexander Bergmann 2017-12-20 09:16:45 UTC
http://seclists.org/oss-sec/2017/q4/427

CVE-2017-17789

Heap overflow in PSP (no patch, doesn't look straightforward to fix)
https://bugzilla.gnome.org/show_bug.cgi?id=790849
Comment 1 Alexander Bergmann 2017-12-20 10:34:24 UTC
Fix not available yet.
Comment 2 Scott Reeves 2018-08-17 22:26:31 UTC
Hi Yifan, can you have your team take this. Thanks.
Comment 4 Wolfgang Frisch 2020-08-19 11:54:25 UTC
References:
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-17789.html
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=884837

Upstream fix:
https://gitlab.gnome.org/GNOME/gimp/-/commit/28e95fbeb5720e6005a088fa811f5bf3c1af48b8

SUSE:SLE-12-SP2:Update   gimp      Affected [1]
SUSE:SLE-15:Update       gimp      Affected [1]
SUSE:SLE-15-SP2:Update   gimp      Already fixed

[1] Upstream patch applies cleanly.
Comment 7 Jia Zhaocong 2020-09-01 07:36:58 UTC
Fix submitted and request accepted.
Comment 8 Swamp Workflow Management 2020-09-10 19:14:16 UTC
SUSE-SU-2020:2603-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1073627
CVE References: CVE-2017-17789
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    gimp-2.8.18-9.12.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    gimp-2.8.18-9.12.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2020-09-10 19:15:59 UTC
SUSE-SU-2020:2604-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1073627
CVE References: CVE-2017-17789
JIRA References: 
Sources used:
SUSE Linux Enterprise Workstation Extension 15-SP1 (src):    gimp-2.8.22-5.3.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-09-13 22:14:37 UTC
openSUSE-SU-2020:1420-1: An update that fixes one vulnerability is now available.

Category: security (low)
Bug References: 1073627
CVE References: CVE-2017-17789
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    gimp-2.8.22-lp151.5.3.1
Comment 11 Jia Zhaocong 2020-09-14 00:59:54 UTC
Forgot to mark as resolved fixed.
Comment 12 Jia Zhaocong 2020-09-14 01:10:03 UTC
(In reply to Jia Zhaocong from comment #11)
> Forgot to mark as resolved fixed.

Reopen for security team workflow.
Comment 13 Marcus Meissner 2020-09-14 12:25:23 UTC
all done, closing