Bugzilla – Full Text Bug Listing
|Summary:||VUL-1: CVE-2012-3236: gimp FIT file DoS|
|Product:||[Novell Products] SUSE Security Incidents||Reporter:||Ludwig Nussel <lnussel>|
|Component:||Incidents||Assignee:||Vincent Untz <vuntz>|
|Status:||RESOLVED FIXED||QA Contact:||Security Team bot <security-team>|
|Priority:||P4 - Low||CC:||meissner, security-team, sreeves|
|Found By:||Other||Services Priority:|
|Marketing QA Status:||---||IT Deployment:||---|
Description Ludwig Nussel 2012-06-22 13:43:23 UTC
Your friendly security team received the following report via vendor-sec. Please respond ASAP. This issue is not public yet, please keep any information about it inside SUSE. Note that build.opensuse.org *cannot* be used to prepare embargoed updates. CVE-2012-3236 Specially crafted "fit" files with a malformed 'XTENSION' can crash GIMP. http://www.reactionpenetrationtesting.co.uk/advisories/FIT-handling-DoS.html
Comment 3 Ludwig Nussel 2012-06-22 13:45:23 UTC
simply crash on NULL is not really a security issue in the context of GIMP. Fix for Factory sufficient when public.
Comment 4 Vincent Untz 2012-06-22 13:56:52 UTC
This is already public: http://git.gnome.org/browse/gimp/commit/?h=gimp-2-8&id=0474376d234bc3d0901fd5e86f89d778a6473dd8
Comment 5 Swamp Workflow Management 2012-06-22 22:00:30 UTC
bugbot adjusting priority
Comment 7 Vincent Untz 2012-06-25 07:25:35 UTC
So should we just go ahead and submit the fix, or do we still wait to wait until Friday?
Comment 8 Ludwig Nussel 2012-06-25 07:38:02 UTC
doesn't make sense to wait with a public bug report of course but the reporter hasn't answered the question yet. It's just a NULL deref so no risk in waiting though.
Comment 9 Vincent Untz 2012-06-25 09:10:28 UTC
Since I'm unsure I'll have time to deal with it later this week, I went ahead and submitted to G:A: sr#125930.
Comment 10 Vincent Untz 2012-06-25 09:29:58 UTC
https://build.opensuse.org/request/show/125934 Hrm, I guess there's no need to reassign to security-team since this is Factory-only as per comment 3, so closing.
Comment 11 Swamp Workflow Management 2018-05-02 10:41:14 UTC
This is an autogenerated message for OBS integration: This bug (768376) was mentioned in https://build.opensuse.org/request/show/603017 Factory / gimp