Bug 768376 - (CVE-2012-3236) VUL-1: CVE-2012-3236: gimp FIT file DoS
(CVE-2012-3236)
VUL-1: CVE-2012-3236: gimp FIT file DoS
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Vincent Untz
Security Team bot
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2012-06-22 13:43 UTC by Ludwig Nussel
Modified: 2021-08-11 09:08 UTC (History)
3 users (show)

See Also:
Found By: Other
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ludwig Nussel 2012-06-22 13:43:23 UTC
Your friendly security team received the following report via vendor-sec.
Please respond ASAP.
This issue is not public yet, please keep any information about it inside SUSE.
Note that build.opensuse.org *cannot* be used to prepare embargoed updates.

CVE-2012-3236

Specially crafted "fit" files with a malformed 'XTENSION' can crash GIMP.

http://www.reactionpenetrationtesting.co.uk/advisories/FIT-handling-DoS.html
Comment 3 Ludwig Nussel 2012-06-22 13:45:23 UTC
simply crash on NULL is not really a security issue in the context of GIMP. Fix for Factory sufficient when public.
Comment 5 Swamp Workflow Management 2012-06-22 22:00:30 UTC
bugbot adjusting priority
Comment 6 Ludwig Nussel 2012-06-25 07:15:27 UTC
https://bugzilla.gnome.org/show_bug.cgi?id=676804
Comment 7 Vincent Untz 2012-06-25 07:25:35 UTC
So should we just go ahead and submit the fix, or do we still wait to wait until Friday?
Comment 8 Ludwig Nussel 2012-06-25 07:38:02 UTC
doesn't make sense to wait with a public bug report of course but the reporter hasn't answered the question yet. It's just a NULL deref so no risk in waiting though.
Comment 9 Vincent Untz 2012-06-25 09:10:28 UTC
Since I'm unsure I'll have time to deal with it later this week, I went ahead and submitted to G:A: sr#125930.
Comment 10 Vincent Untz 2012-06-25 09:29:58 UTC
https://build.opensuse.org/request/show/125934

Hrm, I guess there's no need to reassign to security-team since this is Factory-only as per comment 3, so closing.
Comment 11 Swamp Workflow Management 2018-05-02 10:41:14 UTC
This is an autogenerated message for OBS integration:
This bug (768376) was mentioned in
https://build.opensuse.org/request/show/603017 Factory / gimp
Comment 12 Swamp Workflow Management 2018-05-08 00:51:12 UTC
This is an autogenerated message for OBS integration:
This bug (768376) was mentioned in
https://build.opensuse.org/request/show/605190 15.0 / gimp