gimp-2.8.18-1.4 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10294 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z gimp-2.8.18-1.4 on GA media These are all security issues fixed in the gimp-2.8.18-1.4 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10294 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10294 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2010-4540/ SUSE CVE CVE-2010-4540 page https://www.suse.com/security/cve/CVE-2010-4541/ SUSE CVE CVE-2010-4541 page https://www.suse.com/security/cve/CVE-2010-4542/ SUSE CVE CVE-2010-4542 page https://www.suse.com/security/cve/CVE-2010-4543/ SUSE CVE CVE-2010-4543 page https://www.suse.com/security/cve/CVE-2011-2896/ SUSE CVE CVE-2011-2896 page https://www.suse.com/security/cve/CVE-2012-3236/ SUSE CVE CVE-2012-3236 page https://www.suse.com/security/cve/CVE-2012-5576/ SUSE CVE CVE-2012-5576 page https://www.suse.com/security/cve/CVE-2016-4994/ SUSE CVE CVE-2016-4994 page openSUSE Tumbleweed gimp-2.8.18-1.4 gimp-devel-2.8.18-1.4 gimp-help-browser-2.8.18-1.4 gimp-lang-2.8.18-1.4 gimp-plugin-aa-2.8.18-1.4 gimp-plugins-python-2.8.18-1.4 libgimp-2_0-0-2.8.18-1.4 libgimp-2_0-0-32bit-2.8.18-1.4 libgimpui-2_0-0-2.8.18-1.4 libgimpui-2_0-0-32bit-2.8.18-1.4 gimp-2.8.18-1.4 as a component of openSUSE Tumbleweed gimp-devel-2.8.18-1.4 as a component of openSUSE Tumbleweed gimp-help-browser-2.8.18-1.4 as a component of openSUSE Tumbleweed gimp-lang-2.8.18-1.4 as a component of openSUSE Tumbleweed gimp-plugin-aa-2.8.18-1.4 as a component of openSUSE Tumbleweed gimp-plugins-python-2.8.18-1.4 as a component of openSUSE Tumbleweed libgimp-2_0-0-2.8.18-1.4 as a component of openSUSE Tumbleweed libgimp-2_0-0-32bit-2.8.18-1.4 as a component of openSUSE Tumbleweed libgimpui-2_0-0-2.8.18-1.4 as a component of openSUSE Tumbleweed libgimpui-2_0-0-32bit-2.8.18-1.4 as a component of openSUSE Tumbleweed Stack-based buffer overflow in the load_preset_response function in plug-ins/lighting/lighting-ui.c in the "LIGHTING EFFECTS > LIGHT" plugin in GIMP 2.6.11 allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long Position field in a plugin configuration file. NOTE: it may be uncommon to obtain a GIMP plugin configuration file from an untrusted source that is separate from the distribution of the plugin itself. NOTE: some of these details are obtained from third party information. CVE-2010-4540 openSUSE Tumbleweed:gimp-2.8.18-1.4 openSUSE Tumbleweed:gimp-devel-2.8.18-1.4 openSUSE Tumbleweed:gimp-help-browser-2.8.18-1.4 openSUSE Tumbleweed:gimp-lang-2.8.18-1.4 openSUSE Tumbleweed:gimp-plugin-aa-2.8.18-1.4 openSUSE Tumbleweed:gimp-plugins-python-2.8.18-1.4 openSUSE Tumbleweed:libgimp-2_0-0-2.8.18-1.4 openSUSE Tumbleweed:libgimp-2_0-0-32bit-2.8.18-1.4 openSUSE Tumbleweed:libgimpui-2_0-0-2.8.18-1.4 openSUSE Tumbleweed:libgimpui-2_0-0-32bit-2.8.18-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-4540.html CVE-2010-4540 https://bugzilla.suse.com/662043 SUSE Bug 662043 Stack-based buffer overflow in the loadit function in plug-ins/common/sphere-designer.c in the SPHERE DESIGNER plugin in GIMP 2.6.11 allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long "Number of lights" field in a plugin configuration file. NOTE: it may be uncommon to obtain a GIMP plugin configuration file from an untrusted source that is separate from the distribution of the plugin itself. CVE-2010-4541 openSUSE Tumbleweed:gimp-2.8.18-1.4 openSUSE Tumbleweed:gimp-devel-2.8.18-1.4 openSUSE Tumbleweed:gimp-help-browser-2.8.18-1.4 openSUSE Tumbleweed:gimp-lang-2.8.18-1.4 openSUSE Tumbleweed:gimp-plugin-aa-2.8.18-1.4 openSUSE Tumbleweed:gimp-plugins-python-2.8.18-1.4 openSUSE Tumbleweed:libgimp-2_0-0-2.8.18-1.4 openSUSE Tumbleweed:libgimp-2_0-0-32bit-2.8.18-1.4 openSUSE Tumbleweed:libgimpui-2_0-0-2.8.18-1.4 openSUSE Tumbleweed:libgimpui-2_0-0-32bit-2.8.18-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-4541.html CVE-2010-4541 https://bugzilla.suse.com/662043 SUSE Bug 662043 Stack-based buffer overflow in the gfig_read_parameter_gimp_rgb function in plug-ins/gfig/gfig-style.c in the GFIG plugin in GIMP 2.6.11 allows user-assisted remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a long Foreground field in a plugin configuration file. NOTE: it may be uncommon to obtain a GIMP plugin configuration file from an untrusted source that is separate from the distribution of the plugin itself. NOTE: some of these details are obtained from third party information. CVE-2010-4542 openSUSE Tumbleweed:gimp-2.8.18-1.4 openSUSE Tumbleweed:gimp-devel-2.8.18-1.4 openSUSE Tumbleweed:gimp-help-browser-2.8.18-1.4 openSUSE Tumbleweed:gimp-lang-2.8.18-1.4 openSUSE Tumbleweed:gimp-plugin-aa-2.8.18-1.4 openSUSE Tumbleweed:gimp-plugins-python-2.8.18-1.4 openSUSE Tumbleweed:libgimp-2_0-0-2.8.18-1.4 openSUSE Tumbleweed:libgimp-2_0-0-32bit-2.8.18-1.4 openSUSE Tumbleweed:libgimpui-2_0-0-2.8.18-1.4 openSUSE Tumbleweed:libgimpui-2_0-0-32bit-2.8.18-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-4542.html CVE-2010-4542 https://bugzilla.suse.com/662043 SUSE Bug 662043 Heap-based buffer overflow in the read_channel_data function in file-psp.c in the Paint Shop Pro (PSP) plugin in GIMP 2.6.11 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a PSP_COMP_RLE (aka RLE compression) image file that begins a long run count at the end of the image. NOTE: some of these details are obtained from third party information. CVE-2010-4543 openSUSE Tumbleweed:gimp-2.8.18-1.4 openSUSE Tumbleweed:gimp-devel-2.8.18-1.4 openSUSE Tumbleweed:gimp-help-browser-2.8.18-1.4 openSUSE Tumbleweed:gimp-lang-2.8.18-1.4 openSUSE Tumbleweed:gimp-plugin-aa-2.8.18-1.4 openSUSE Tumbleweed:gimp-plugins-python-2.8.18-1.4 openSUSE Tumbleweed:libgimp-2_0-0-2.8.18-1.4 openSUSE Tumbleweed:libgimp-2_0-0-32bit-2.8.18-1.4 openSUSE Tumbleweed:libgimpui-2_0-0-2.8.18-1.4 openSUSE Tumbleweed:libgimpui-2_0-0-32bit-2.8.18-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2010-4543.html CVE-2010-4543 https://bugzilla.suse.com/662043 SUSE Bug 662043 https://bugzilla.suse.com/692877 SUSE Bug 692877 The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS, as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are absent from the decompression table when encountered, which allows remote attackers to trigger an infinite loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed stream, a related issue to CVE-2006-1168 and CVE-2011-2895. CVE-2011-2896 openSUSE Tumbleweed:gimp-2.8.18-1.4 openSUSE Tumbleweed:gimp-devel-2.8.18-1.4 openSUSE Tumbleweed:gimp-help-browser-2.8.18-1.4 openSUSE Tumbleweed:gimp-lang-2.8.18-1.4 openSUSE Tumbleweed:gimp-plugin-aa-2.8.18-1.4 openSUSE Tumbleweed:gimp-plugins-python-2.8.18-1.4 openSUSE Tumbleweed:libgimp-2_0-0-2.8.18-1.4 openSUSE Tumbleweed:libgimp-2_0-0-32bit-2.8.18-1.4 openSUSE Tumbleweed:libgimpui-2_0-0-2.8.18-1.4 openSUSE Tumbleweed:libgimpui-2_0-0-32bit-2.8.18-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2011-2896.html CVE-2011-2896 https://bugzilla.suse.com/601830 SUSE Bug 601830 https://bugzilla.suse.com/671735 SUSE Bug 671735 https://bugzilla.suse.com/680210 SUSE Bug 680210 https://bugzilla.suse.com/680212 SUSE Bug 680212 https://bugzilla.suse.com/700987 SUSE Bug 700987 https://bugzilla.suse.com/711490 SUSE Bug 711490 https://bugzilla.suse.com/711491 SUSE Bug 711491 https://bugzilla.suse.com/715643 SUSE Bug 715643 fits-io.c in GIMP before 2.8.1 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via a malformed XTENSION header of a .fit file, as demonstrated using a long string. CVE-2012-3236 openSUSE Tumbleweed:gimp-2.8.18-1.4 openSUSE Tumbleweed:gimp-devel-2.8.18-1.4 openSUSE Tumbleweed:gimp-help-browser-2.8.18-1.4 openSUSE Tumbleweed:gimp-lang-2.8.18-1.4 openSUSE Tumbleweed:gimp-plugin-aa-2.8.18-1.4 openSUSE Tumbleweed:gimp-plugins-python-2.8.18-1.4 openSUSE Tumbleweed:libgimp-2_0-0-2.8.18-1.4 openSUSE Tumbleweed:libgimp-2_0-0-32bit-2.8.18-1.4 openSUSE Tumbleweed:libgimpui-2_0-0-2.8.18-1.4 openSUSE Tumbleweed:libgimpui-2_0-0-32bit-2.8.18-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-3236.html CVE-2012-3236 https://bugzilla.suse.com/763595 SUSE Bug 763595 https://bugzilla.suse.com/768376 SUSE Bug 768376 https://bugzilla.suse.com/769565 SUSE Bug 769565 Multiple stack-based buffer overflows in file-xwd.c in the X Window Dump (XWD) plug-in in GIMP 2.8.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large (1) red, (2) green, or (3) blue color mask in an XWD file. CVE-2012-5576 openSUSE Tumbleweed:gimp-2.8.18-1.4 openSUSE Tumbleweed:gimp-devel-2.8.18-1.4 openSUSE Tumbleweed:gimp-help-browser-2.8.18-1.4 openSUSE Tumbleweed:gimp-lang-2.8.18-1.4 openSUSE Tumbleweed:gimp-plugin-aa-2.8.18-1.4 openSUSE Tumbleweed:gimp-plugins-python-2.8.18-1.4 openSUSE Tumbleweed:libgimp-2_0-0-2.8.18-1.4 openSUSE Tumbleweed:libgimp-2_0-0-32bit-2.8.18-1.4 openSUSE Tumbleweed:libgimpui-2_0-0-2.8.18-1.4 openSUSE Tumbleweed:libgimpui-2_0-0-32bit-2.8.18-1.4 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2012-5576.html CVE-2012-5576 https://bugzilla.suse.com/791372 SUSE Bug 791372 Use-after-free vulnerability in the xcf_load_image function in app/xcf/xcf-load.c in GIMP allows remote attackers to cause a denial of service (program crash) or possibly execute arbitrary code via a crafted XCF file. CVE-2016-4994 openSUSE Tumbleweed:gimp-2.8.18-1.4 openSUSE Tumbleweed:gimp-devel-2.8.18-1.4 openSUSE Tumbleweed:gimp-help-browser-2.8.18-1.4 openSUSE Tumbleweed:gimp-lang-2.8.18-1.4 openSUSE Tumbleweed:gimp-plugin-aa-2.8.18-1.4 openSUSE Tumbleweed:gimp-plugins-python-2.8.18-1.4 openSUSE Tumbleweed:libgimp-2_0-0-2.8.18-1.4 openSUSE Tumbleweed:libgimp-2_0-0-32bit-2.8.18-1.4 openSUSE Tumbleweed:libgimpui-2_0-0-2.8.18-1.4 openSUSE Tumbleweed:libgimpui-2_0-0-32bit-2.8.18-1.4 moderate 5.1 AV:N/AC:H/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-4994.html CVE-2016-4994 https://bugzilla.suse.com/986021 SUSE Bug 986021