[Sun] Vulnerability in Gimp - Sun Alert ID 102720
-----BEGIN PGP SIGNED MESSAGE-----
Dear colleagues,
we have just received the following bulletin from the SUN Customer Warning
System. We are forwarding this information to you unchanged.
CVE-2006-3404 - Vulnerability when loading XCF images in Gimp
When loading XCF images with the image editing program Gimp, a buffer
overflow can be triggered in app/xcf/xcf-load.c. An attacker can crash the
program or possibly execute arbitrary commands with the privileges of the
user if that user opens a correspondingly manipulated image with Gimp.
The following software packages and platforms are affected:
Program: gimp
SPARC platform
Solaris 10
x86 platform
Solaris 10 and JDS Release 2 for Solaris 9
Revised packages are being made available by the vendor.
Vendor advisory:
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102720-1
(c) of the German summary by DFN-CERT Services GmbH; distribution,
including in part, is permitted only with reference to the author,
DFN-CERT Services GmbH, and only for non-commercial purposes.
Kind regards,
Klaus Moeller, DFN-CERT
Sun(sm) Alert Notification
* Sun Alert ID: 102720
* Synopsis: Security Vulnerability in GIMP(1) May Lead to Denial of
Service (DoS) or Execution of Arbitrary Code
* Category: Security
* Product: Solaris 9 Operating System, Solaris 10 Operating System
* BugIDs: 6451577
* Avoidance: Workaround
* State: Workaround
* Date Released: 20-Nov-2006
* Date Closed:
* Date Modified:
1. Impact
A security vulnerability in the GNU Image Manipulation Program (GIMP) may
allow a remote unprivileged user to cause a Denial of Service (DoS) to the
GIMP application or execute arbitrary code with the privileges of a local
user when that local user loads an XCF image file supplied by an untrusted
source.
This issue is described in the following document:
* CVE-2006-3404 at:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3404
2. Contributing Factors
This issue can occur in the following releases:
SPARC Platform
* Solaris 10
x86 Platform
* JDS release 2 (for Solaris 9)
* Solaris 10
Note: Solaris 8 and Solaris 9 on the SPARC Platform and Solaris 8 on the x86
Platform are not affected by this issue.
To determine if JDS release 2 is installed on a Solaris 9 system, the
following command can be run:
% grep distributor-version /usr/share/gnome-about/gnome-version.xml
<distributor-version>Sun Java Desktop System, Release 2</distributor-version>
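The release table in section 2 and the grep check above can be folded into one affected/not-affected decision. The following POSIX sh script is an added example, not part of the Sun Alert or the DFN-CERT mail: it takes the `uname -r` release, the `uname -p` processor type and the path to gnome-version.xml as arguments, so it can be exercised with constructed values offline; on a live Solaris host you would pass the real command outputs. It mirrors only the platform matrix the alert gives (Solaris 10 on both platforms; Solaris 9 on x86 only with JDS release 2; Solaris 8 never) and does not check whether the gimp package itself is installed, because the alert names no package.

```shell
#!/bin/sh
# Added example (not from the advisory): classify a Solaris host against the
# affected-release table of Sun Alert 102720 (CVE-2006-3404).

# Print the text of the <distributor-version> element in a gnome-version.xml
# file (the same element the advisory's grep check looks at). Prints nothing
# if the file is unreadable or has no such element.
jds_distributor_version() {
    f=$1
    [ -r "$f" ] || { echo ""; return 0; }
    sed -n 's/.*<distributor-version>\(.*\)<\/distributor-version>.*/\1/p' "$f" | head -n 1
}

# $1: `uname -r` output (5.8 = Solaris 8, 5.9 = Solaris 9, 5.10 = Solaris 10)
# $2: `uname -p` output (sparc or i386)
# $3: path to /usr/share/gnome-about/gnome-version.xml (may be absent)
# Returns 0 if the host is in the affected set, 1 otherwise.
is_affected() {
    rel=$1; plat=$2; gv=$3
    case "$rel" in
        5.10)
            # Solaris 10 is listed for both SPARC and x86.
            return 0 ;;
        5.9)
            # Solaris 9 is affected only on x86 and only with JDS release 2.
            if [ "$plat" = i386 ]; then
                dv=$(jds_distributor_version "$gv")
                case "$dv" in
                    *"Release 2"*) return 0 ;;
                esac
            fi ;;
    esac
    # Solaris 8 (any platform), Solaris 9 SPARC, Solaris 9 x86 without JDS r2.
    return 1
}

# Constructed sample gnome-version.xml, written to a temp file so the
# functions can be demonstrated without a Solaris host.
SAMPLE_GNOME_VERSION=${TMPDIR:-/tmp}/jds-sample.$$.xml
printf '%s\n' '<?xml version="1.0"?>' '<gnome-version>' \
    '  <distributor-version>Sun Java Desktop System, Release 2</distributor-version>' \
    '</gnome-version>' > "$SAMPLE_GNOME_VERSION"

# Demonstration over the constructed inputs; on a real host call
#   is_affected "$(uname -r)" "$(uname -p)" /usr/share/gnome-about/gnome-version.xml
for combo in "5.10 sparc" "5.9 sparc" "5.9 i386" "5.8 i386"; do
    set -- $combo
    if is_affected "$1" "$2" "$SAMPLE_GNOME_VERSION"; then
        echo "Solaris $1 on $2: affected"
    else
        echo "Solaris $1 on $2: not affected"
    fi
done
```

The Solaris 9 branch is the only one that needs the XML file; a missing or unreadable file on Solaris 9 x86 is treated as "JDS release 2 not installed", which matches the advisory's check (no distributor-version line means no JDS release 2).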
3. Symptoms
There are no reliable symptoms that would show the described issues have
been exploited.
Solution Summary
4. Relief/Workaround
To work around this issue do not load images from untrusted sources.
5. Resolution
A final resolution is pending completion.
This Sun Alert notification is being provided to you on an "AS IS" basis.
This Sun Alert notification may contain information provided by third
parties. The issues described in this Sun Alert notification may or may not
impact your system(s). Sun makes no representations, warranties, or
guarantees as to the information contained herein. ANY AND ALL WARRANTIES,
EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION WARRANTIES OF
MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT, ARE
HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT YOU ACKNOWLEDGE THAT SUN SHALL
IN NO EVENT BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, PUNITIVE, OR
CONSEQUENTIAL DAMAGES THAT ARISE OUT OF YOUR USE OR FAILURE TO USE THE
INFORMATION CONTAINED HEREIN. This Sun Alert notification contains Sun
proprietary and confidential information. It is being provided to you
pursuant to the provisions of your agreement to purchase services from Sun,
or, if you do not have such an agreement, the Sun.com Terms of Use. This Sun
Alert notification may only be used for the purposes contemplated by these
agreements.
Copyright 2000-2006 Sun Microsystems, Inc., 4150 Network Circle, Santa
Clara, CA 95054 U.S.A. All rights reserved.
- --
Dipl. Inform. Klaus Moeller (CSIRT), DFN-CERT Services GmbH
https://www.dfn-cert.de/, +49-40-808077-555
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
iQEVAwUBRWMHJ/BT2+ukQ5RFAQEoSwf/RmXxCsh/ouTJ7nUiWztpxxTvEOfEjnoy
eChw7gC+qUWmQXztW+b9IUZcNS6gmm4DcpvBsdHoxRx8hlwYJIJz9BACeTYWhucj
lIeRM3M/5mYDWOEqUU0PXt2XdcSfSsdsEI1jj5/bkfEzPYQCzg6OMPSSn5j9M8Vq
YboEFRniRNsssyeNp8B3wS+bH2AEsXll7n7epNJMKu7u8Ygr+G60YynjgxMkpx20
ucYt9cdIo4/YRxP96n5IUjkqfLvAWidS0j7WiS0IsYCoKJp55QvOJkTY3UB45oYM
0M/kLA61DlYyzYMTHcWl5ss85Rbk+KRkvLsRn8wjiAt+cY1aEiCpoA==
=1CTt
-----END PGP SIGNATURE-----