Alpine: multiple gimp packages: security update to 2.6.11-r5 (deprecated)

critical Tenable Cloud Security Plugin ID 401251

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- The LZW decompressor in the LWZReadByte function in giftoppm.c in the David Koblas GIF decoder in PBMPLUS,
as used in the gif_read_lzw function in filter/image-gif.c in CUPS before 1.4.7, the LZWReadByte function
in plug-ins/common/file-gif-load.c in GIMP 2.6.11 and earlier, the LZWReadByte function in img/gifread.c
in XPCE in SWI-Prolog 5.10.4 and earlier, and other products, does not properly handle code words that are
absent from the decompression table when encountered, which allows remote attackers to trigger an infinite
loop or a heap-based buffer overflow, and possibly execute arbitrary code, via a crafted compressed
stream, a related issue to CVE-2006-1168 and CVE-2011-2895. (CVE-2011-2896)

See Also

https://git.alpinelinux.org/aports/commit/?id=1a21bc3a35de32521b021cc16cacff9beee38382

https://git.alpinelinux.org/aports/commit/?id=82c89b6953e72f3652e3610ee22f7965e667cacd

Plugin Details

Severity: Critical

ID: 401251

Version: Revision 1.24

Type: Local

Published: 8/16/2023

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.15

CVSS v2

Risk Factor: Medium

Base Score: 5.1

Temporal Score: 3.8

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2011-2896

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/10/2011

Vulnerability Publication Date: 8/15/2011

Reference Information

CVE: CVE-2011-2896

BID: 49148