Mandriva Linux Security Advisory : gimp (MDVSA-2012:142)

Medium Nessus Plugin ID 61987


The remote Mandriva Linux host is missing one or more security updates.


Multiple vulnerabilities has been discovered and corrected in gimp :

A heap-based buffer overflow flaw, leading to invalid free, was found in the way KISS CEL file format plug-in of Gimp, the GNU Image Manipulation Program, performed loading of certain palette files. A remote attacker could provide a specially crafted KISS palette file that, when opened in Gimp would cause the CEL plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the gimp executable (CVE-2012-3403).

Integer overflow, leading to heap-based buffer overflow flaw was found in the GIMP's GIF (Graphics Interchange Format) image file plug-in. An attacker could create a specially crafted GIF image file that, when opened, could cause the GIF plug-in to crash or, potentially, execute arbitrary code with the privileges of the user running the GIMP (CVE-2012-3481).

The updated gimp packages have been upgraded to the 2.6.12 version and patched to correct these issues.

Additionally for Mandriva Enterprise server 5 the gegl packages was upgraded to the 0.0.22 version and rebuilt for ffmpeg 0.5.9, the enscript packages was added because of a build dependency, the gutenprint and mtink packages was rebuilt against the gimp 2.6.12 libraries.


Update the affected packages.

Plugin Details

Severity: Medium

ID: 61987

File Name: mandriva_MDVSA-2012-142.nasl

Version: $Revision: 1.6 $

Type: local

Published: 2012/09/06

Modified: 2014/08/16

Dependencies: 12634

Risk Information

Risk Factor: Medium


Base Score: 6.8

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:mandriva:linux:gimp, p-cpe:/a:mandriva:linux:gimp-python, p-cpe:/a:mandriva:linux:lib64gimp2.0-devel, p-cpe:/a:mandriva:linux:lib64gimp2.0_0, p-cpe:/a:mandriva:linux:libgimp2.0-devel, p-cpe:/a:mandriva:linux:libgimp2.0_0, cpe:/o:mandriva:linux:2011

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Mandrake/release, Host/Mandrake/rpm-list

Exploit Available: false

Exploit Ease: No known exploits are available

Patch Publication Date: 2012/08/21

Reference Information

CVE: CVE-2012-3403, CVE-2012-3481

BID: 55101

MDVSA: 2012:142