Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 20 Aug 2012 08:26:27 -0400 (EDT)
From: Jan Lieskovsky <>
Cc:, Nils Philippsen <>,
        Florian Weimer <>
Subject: The Gimp PSD plug-in CVE-2012-3402 issue

Hello vendors,

  see below report about the GIMP's PSD plug-in CVE-2012-3402 issue:

Summary: Gimp (PSD plug-in): Heap-buffer overflow by decoding certain PSD headers

CVE: CVE-2012-3402

A heap-based buffer overflow flaw was found in the way Adobe Photoshop(tm) PSD plug-in
of Gimp, the GNU Image Manipulation Program, performed decoding of headers, when loading
certain Adobe Photoshop image files. A remote attacker could provide a specially-crafted
PSD image file that, when opened in Gimp would lead to PSD plug-in crash or, potentially,
arbitrary code execution with the privileges of the user running gimp executable.

Note: A different flaw than CVE-2009-3909.

CVSSv2: 6.8/AV:N/AC:M/Au:N/C:P/I:P/A:P

Affected versions: X <= 2.2.13
                   Newer versions (gimp-v2.6.X, gimp-v2.8.X, master) are not affected
                   by this issue.

Credit (please credit both people or no one):
1, Issue found by: Jan Lieskovsky,  Red Hat Security Response Team
2, Reproducer by:  Florian Weimer,  Red Hat Product Security Team

Further issue details and relevant patch in:


Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ