Some years ago, I wrote a set of small command-line programs that can extract image data from Gimp's native file format XCF. I call them xcftools and use them for automating some of the steps in the production of track maps. Others have, allegedly, found them useful too. (They are among the top Google leads to my personal website, which I'll admit may not be saying much).
A few weeks ago, Jörgen Grahn filed a bug report through Debian's bug tracking system, pointing out that the program would crash when its -C
option was used on a test image he provided. This turned out to be a buffer overrun bug, which provides a security hole. An attacker could infect a victim's account by constructing a special XCF file and then tricking the victim into using my tools on the XCF file, giving particular options to them. This vulnerability was assigned the tracking number CVE-2009-2175.
A bare-bones patch for the security issue has been available for some time in the Debian bug report log, but now here is an official source code release that fixes the bug along with a number of other, not security sensitive bugs.
This release also includes a small patch from Marcus Alanen that should make it easier to build an RPM package of xcftools.
The source tarball for xcftools 1.0.5 is available at http://henning.makholm.net/xcftools/xcftools-1.0.5.tar.gz. Its SHA-1 checksum is f4f532b6f32001ca6994e7cf5d0a94eb0d620ad8
; and here is a digital signature for the tarball:
-----BEGIN PGP SIGNATURE-----
iEYEABECAAYFAkpNTpgACgkQ+NrXGVy8F3OE7gCfbxPKBqeEMsdcaAiThi/HSfjD
CG0AoIJZwny2KQ+GAKGzGS0tRo/XrevF
=QyQ4
-----END PGP SIGNATURE-----
Now I just have to wait for somebody to upload the new version to the Debian repository. Typical of this to happen only a few months after I renounced my own upload privileges after they'd been unused for two years ...