>
> Regarding the libcairo2 problem: You are right, it is not
> available in Sarge. (I did not really check before.) It is
> also not possible to just install the version from testing
> since they require a different version of libc6. I
> downloaded gimp 2.2.6-1sarge1 and checked it with ldd: It
> also links against libcairo.so.2. So it seems that we have
> a bug here, probably introduced when the maintainer
> recompiled the gimp package after incorporating the
> security fix. You should file a bug report against gimp. It
> is very easy if you use the package "reportbug" which will
> automatically include the relevant information about your
> system. Give it a title like "2.2.6-1sarge1 links against
> libraries from testing" and include the output of "ldd
> $(which gimp) | grep 'not found'" in the bug report. The
> maintainer can probably fix it quickly.
>
> If you need to work with gimp in the meantime then you can
> downgrade to an older version which is most likely still in
> your package cache. Just do not open any .xcf files from
> untrusted sources since the older version is vulnerable to
> the buffer overflow exploit.
>

I just started reading this thread, so I hope I'm not asking
anyone to rehash a lot of the discussion.

I'm using Sarge, and I recently upgraded my gimp to
2.2.6-1sarge1 per the security recommendation. I used
"aptitude --download-only upgrade" followed later by "aptitude
upgrade."

The upgrade went through without any problems, and I'm able to
launch gimp normally. When I do 'ldd `which gimp`' I don't see
any reference to libcairo2. My sources.list only contains
Sarge repositories, and I haven't done any apt-pinning.

My current gimp and gimp-data packages were automatically
downloaded from security.debian.org by aptitude. Gimp works
here and is not dependent upon libcairo2 here.