Bug 556314 (CVE-2015-4491) - <x11-libs/gdk-pixbuf-2.30.8-r2: heap overflow and DoS (CVE-2015-4491)
Status: RESOLVED FIXED
Alias: CVE-2015-4491
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B2 [glsa]
Reported: 2015-07-30 12:00 UTC by Agostino Sarubbo
Modified: 2015-12-21 14:21 UTC

Description Agostino Sarubbo gentoo-dev 2015-07-30 12:00:37 UTC
From ${URL} :

I would like to request a CVE for the heap overflow and DoS found in
several versions of gdk-pixbuf. It should be fixed:

https://bugzilla.gnome.org/show_bug.cgi?id=752297



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-08-01 00:57:17 UTC
Thanks, fixed in 2.30.8-r1 in the tree and in 2.31.5 in the overlay.

gdk-pixbuf-2.30.8-r1 is ready for stabilization.

+*gdk-pixbuf-2.30.8-r1 (01 Aug 2015)
+
+  01 Aug 2015; Alexandre Rostovtsev <tetromino@gentoo.org>
+  +gdk-pixbuf-2.30.8-r1.ebuild, +files/gdk-pixbuf-2.30.8-divide-by-zero.patch,
+  +files/gdk-pixbuf-2.30.8-pixops-overflow.patch:
+  Fix integer overflow in pixops (bug #556314, thanks to Agostino Sarubbo). Fix
+  gtk-doc installation (bug #549166, thanks to Rafał Mużyło).
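Review bot: The file list adds files/gdk-pixbuf-2.30.8-divide-by-zero.patch, but the description only covers the pixops integer overflow and the gtk-doc installation fix; add a clause saying what the divide-by-zero patch fixes and which bug it belongs to. Since bug #556314 carries the alias CVE-2015-4491, naming the CVE next to the bug number would also let the entry be found by CVE id.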
Comment 2 Agostino Sarubbo gentoo-dev 2015-08-03 10:35:40 UTC
Arches, please test and mark stable:
=x11-libs/gdk-pixbuf-2.30.8-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-04 11:23:19 UTC
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-05 05:58:36 UTC
Stable for HPPA PPC64.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-05 09:58:56 UTC
ia64 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2015-08-05 12:15:41 UTC
Stable on alpha.
Comment 7 Markus Meier gentoo-dev 2015-08-06 04:58:01 UTC
arm stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-06 13:35:50 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-08-26 07:30:28 UTC
ppc stable
Comment 10 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-08-26 07:50:15 UTC
Unfortunately, this overflow is not really fixed in 2.30.8-r1, see upstream git. So please no GLSA right now, another revbump will be needed.
Comment 11 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-09-01 05:18:49 UTC
Several additional integer overflow checks for this CVE from upstream git added in gdk-pixbuf-2.30.8-r2 in gentoo.git and in 2.31.6 in the overlay.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=084b0771c60902525706033d8d1ef2ac489954e1
https://gitweb.gentoo.org/proj/gnome.git/commit/?id=9e48855fcf4528e77c4c86b9bd1b12fa3176b23a

Arches, please test and mark stable:
=x11-libs/gdk-pixbuf-2.30.8-r2
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2015-09-02 04:33:29 UTC
Stable for HPPA PPC64.
Comment 13 Agostino Sarubbo gentoo-dev 2015-09-03 08:24:44 UTC
amd64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-09-03 08:26:25 UTC
x86 stable
Comment 15 Agostino Sarubbo gentoo-dev 2015-09-06 08:33:57 UTC
sparc stable
Comment 16 Tobias Klausmann (RETIRED) gentoo-dev 2015-09-11 13:08:02 UTC
Stable on alpha.
Comment 17 Agostino Sarubbo gentoo-dev 2015-09-22 09:00:42 UTC
ppc stable
Comment 18 Agostino Sarubbo gentoo-dev 2015-09-24 08:03:14 UTC
ia64 stable
Comment 19 Markus Meier gentoo-dev 2015-09-25 06:03:53 UTC
arm stable, all arches done.
Comment 20 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-10-12 23:47:58 UTC
Vulnerable ebuilds cleaned up: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4cdb0716f28968157ee001bb954bc72b08b425c9

Note that gdk-pixbuf is also affected by CVE-2015-7673 and CVE-2015-7674 (see bug #562878) which were fixed by =gdk-pixbuf-2.32.1 - which is not yet stabilized.
Comment 21 Yury German Gentoo Infrastructure gentoo-dev 2015-10-13 00:51:17 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2015-12-21 14:21:23 UTC
This issue was resolved and addressed in
 GLSA 201512-05 at https://security.gentoo.org/glsa/201512-05
by GLSA coordinator Yury German (BlueKnight).