Discovered by Matthias Clasen <mclasen@redhat.com> The gdk-pixbuf bmp loader can be tricked into a double free, see http://bugzilla.gnome.org/show_bug.cgi?id=171707 Demo image here: http://bugzilla.gnome.org/attachment.cgi?id=39270&action=view This probably affects all versions of gtk we ship. I haven't checked if it also affects the standalone gdk-pixbuf package. The bug http://bugzilla.gnome.org/show_bug.cgi?id=150664 has a collection of valid and invalid bmp test images in an attachment (http://bugzilla.gnome.org/attachment.cgi?id=39312&action=view) which we might want to give to QA for checking our other image loaders...
Foser, please verify and advise.
CAN-2005-0891 "The codepath seems to be free once, start cleaning up, free again, so it's going to be a DoS rather than allow arbitrary code execution."
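The "free once, start cleaning up, free again" shape described in the comment above, as an added illustration that is not gdk-pixbuf's code and not from this bug report: a hypothetical `bmp_ctx` loader state whose error path releases the palette and then falls into the shared cleanup, which releases it again. A small tracking allocator (constructed here; `tracked_alloc`, `tracked_free`, `tracked_reset` are invented names) marks blocks dead instead of returning them immediately, so the second free is counted rather than corrupting the heap, which is how a hardened allocator or ASan would report it. The fixed variant routes every release through a helper that nulls the slot, making cleanup idempotent regardless of how many paths reach it.

```c
#include <stdlib.h>
#include <stddef.h>

/* Tracking allocator, constructed for this example: blocks are marked
 * dead on free and only returned to the system at reset, so a second
 * free of the same block is recorded instead of corrupting the heap. */
#define MAX_BLOCKS 8
static struct { void *p; int live; } blocks[MAX_BLOCKS];
static int double_frees;

static void *tracked_alloc(size_t n)
{
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (blocks[i].p == NULL) {
            blocks[i].p = malloc(n);
            blocks[i].live = (blocks[i].p != NULL);
            return blocks[i].p;
        }
    }
    return NULL;
}

static void tracked_free(void *p)
{
    if (p == NULL)
        return;
    for (int i = 0; i < MAX_BLOCKS; i++) {
        if (blocks[i].p == p) {
            if (!blocks[i].live)
                double_frees++;    /* second free of an already-dead block */
            blocks[i].live = 0;
            return;
        }
    }
}

static void tracked_reset(void)
{
    for (int i = 0; i < MAX_BLOCKS; i++) {
        free(blocks[i].p);         /* free(NULL) is a no-op */
        blocks[i].p = NULL;
        blocks[i].live = 0;
    }
    double_frees = 0;
}

/* Hypothetical loader state; the real gdk-pixbuf context is not shown. */
typedef struct {
    unsigned char *palette;        /* colour table read from the header */
    unsigned char *pixels;         /* decoded rows */
} bmp_ctx;

/* Buggy shape: the error path frees the palette but leaves the pointer
 * set, then the shared cleanup frees it a second time. */
static void cleanup_buggy(bmp_ctx *c)
{
    tracked_free(c->palette);
    tracked_free(c->pixels);
}

static int run_buggy_error_path(void)
{
    bmp_ctx c = { NULL, NULL };
    tracked_reset();
    c.palette = tracked_alloc(1024);
    tracked_free(c.palette);       /* malformed header detected: free once ... */
    cleanup_buggy(&c);             /* ... start cleaning up, free again */
    return double_frees;           /* 1: the double free was caught */
}

/* Fixed shape: every release goes through one helper that nulls the
 * slot, so cleanup is idempotent no matter how many paths reach it. */
static void release(unsigned char **slot)
{
    tracked_free(*slot);
    *slot = NULL;
}

static void cleanup_fixed(bmp_ctx *c)
{
    release(&c->palette);
    release(&c->pixels);
}

static int run_fixed_error_path(void)
{
    bmp_ctx c = { NULL, NULL };
    tracked_reset();
    c.palette = tracked_alloc(1024);
    release(&c.palette);           /* error path */
    cleanup_fixed(&c);             /* second pass is a no-op */
    return double_frees;           /* 0 */
}

int main(void)
{
    int buggy = run_buggy_error_path();
    int fixed = run_fixed_error_path();
    tracked_reset();
    return (buggy == 1 && fixed == 0) ? 0 : 1;
}
```

Building a loader against such a tracking allocator (or simply under ASan) and feeding it the invalid images collected in the referenced bug is the kind of check QA could run across the other loaders; the fixed pattern is the usual remedy, a single release helper that nulls its slot, applied on every path that can reach cleanup.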
well yeah, easy to reproduce. I will patch gtk+ and gdk-pixbuf (both are affected) tomorrow.
It sure needs a fix, but not sure it needs a GLSA... Crashing upon viewing a file (with no possibility of code execution) is more a bug than a DoS attack, unless you can find services that rely on BMP decoding by gtk+...
Added media-libs/gdk-pixbuf-0.22.0-r4 & x11-libs/gtk+-2.6.4-r1 with fixes and marked stable x86. I think the worst you could do with this is crash a few browsers/mail applications that use gtkhtml for example.
Dropping this as a non-security issue, and considering it fixed. Reopen if you disagree.
*** Bug 94922 has been marked as a duplicate of this bug. ***