163678 2007-01-24 23:56 0000 gtk+-2 image DoS CVE-2007-0010 2007-06-26 10:33:29 0000 1 1 1 Unclassified Gentoo Linux Applications unspecified All Linux RESOLVED FIXED http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-0010 P2 minor --- 170853 171107 1 keith@email.arizona.edu gnome@gentoo.org gnome@gentoo.org pacho@condmat1.ciencias.uniovi.es keith@email.arizona.edu 2007-01-24 23:56:31 0000 This is lame: The GdkPixbufLoader function in GIMP ToolKit (GTK+) in GTK 2 (gtk2) before 2.4.13 allows context-dependent attackers to cause a denial of service (crash) via a malformed image file. Reproducible: Didn't try https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=218932 http://www.redhat.com/support/errata/RHSA-2007-0019.html hanno@gentoo.org 2007-01-25 08:43:37 0000 When reading the announcement, is there any reason why you think this is gimp-specific? I think this will affect all gtk2-apps. lkundrak@v3.sk 2007-01-25 16:18:02 0000 (In reply to comment #1) > When reading the announcement, is there any reason why you think this is > gimp-specific? I think this will affect all gtk2-apps. No reason. Actually it only has security implication in conjuction with software that has as stupid^Wsmart crash-handling as Evolution does. falco@gentoo.org 2007-02-06 12:36:18 0000 (In reply to comment #2) > > No reason. Actually it only has security implication in conjuction with > software that has as stupid^Wsmart crash-handling as Evolution does. > Yes but the bug resides in gtk+. Adding gnome herd in Cc. Since this is a client-side DoS with weak risk exposure (only a few softwares are concerned), i don't think that merit a security process. Usually we don't handle client-side DoSes. Reassigning to the gnome herd. dang@gentoo.org 2007-02-06 16:35:44 0000 That says "before 2.4.13" but 2.6.10 is the oldest version we have in the tree. Am I missing something? keith@email.arizona.edu 2007-02-06 19:25:05 0000 I think when I first reported the bug, I thought it was gimp specific and that the 2.4.13 was referring to gimp. oops. dang@gentoo.org 2007-02-07 04:14:10 0000 Okay, closing then. No problem. pva@gentoo.org 2007-03-11 12:58:54 0000 Reopening. CVE is wrong about version numbers. I think this misleading version comes from redhat where the fix for this problem was backported to gtk-2.14.13. But we use UPSTREAM gtk+ version where this bug was fixed later. Currently this bug still is in the latest stable gtk+-2.10.6. Daniel, I've CC you in gnome bugzilla where I've reported my observations ( bugzilla.gnome.org/353430 ). Repeating here: Bug is reproducible with gtk+-2.10.6 and is NOT reproducible with gtk+-2.10.7-r1. The following patch http://svn.gnome.org/viewcvs/gtk%2B/trunk/gdk-pixbuf/gdk-pixbuf-loader.c?r1=16010&r2=16803&pathrev=17165 and corresponding ChangeLog entry seems to fix the problem: 2006-12-09 Matthias Clasen <mclasen@redhat.com> * gdk-pixbuf-loader.c (gdk_pixbuf_loader_write): Behave as documented and close the loader when returning FALSE. http://svn.gnome.org/viewcvs/gtk%2B/trunk/gdk-pixbuf/gdk-pixbuf-loader.c?view=log&pathrev=17165 Obviously suggested solution is to stabilize gtk-2.10.7-r1. leio@gentoo.org 2007-03-11 18:46:27 0000 I would go for stabilizing the following: dev-libs/glib-2.12.9 x11-libs/pango-1.14.10 x11-libs/gtk+-2.10.9 (instead of just 2.10.7-r1). All of these (gtk+ and bottom stack) have been in the tree for over 30 days and seem due for stabilization. remi@gentoo.org 2007-03-11 22:51:37 0000 vote +1, they fix a few bugs here and there. Definitely worth stabilizing together. dang@gentoo.org 2007-03-13 23:54:11 0000 I agree. Arches: please stabilize dev-libs/glib-2.12.9 alpha amd64 arm hppa ia64 mips ppc ppc64 s390 sh sparc x86 x11-libs/pango-1.14.10 alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86 x11-libs/gtk+-2.10.9 alpha amd64 arm hppa ia64 mips ppc ppc64 sh sparc x86 mips: Since you don't have anything in the current major rev of any of these keyworded stable, feel free to leave them ~mips if you prefer. angelos@gentoo.org 2007-03-14 00:29:20 0000 everything emerges fine and works on amd64 Portage 2.1.2.2 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.5-r0, 2.6.20-beyond1 x86_64) ================================================================= System uname: 2.6.20-beyond1 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4600+ Gentoo Base System release 1.12.9 Timestamp of tree: Tue, 13 Mar 2007 23:50:01 +0000 distcc 2.18.3 x86_64-pc-linux-gnu (protocols 1 and 2) (default port 3632) [disabled] ccache version 2.4 [enabled] dev-java/java-config: 1.3.7, 2.0.31 dev-lang/python: 2.4.3-r4 dev-python/pycrypto: 2.0.1-r5 dev-util/ccache: 2.4-r6 sys-apps/sandbox: 1.2.17 sys-devel/autoconf: 2.13, 2.61 sys-devel/automake: 1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10 sys-devel/binutils: 2.16.1-r3 sys-devel/gcc-config: 1.3.14 sys-devel/libtool: 1.5.22 virtual/os-headers: 2.6.17-r2 ACCEPT_KEYWORDS="amd64" AUTOCLEAN="yes" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-march=k8 -O2 -pipe -msse3" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/X11/xkb" CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/php/apache1-php5/ext-active/ /etc/php/apache2-php5/ext-active/ /etc/php/cgi-php5/ext-active/ /etc/php/cli-php5/ext-active/ /etc/revdep-rebuild /etc/splash /etc/terminfo" CXXFLAGS="-march=k8 -O2 -pipe -msse3" DISTDIR="/usr/portage/distfiles" FEATURES="autoconfig buildsyspkg ccache collision-protect distlocks metadata-transfer multilib-strict parallel-fetch sandbox sfperms strict test" GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp.wh2.tu-dresden.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo ftp://ftp-stud.fht-esslingen.de/pub/Mirrors/gentoo/ ftp://ftp.gentoo.mesh-solutions.com/gentoo/ ftp://pandemonium.tiscali.de/pub/gentoo/ " LANG="en_US.ISO-8859-15" LC_ALL="en_US.ISO-8859-15" MAKEOPTS="-j3" PKGDIR="/usr/portage/packages" PORTAGE_RSYNC_EXTRA_OPTS="--exclude-from=/etc/portage/rsync_excludes" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/usr/local/portage/overlay /usr/portage/local/layman/break-my-gentoo-main" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="X aac acpi alsa amd64 audiofile berkdb bitmap-fonts bzip2 cairo cdinstall cdr cli cracklib crypt cups dbus dri dvd dvdr dvdread eds emboss encode fam firefox fortran gdbm gif gpm gstreamer gtk gtk2 hal iconv jpeg ldap libg++ lirc logrotate mad midi mikmod mp3 mpeg ncurses nls nptl nptlonly offensive ogg opengl pam pcre php png ppds pppd quicktime readline reflection sdl session socks5 spl ssl svg symlink tcpd test tiff truetype truetype-fonts type1-fonts unicode v4l vorbis xinerama xorg xv xvid zlib" ALSA_CARDS="emu10k1" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="evdev keyboard" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LIRC_DEVICES="inputlirc" USERLAND="GNU" VIDEO_CARDS="fglrx nvidia" Unset: CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS jaervosz@gentoo.org 2007-03-14 07:37:19 0000 UnCCing Security as this seems like a "crash in client application only" type of thing. fauli@gentoo.org 2007-03-14 09:34:57 0000 x86 stable blubb@gentoo.org 2007-03-14 11:10:37 0000 amd64 stable, thanks Christoph jer@gentoo.org 2007-03-15 04:28:31 0000 Stable for HPPA. gustavoz@gentoo.org 2007-03-15 15:03:26 0000 sparc stable. corsair@gentoo.org 2007-03-15 16:59:12 0000 ppc64 stable wolf31o2@gentoo.org 2007-03-22 21:35:02 0000 alpha/ia64/ppc done... leio@gentoo.org 2007-05-18 14:08:10 0000 Packages that have some arches not marked stable yet (possibly on purpose, but still on CC list): x11-libs/pango-1.14.10 arm mips sh x11-libs/gtk+-2.10.9 arm mips sh Removing s390 from CC as they got the relevant glib version stable silently leio@gentoo.org 2007-06-26 10:33:29 0000 mips was done some time ago silently as well. All done now, closing as fixed