Summary: | <dev-dotnet/libgdiplus-2.6.7-r1: Multiple Integer Overflow Vulnerabilities (CVE-2010-1526) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Tim Sammut (RETIRED) <underling> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | dotnet |
Priority: | High | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- |
Description
Tim Sammut (RETIRED)
2010-08-23 16:55:03 UTC
CVE-2010-1526 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-1526): Multiple integer overflows in libgdiplus 2.6.7, as used in Mono, allow attackers to execute arbitrary code via (1) a crafted TIFF file, related to the gdip_load_tiff_image function in tiffcodec.c; (2) a crafted JPEG file, related to the gdip_load_jpeg_image_internal function in jpegcodec.c; or (3) a crafted BMP file, related to the gdip_read_bmp_image function in bmpcodec.c, leading to heap-based buffer overflows. +*libgdiplus-2.6.7-r1 (07 Sep 2010) + + 07 Sep 2010; Pacho Ramos <pacho@gentoo.org> +libgdiplus-2.6.7-r1.ebuild, + +files/libgdiplus-2.6.7-fix-overflows.patch: + Fix Multiple Integer Overflow Vulnerabilities (CVE-2010-1526) (bug + #334101) applying upstream patch also used in Fedora. Maybe it should be installed with the rest of mono-2.6.7 :-/ Arches, please test and mark stable: =dev-dotnet/libgdiplus-2.6.7-r1 Target keywords : "amd64 ppc x86" x86 stable amd64 done Marked ppc stable. GLSA request filed. This issue was resolved and addressed in GLSA 201401-01 at http://security.gentoo.org/glsa/glsa-201401-01.xml by GLSA coordinator Chris Reffett (creffett). |