
Bug 574382

Summary: <xfce-base/thunar-1.6.12-r1: integer overflow
Product: Gentoo Security
Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: xfce
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B3 [noglsa cve]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 574372    

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-10 21:53:01 UTC
xfce-base/thunar is vulnerable to CVE-2013-7447

See tracking bug for details.

##

kflaptop Thunar-1.6.10 # grep -r "cairo_pixels" -- *
thunar/thunar-gdk-extensions.c:  guchar          *cairo_pixels;
thunar/thunar-gdk-extensions.c:  cairo_pixels = g_malloc (height * cairo_stride);
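
The allocation size in the grep output above is the product `height * cairo_stride`, computed before the allocator sees it. The following C program is an added example, not part of the original report and not Thunar's code or the upstream patch. It assumes both operands are 32-bit `int`, uses plain `malloc` instead of `g_malloc` so that it builds without GLib, and its function names and dimensions are hypothetical. It shows the size a wrapped 32-bit product yields next to a size computed with widening and a bounds check.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Byte count the allocator receives when `height * stride` wraps at 32 bits.
 * Computed in unsigned arithmetic because signed overflow is undefined in C. */
static uint32_t wrapped_size(int height, int stride)
{
    return (uint32_t)height * (uint32_t)stride;
}

/* Hypothetical helper: stores the exact byte count in *out and returns 1,
 * or returns 0 for non-positive dimensions or a product that does not
 * fit in size_t. Widening happens before the multiplication. */
static int checked_size(int height, int stride, size_t *out)
{
    if (height <= 0 || stride <= 0)
        return 0;
    if ((size_t)height > SIZE_MAX / (size_t)stride)
        return 0;
    *out = (size_t)height * (size_t)stride;
    return 1;
}

/* Hypothetical allocator wrapper: NULL instead of an undersized buffer. */
static unsigned char *alloc_pixels(int height, int stride)
{
    size_t n;
    if (!checked_size(height, stride, &n))
        return NULL;
    return malloc(n);
}

int main(void)
{
    /* Constructed dimensions: 65537 rows of 65536 bytes each. */
    int height = 65537, stride = 65536;
    size_t n = 0;

    printf("wrapped 32-bit size: %u bytes\n", (unsigned)wrapped_size(height, stride));
    if (checked_size(height, stride, &n))
        printf("checked size:        %zu bytes\n", n);
    else
        printf("checked size:        rejected (does not fit in size_t)\n");

    unsigned char *p = alloc_pixels(4, 64); /* small, valid request */
    free(p);
    return 0;
}
```

With the constructed dimensions the wrapped product is 65536 bytes, while code that fills `height` rows of `stride` bytes would write far past a buffer of that size.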
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-05 16:36:36 UTC
@xfce gtk+ is now fixed, could you please confirm if thunar is still vulnerable?

Thank you

Gentoo Security Padawan
ChrisADR
Comment 2 Denis Dupeyron (RETIRED) gentoo-dev 2017-11-16 19:07:34 UTC
Unfortunately latest thunar was still vulnerable. Upstream had a patch so I have applied it and pushed 1.6.12-r1.
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-17 00:10:30 UTC
Thanks, please call for stabilization when ready.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2018-03-23 21:17:43 UTC
=xfce-base/thunar-1.16.13 is already stable.

@maintainers, please clean up the vulnerable versions.

GLSA Vote: No
Comment 5 Larry the Git Cow gentoo-dev 2018-03-23 22:04:00 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1f5c6695d3744e5e73e55269e5be9ecfae910d67

commit 1f5c6695d3744e5e73e55269e5be9ecfae910d67
Author:     Michał Górny <mgorny@gentoo.org>
AuthorDate: 2018-03-23 21:59:51 +0000
Commit:     Michał Górny <mgorny@gentoo.org>
CommitDate: 2018-03-23 22:03:50 +0000

    xfce-base/thunar: Clean old up
    
    Bug: https://bugs.gentoo.org/574382

 xfce-base/thunar/Manifest                |  2 -
 xfce-base/thunar/thunar-1.6.10-r1.ebuild | 68 ---------------------------
 xfce-base/thunar/thunar-1.6.12-r1.ebuild | 80 --------------------------------
 3 files changed, 150 deletions(-)
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2018-03-23 23:16:28 UTC
Thanks, Michał!