Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 562880 (CVE-2015-7673) - <x11-libs/gdk-pixbuf-2.32.1: Heap overflow and DoS vulnerability when scaling a TGA file (CVE-2015-7673)
Summary: <x11-libs/gdk-pixbuf-2.32.1: Heap overflow and DoS vulnerability when scaling...
Status: RESOLVED FIXED
Alias: CVE-2015-7673
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A2 [glsa cve]
Keywords:
Depends on: CVE-2015-7674 563052
Blocks:
  Show dependency tree
 
Reported: 2015-10-12 07:39 UTC by Agostino Sarubbo
Modified: 2015-12-21 14:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-10-12 07:39:12 UTC 
From ${URL} :

It was reported that heap overflow and DoS in gdk-pixbuf implementation occurs triggered by scaling 
TGA file. This library is used also by Firefox and Chromium, making them vulnerable.

Upstream patches:
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=19f9685dbff7d1f929c61cf99188df917a18811d
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=edf6fb8d856574bc3bb3a703037f56533229267c
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=6ddca835100107e6b5841ce9d56074f6d98c387e
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-10-12 23:40:14 UTC 
Fixed by =gdk-pixbuf-2.32.1 - I think stabilization for both this and CVE-2015-7674 should be handled in one place, bug #562878 to avoid confusing arches :)

*** This bug has been marked as a duplicate of bug 562878 ***
Comment 2 Agostino Sarubbo gentoo-dev 2015-10-13 07:20:03 UTC 
(In reply to Alexandre Rostovtsev from comment #1)
> Fixed by =gdk-pixbuf-2.32.1 - I think stabilization for both this and
> CVE-2015-7674 should be handled in one place, bug #562878 to avoid confusing
> arches :)

Yes but duplicate means other.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2015-12-21 14:21:39 UTC 
This issue was resolved and addressed in
 GLSA 201512-05 at https://security.gentoo.org/glsa/201512-05
by GLSA coordinator Yury German (BlueKnight).