Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 712932 (CVE-2019-20326) - <media-gfx/gthumb-3.10.0: Buffer overflow in _cairo_image_surface_create_from_jpeg causes crash (CVE-2019-20326)
Summary: <media-gfx/gthumb-3.10.0: Buffer overflow in _cairo_image_surface_create_from...
Status: RESOLVED FIXED
Alias: CVE-2019-20326
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://gitlab.gnome.org/GNOME/gthumb...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-03-16 23:57 UTC by Sam James
Modified: 2020-08-11 02:20 UTC (History)
1 user (show)

See Also:
Package list:
media-gfx/gthumb-3.10.0
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-16 23:57:01 UTC 
Description:
"A heap-based buffer overflow in _cairo_image_surface_create_from_jpeg() in extensions/cairo_io/cairo-image-surface-jpeg.c in GNOME gThumb before 3.8.3 and Linux Mint Pix before 2.4.5 allows attackers to cause a crash and potentially execute arbitrary code via a crafted JPEG file."

Patch: https://gitlab.gnome.org/GNOME/gthumb/commit/4faa5ce2358812d23a1147953ee76f59631590ad

Release notes: https://gitlab.gnome.org/GNOME/gthumb/commit/ca8f528209ab78935c30e42fe53bdf1a24f3cb44
Comment 1 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-04-17 20:17:16 UTC 
@maintainer(s): ping
Comment 2 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-06-04 17:19:52 UTC 
ping
Comment 3 Larry the Git Cow gentoo-dev 2020-07-31 17:12:19 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed8b23504db441e536f0fce244c6df95ccb0c1b6

commit ed8b23504db441e536f0fce244c6df95ccb0c1b6
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-07-31 17:10:53 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-07-31 17:11:34 +0000

    media-gfx/gthumb: bump to 3.10.0
    
    Bug: https://bugs.gentoo.org/712932
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 media-gfx/gthumb/Manifest                    |  1 +
 media-gfx/gthumb/gthumb-3.10.0.ebuild        | 89 ++++++++++++++++++++++++++++
 profiles/arch/powerpc/ppc32/package.use.mask |  1 +
 3 files changed, 91 insertions(+)
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-07-31 17:32:09 UTC 
Let us know when ready to stable, thanks!
Comment 5 Agostino Sarubbo gentoo-dev 2020-08-05 14:00:32 UTC 
amd64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-08-05 14:26:05 UTC 
x86 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 7 GLSAMaker/CVETool Bot gentoo-dev 2020-08-08 04:24:47 UTC 
This issue was resolved and addressed in
 GLSA 202008-05 at https://security.gentoo.org/glsa/202008-05
by GLSA coordinator Sam James (sam_c).
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-08 04:26:04 UTC 
Reopening for cleanup.
Comment 9 Larry the Git Cow gentoo-dev 2020-08-09 07:22:30 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=741f5f782444f855ae71146a54a6182224336dcf

commit 741f5f782444f855ae71146a54a6182224336dcf
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-08-08 15:21:39 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-08-09 07:19:29 +0000

    media-gfx/gthumb: security cleanup
    
    Bug: https://bugs.gentoo.org/712932
    Package-Manager: Portage-2.3.84, Repoman-2.3.20
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 media-gfx/gthumb/Manifest                          |  1 -
 .../gthumb/files/gthumb-3.6.2-exiv2-0.27.patch     | 31 -------
 media-gfx/gthumb/gthumb-3.6.2-r1.ebuild            | 99 ----------------------
 media-gfx/gthumb/metadata.xml                      |  3 +-
 4 files changed, 1 insertion(+), 133 deletions(-)
Comment 10 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-08-11 02:20:06 UTC 
Thanks!