Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 412033 (CVE-2012-2370)

Summary: <x11-libs/gdk-pixbuf-2.24.1-r1: integer overflow in xbm loader (CVE-2012-2370)
Product: Gentoo Security Reporter: Alexandre Rostovtsev (RETIRED) <tetromino>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: gnome
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.gnome.org/show_bug.cgi?id=672811
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
test xbm file, will crash applications that use affected gdk-pixbuf versions none

Description Alexandre Rostovtsev (RETIRED) gentoo-dev 2012-04-14 20:51:57 UTC 
Created attachment 308981 [details]
test xbm file, will crash applications that use affected gdk-pixbuf versions

See https://bugzilla.gnome.org/show_bug.cgi?id=672811

Attempting to load the attached file in most gtk-based applications, including firefox, will result in a segfault if a vulnerable version of gdk-pixbuf is installed.

Fixed in gdk-pixbuf-2.24.1-r1 (should be stabilized) and gdk-pixbuf-2.26.1 (should not be stabilized for now due to glib-2.32 dependency).
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2012-04-15 04:10:29 UTC 
Thanks, Alexandre.

Arches, please test and mark stable:
=x11-libs/gdk-pixbuf-2.24.1-r1
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sh sparc x86"
Comment 2 Agostino Sarubbo gentoo-dev 2012-04-15 14:06:08 UTC 
amd64 stable
Comment 3 Jeff (JD) Horelick (RETIRED) gentoo-dev 2012-04-15 23:13:16 UTC 
x86 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2012-04-16 01:05:51 UTC 
Stable for HPPA.
Comment 5 Markus Meier gentoo-dev 2012-04-18 20:12:54 UTC 
arm stable
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2012-04-21 18:56:04 UTC 
alpha/ia64/sh/sparc stable
Comment 7 Mark Loeser (RETIRED) gentoo-dev 2012-05-13 19:28:12 UTC 
ppc was done already, ppc64 done as well now
Comment 8 Sean Amoss (RETIRED) gentoo-dev Security 2012-05-13 23:13:42 UTC 
Thanks, everyone. Added to existing GLSA request.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-06-23 20:34:32 UTC 
This issue was resolved and addressed in
 GLSA 201206-20 at http://security.gentoo.org/glsa/glsa-201206-20.xml
by GLSA coordinator Sean Amoss (ackle).
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2012-08-14 11:19:49 UTC 
CVE-2012-2370 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2370):
  Multiple integer overflows in the read_bitmap_file_data function in io-xbm.c
  in gdk-pixbuf before 2.26.1 allow remote attackers to cause a denial of
  service (application crash) via a negative (1) height or (2) width in an XBM
  file, which triggers a heap-based buffer overflow.