Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 556314 (CVE-2015-4491)

Summary: <x11-libs/gdk-pixbuf-2.30.8-r2: heap overflow and DoS (CVE-2015-4491)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Severity: normal CC: gnome
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard: B2 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2015-07-30 12:00:37 UTC
From ${URL} :

I would like to request a CVE for the heap overflow and DoS found in
several versions of gdk-pixbuf. It should be fixed:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-08-01 00:57:17 UTC
Thanks, fixed in 2.30.8-r1 in the tree and in 2.31.5 in the overlay.

gdk-pixbuf-2.30.8-r1 is ready for stabilization.

+*gdk-pixbuf-2.30.8-r1 (01 Aug 2015)
+  01 Aug 2015; Alexandre Rostovtsev <>
+  +gdk-pixbuf-2.30.8-r1.ebuild, +files/gdk-pixbuf-2.30.8-divide-by-zero.patch,
+  +files/gdk-pixbuf-2.30.8-pixops-overflow.patch:
+  Fix integer overflow in pixops (bug #556314, thanks to Agostino Sarubbo). Fix
+  gtk-doc installation (bug #549166, thanks to Rafał Mużyło).
Comment 2 Agostino Sarubbo gentoo-dev 2015-08-03 10:35:40 UTC
Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 3 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-04 11:23:19 UTC
amd64 stable
Comment 4 Jeroen Roovers (RETIRED) gentoo-dev 2015-08-05 05:58:36 UTC
Stable for HPPA PPC64.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-05 09:58:56 UTC
ia64 stable
Comment 6 Tobias Klausmann (RETIRED) gentoo-dev 2015-08-05 12:15:41 UTC
Stable on alpha.
Comment 7 Markus Meier gentoo-dev 2015-08-06 04:58:01 UTC
arm stable
Comment 8 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-06 13:35:50 UTC
x86 stable
Comment 9 Agostino Sarubbo gentoo-dev 2015-08-26 07:30:28 UTC
ppc stable
Comment 10 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-08-26 07:50:15 UTC
Unfortunately, this overflow is not really fixed in 2.30.8-r1, see upstream git. So please no GLSA right now, another revbump will be needed.
Comment 11 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-09-01 05:18:49 UTC
Several additional integer overflow checks for this CVE from upstream git added in gdk-pixbuf-2.30.8-r2 in gentoo.git and in 2.31.6 in the overlay.

Arches, please test and mark stable:
Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
Comment 12 Jeroen Roovers (RETIRED) gentoo-dev 2015-09-02 04:33:29 UTC
Stable for HPPA PPC64.
Comment 13 Agostino Sarubbo gentoo-dev 2015-09-03 08:24:44 UTC
amd64 stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-09-03 08:26:25 UTC
x86 stable
Comment 15 Agostino Sarubbo gentoo-dev 2015-09-06 08:33:57 UTC
sparc stable
Comment 16 Tobias Klausmann (RETIRED) gentoo-dev 2015-09-11 13:08:02 UTC
Stable on alpha.
Comment 17 Agostino Sarubbo gentoo-dev 2015-09-22 09:00:42 UTC
ppc stable
Comment 18 Agostino Sarubbo gentoo-dev 2015-09-24 08:03:14 UTC
ia64 stable
Comment 19 Markus Meier gentoo-dev 2015-09-25 06:03:53 UTC
arm stable, all arches done.
Comment 20 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-10-12 23:47:58 UTC
Vulnerable ebuilds cleaned up:

Note that gdk-pixbuf is also affected by CVE-2015-7673 and CVE-2015-7674 (see bug #562878) which were fixed by =gdk-pixbuf-2.32.1 - which is not yet stabilized.
Comment 21 Yury German Gentoo Infrastructure gentoo-dev 2015-10-13 00:51:17 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 22 GLSAMaker/CVETool Bot gentoo-dev 2015-12-21 14:21:23 UTC
This issue was resolved and addressed in
 GLSA 201512-05 at
by GLSA coordinator Yury German (BlueKnight).