
Bug 574384

Summary: <app-office/pinpoint-0.1.8-r1: integer overflow (CVE-2013-7447)
Product: Gentoo Security Reporter: Kristian Fiskerstrand (RETIRED) <k_f>
Component: Vulnerabilities Assignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: gnome
Priority: Normal Flags: stable-bot: sanity-check+
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://bugzilla.gnome.org/show_bug.cgi?id=762029
Whiteboard: B3 [noglsa cve]
Package list:
app-office/pinpoint-0.1.8-r1
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 574372    

Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-10 21:55:12 UTC
app-office/pinpoint is vulnerable to CVE-2013-7447

See tracking bug for details.

##
kflaptop pinpoint-0.1.6 # grep -r "cairo_pixels" -- *
pp-cairo.c:  guchar          *cairo_pixels;
pp-cairo.c:  cairo_pixels = g_malloc (height * cairo_stride);
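
The allocation in the grep output above multiplies two values before the result reaches the allocator. As an added example (not pinpoint's code and not the Gentoo patch; the function names and the dimensions are constructed, and both operands are assumed to be int), this C program models the wrapped size and shows an overflow-checked allocation:

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Models the size an unchecked `height * cairo_stride` yields when the int
 * product wraps at 32 bits. Done in unsigned arithmetic because signed
 * overflow is undefined behaviour in C. */
static uint32_t wrapped_size(int height, int stride)
{
    return (uint32_t)height * (uint32_t)stride;
}

/* Computes height * stride as a size_t. Returns 0 on success, -1 if a
 * dimension is not positive or the product does not fit in size_t. */
static int checked_size(int height, int stride, size_t *out)
{
    if (height <= 0 || stride <= 0)
        return -1;
    /* Widen first, then reject anything the multiplication cannot hold. */
    if ((size_t)height > SIZE_MAX / (size_t)stride)
        return -1;
    *out = (size_t)height * (size_t)stride;
    return 0;
}

/* Hardened allocation: returns NULL instead of an undersized buffer. */
static unsigned char *alloc_pixels(int height, int stride)
{
    size_t n;
    if (checked_size(height, stride, &n) != 0)
        return NULL;
    return malloc(n); /* may still be NULL if memory is unavailable */
}

int main(void)
{
    /* Constructed dimensions: 16384 px wide at 4 bytes/px, 65537 rows. */
    int height = 65537, stride = 16384 * 4;
    size_t n = 0;

    printf("unchecked (wrapped) size: %u bytes\n",
           (unsigned)wrapped_size(height, stride));
    if (checked_size(height, stride, &n) == 0)
        printf("checked size: %zu bytes\n", n);
    else
        printf("checked size: rejected\n");
    return 0;
}
```

With these dimensions the wrapped product is 64 KiB, while the pixel loop that follows such an allocation would write roughly 4 GiB.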
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-05 16:35:02 UTC
@gnome could you confirm if the package is still vulnerable?

Thank you,

Gentoo Security Padawan
ChrisADR
Comment 2 Aaron Bauman (RETIRED) gentoo-dev 2018-03-25 14:49:37 UTC
(In reply to Christopher Díaz Riveros from comment #1)
> @gnome could you confirm if the package is still vulnerable?
> 
> Thank you,
> 
> Gentoo Security Padawan
> ChrisADR

It is still vulnerable based on the upstream code in pinpoint-0.1.8 and the suggested patch referenced in the tracking bug.
Comment 3 Pacho Ramos gentoo-dev 2018-03-28 18:23:15 UTC
[master 5dd55b83cc7] app-office/pinpoint: Fix CVE-2013-7447 (#574384)
 2 files changed, 83 insertions(+)
 create mode 100644 app-office/pinpoint/files/pinpoint-0.1.8-CVE-2013-7447.patch
 create mode 100644 app-office/pinpoint/pinpoint-0.1.8-r1.ebuild

And it seems to still work for me
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2018-03-29 14:54:04 UTC
x86 stable
Comment 5 Larry the Git Cow gentoo-dev 2018-03-30 13:32:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=58d6e1dd9160691073e81d4f7d2a25bf9be4f834

commit 58d6e1dd9160691073e81d4f7d2a25bf9be4f834
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-03-30 13:21:20 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-03-30 13:32:10 +0000

    app-office/pinpoint: amd64 stable
    
    Bug: https://bugs.gentoo.org/574384
    Package-Manager: Portage-2.3.26, Repoman-2.3.7

 app-office/pinpoint/pinpoint-0.1.8-r1.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 6 Larry the Git Cow gentoo-dev 2018-04-03 19:10:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a4ea394ad712beac42dd44aea9225a14efcc194d

commit a4ea394ad712beac42dd44aea9225a14efcc194d
Author:     Aaron Bauman <bman@gentoo.org>
AuthorDate: 2018-04-03 19:09:25 +0000
Commit:     Aaron Bauman <bman@gentoo.org>
CommitDate: 2018-04-03 19:09:25 +0000

    app-office/pinpoint: drop vulnerable
    
    Bug: https://bugs.gentoo.org/574384
    Package-Manager: Portage-2.3.28, Repoman-2.3.9

 app-office/pinpoint/pinpoint-0.1.8.ebuild | 47 -------------------------------
 1 file changed, 47 deletions(-)