
Bug 64230

Summary: x11-libs/gtk+-2*, media-libs/gdk-pixbuf: Multiple Image Decoding Vulnerabilities
Product: Gentoo Security
Reporter: Matthias Geerdsen (RETIRED) <vorlon>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: gnome
Priority: High
Version: unspecified
Hardware: All
OS: All
URL: http://bugzilla.gnome.org/show_bug.cgi?id=150601
Whiteboard: A2 [glsa] jaervosz
Package list:
Runtime testing required: ---
Bug Depends on:
Bug Blocks: 64135
Attachments (Description, Flags):
gdk-pixbuf-0.22.0-CAN-2004-0753.patch, none
gdk-pixbuf-0.22.0-rh-alt-bound.patch, none

Description Matthias Geerdsen (RETIRED) gentoo-dev 2004-09-16 03:06:34 UTC
http://secunia.com/advisories/12542/ :

Description:
Multiple vulnerabilities have been reported in GdkPixBuf, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.

1) A variant of a recently disclosed vulnerability in Qt exists within the BMP image processing functionality. This can be exploited to make an affected application enter an infinite loop when a specially crafted BMP image is processed.

2) An input validation error within the "pixbuf_create_from_xpm()" function when decoding XPM images can be exploited to cause an integer overflow when a specially crafted XPM image is processed.

Successful exploitation may in turn result in a heap-based buffer overflow, which potentially allows execution of arbitrary code.

3) A boundary error within the "xpm_extract_color()" function when decoding XPM images can be exploited to cause a stack-based buffer overflow when a specially crafted XPM image is processed.

Successful exploitation may allow execution of arbitrary code.

4) An input validation error within the ICO image decoding functionality can be exploited to cause an integer overflow when a specially crafted ICO image is processed.

Successful exploitation causes an affected application to crash.

Solution:
Secunia is currently not aware of an official updated version, which addresses the vulnerabilities.

However, updates have been issued by various Linux vendors.

Provided and/or discovered by:
2-4) Chris Evans

Original Advisory:
Chris Evans:
http://scary.beasts.org/security/CESA-2004-005.txt

GNOME Bugzilla:
http://bugzilla.gnome.org/show_bug.cgi?id=150601
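
The integer-overflow pattern named in items 2 and 4 of the advisory quoted above, shown as an added illustration that is not part of this bug report and is not gdk-pixbuf code. The function names, the 32-bit size arithmetic and the header values are assumptions chosen to show the bug class beside a checked form.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bug class: image header fields multiplied in 32-bit arithmetic.
 * The product wraps modulo 2^32, so the buffer that gets allocated is
 * far smaller than the pixel data the decoder goes on to write. */
static uint32_t pixel_bytes_unchecked(uint32_t w, uint32_t h, uint32_t channels)
{
    return w * h * channels;
}

/* Hardened form: validate every factor before multiplying.
 * Returns 0 and stores the byte count in *out, or -1 to reject the image. */
static int pixel_bytes_checked(int32_t w, int32_t h, int32_t channels, size_t *out)
{
    if (w <= 0 || h <= 0 || channels <= 0)
        return -1;                       /* zero or negative header field */
    if (w > INT32_MAX / channels)
        return -1;                       /* row stride would overflow */
    int32_t rowstride = w * channels;
    if (h > INT32_MAX / rowstride)
        return -1;                       /* total size would overflow */
    *out = (size_t)rowstride * (size_t)h;
    return 0;
}

int main(void)
{
    /* Constructed header values, not taken from any real file. */
    size_t n = 0;
    printf("unchecked 65537x16384x4 -> %u bytes\n",
           (unsigned)pixel_bytes_unchecked(65537u, 16384u, 4u));
    printf("checked   65537x16384x4 -> %s\n",
           pixel_bytes_checked(65537, 16384, 4, &n) == 0 ? "accepted" : "rejected");
    if (pixel_bytes_checked(640, 480, 4, &n) == 0)
        printf("checked   640x480x4     -> %zu bytes\n", n);
    return 0;
}
```
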
Comment 1 Marc Ballarin 2004-09-16 03:18:11 UTC
Note that this also affects the version of gdk-pixbuf in x11-libs/gtk+-2.4.4.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2004-09-16 03:33:13 UTC
*** Bug 64233 has been marked as a duplicate of this bug. ***
Comment 3 Thierry Carrez (RETIRED) gentoo-dev 2004-09-16 03:38:30 UTC
Same vulnerability, two packages affected :

x11-libs/gtk+
media-libs/gdk-pixbuf

CAN-2004-0753
CAN-2004-0782
CAN-2004-0783
CAN-2004-0788
Comment 4 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-16 09:17:23 UTC
Created attachment 39701 [details, diff]
gdk-pixbuf-0.22.0-CAN-2004-0753.patch

Mandrake gdk-pixbuf-0.22.0-CAN-2004-0753.patch
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-16 09:18:08 UTC
Created attachment 39702 [details, diff]
gdk-pixbuf-0.22.0-rh-alt-bound.patch

Mandrake gdk-pixbuf-0.22.0-rh-alt-bound.patch
Comment 6 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2004-09-16 09:45:20 UTC
For good reason I'm not on the gnome team.

RH SRPMs can be found here:

ftp://updates.redhat.com/enterprise/3desktop/en/os/SRPMS/

Mandrake SRPMs here:

ftp://spirit.profinet.sk/mirrors/Mandrake/updates/10.0/SRPMS
Comment 7 Thierry Carrez (RETIRED) gentoo-dev 2004-09-18 01:43:14 UTC
Updated Mandrake advisory :
http://www.mandrakesoft.com/security/advisories?name=MDKSA-2004:095-1

"The previous package had an incorrect patch applied that would cause some problems with other programs. The updated packages have the correct patch applied.
As well, patched gtk+2 packages, which also contain gdk-pixbuf, are now provided."
Comment 8 foser (RETIRED) gentoo-dev 2004-09-19 16:08:41 UTC
Added gtk+-2.4.9-r1 & gdk-pixbuf-0.22.0-r3 with patches for these issues. Marked both stable on x86.
Comment 9 SpanKY gentoo-dev 2004-09-19 18:08:34 UTC
amd64 stable
Comment 10 Jochen Maes (RETIRED) gentoo-dev 2004-09-20 04:00:56 UTC
stable on ppc
Comment 11 Gustavo Zacarias (RETIRED) gentoo-dev 2004-09-20 06:52:14 UTC
Sparc stable.
Comment 12 Thierry Carrez (RETIRED) gentoo-dev 2004-09-20 08:42:48 UTC
SeJo: gdk-pixbuf wasn't marked ppc stable, apparently you only marked gtk+.
Comment 13 Bryan Østergaard (RETIRED) gentoo-dev 2004-09-20 10:54:38 UTC
Stable on alpha.
Comment 14 SpanKY gentoo-dev 2004-09-20 18:11:35 UTC
arm/hppa/ia64/ppc done
Comment 15 Thierry Carrez (RETIRED) gentoo-dev 2004-09-21 04:30:51 UTC
Thx everyone. Ready for a GLSA.
Comment 16 Thierry Carrez (RETIRED) gentoo-dev 2004-09-21 13:55:25 UTC
GLSA 200409-28
Comment 17 Tom Gall (RETIRED) gentoo-dev 2004-10-09 19:14:27 UTC
stable on ppc64, thanks!
Comment 18 Hardave Riar (RETIRED) gentoo-dev 2004-10-16 23:49:44 UTC
Stable on mips.