Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 759094 (CVE-2020-29385)

Summary: <x11-libs/gdk-pixbuf-2.42.2: infinite loop in GIF handling (CVE-2020-29385)
Product: Gentoo Security Reporter: John Helmert III <ajak>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal CC: gnome
Priority: Normal Keywords: CC-ARCHES
Version: unspecifiedFlags: nattka: sanity-check+
Hardware: All   
OS: Linux   
URL: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/164
Whiteboard: A3 [glsa+ cve]
Package list:
x11-libs/gdk-pixbuf-2.42.2 amd64 arm arm64 hppa ppc ppc64 sparc x86 s390 x11-libs/gdk-pixbuf-xlib-2.40.2 amd64 arm ppc ppc64 sparc x86
 Runtime testing required: ---

Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2020-12-08 18:14:34 UTC 
CVE-2020-29385:  infinite loop in write_indexes function in gdk-pixbuf/lzw.c
Issue: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/164
Advisory: https://discourse.gnome.org/t/security-advisory-for-gdk-pixbuf-2-42/4965

We'll need to stabilize the fixed version, 2.42.2.
Comment 1 Mart Raudsepp gentoo-dev 2020-12-08 21:12:08 UTC 
Intentionally stabling only a smaller set of arches from the gdk-pixbuf-xlib new split package, as it's a deprecated library. Hope I got it right which arches actually need it based on the few gdk-pixbuf-xlib consumers there are in the tree.
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-10 21:42:03 UTC 
x86 stable
Comment 3 Rolf Eike Beer archtester 2020-12-11 14:27:03 UTC 
hppa/sparc stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2020-12-11 23:20:54 UTC 
ppc/ppc64 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-12 23:54:54 UTC 
arm64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-13 08:51:59 UTC 
arm stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-14 08:02:05 UTC 
amd64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-17 06:50:15 UTC 
s390 done

all arches done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-17 06:53:06 UTC 
Please cleanup.
Comment 10 Larry the Git Cow gentoo-dev 2020-12-17 14:00:02 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5063bf87c540dac932de11ffe14e39389a7492be

commit 5063bf87c540dac932de11ffe14e39389a7492be
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-12-17 13:46:40 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-12-17 13:59:47 +0000

    x11-libs/gdk-pixbuf: security cleanup
    
    Bug: https://bugs.gentoo.org/759094
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 x11-libs/gdk-pixbuf/Manifest                 |   2 -
 x11-libs/gdk-pixbuf/gdk-pixbuf-2.40.0.ebuild | 139 ---------------------------
 x11-libs/gdk-pixbuf/gdk-pixbuf-2.42.0.ebuild | 130 -------------------------
 x11-libs/gdk-pixbuf/metadata.xml             |   3 -
 4 files changed, 274 deletions(-)
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2020-12-22 23:00:49 UTC 
New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-12-23 20:20:53 UTC 
This issue was resolved and addressed in
 GLSA 202012-15 at https://security.gentoo.org/glsa/202012-15
by GLSA coordinator Thomas Deutschmann (whissi).