
Bug 759094 (CVE-2020-29385)

Summary: <x11-libs/gdk-pixbuf-2.42.2: infinite loop in GIF handling (CVE-2020-29385)
Product: Gentoo Security
Reporter: John Helmert III <ajak>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Severity: normal
CC: gnome
Priority: Normal
Keywords: CC-ARCHES
Version: unspecified
Flags: nattka: sanity-check+
Hardware: All
OS: Linux
Whiteboard: A3 [glsa+ cve]
Package list:
x11-libs/gdk-pixbuf-2.42.2 amd64 arm arm64 hppa ppc ppc64 sparc x86 s390
x11-libs/gdk-pixbuf-xlib-2.40.2 amd64 arm ppc ppc64 sparc x86
Runtime testing required: ---

Description John Helmert III gentoo-dev Security 2020-12-08 18:14:34 UTC
CVE-2020-29385:  infinite loop in write_indexes function in gdk-pixbuf/lzw.c

We'll need to stabilize the fixed version, 2.42.2.
Comment 1 Mart Raudsepp gentoo-dev 2020-12-08 21:12:08 UTC
Intentionally stabling only a smaller set of arches from the gdk-pixbuf-xlib new split package, as it's a deprecated library. Hope I got it right which arches actually need it based on the few gdk-pixbuf-xlib consumers there are in the tree.
Comment 2 Thomas Deutschmann gentoo-dev 2020-12-10 21:42:03 UTC
x86 stable
Comment 3 Rolf Eike Beer archtester 2020-12-11 14:27:03 UTC
hppa/sparc stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2020-12-11 23:20:54 UTC
ppc/ppc64 stable
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-12 23:54:54 UTC
arm64 done
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-13 08:51:59 UTC
arm stable
Comment 7 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-14 08:02:05 UTC
amd64 done
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-17 06:50:15 UTC
s390 done

all arches done
Comment 9 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-12-17 06:53:06 UTC
Please cleanup.
Comment 10 Larry the Git Cow gentoo-dev 2020-12-17 14:00:02 UTC
The bug has been referenced in the following commit(s):

commit 5063bf87c540dac932de11ffe14e39389a7492be
Author:     Mart Raudsepp <>
AuthorDate: 2020-12-17 13:46:40 +0000
Commit:     Mart Raudsepp <>
CommitDate: 2020-12-17 13:59:47 +0000

    x11-libs/gdk-pixbuf: security cleanup
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Mart Raudsepp <>

 x11-libs/gdk-pixbuf/Manifest                 |   2 -
 x11-libs/gdk-pixbuf/gdk-pixbuf-2.40.0.ebuild | 139 ---------------------------
 x11-libs/gdk-pixbuf/gdk-pixbuf-2.42.0.ebuild | 130 -------------------------
 x11-libs/gdk-pixbuf/metadata.xml             |   3 -
 4 files changed, 274 deletions(-)
Comment 11 Thomas Deutschmann gentoo-dev 2020-12-22 23:00:49 UTC
New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-12-23 20:20:53 UTC
This issue was resolved and addressed in
 GLSA 202012-15 at
by GLSA coordinator Thomas Deutschmann (whissi).