From ${URL} : I would like to request a CVE for the heap overflow and DoS found in several versions of gdk-pixbuf. It should be fixed: https://bugzilla.gnome.org/show_bug.cgi?id=752297 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Thanks, fixed in 2.30.8-r1 in the tree and in 2.31.5 in the overlay. gdk-pixbuf-2.30.8-r1 is ready for stabilization. +*gdk-pixbuf-2.30.8-r1 (01 Aug 2015) + + 01 Aug 2015; Alexandre Rostovtsev <tetromino@gentoo.org> + +gdk-pixbuf-2.30.8-r1.ebuild, +files/gdk-pixbuf-2.30.8-divide-by-zero.patch, + +files/gdk-pixbuf-2.30.8-pixops-overflow.patch: + Fix integer overflow in pixops (bug #556314, thanks to Agostino Sarubbo). Fix + gtk-doc installation (bug #549166, thanks to Rafał Mużyło).
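Review bot: the entry lists files/gdk-pixbuf-2.30.8-divide-by-zero.patch among the added files, but the description covers only the pixops integer overflow (bug #556314) and the gtk-doc installation fix (bug #549166). Add a line saying what the divide-by-zero patch fixes and which bug it belongs to, so that anyone auditing this security bump can map each patch file to the issue it addresses.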
Arches, please test and mark stable: =x11-libs/gdk-pixbuf-2.30.8-r1 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
amd64 stable
Stable for HPPA PPC64.
ia64 stable
Stable on alpha.
arm stable
x86 stable
ppc stable
Unfortunately, this overflow is not really fixed in 2.30.8-r1, see upstream git. So please no GLSA right now, another revbump will be needed.
Several additional integer overflow checks for this CVE from upstream git added in gdk-pixbuf-2.30.8-r2 in gentoo.git and in 2.31.6 in the overlay. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=084b0771c60902525706033d8d1ef2ac489954e1 https://gitweb.gentoo.org/proj/gnome.git/commit/?id=9e48855fcf4528e77c4c86b9bd1b12fa3176b23a Arches, please test and mark stable: =x11-libs/gdk-pixbuf-2.30.8-r2 Target keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"
sparc stable
arm stable, all arches done.
Vulnerable ebuilds cleaned up: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4cdb0716f28968157ee001bb954bc72b08b425c9 Note that gdk-pixbuf is also affected by CVE-2015-7673 and CVE-2015-7674 (see bug #562878) which were fixed by =gdk-pixbuf-2.32.1 - which is not yet stabilized.
Arches and Maintainer(s), Thank you for your work. New GLSA Request filed.
This issue was resolved and addressed in GLSA 201512-05 at https://security.gentoo.org/glsa/201512-05 by GLSA coordinator Yury German (BlueKnight).