Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 561526 - <x11-libs/pixman-{0.32.8,0.33.4}: Stack buffer overflow
Summary: <x11-libs/pixman-{0.32.8,0.33.4}: Stack buffer overflow
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2015-09-26 06:14 UTC by Matt Turner
Modified: 2016-12-13 06:51 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Matt Turner gentoo-dev 2015-09-26 06:14:52 UTC
Contains only a small (security) bug fix over 0.32.6. Please stabilize.
Comment 1 Agostino Sarubbo gentoo-dev 2015-09-26 10:18:33 UTC
amd64 stable
Comment 2 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-09-26 18:22:11 UTC
x86 stable
Comment 3 Jeroen Roovers gentoo-dev 2015-09-28 02:58:16 UTC
Stable for HPPA PPC64.
Comment 4 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-10-01 11:19:07 UTC
arm stable
Comment 5 Tobias Klausmann gentoo-dev 2015-11-01 13:30:24 UTC
Stable on alpha.
Comment 6 Agostino Sarubbo gentoo-dev 2015-11-04 14:38:30 UTC
ppc stable
Comment 7 Agostino Sarubbo gentoo-dev 2015-11-05 11:00:15 UTC
sparc stable
Comment 8 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-11-08 00:01:55 UTC
ia64 stable
Comment 9 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-02 18:26:35 UTC
Does anyone have any more information then here?
http://lists.x.org/archives/xorg-announce/2015-September/002637.html

There is no information I could find (although a quick search) on what the vulnerability is.
Comment 10 Siarhei Siamashka 2015-12-21 19:16:38 UTC
(In reply to Yury German from comment #9)
> Does anyone have any more information then here?
> http://lists.x.org/archives/xorg-announce/2015-September/002637.html
> 
> There is no information I could find (although a quick search) on what the
> vulnerability is.

You can find more details in the commit message:
    http://cgit.freedesktop.org/pixman/commit/?id=8b49d4b6b460d0c9299bca4ccddd7cd00d8f8441
And in the original bugreport at
    https://bugs.freedesktop.org/show_bug.cgi?id=92027#c6

This can lead to at least a DoS on 32-bit x86 systems with ASLR disabled (maybe other configurations could be affected too) or even potential arbitrary code execution. I'm not aware of any real exploits or even PoC exploits, but this bug looked serious enough and had been fixed as soon as it was discovered.

Hope this helps.
Comment 11 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-24 00:02:36 UTC
Yes this helps a lot thank you!

We need to reverse stable on ia64, as that was never stable, and was made stable as part of this stabilization.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev Security 2015-12-24 00:03:48 UTC
(In reply to Yury German from comment #11)
> Yes this helps a lot thank you!
> 
> We need to reverse stable on ia64, as that was never stable, and was made
> stable as part of this stabilization.

Sorry should of been more clear - for Version: 0.33.4 Only. Not for 0.32.8 (that was stable)
Comment 13 Agostino Sarubbo gentoo-dev 2016-01-11 09:40:42 UTC
done for ia64
Comment 14 Yury German Gentoo Infrastructure gentoo-dev Security 2016-01-26 02:01:53 UTC
Cleanup still needed. Please remove unstable 0.33.2
Comment 15 Matt Turner gentoo-dev 2016-01-26 04:12:05 UTC
Removed. Thanks!
Comment 16 Yury German Gentoo Infrastructure gentoo-dev Security 2016-02-25 08:13:22 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2016-12-13 06:51:22 UTC
This issue was resolved and addressed in
 GLSA 201612-37 at https://security.gentoo.org/glsa/201612-37
by GLSA coordinator Aaron Bauman (b-man).