Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 562878 (CVE-2015-7674) - <x11-libs/gdk-pixbuf-2.32.1: Heap overflow when scaling a GIF file (CVE-2015-7674)
Summary: <x11-libs/gdk-pixbuf-2.32.1: Heap overflow when scaling a GIF file (CVE-2015-...
Alias: CVE-2015-7674
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal major (vote)
Assignee: Gentoo Security
Whiteboard: A2 [glsa cve]
Depends on: 563052
Blocks: CVE-2015-7673
  Show dependency tree
Reported: 2015-10-12 07:38 UTC by Agostino Sarubbo
Modified: 2015-12-21 14:21 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-10-12 07:38:04 UTC
From ${URL} :

Heap overflow flaw was found in the gdk-pixbuf implementation triggered by the scaling of gif file. 
Affected versions are < 2.32.1.

Upstream patch:

CVE request:

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-10-12 23:38:10 UTC
I am tired of manually backporting security fixes to 2.30.8 and risking getting something wrong. So let's get the real gdk-pixbuf-2.32.1 in the tree, since it does seem to work fine with gtk+-3.16.x in my testing.

commit 1dfb62b200770993df34d207358805fba6612605
Author: Alexandre Rostovtsev <>
Date:   Mon Oct 12 19:19:17 2015 -0400

    x11-libs/gdk-pixbuf: bump to 2.32.1, fixes heap overflows
    Fixes multiple heap overflows (CVE-2015-7673, CVE-2015-7674).
    Drops support for wbmp, ras, pcx formats.
    Fixes support for icns and 256x256 ico formats.
    Gentoo-Bug: 562878, 562880
    Reported-by: Agostino Sarubbo

Overflows fixed in =gdk-pixbuf-2.32.1 - please test and stabilize.
Comment 2 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-10-12 23:40:14 UTC
*** Bug 562880 has been marked as a duplicate of this bug. ***
Comment 3 Yury German Gentoo Infrastructure gentoo-dev 2015-10-13 00:33:36 UTC
Arches, please test and mark stable:


Target Keywords : "alpha amd64 arm hppa ia64 ppc ppc64 sparc x86"

Thank you!
Comment 4 Agostino Sarubbo gentoo-dev 2015-10-13 07:23:25 UTC
amd64 stable
Comment 5 Agostino Sarubbo gentoo-dev 2015-10-13 07:24:20 UTC
x86 stable
Comment 6 Jeroen Roovers (RETIRED) gentoo-dev 2015-10-14 04:01:07 UTC
Stable for HPPA PPC64.
Comment 7 Agostino Sarubbo gentoo-dev 2015-10-14 07:15:28 UTC
ppc stable
Comment 8 Tobias Klausmann (RETIRED) gentoo-dev 2015-10-21 13:20:56 UTC
Stable on alpha.
Comment 9 Markus Meier gentoo-dev 2015-11-03 19:16:27 UTC
arm stable
Comment 10 Agostino Sarubbo gentoo-dev 2015-11-05 10:59:06 UTC
sparc stable
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-11-07 23:54:10 UTC
ia64 stable
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2015-12-21 14:21:30 UTC
This issue was resolved and addressed in
 GLSA 201512-05 at
by GLSA coordinator Yury German (BlueKnight).