Hello MITRE, all, Virgil Grigoras and Vlad Orlov discovered an integer overflow flaw in gtk+2.0 in image handling: https://github.com/mate-desktop/eom/issues/93 Bert Massop discovered the same issue in the gtk+3.0 codebase: https://bugzilla.gnome.org/show_bug.cgi?id=703220 The fix replaces a direct height * cairo_stride multiplication with a call to g_malloc_n() which knows how to multiply correctly: https://git.gnome.org/browse/gtk+/commit?id=894b1ae76a32720f4bb3d39cf460402e3ce331d6 - cairo_pixels = g_malloc (height * cairo_stride); + cairo_pixels = g_malloc_n (height, cairo_stride); This same bug appears to be copy-and-pasted to at least: eom, gnome-photos, eog, gambas3, thunar, pinpoint, gtk+2.0 https://codesearch.debian.net/results/height%20%5C*%20cairo_stride/page_0 I haven't been able to find CVEs assigned for any of these issues. Thanks Related links: https://bugs.launchpad.net/ubuntu/+source/gtk+2.0/+bug/1540811 https://github.com/mate-desktop/eom/issues/93 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=799275 https://bugzilla.gnome.org/show_bug.cgi?id=703220 https://git.gnome.org/browse/gtk+/commit?id=894b1ae76a32720f4bb3d39cf460402e3ce331d6 https://codesearch.debian.net/results/height%20%5C*%20cairo_stride/page_0
Dependent bugs closed.
