Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 574382 - <xfce-base/thunar-1.6.12-r1: integer overflow
Summary: <xfce-base/thunar-1.6.12-r1: integer overflow
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa cve]
Depends on:
Blocks: CVE-2013-7447
  Show dependency tree
Reported: 2016-02-10 21:53 UTC by Kristian Fiskerstrand (RETIRED)
Modified: 2018-03-23 23:16 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Kristian Fiskerstrand (RETIRED) gentoo-dev 2016-02-10 21:53:01 UTC
xfce-base/thunar is vulnerable to CVE-2013-7447

See tracking bug for details.


kflaptop Thunar-1.6.10 # grep -r "cairo_pixels" -- *
thunar/thunar-gdk-extensions.c:  guchar          *cairo_pixels;
thunar/thunar-gdk-extensions.c:  cairo_pixels = g_malloc (height * cairo_stride);
Comment 1 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-10-05 16:36:36 UTC
@xfce gtk+ is now fixed, could you please confirm if thunar still vulnerable?

Thank you

Gentoo Security Padawan
Comment 2 Denis Dupeyron (RETIRED) gentoo-dev 2017-11-16 19:07:34 UTC
Unfortunately latest thunar was still vulnerable. Upstream had a patch so I have applied it and pushed 1.6.12-r1.
Comment 3 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-11-17 00:10:30 UTC
Thanks, please call for stabilization when ready.
Comment 4 Aaron Bauman (RETIRED) gentoo-dev 2018-03-23 21:17:43 UTC
=xfce-base/thunar-1.16.13 is already stable.

@maintainers, please cleanup the vulnerable versions.

GLSA Vote: No
Comment 5 Larry the Git Cow gentoo-dev 2018-03-23 22:04:00 UTC
The bug has been referenced in the following commit(s):

commit 1f5c6695d3744e5e73e55269e5be9ecfae910d67
Author:     Michał Górny <>
AuthorDate: 2018-03-23 21:59:51 +0000
Commit:     Michał Górny <>
CommitDate: 2018-03-23 22:03:50 +0000

    xfce-base/thunar: Clean old up

 xfce-base/thunar/Manifest                |  2 -
 xfce-base/thunar/thunar-1.6.10-r1.ebuild | 68 ---------------------------
 xfce-base/thunar/thunar-1.6.12-r1.ebuild | 80 --------------------------------
 3 files changed, 150 deletions(-)}
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2018-03-23 23:16:28 UTC
Thanks, Michał!