Bug 592976 - <x11-libs/gdk-pixbuf-2.34.0: Integer overflow in DecodeHeader causes out-of-bounds heap read in Oneline32 function
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: A3 [glsa]
Reported: 2016-09-06 08:16 UTC by Agostino Sarubbo
Modified: 2017-09-17 15:49 UTC
Description Agostino Sarubbo gentoo-dev 2016-09-06 08:16:47 UTC
From ${URL} :

A remotely exploitable vulnerability was found in the bmp decoder in gdk-pixbuf. A maliciously crafted file could cause the application to crash.

Upstream bug:

https://bugzilla.gnome.org/show_bug.cgi?id=768738

Upstream fix:

https://git.gnome.org/browse/gdk-pixbuf/commit/?id=779429ce34e439c01d257444fe9d6739e72a2024


@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Gilles Dartiguelongue gentoo-dev 2016-09-06 19:34:08 UTC
This is present in gdk-pixbuf-2.35.3 release. I will backport the patch to 2.34.
Comment 2 Gilles Dartiguelongue gentoo-dev 2016-11-02 23:48:05 UTC
2.36 was added to the tree masked with Gnome 3.22. If there is any hurry, I can remove it from mask as it appears to be fine on a stable system, otherwise, I should unmask Gnome 3.22 by this weekend.
Comment 3 Gilles Dartiguelongue gentoo-dev 2016-11-12 15:05:24 UTC
2.36 is now unmasked. Feel free to go ahead and stabilize it if needed.
Comment 4 Christopher Díaz Riveros (RETIRED) gentoo-dev Security 2017-07-20 17:37:35 UTC
PING:

The package seems to be stable on all stable arches, and there is no cleanup to do. Should we vote for a GLSA and, if not necessary, close the report?
Comment 5 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 15:49:31 UTC
This issue was resolved and addressed in
 GLSA 201709-08 at https://security.gentoo.org/glsa/201709-08
by GLSA coordinator Aaron Bauman (b-man).