Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 605138 (CVE-2017-5208, CVE-2017-5331, CVE-2017-5332, CVE-2017-5333, CVE-2017-6009, CVE-2017-6010, CVE-2017-6011) - <media-gfx/icoutils-0.32.0: Multiple vulnerabilities
Summary: <media-gfx/icoutils-0.32.0: Multiple vulnerabilities
Alias: CVE-2017-5208, CVE-2017-5331, CVE-2017-5332, CVE-2017-5333, CVE-2017-6009, CVE-2017-6010, CVE-2017-6011
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa cve]
: 610714 (view as bug list)
Depends on:
Reported: 2017-01-09 01:41 UTC by Thomas Deutschmann (RETIRED)
Modified: 2018-01-25 00:34 UTC (History)
5 users (show)

See Also:
Package list:
Runtime testing required: ---
stable-bot: sanity-check+


Note You need to log in before you can comment on or make changes to this bug.
Description Thomas Deutschmann (RETIRED) gentoo-dev 2017-01-09 01:41:12 UTC
From v0.31.1 changelog:

2017-01-08: icoutils 0.31.1 released.
  Security fixes:
    Colin Watson, Debian bug
    Martin Gieseking, Fedora

@ Maintainer(s): Please bump to >=media-gfx/icoutils-0.31.1 and let us know when you are ready to stabilize.
Comment 1 Aaron Bauman (RETIRED) gentoo-dev 2017-01-11 03:53:57 UTC
from ${URL}:

> It turns out that this is not enough, so upstream has issued
> Could you please assign a further CVE for this follow up fix?

Use CVE-2017-5331.

> Furthermore I would like to ask if the following two commits from upstream,
> can have as well an identifier assigned:

Yes, but because these are immediately consecutive commits, the CVE
mapping may seem unusual.

Use CVE-2017-5332 for all of 1aa9f28f7bcbdfff6a84a15ac8d9a87559b1596a
and also the index correction in
1a108713ac26215c7568353f6e02e727e6d4b24a. In other words, the change
from "entries[c]" to "entries[c-skipped]" in
1a108713ac26215c7568353f6e02e727e6d4b24a cannot have a new CVE ID
because the code was never "shipped" with "entries[c]" in use. There
aren't two independent problems related to establishing a maximum
allowable value of the size variable.

Use CVE-2017-5333 for the separate vulnerability fixed by the
introduction of the "size >= sizeof(uint16_t)*2" test in
Comment 2 Kristian Fiskerstrand (RETIRED) gentoo-dev 2017-02-21 20:13:35 UTC
Further issues found in 0.31.1 incoming
Comment 3 Thomas Deutschmann (RETIRED) gentoo-dev 2017-03-16 09:12:58 UTC
*** Bug 610714 has been marked as a duplicate of this bug. ***
Comment 4 Larry the Git Cow gentoo-dev 2017-10-29 17:42:26 UTC
The bug has been referenced in the following commit(s):

commit 11af7de2cc8e6ff58ed74e58709a91a630bb4dc1
Author:     Thomas Deutschmann <>
AuthorDate: 2017-10-29 17:39:39 +0000
Commit:     Thomas Deutschmann <>
CommitDate: 2017-10-29 17:42:14 +0000

    media-gfx/icoutils: Bump to v0.32.0
    Thanks to Marty Plummer for the musl build fix (bug #631360).
    Package-Manager: Portage-2.3.13, Repoman-2.3.4

 media-gfx/icoutils/Manifest               |  1 +
 media-gfx/icoutils/icoutils-0.32.0.ebuild | 49 +++++++++++++++++++++++++++++++
 2 files changed, 50 insertions(+)}
Comment 5 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-29 17:44:28 UTC
@ Arches,

please test and mark stable: =media-gfx/icoutils-0.32.0
Comment 6 Thomas Deutschmann (RETIRED) gentoo-dev 2017-10-29 21:09:52 UTC
x86 stable
Comment 7 Manuel Rüger (RETIRED) gentoo-dev 2017-11-02 10:30:41 UTC
Stable on amd64
Comment 8 Sergei Trofimovich (RETIRED) gentoo-dev 2017-11-12 10:41:15 UTC
ppc stable
Comment 9 D'juan McDonald (domhnall) 2018-01-05 03:33:19 UTC
All supported arches stabilized. @maintainer(s), proceed to cleanup, thank you.

Gentoo Security Padawan
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2018-01-11 23:00:19 UTC
This issue was resolved and addressed in
 GLSA 201801-12 at
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 11 Thomas Deutschmann (RETIRED) gentoo-dev 2018-01-11 23:03:08 UTC
Re-opening for cleanup.

@ Maintainer(s): Please cleanup and drop <media-gfx/icoutils-0.32.0!