Multiple vulnerabilities have been reported in GdkPixBuf, which can be exploited by malicious people to cause a DoS (Denial of Service) and potentially compromise a vulnerable system.
1) A variant of a recently disclosed vulnerability in Qt exists within the BMP image processing functionality. This can be exploited to make an affected application enter an infinite loop when a specially crafted BMP image is processed.
2) An input validation error within the "pixbuf_create_from_xpm()" function when decoding XPM images can be exploited to cause an integer overflow when a specially crafted XPM image is processed.
Successful exploitation may in turn result in a heap-based buffer overflow, which potentially allows execution of arbitrary code.
3) A boundary error within the "xpm_extract_color()" function when decoding XPM images can be exploited to cause a stack-based buffer overflow when a specially crafted XPM image is processed.
Successful exploitation may allow execution of arbitrary code.
4) An input validation error within the ICO image decoding functionality can be exploited to cause an integer overflow when a specially crafted ICO image is processed.
Successful exploitation causes an affected application to crash.
Secunia is currently not aware of an official updated version that addresses the vulnerabilities.
However, updates have been issued by various Linux vendors.
Provided and/or discovered by:
2-4) Chris Evans
Note that this also affects the version of gdk-pixbuf in x11-libs/gtk+-2.4.4.
*** Bug 64233 has been marked as a duplicate of this bug. ***
Same vulnerability, two packages affected:
Created attachment 39701
Created attachment 39702
For good reason I'm not on the gnome team.
RH SRPMs can be found here:
Mandrake SRPMs here:
Updated Mandrake advisory:
"The previous package had an incorrect patch applied that would cause some problems with other programs. The updated packages have the correct patch applied.
As well, patched gtk+2 packages, which also contain gdk-pixbuf, are now provided."
Added gtk+-2.4.9-r1 & gdk-pixbuf-0.22.0-r3 with patches for these issues. Marked both stable on x86.
stable on ppc
SeJo: gdk-pixbuf wasn't marked ppc stable, apparently you only marked gtk+.
Stable on alpha.
Thx everyone. Ready for a GLSA.
stable on ppc64, thanks!
Stable on mips.