Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 630026 (CVE-2017-2862, CVE-2017-2870) - <x11-libs/gdk-pixbuf-2.36.9: remote code execution vulnerabilities
Summary: <x11-libs/gdk-pixbuf-2.36.9: remote code execution vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-2862, CVE-2017-2870
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa cve]
Keywords:
Depends on: CVE-2017-6311, CVE-2017-6312, CVE-2017-6313, CVE-2017-6314
Blocks:
  Show dependency tree
 
Reported: 2017-09-05 19:14 UTC by Aleksandr Wagner (Kivak)
Modified: 2020-06-04 03:47 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aleksandr Wagner (Kivak) 2017-09-05 19:14:39 UTC
CVE-2017-2862 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2862):

An exploitable heap overflow vulnerability exists in the gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf 2.36.6. A specially crafted jpeg file can cause a heap overflow resulting in remote code execution. An attacker can send a file or url to trigger this vulnerability. 

References:

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0366

CVE-2017-2870 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2870):

An exploitable integer overflow vulnerability exists in the tiff_image_parse functionality of Gdk-Pixbuf 2.36.6 when compiled with Clang. A specially crafted tiff file can cause a heap-overflow resulting in remote code execution. An attacker can send a file or a URL to trigger this vulnerability. 

References:

https://www.talosintelligence.com/vulnerability_reports/TALOS-2017-0377

@Maintainer(s): The fixed version needs to be stabilized for ppc, ppc64, and hppa in order to remove it from the tree.
Comment 1 Gilles Dartiguelongue (RETIRED) gentoo-dev 2017-09-10 09:54:07 UTC
2.36.9 is now stable.
Comment 2 Aleksandr Wagner (Kivak) 2017-09-10 14:36:57 UTC
Stabilization and cleanup occurred on bug 611390.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2017-09-17 15:49:51 UTC
This issue was resolved and addressed in
 GLSA 201709-08 at https://security.gentoo.org/glsa/201709-08
by GLSA coordinator Aaron Bauman (b-man).