Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 759094 (CVE-2020-29385) - <x11-libs/gdk-pixbuf-2.42.2: infinite loop in GIF handling (CVE-2020-29385)
Summary: <x11-libs/gdk-pixbuf-2.42.2: infinite loop in GIF handling (CVE-2020-29385)
Status: RESOLVED FIXED
Alias: CVE-2020-29385
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL: https://gitlab.gnome.org/GNOME/gdk-pi...
Whiteboard: A3 [glsa+ cve]
Keywords: CC-ARCHES
Depends on:
Blocks:
 
Reported: 2020-12-08 18:14 UTC by John Helmert III
Modified: 2020-12-23 20:20 UTC (History)
1 user (show)

See Also:
Package list:
x11-libs/gdk-pixbuf-2.42.2 amd64 arm arm64 hppa ppc ppc64 sparc x86 s390 x11-libs/gdk-pixbuf-xlib-2.40.2 amd64 arm ppc ppc64 sparc x86
Runtime testing required: ---
nattka: sanity-check+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description John Helmert III gentoo-dev Security 2020-12-08 18:14:34 UTC
CVE-2020-29385:  infinite loop in write_indexes function in gdk-pixbuf/lzw.c
Issue: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/issues/164
Advisory: https://discourse.gnome.org/t/security-advisory-for-gdk-pixbuf-2-42/4965

We'll need to stabilize the fixed version, 2.42.2.
Comment 1 Mart Raudsepp gentoo-dev 2020-12-08 21:12:08 UTC
Intentionally stabling only a smaller set of arches from the gdk-pixbuf-xlib new split package, as it's a deprecated library. Hope I got it right which arches actually need it based on the few gdk-pixbuf-xlib consumers there are in the tree.
Comment 2 Thomas Deutschmann gentoo-dev Security 2020-12-10 21:42:03 UTC
x86 stable
Comment 3 Rolf Eike Beer archtester 2020-12-11 14:27:03 UTC
hppa/sparc stable
Comment 4 Sergei Trofimovich (RETIRED) gentoo-dev 2020-12-11 23:20:54 UTC
ppc/ppc64 stable
Comment 5 Sam James archtester gentoo-dev Security 2020-12-12 23:54:54 UTC
arm64 done
Comment 6 Sam James archtester gentoo-dev Security 2020-12-13 08:51:59 UTC
arm stable
Comment 7 Sam James archtester gentoo-dev Security 2020-12-14 08:02:05 UTC
amd64 done
Comment 8 Sam James archtester gentoo-dev Security 2020-12-17 06:50:15 UTC
s390 done

all arches done
Comment 9 Sam James archtester gentoo-dev Security 2020-12-17 06:53:06 UTC
Please cleanup.
Comment 10 Larry the Git Cow gentoo-dev 2020-12-17 14:00:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=5063bf87c540dac932de11ffe14e39389a7492be

commit 5063bf87c540dac932de11ffe14e39389a7492be
Author:     Mart Raudsepp <leio@gentoo.org>
AuthorDate: 2020-12-17 13:46:40 +0000
Commit:     Mart Raudsepp <leio@gentoo.org>
CommitDate: 2020-12-17 13:59:47 +0000

    x11-libs/gdk-pixbuf: security cleanup
    
    Bug: https://bugs.gentoo.org/759094
    Package-Manager: Portage-3.0.12, Repoman-3.0.2
    Signed-off-by: Mart Raudsepp <leio@gentoo.org>

 x11-libs/gdk-pixbuf/Manifest                 |   2 -
 x11-libs/gdk-pixbuf/gdk-pixbuf-2.40.0.ebuild | 139 ---------------------------
 x11-libs/gdk-pixbuf/gdk-pixbuf-2.42.0.ebuild | 130 -------------------------
 x11-libs/gdk-pixbuf/metadata.xml             |   3 -
 4 files changed, 274 deletions(-)
Comment 11 Thomas Deutschmann gentoo-dev Security 2020-12-22 23:00:49 UTC
New GLSA request filed.
Comment 12 GLSAMaker/CVETool Bot gentoo-dev 2020-12-23 20:20:53 UTC
This issue was resolved and addressed in
 GLSA 202012-15 at https://security.gentoo.org/glsa/202012-15
by GLSA coordinator Thomas Deutschmann (whissi).