| Summary: | eom, gnome-photos, eog, gambas3, thunar, pinpoint, gtk+2.0 new integer overflow security issue (CVE-2013-7447) | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | Mageia Bug Squad <bugsquad> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | major | ||
| Priority: | Normal | CC: | cvargas, jani.valimaa, matteo.pasotti, olav, tarakbumba |
| Version: | 5 | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://lwn.net/Vulnerabilities/675834/ | ||
| Whiteboard: | |||
| Source RPM: | eom, gnome-photos, eog, gambas3, thunar, pinpoint, gtk+2.0 | CVE: | |
| Status comment: | |||
| Bug Depends on: | 17738, 17739, 17741, 17745, 17746, 17747, 17748 | ||
| Bug Blocks: | |||
| Attachments: | gtk+2-2.24.9-avoid_integer_overflow.patch | ||
|
Description
David Walser
2016-02-10 21:05:18 CET
David Walser
2016-02-10 21:06:31 CET
CC:
(none) =>
cvargas, jani.valimaa, matteo.pasotti, olav, tarakbumba

Created attachment 7448
gtk+2-2.24.9-avoid_integer_overflow.patch

I added a patch which I converted from debdiff for gtk+2-224.9 (Cauldron). If I find spare time I'll prepare a patch for the Mageia 5 one (gtk+2-2.24.26) too tonight.

Also I'll patch eom tonight. For both Cauldron and Mageia 5. Should I open separate bug reports per package for updates?

Patch comes from: https://launchpadlibrarian.net/236011849/gtk2-gdk-xenial-debdiff

(In reply to Atilla ÖNTAŞ from comment #1)
> Also I'll patch eom tonight. For both Cauldron and Mageia 5. Should I open
> separate bug reports per package for updates?

Unless we can get everything patched in a timely manner, then yes we could use this bug as a tracker and put the updates in separate bugs that block this one.

David, as I understand from the bug reports and oss-security mailing list, this CVE isn't applicable for current gtk+3 versions. It has already included the fix since June 2013 (See: https://git.gnome.org/browse/gtk+/commit?id=894b1ae76a32720f4bb3d39cf460402e3ce331d6). Am I right or did I miss something? If I'm right, then would you mind removing gtk+3 from the bug summary?

Indeed, the affected code appears to no longer be present in gtk+3.0.

Summary:
eom, gnome-photos, eog, gambas3, thunar, pinpoint, gtk+2.0, gtk+3.0 new integer overflow security issue =>
eom, gnome-photos, eog, gambas3, thunar, pinpoint, gtk+2.0 new integer overflow security issue

CVE-2013-7447 assigned: http://openwall.com/lists/oss-security/2016/02/10/6

Summary:
eom, gnome-photos, eog, gambas3, thunar, pinpoint, gtk+2.0 new integer overflow security issue =>
eom, gnome-photos, eog, gambas3, thunar, pinpoint, gtk+2.0 new integer overflow security issue (CVE-2013-7447)
Atilla ÖNTAŞ
2016-02-11 23:05:40 CET
Depends on:
(none) =>
17739
Atilla ÖNTAŞ
2016-02-11 23:06:24 CET
Depends on:
(none) =>
17738

gtk+2.0 and eom packages both patched and submitted for both Cauldron and Mageia 5. See mga #17738 gtk+2.0 update and mga #17739 for eom update.

Hardware:
i586 =>
All
Jani Välimaa
2016-02-12 17:13:21 CET
Depends on:
(none) =>
17741
David Walser
2016-02-12 17:34:34 CET
Severity:
normal =>
major

Patches checked into SVN for pinpoint and eog. I'm concerned about gnome-photos and gambas3, because they also have this exact same code, which can be easily patched as the others have been, but they also have many instances of similar g_malloc calls, and I'm wondering if those need to be changed too.
David Walser
2016-02-12 20:18:54 CET
Depends on:
(none) =>
17745
David Walser
2016-02-12 20:21:42 CET
Depends on:
(none) =>
17746

```
gambas3-3.8.4/gb.gtk/src/gtools.cpp: *buf=(char*)g_malloc(sizeof(char)*(len+1));
gambas3-3.8.4/gb.gtk/src/gtools.cpp: *buf=(char*)g_malloc(sizeof(char)*(len+1));
gambas3-3.8.4/gb.gtk/src/gtools.cpp: *buf=(char*)g_malloc(sizeof(char)*(len+1));
gambas3-3.8.4/gb.gtk/src/gtools.cpp: cairo_pixels = (uchar *)g_malloc (height * cairo_stride);
gambas3-3.8.4/gb.gtk/src/gmessage.cpp: DIALOG_path=(char*)g_malloc( sizeof(char)*(strlen(buf)+1) );
gambas3-3.8.4/gb.gtk/src/gmessage.cpp: DIALOG_paths=(char**)g_malloc(sizeof(char*)*(g_slist_length(names)+1) );
gambas3-3.8.4/gb.gtk/src/gmessage.cpp: DIALOG_paths[b]=(char*)g_malloc( sizeof(char)*(strlen(buf)+1) );
gambas3-3.8.4/gb.gtk/src/gmessage.cpp: DIALOG_path=(char*)g_malloc( sizeof(char)*(strlen(vl)+1) );
gambas3-3.8.4/gb.gtk/src/gfont.cpp: buf2=(char*)g_malloc(sizeof(char)*(strlen(buf1)+1));
gnome-photos-3.19.4/src/photos-print-preview.c: cairo_pixels = g_malloc (height * cairo_stride);
gnome-photos-3.19.4/src/photos-base-item.c: buf = g_malloc0 (stride * roi.height);
gnome-photos-3.19.4/src/photos-operation-png-guess-sizes.c: pixels = g_malloc0 (width * bpp);
gnome-photos-3.19.4/src/gegl-gtk-view-helper.c: buf = g_malloc0(stride * roi.height);
gnome-photos-3.19.4/src/photos-operation-jpg-guess-sizes.c: row_pointer[0] = g_malloc (width * bpp);
```

After talking to Seth, the original reporter, I've patched just the cairo_pixels one in gambas3, but I have patched all of them in gnome-photos.
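An added example, not part of the bug thread or of any patched package: it models what the allocator receives when `height * cairo_stride` is evaluated in 32-bit `int`, next to an overflow-checked size computation. The helper names and the dimensions are constructed for illustration, and plain `malloc` stands in for `g_malloc`.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Size the allocator sees when height * stride is computed in 32-bit int.
 * Signed overflow is undefined in C; the wrap is modelled with unsigned
 * arithmetic so that this example itself stays well defined. */
size_t unchecked_size(int height, int stride)
{
    uint32_t wrapped = (uint32_t)height * (uint32_t)stride;
    return (size_t)wrapped;
}

/* Overflow-checked n * size: returns 0 and stores the product, or -1 if
 * the product does not fit in size_t. */
int checked_mul(size_t n, size_t size, size_t *out)
{
    if (size != 0 && n > SIZE_MAX / size)
        return -1;
    *out = n * size;
    return 0;
}

/* Hypothetical helper: allocate a height x stride pixel buffer, refusing
 * non-positive dimensions and products that overflow size_t. Operands are
 * widened to size_t before the multiplication takes place. */
void *alloc_pixels(int height, int stride)
{
    size_t bytes;
    if (height <= 0 || stride <= 0)
        return NULL;
    if (checked_mul((size_t)height, (size_t)stride, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    int height = 32769, stride = 131072; /* constructed: 2^15+1 rows of 2^17 bytes */
    size_t real;

    printf("unchecked: %zu bytes\n", unchecked_size(height, stride));
    if (checked_mul((size_t)height, (size_t)stride, &real) == 0)
        printf("checked:   %zu bytes\n", real);
    else
        printf("checked:   rejected (overflow)\n");
    return 0;
}
```

With these dimensions the wrapped product is one row's worth of bytes, while the code filling the buffer still iterates over every row. GLib's `g_malloc_n()` performs the same checked multiplication for callers that pass the two factors separately.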
David Walser
2016-02-12 21:54:07 CET
Depends on:
(none) =>
17747
David Walser
2016-02-12 22:01:27 CET
Depends on:
(none) =>
17748
David Walser
2016-02-16 20:24:37 CET
URL:
(none) =>
http://lwn.net/Vulnerabilities/675834/

All updates pushed :o)

Status:
NEW =>
RESOLVED