Bug 19070

Summary: gdk-pixbuf2.0 new security issue CVE-2016-6352
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: lewyssmith, marja11, sysadmin-bugs, tarazed25
Version: 5Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/700113/
Whiteboard: MGA5-64-OK MGA5-32-OK
Source RPM: gdk-pixbuf2.0-2.34.0-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2016-07-27 23:47:03 CEST 
A CVE has been assigned for a security issue in gdk-pixbuf2.0:
http://openwall.com/lists/oss-security/2016/07/26/11

The upstream bug is here:
https://bugzilla.gnome.org/show_bug.cgi?id=769170

There is no fix available yet.

Mageia 5 is also affected.
David Walser 2016-07-27 23:47:13 CEST

Whiteboard: (none) => MGA5TOO

Comment 1 Marja Van Waes 2016-07-28 08:26:09 CEST 
Assigning to all packagers collectively, since there is no maintainer for this package.

CC: (none) => marja11
Assignee: bugsquad => pkg-bugs

Comment 2 David Walser 2016-09-09 17:46:47 CEST 
openSUSE has issued an advisory for this today (September 9):
https://lists.opensuse.org/opensuse-updates/2016-09/msg00040.html

Patched packages uploaded for Mageia 5 and Cauldron.

Mageia 5 was also updated to 2.32.3 (as was openSUSE).

Advisory:
========================

Updated gdk-pixbuf2.0 packages fix security vulnerability:

A write out-of-bounds parsing an ico file was found in gdk-pixbuf. A
maliciously crafted file can cause the application to crash (CVE-2016-6352).

The gdk-pixbuf2.0 package has been updated to version 2.32.3 and patched to fix
this issue, and a few other possible security issues.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6352
https://git.gnome.org/browse/gdk-pixbuf/tree/NEWS?h=gdk-pixbuf-2-32&id=c09a36169fdb97fcb937acc7c08909b1fb99e952
https://lists.opensuse.org/opensuse-updates/2016-09/msg00040.html
========================

Updated packages in core/updates_testing:
========================
gdk-pixbuf2.0-2.32.3-1.mga5
libgdk_pixbuf2.0_0-2.32.3-1.mga5
libgdk_pixbuf2.0-devel-2.32.3-1.mga5
libgdk_pixbuf-gir2.0-2.32.3-1.mga5

from gdk-pixbuf2.0-2.32.3-1.mga5.src.rpm

URL: (none) => http://lwn.net/Vulnerabilities/700113/
Version: Cauldron => 5
Assignee: pkg-bugs => qa-bugs
Whiteboard: MGA5TOO => (none)
Severity: normal => major

Comment 3 Lewis Smith 2016-09-16 14:33:16 CEST 
Testing Mageia 5 x64 real hardware with AMD/ATI/Radeon graphics

From bug 18476: "To test, make sure Firefox can load images OK."

Updated from version  -2.32.1-1.1 to:
 gdk-pixbuf2.0-2.32.3-1.mga5
 lib64gdk_pixbuf-gir2.0-2.32.3-1.mga5
 lib64gdk_pixbuf2.0_0-2.32.3-1.mga5
 lib64gdk_pixbuf2.0-devel-2.32.3-1.mga5
Using Firefox, looked at a selection of on-line JPEG, GIF & PNG images. Everything seems OK.

CC: (none) => lewyssmith
Whiteboard: (none) => MGA5-64-OK

Comment 4 Len Lawrence 2016-09-23 23:19:18 CEST 
Updated gdk-pixbuf packages on i586 virtualbox.

Loaded images in Firefox from astronomical sites and local image directory to test various formats; PNG, JPEG, SVG, GIF, PNG, ICO.  Bitmap images would not load but they probably don't anyway.

This looks OK.

CC: (none) => tarazed25

Len Lawrence 2016-09-23 23:21:57 CEST

Whiteboard: MGA5-64-OK => MGA5-64-OK MGA5-32-OK

Comment 5 Lewis Smith 2016-09-25 09:09:12 CEST 
Validating this update; advisory to follow.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2016-09-25 17:46:15 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0322.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED