Bug 21334

Summary: gdk-pixbuf new security issues fixed in 2.36.7
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: davidwhodgins, herman.viaene, mageia, sysadmin-bugs
Version: 6Keywords: validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA6-32-OK advisory
Source RPM: gdk-pixbuf2.0-2.36.6-1.mga6.src.rpm CVE:
Status comment:

Description David Walser 2017-07-23 22:05:36 CEST 
Upstream has released gdk-pixbuf2.0 2.36.7 on July 18:
https://git.gnome.org/browse/gdk-pixbuf/tree/NEWS?id=9c188574e25cb8e1306be6b575c95e30fca4adb2

It fixes some integer overflows.  We should update it for Mageia 6.
Comment 1 Nicolas Lécureuil 2017-07-26 18:36:13 CEST 
pushed in update_testing

CC: (none) => mageia
Assignee: olav => qa-bugs

Comment 2 David Walser 2017-07-26 22:17:27 CEST 
Advisory:
========================

Updated gdk-pixbuf2.0 packages fix security vulnerabilities:

The gdk-pixbuf2.0 package has been updated to version 2.36.7, which fixes
integer overflows in the ico, bmp, and tiff decoder, as well as fixing other
bugs.

References:
https://git.gnome.org/browse/gdk-pixbuf/tree/NEWS?id=9c188574e25cb8e1306be6b575c95e30fca4adb2
========================

Updated packages in core/updates_testing:
========================
gdk-pixbuf2.0-2.36.7-1.mga6
libgdk_pixbuf2.0_0-2.36.7-1.mga6
libgdk_pixbuf2.0-devel-2.36.7-1.mga6
libgdk_pixbuf-gir2.0-2.36.7-1.mga6

from gdk-pixbuf2.0-2.36.7-1.mga6.src.rpm
Comment 3 Herman Viaene 2017-07-28 10:39:39 CEST 
MGA6-32 on Asus A6000VM MATE
Installation: I have no idea how come, but these update packs were already installed. Proceeding anyway.
Ref to bug 19070 Comment 3 and 4, checked that images (photos, cartoons) from a newspaper are showing up OK in Firefox.
Same in Firefox for local JPG, PNG and GIF files. Firefox went into a never ending loop with local TIF files: After File - open, pick a tif file, this opens a new tab with a confirmation dialogue "Open in Firefox", click OK, which opens a new tab with a confirmation dialogue ..... etc.....
Used the ristretto to open a local TIF file (works OK) and the trace gives:
open("/lib/libgdk_pixbuf-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
So OK and validating.

Keywords: (none) => validated_update
Whiteboard: (none) => MGA6-32-OK
CC: (none) => herman.viaene, sysadmin-bugs

Dave Hodgins 2017-07-30 04:30:24 CEST

Whiteboard: MGA6-32-OK => MGA6-32-OK advisory
CC: (none) => davidwhodgins

Comment 4 Mageia Robot 2017-07-30 10:18:09 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2017-0227.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED