| Summary: | gdk-pixbuf2.0 new security issues CVE-2017-2862 CVE-2017-2870 CVE-2017-6312 CVE-2017-6313 CVE-2017-6314 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | davidwhodgins, herman.viaene, marja11, sysadmin-bugs, zombie.ryushu |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA5TOO MGA5-32-OK MGA5-64-OK | ||
| Source RPM: | gdk-pixbuf2.0-2.36.7-1.mga6.src.rpm | CVE: | |
| Status comment: | |||
|
Description
David Walser
2017-09-07 15:14:50 CEST
David Walser
2017-09-07 15:14:57 CEST
Whiteboard:
(none) =>
MGA5TOO

Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee:
bugsquad =>
pkg-bugs

openSUSE has issued an advisory for this on September 8:
https://lists.opensuse.org/opensuse-updates/2017-09/msg00031.html

There is also CVE-2017-6311 from this Ubuntu advisory from today (September 18):
https://usn.ubuntu.com/usn/usn-3418-1/

Mageia 6 already had the commits for CVE-2017-2862, CVE-2017-2870, and CVE-2017-6311 in 2.36.10.

Advisory:
========================

Updated gdk-pixbuf2.0 packages fix security vulnerabilities:

JPEG gdk_pixbuf__jpeg_image_load_increment Code Execution Vulnerability (CVE-2017-2862).

tiff_image_parse Code Execution Vulnerability (CVE-2017-2870).

Ariel Zelivansky discovered that the GDK-PixBuf library did not properly handle printing certain error messages. If a user or automated system were tricked into opening a specially crafted image file, a remote attacker could use this flaw to cause GDK-PixBuf to crash, resulting in a denial of service (CVE-2017-6311).

Out-of-bounds read on io-ico.c (CVE-2017-6312).

A dangerous integer underflow in io-icns.c (CVE-2017-6313).

Infinite loop in io-tiff.c (CVE-2017-6314).

Note, the CVE-2017-2862, CVE-2017-2870, and CVE-2017-6311 issues only affected Mageia 5.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2870
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6311
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6312
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6313
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6314
https://usn.ubuntu.com/usn/usn-3418-1/
https://lists.opensuse.org/opensuse-updates/2017-09/msg00031.html
========================

Updated packages in core/updates_testing:
========================
gdk-pixbuf2.0-2.32.3-1.1.mga5
libgdk_pixbuf2.0_0-2.32.3-1.1.mga5
libgdk_pixbuf2.0-devel-2.32.3-1.1.mga5
libgdk_pixbuf-gir2.0-2.32.3-1.1.mga5
gdk-pixbuf2.0-2.36.10-1.1.mga6
libgdk_pixbuf2.0_0-2.36.10-1.1.mga6
libgdk_pixbuf2.0-devel-2.36.10-1.1.mga6
libgdk_pixbuf-gir2.0-2.36.10-1.1.mga6

from SRPMS:
gdk-pixbuf2.0-2.32.3-1.1.mga5.src.rpm
gdk-pixbuf2.0-2.36.10-1.1.mga6.src.rpm

Assignee:
pkg-bugs =>
qa-bugs

To prioritise.

MGA5-32 on Dell Latitude D600 Xfce
No installation issues
Ref to bug 21658 Comment 7 for a test
$ convert 1973.jpg -colorspace Gray grayslide1.jpg
produces a perfect grayslide viewed in ristretto.

CC:
(none) =>
herman.viaene
Dave Hodgins
2018-01-01 07:30:59 CET
Keywords:
(none) =>
advisory

Similar testing on MGA5 x86_64. Validating the update.

Keywords:
(none) =>
validated_update

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2018-0016.html

Resolution:
(none) =>
FIXED |