Bug 28181

Summary: gdk-pixbuf2.0 possible new security issues in GIF loader (including CVE-2020-29385 and CVE-2021-20240)
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: Olav Vitters <olav>
Status: RESOLVED INVALID
QA Contact: Sec team <security>
Severity: critical    
Priority: Normal    
Version: 7   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: gdk-pixbuf2.0-2.38.1-3.mga7.src.rpm
CVE:
Status comment:

Description David Walser 2021-01-21 16:52:19 CET
SUSE has issued an advisory today (January 21):
https://lists.suse.com/pipermail/sle-security-updates/2021-January/008233.html

The issue is fixed upstream in 2.42.2, apparently here:
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/bdd3acbd48a575d418ba6bf1b32d7bda2fae1c81

They also fixed another GIF loader issue, that appears to have been fixed in 2.42.0 here:
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/086e8adf4cc352cd11572f96066b001b545f354e

Ubuntu says 2.38 isn't affected by the CVE, so this may be invalid, but we should check the second issue too:
https://ubuntu.com/security/CVE-2020-29385
Comment 1 Lewis Smith 2021-01-21 20:45:05 CET
OK to assign to you, Olav, as having done the new version commits for this SRPM (including this M7 one)?

Assignee: bugsquad => olav

Comment 2 David Walser 2021-01-26 05:47:01 CET
openSUSE has issued an advisory for this on January 24:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Z47MEXBMS3R7XMG63LBJMBIYUX3ZTEJI/
Comment 3 David Walser 2021-02-26 19:31:50 CET
(In reply to David Walser from comment #0)
> They also fixed another GIF loader issue, that appears to have been fixed in
> 2.42.0 here:
> https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/086e8adf4cc352cd11572f96066b001b545f354e

This one is CVE-2021-20240:
https://ubuntu.com/security/CVE-2021-20240

Ubuntu has issued an advisory for that on February 22:
https://ubuntu.com/security/notices/USN-4743-1

Severity: normal => major
Summary: gdk-pixbuf2.0 possible new security issues in GIF loader (including CVE-2020-29385) => gdk-pixbuf2.0 possible new security issues in GIF loader (including CVE-2020-29385 and CVE-2021-20240)

Comment 4 David Walser 2021-02-27 20:06:54 CET
Fedora has issued an advisory for this on February 23:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EANWYODLOJDFLMBH6WEKJJMQ5PKLEWML/

Severity: major => critical

Comment 5 David Walser 2021-06-27 19:20:05 CEST
2.38.1 isn't affected by either of these.

Resolution: (none) => INVALID
Status: NEW => RESOLVED