Bug 30045

Assigning to you, Olav, as the principle packager who has dealt with this.

Assignee: bugsquad => olav

openSUSE has issued an advisory for this today (September 7):
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LAG7HNTW3KWGP2EF5FBPHDA3R5UPDYZY/

Debian has issued an advisory for this on September 11:
https://www.debian.org/security/2022/dsa-5228

Ubuntu has issued an advisory for this on September 13:
https://ubuntu.com/security/notices/USN-5607-1

Hi,

Version 2.42.9 (already in Cauldron) solves that issue.

Best regards,

Nico.

Source RPM: gdk-pixbuf2.0-2.42.6-1.mga9.src.rpm => gdk-pixbuf2.0-2.42.2-1.1.mga8.src.rpm
Whiteboard: MGA8TOO => (none)
CVE: (none) => CVE-2021-44648
CC: (none) => nicolas.salguero
Status comment: Patch available from Fedora => (none)
Version: Cauldron => 8

Suggested advisory:
========================

The updated packages fix a security vulnerability:

GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability when decoding the lzw compressed stream of image data in GIF files with lzw minimum code size equals to 12. (CVE-2021-44648)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44648
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PEKBMOO52RXONWKB6ZKKHTVPLF6WC3KF/
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LAG7HNTW3KWGP2EF5FBPHDA3R5UPDYZY/
https://www.debian.org/security/2022/dsa-5228
https://ubuntu.com/security/notices/USN-5607-1
========================

Updated packages in core/updates_testing:
========================
gdk-pixbuf2.0-2.42.2-1.2.mga8
lib(64)gdk_pixbuf2.0_0-2.42.2-1.2.mga8
lib(64)gdk_pixbuf2.0-devel-2.42.2-1.2.mga8
lib(64)gdk_pixbuf-gir2.0-2.42.2-1.2.mga8

from SRPM:
gdk-pixbuf2.0-2.42.2-1.2.mga8.src.rpm

Assignee: olav => qa-bugs
Status comment: Patch available from Fedora => (none)
Status: NEW => ASSIGNED

MGA8-64 Plasma system. No installation issues.

I used the test procedure from https://bugs.mageia.org/show_bug.cgi?id=21658#c7 modified because the vulnerability involved decoding GIF images.

I downloaded a version of a daily comic strip, in color.

$ convert 2340248.gif mallard.jpg converted the image into JPG.
$ convert 2340248.gif -colorspace Gray mallardgray.jpg converted to JPG, in grayscale.

Both resulting images displayed perfectly in Gwenview.

Giving this an OK, and validating. Advisory in Comment 6.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
Whiteboard: (none) => MGA8-64-OK

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0402.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED