Bug 6567

Summary: gdk-pixbuf2.0 new security issue CVE-2012-2370
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: normal    
Priority: Normal CC: davidwhodgins, stormi-mageia, sysadmin-bugs, tmb
Version: 1Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/503372/
Whiteboard: MGA1-32-OK MGA1-64-OK
Source RPM: gdk-pixbuf2.0-2.22.1-3.1.mga1.src.rpm CVE:
Status comment:

Description David Walser 2012-06-25 23:56:44 CEST 
An integer overflow in gdk-pixbuf2.0 was fixed upstream in 2.24.1-r1.

Mageia 2 has 2.26.1 which is not affected.

Patched package for Mageia 1 uploaded.

Advisory:
========================

Updated gdk-pixbuf2.0 packages fix security vulnerability:

An integer overflow flaw was found in the way X BitMap (XBM) image
file format loader of gdk-pixbuf, an image loading library used with
GNOME, used to read bitmap file data for certain images. A remote
attacker could provide a specially-crafted XBM image file, which once
loaded in an application linked against gdk-pixbuf, would lead to that
application termination (GLib error and application abort)
(CVE-2012-2370).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2370
https://bugzilla.redhat.com/show_bug.cgi?id=822468
========================

Updated packages in core/updates_testing:
========================
gdk-pixbuf2.0-2.22.1-3.2.mga1
libgdk_pixbuf2.0_0-2.22.1-3.2.mga1
libgdk_pixbuf2.0-devel-2.22.1-3.2.mga1

from gdk-pixbuf2.0-2.22.1-3.2.mga1.src.rpm
Comment 1 Dave Hodgins 2012-07-04 02:42:03 CEST 
Testing complete on Mageia 1 i586.

Testing using the attachment (id=210585) from
https://bugzilla.gnome.org/show_bug.cgi?id=672811

Before the update ...
$ eog .

GLib-ERROR **: gmem.c:170: failed to allocate 4294967291 bytes
aborting...
Aborted

After the update, eog starts and displays a message that it could not
load the image test.xbm

CC: (none) => davidwhodgins
Whiteboard: (none) => mga1-32-OK

Comment 2 Samuel Verschelde 2012-07-08 14:03:02 CEST 
tested the same way as in comment #1 on Mageia 1 x86_64

Update validated.

see comment #0 for advisory and SRPM.

Keywords: (none) => validated_update
CC: (none) => stormi, sysadmin-bugs
Whiteboard: mga1-32-OK => MGA1-32-OK MGA1-64-OK

Comment 3 Thomas Backlund 2012-07-10 00:25:15 CEST 
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0149

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED