A CVE was requested for an integer overflow that affects gtk+ and several apps: http://openwall.com/lists/oss-security/2016/02/10/2
A commit upstream in gtk+ to fix it is linked in the message above.
CC: (none) => cvargas, jani.valimaa, matteo.pasotti, olav, tarakbumba
Whiteboard: (none) => MGA5TOO
Created attachment 7448 [details]
gtk+2-2.24.9-avoid_integer_overflow.patch
I added a patch which I converted from debdiff for gtk+2-224.9 (Cauldron). If I find spare time I'll prepare a patch for the Mageia 5 one (gtk+2-2.24.26) too tonight. Also I'll patch eom tonight. For both Cauldron and Mageia 5. Should I open separate bug reports per package for updates?
Patch comes from: https://launchpadlibrarian.net/236011849/gtk2-gdk-xenial-debdiff
(In reply to Atilla ÖNTAŞ from comment #1)
> Also I'll patch eom tonight. For both Cauldron and Mageia 5. Should I open
> separate bug reports per package for updates?
Unless we can get everything patched in a timely manner, then yes we could use this bug as a tracker and put the updates in separate bugs that block this one.
David, as I understand from the bug reports and the oss-security mailing list, this CVE isn't applicable to current gtk+3 versions. It has already included the fix since June 2013 (See: https://git.gnome.org/browse/gtk+/commit?id=894b1ae76a32720f4bb3d39cf460402e3ce331d6). Am I right, or did I miss something? If I'm right, then would you mind removing gtk+3 from the bug summary?
Indeed, the affected code appears to no longer be present in gtk+3.0.
Summary: eom, gnome-photos, eog, gambas3, thunar, pinpoint, gtk+2.0, gtk+3.0 new integer overflow security issue => eom, gnome-photos, eog, gambas3, thunar, pinpoint, gtk+2.0 new integer overflow security issue
Source RPM: eom, gnome-photos, eog, gambas3, thunar, pinpoint, gtk+2.0, gtk+3.0 => eom, gnome-photos, eog, gambas3, thunar, pinpoint, gtk+2.0
CVE-2013-7447 assigned: http://openwall.com/lists/oss-security/2016/02/10/6
Summary: eom, gnome-photos, eog, gambas3, thunar, pinpoint, gtk+2.0 new integer overflow security issue => eom, gnome-photos, eog, gambas3, thunar, pinpoint, gtk+2.0 new integer overflow security issue (CVE-2013-7447)
Depends on: (none) => 17739
Depends on: (none) => 17738
gtk+2.0 and eom packages both patched and submitted for both Cauldron and Mageia 5. See mga #17738 for the gtk+2.0 update and mga #17739 for the eom update.
Hardware: i586 => All
Depends on: (none) => 17741
Thunar fixed in Cauldron and in mga5 (bug 17741).
Severity: normal => major
Patches checked into SVN for pinpoint and eog. I'm concerned about gnome-photos and gambas3, because they also have this exact same code, which can be easily patched as the others have been, but they also have many instances of similar g_malloc calls, and I'm wondering if those need to be changed too.
Depends on: (none) => 17745
Depends on: (none) => 17746
gambas3-3.8.4/gb.gtk/src/gtools.cpp: *buf=(char*)g_malloc(sizeof(char)*(len+1));
gambas3-3.8.4/gb.gtk/src/gtools.cpp: *buf=(char*)g_malloc(sizeof(char)*(len+1));
gambas3-3.8.4/gb.gtk/src/gtools.cpp: *buf=(char*)g_malloc(sizeof(char)*(len+1));
gambas3-3.8.4/gb.gtk/src/gtools.cpp: cairo_pixels = (uchar *)g_malloc (height * cairo_stride);
gambas3-3.8.4/gb.gtk/src/gmessage.cpp: DIALOG_path=(char*)g_malloc( sizeof(char)*(strlen(buf)+1) );
gambas3-3.8.4/gb.gtk/src/gmessage.cpp: DIALOG_paths=(char**)g_malloc(sizeof(char*)*(g_slist_length(names)+1) );
gambas3-3.8.4/gb.gtk/src/gmessage.cpp: DIALOG_paths[b]=(char*)g_malloc( sizeof(char)*(strlen(buf)+1) );
gambas3-3.8.4/gb.gtk/src/gmessage.cpp: DIALOG_path=(char*)g_malloc( sizeof(char)*(strlen(vl)+1) );
gambas3-3.8.4/gb.gtk/src/gfont.cpp: buf2=(char*)g_malloc(sizeof(char)*(strlen(buf1)+1));
gnome-photos-3.19.4/src/photos-print-preview.c: cairo_pixels = g_malloc (height * cairo_stride);
gnome-photos-3.19.4/src/photos-base-item.c: buf = g_malloc0 (stride * roi.height);
gnome-photos-3.19.4/src/photos-operation-png-guess-sizes.c: pixels = g_malloc0 (width * bpp);
gnome-photos-3.19.4/src/gegl-gtk-view-helper.c: buf = g_malloc0(stride * roi.height);
gnome-photos-3.19.4/src/photos-operation-jpg-guess-sizes.c: row_pointer[0] = g_malloc (width * bpp);
After talking to Seth, the original reporter, I've patched just the cairo_pixels one in gambas3, but I have patched all of them in gnome-photos.
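Added example (not part of the original report, and not the upstream gtk+ or Mageia patch): why the "g_malloc (height * cairo_stride)" pattern listed above is the one that needs a check, and what a checked allocation looks like. It uses plain malloc instead of GLib so it builds stand-alone; alloc_pixels_checked and the image dimensions are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* What "height * cairo_stride" yields when evaluated in 32 bits. Modelled
 * with unsigned arithmetic so the wrap is well defined; the flagged calls
 * multiply signed ints, where overflow is undefined behaviour. */
static uint32_t wrapped_size(uint32_t height, uint32_t stride)
{
    return height * stride;
}

/* The size the caller actually needs: two positive ints always fit in 64 bits. */
static uint64_t true_size(int height, int stride)
{
    return (uint64_t)height * (uint64_t)stride;
}

/* Hypothetical helper: allocate height*stride bytes, or return NULL when the
 * dimensions are invalid or the product does not fit in size_t. */
static void *alloc_pixels_checked(int height, int stride)
{
    if (height <= 0 || stride <= 0)
        return NULL;
    if ((size_t)height > SIZE_MAX / (size_t)stride)
        return NULL;
    return malloc((size_t)height * (size_t)stride);
}

int main(void)
{
    /* Constructed dimensions: 65536 rows, 16385 pixels wide at 4 bytes each. */
    int height = 65536, stride = 16385 * 4;
    printf("needed:  %llu bytes\n", (unsigned long long)true_size(height, stride));
    printf("wrapped: %u bytes\n", wrapped_size((uint32_t)height, (uint32_t)stride));
    void *p = alloc_pixels_checked(64, 64 * 4);
    printf("64x64 checked allocation: %s\n", p ? "ok" : "refused");
    free(p);
    return 0;
}
```

With the wrapped size the buffer is far smaller than the rows later written into it; the checked helper either allocates the full size or refuses.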
Depends on: (none) => 17747
Depends on: (none) => 17748
URL: (none) => http://lwn.net/Vulnerabilities/675834/
Version: Cauldron => 5
Whiteboard: MGA5TOO => (none)
All updates pushed :o)
Status: NEW => RESOLVED
Resolution: (none) => FIXED