Bug 17745 - pinpoint new integer overflow security issue (CVE-2013-7447)
Summary: pinpoint new integer overflow security issue (CVE-2013-7447)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 5
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/675834/
Whiteboard: has_procedure advisory MGA5-64-OK
Keywords: validated_update
Depends on:
Blocks: 17731
Reported: 2016-02-12 20:18 CET by David Walser
Modified: 2016-02-17 20:22 CET

Source RPM: pinpoint

Description David Walser 2016-02-12 20:18:54 CET
+++ This bug was initially created as a clone of Bug #17731 +++

A CVE was requested for an integer overflow that affects gtk+ and several apps:
http://openwall.com/lists/oss-security/2016/02/10/2

A commit upstream in gtk+ to fix it is linked in the message above.

Patched pinpoint packages uploaded for Mageia 5 and Cauldron.

Suggested advisory:
========================

Updated pinpoint packages fix security vulnerability:

Due to a logic error, an attempt to allocate a large block of memory
fails in cairo_new_surface_from_pixbuf, leading to a crash of pinpoint
(CVE-2013-7447).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7447
http://openwall.com/lists/oss-security/2016/02/10/6
========================

Updated packages in core/updates_testing:
========================
pinpoint-0.1.4-18.1.mga5

from pinpoint-0.1.4-18.1.mga5.src.rpm

Comment 1 Lewis Smith 2016-02-12 21:47:35 CET
Testing M5 x64 real h/w: OK

Installed issued pinpoint-0.1.4-18.mga5
Difficult to find out about it. Here is the info:
 https://wiki.gnome.org/action/show/Apps/Pinpoint?action=show&redirect=Pinpoint
and here is the link to a sample script (embedded in the page):
 http://git.gnome.org/browse/pinpoint/tree/introduction.pin
Copy-paste the script to a local file, and edit each *.jpg image reference to a local image. The 'bg' one gets used most.

No man page, use $ pinpoint -h for detailed info.
Could not find a menu entry for it. Do:
 $ pinpoint <script filename>
It worked (space|down|right to advance). It is quite interesting!

Updated to: pinpoint-0.1.4-18.1.mga5
and the presentation worked exactly as previously. Update OK.

CC: (none) => lewyssmith
Whiteboard: (none) => MGA5-64-OK

Comment 2 claire robinson 2016-02-15 11:54:54 CET
Useful package. Validating. Advisory uploaded.

Please push to 5 updates, thanks.

Keywords: (none) => validated_update
Whiteboard: MGA5-64-OK => has_procedure advisory MGA5-64-OK
CC: (none) => sysadmin-bugs

David Walser 2016-02-16 20:25:17 CET

URL: (none) => http://lwn.net/Vulnerabilities/675834/

Comment 3 Mageia Robot 2016-02-17 20:22:33 CET
An update for this issue has been pushed to the Mageia Updates repository.

http://advisories.mageia.org/MGASA-2016-0073.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

