Bug 22399 - gdk-pixbuf2.0 new security issue CVE-2017-1000422
Summary: gdk-pixbuf2.0 new security issue CVE-2017-1000422
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 22422
Reported: 2018-01-16 12:11 CET by David Walser
Modified: 2018-01-20 00:12 CET

See Also:
Source RPM: gdk-pixbuf2.0-2.36.10-1.1.mga6.src.rpm
CVE: CVE-2017-1000422
Status comment:


Description David Walser 2018-01-16 12:11:25 CET
Debian and Ubuntu have issued advisories on January 15:
https://www.debian.org/security/2018/dsa-4088
https://usn.ubuntu.com/usn/usn-3532-1/

The issue appears to have been fixed upstream in 2.36.11, and Debian and Ubuntu have links to the upstream patch/commit:
https://security-tracker.debian.org/tracker/CVE-2017-1000422
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000422.html

Mageia 5 is also affected.
Comment 1 Marja Van Waes 2018-01-16 15:14:19 CET
Assigning to all packagers collectively, since there is no registered maintainer for this package.

Assignee: bugsquad => pkg-bugs
CC: (none) => marja11

Comment 2 Nicolas Salguero 2018-01-18 09:27:17 CET
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer overflows in the gif_get_lzw function resulting in memory corruption and potential code execution. (CVE-2017-1000422)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000422
https://www.debian.org/security/2018/dsa-4088
https://usn.ubuntu.com/usn/usn-3532-1/
========================

Updated packages in core/updates_testing:
========================
gdk-pixbuf2.0-2.36.10-1.2.mga6
lib(64)gdk_pixbuf2.0_0-2.36.10-1.2.mga6
lib(64)gdk_pixbuf2.0-devel-2.36.10-1.2.mga6
lib(64)gdk_pixbuf-gir2.0-2.36.10-1.2.mga6

from SRPMS:
gdk-pixbuf2.0-2.36.10-1.2.mga6.src.rpm

CC: (none) => nicolas.salguero
Source RPM: gdk-pixbuf2.0-2.36.10-1.mga6.src.rpm => gdk-pixbuf2.0-2.36.10-1.1.mga6.src.rpm
Assignee: pkg-bugs => qa-bugs
CVE: (none) => CVE-2017-1000422
Status: NEW => ASSIGNED

Comment 3 PC LX 2018-01-19 03:34:14 CET
Installed and minimally tested without issues.

Tested using gimp.

This lib is extensively used by Gnome DE and apps so someone using Gnome (I'm not) will easily be able to extensively test this update.

System: Mageia 6, Plasma DE, Intel CPU, nVidia GPU using proprietary nvidia340 driver.

$ uname -a
Linux marte 4.14.13-desktop-1.mga6 #1 SMP Wed Jan 10 12:48:53 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep pixbuf
gdk-pixbuf2.0-2.36.10-1.2.mga6
lib64gdk_pixbuf-gir2.0-2.36.10-1.2.mga6
lib64gdk_pixbuf2.0_0-2.36.10-1.2.mga6
$ rpm -ql lib64gdk_pixbuf2.0_0-2.36.10-1.2.mga6
/usr/lib64/gdk-pixbuf-2.0
/usr/lib64/gdk-pixbuf-2.0/2.10.0
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders.cache
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ani.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-bmp.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-icns.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-ico.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-jasper.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-jpeg.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-pnm.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-qtif.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-tga.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-xbm.so
/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-xpm.so
/usr/lib64/gdk-pixbuf-2.0/bin
/usr/lib64/gdk-pixbuf-2.0/bin/gdk-pixbuf-query-loaders
/usr/lib64/libgdk_pixbuf-2.0.so.0
/usr/lib64/libgdk_pixbuf-2.0.so.0.3610.0
/usr/lib64/libgdk_pixbuf_xlib-2.0.so.0
/usr/lib64/libgdk_pixbuf_xlib-2.0.so.0.3610.0
$ strace -o ~/tmp/strace.log gimp
<SNIP>
$ grep pixbuf strace.log 
open("/lib64/libgdk_pixbuf-2.0.so.0", O_RDONLY|O_CLOEXEC) = 3
open("/usr/lib64/libgdk_pixbuf-2.0.so.0.3610.0", O_RDONLY) = 3
stat("/usr/lib64/gegl-0.3/pixbuf.so", {st_mode=S_IFREG|0755, st_size=23744, ...}) = 0
stat("/usr/lib64/gegl-0.3/save-pixbuf.so", {st_mode=S_IFREG|0755, st_size=23728, ...}) = 0
stat("/usr/lib64/gegl-0.3/pixbuf.so", {st_mode=S_IFREG|0755, st_size=23744, ...}) = 0
stat("/usr/lib64/gegl-0.3/pixbuf.so", {st_mode=S_IFREG|0755, st_size=23744, ...}) = 0
open("/usr/lib64/gegl-0.3/pixbuf.so", O_RDONLY|O_CLOEXEC) = 4
stat("/usr/lib64/gegl-0.3/save-pixbuf.so", {st_mode=S_IFREG|0755, st_size=23728, ...}) = 0
stat("/usr/lib64/gegl-0.3/save-pixbuf.so", {st_mode=S_IFREG|0755, st_size=23728, ...}) = 0
open("/usr/lib64/gegl-0.3/save-pixbuf.so", O_RDONLY|O_CLOEXEC) = 4
open("/usr/share/locale/pt_PT/LC_MESSAGES/gdk-pixbuf.mo", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/share/locale/pt/LC_MESSAGES/gdk-pixbuf.mo", O_RDONLY) = 21
open("/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders.cache", O_RDONLY) = 22
read(22, " 100\n\n\"/usr/lib64/gdk-pixbuf-2.0"..., 1024) = 1024
stat("/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so", {st_mode=S_IFREG|0755, st_size=24368, ...}) = 0
open("/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-png.so", O_RDONLY|O_CLOEXEC) = 22
stat("/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so", {st_mode=S_IFREG|0755, st_size=11448, ...}) = 0
open("/usr/lib64/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-svg.so", O_RDONLY|O_CLOEXEC) = 24

CC: (none) => mageia

Comment 4 Lewis Smith 2018-01-19 10:08:00 CET
Advisory uploaded.
About to test this update, but heeding PC_LX's comment, will do it under Gnome.
For reference, previous basic & specific tests are in:
 https://bugs.mageia.org/show_bug.cgi?id=19070 c3 c4
 https://bugs.mageia.org/show_bug.cgi?id=21658#c8

Keywords: (none) => advisory

Comment 5 Lewis Smith 2018-01-19 11:07:41 CET
Testing Mageia 6 x64
After update & re-boot to ensure updated packages are used; using Gnome.
 gdk-pixbuf2.0-2.36.10-1.2.mga6
 lib64gdk_pixbuf-gir2.0-2.36.10-1.2.mga6
 lib64gdk_pixbuf2.0_0-2.36.10-1.2.mga6

First try the cured problem of Ristretto & Gpicview not properly showing greyscale JPGs:
 $ convert source-image.jpg -colorspace Gray tmp/grey.jpg
 $ ristretto tmp/grey.jpg       OK
 $ gpicview tmp/grey.jpg        OK
as expected.

Next poke Firefox 52 at various image formats.
This site has a useful mix: https://imagej.nih.gov/ij/images/
Mostly GIF (1 animated), JPG, few PNG; few TIF - which FF did *not* display, but offered Evince viewer. Many images are greyscale, but where there was colour, that displayed OK.
 https://developers.google.com/speed/webp/gallery2
shows PNGs alongside 2 new formats WebP-lossless & WebP-lossy (with alpha) which FF recognised & displayed correctly.

OKing & validating the update.

CC: (none) => lewyssmith, sysadmin-bugs
Whiteboard: (none) => MGA6-64-OK
Keywords: (none) => validated_update
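
Added example (not part of this bug report or of Mageia's tooling): Comment 5 reboots to make sure the updated packages are in use. The update keeps the same library file name (libgdk_pixbuf-2.0.so.0.3610.0), so the name alone cannot tell old from new; this sketch instead looks for processes whose /proc/<pid>/maps still shows the library as "(deleted)". The function names and the sample data are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: list processes that still map the pre-update libgdk_pixbuf.
# When the package replaces the .so, a running process keeps the old file
# mapped and /proc/<pid>/maps tags that path "(deleted)".

# stale_pixbuf_in_maps FILE: print stale libgdk_pixbuf paths found in a
# maps-format file; exit status 0 if any were found, 1 if none.
stale_pixbuf_in_maps() {
    awk '$6 ~ /libgdk_pixbuf(_xlib)?-2\.0\.so/ && $NF == "(deleted)" {
             if (!seen[$6]++) print $6
             found = 1
         }
         END { exit(found ? 0 : 1) }' "$1"
}

# scan_proc [PROCDIR]: print "pid<TAB>path" per stale mapping; status 0 if any.
scan_proc() {
    procdir=${1:-/proc}; hits=0
    for maps in "$procdir"/[0-9]*/maps; do
        [ -r "$maps" ] || continue          # unreadable or no match for the glob
        if paths=$(stale_pixbuf_in_maps "$maps" 2>/dev/null); then
            pid=${maps%/maps}; pid=${pid##*/}
            for p in $paths; do printf '%s\t%s\n' "$pid" "$p"; done
            hits=$((hits + 1))
        fi
    done
    [ "$hits" -gt 0 ]
}

# make_sample_proc DIR: constructed sample data (not captured from a real
# system): pid 101 maps the replaced library, pid 202 maps the current one.
make_sample_proc() {
    mkdir -p "$1/101" "$1/202"
    lib=/usr/lib64/libgdk_pixbuf-2.0.so.0.3610.0
    echo "7f3a10000000-7f3a10025000 r-xp 00000000 08:02 131 $lib (deleted)" > "$1/101/maps"
    echo "7f3a20000000-7f3a20025000 r-xp 00000000 08:02 977 $lib" > "$1/202/maps"
}

# Stand-alone use: "sh thisfile --scan" checks the live /proc.
if [ "${1:-}" = "--scan" ]; then
    scan_proc || echo "no process maps a replaced libgdk_pixbuf"
fi
```

Run it with --scan as root so that every process's maps file is readable; restarting the listed processes has the same effect as the reboot for this library.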

David Walser 2018-01-19 15:08:15 CET

Blocks: (none) => 22422

Comment 6 Mageia Robot 2018-01-20 00:12:43 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0087.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

