+++ This bug was initially created as a clone of Bug #22399 +++

Debian and Ubuntu have issued advisories on January 15:
https://www.debian.org/security/2018/dsa-4088
https://usn.ubuntu.com/usn/usn-3532-1/

The issue appears to have been fixed upstream in 2.36.11, and Debian and Ubuntu have links to the upstream patch/commit:
https://security-tracker.debian.org/tracker/CVE-2017-1000422
https://people.canonical.com/~ubuntu-security/cve/2017/CVE-2017-1000422.html

I would like to fix this core package in Mageia 5; sysadmins, please submit it.
Suggested advisory:
========================

The updated packages fix a security vulnerability:

Gnome gdk-pixbuf 2.36.8 and older is vulnerable to several integer overflows in the gif_get_lzw function resulting in memory corruption and potential code execution (CVE-2017-1000422).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-1000422
https://www.debian.org/security/2018/dsa-4088
https://usn.ubuntu.com/usn/usn-3532-1/
========================

Updated packages in core/updates_testing:
========================
gdk-pixbuf2.0-2.32.3-1.2.mga5
libgdk_pixbuf2.0_0-2.32.3-1.2.mga5
libgdk_pixbuf2.0-devel-2.32.3-1.2.mga5
libgdk_pixbuf-gir2.0-2.32.3-1.2.mga5

from gdk-pixbuf2.0-2.32.3-1.2.mga5.src.rpm
Assignee: sysadmin-bugs => qa-bugs
Firefox uses this library. The update only affects GIF decoding, which still works fine in a new Firefox instance after updating on Mageia 5 x86_64.
Whiteboard: (none) => MGA5-64-OK
Keywords: (none) => advisory, validated_update
CC: (none) => sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2018-0090.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED