SUSE has issued an advisory today (January 21): https://lists.suse.com/pipermail/sle-security-updates/2021-January/008233.html

The issue is fixed upstream in 2.42.2, apparently here: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/bdd3acbd48a575d418ba6bf1b32d7bda2fae1c81

They also fixed another GIF loader issue, that appears to have been fixed in 2.42.0 here: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/086e8adf4cc352cd11572f96066b001b545f354e

Ubuntu says 2.38 isn't affected by the CVE, so this may be invalid, but we should check the second issue too: https://ubuntu.com/security/CVE-2020-29385
OK to assign to you, Olav, as having done the new version commits for this SRPM (including this M7 one)?
Assignee: bugsquad => olav
openSUSE has issued an advisory for this on January 24: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/Z47MEXBMS3R7XMG63LBJMBIYUX3ZTEJI/
(In reply to David Walser from comment #0)
> They also fixed another GIF loader issue, that appears to have been fixed in
> 2.42.0 here:
> https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/086e8adf4cc352cd11572f96066b001b545f354e

This one is CVE-2021-20240: https://ubuntu.com/security/CVE-2021-20240

Ubuntu has issued an advisory for that on February 22: https://ubuntu.com/security/notices/USN-4743-1
Severity: normal => major
Summary: gdk-pixbuf2.0 possible new security issues in GIF loader (including CVE-2020-29385) => gdk-pixbuf2.0 possible new security issues in GIF loader (including CVE-2020-29385 and CVE-2021-20240)
Fedora has issued an advisory for this on February 23: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EANWYODLOJDFLMBH6WEKJJMQ5PKLEWML/
Severity: major => critical
2.38.1 isn't affected by either of these.
Resolution: (none) => INVALID
Status: NEW => RESOLVED