Fedora has issued an advisory on February 12: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PEKBMOO52RXONWKB6ZKKHTVPLF6WC3KF/ Mageia 8 is also affected.
Status comment: (none) => Patch available from FedoraWhiteboard: (none) => MGA8TOO
Assigning to you, Olav, as the principle packager who has dealt with this.
Assignee: bugsquad => olav
openSUSE has issued an advisory for this today (September 7): https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LAG7HNTW3KWGP2EF5FBPHDA3R5UPDYZY/
Debian has issued an advisory for this on September 11: https://www.debian.org/security/2022/dsa-5228
Ubuntu has issued an advisory for this on September 13: https://ubuntu.com/security/notices/USN-5607-1
Hi, Version 2.42.9 (already in Cauldron) solves that issue. Best regards, Nico.
Source RPM: gdk-pixbuf2.0-2.42.6-1.mga9.src.rpm => gdk-pixbuf2.0-2.42.2-1.1.mga8.src.rpmWhiteboard: MGA8TOO => (none)CVE: (none) => CVE-2021-44648CC: (none) => nicolas.salgueroStatus comment: Patch available from Fedora => (none)Version: Cauldron => 8
Status comment: (none) => Patch available from Fedora
Suggested advisory: ======================== The updated packages fix a security vulnerability: GNOME gdk-pixbuf 2.42.6 is vulnerable to a heap-buffer overflow vulnerability when decoding the lzw compressed stream of image data in GIF files with lzw minimum code size equals to 12. (CVE-2021-44648) References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44648 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/PEKBMOO52RXONWKB6ZKKHTVPLF6WC3KF/ https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/LAG7HNTW3KWGP2EF5FBPHDA3R5UPDYZY/ https://www.debian.org/security/2022/dsa-5228 https://ubuntu.com/security/notices/USN-5607-1 ======================== Updated packages in core/updates_testing: ======================== gdk-pixbuf2.0-2.42.2-1.2.mga8 lib(64)gdk_pixbuf2.0_0-2.42.2-1.2.mga8 lib(64)gdk_pixbuf2.0-devel-2.42.2-1.2.mga8 lib(64)gdk_pixbuf-gir2.0-2.42.2-1.2.mga8 from SRPM: gdk-pixbuf2.0-2.42.2-1.2.mga8.src.rpm
Assignee: olav => qa-bugsStatus comment: Patch available from Fedora => (none)Status: NEW => ASSIGNED
MGA8-64 Plasma system. No installation issues. I used the test procedure from https://bugs.mageia.org/show_bug.cgi?id=21658#c7 modified because the vulnerability involved decoding GIF images. I downloaded a version of a daily comic strip, in color. $ convert 2340248.gif mallard.jpg converted the image into JPG. $ convert 2340248.gif -colorspace Gray mallardgray.jpg converted to JPG, in grayscale. Both resulting images displayed perfectly in Gwenview. Giving this an OK, and validating. Advisory in Comment 6.
CC: (none) => andrewsfarm, sysadmin-bugsKeywords: (none) => validated_updateWhiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisoryCC: (none) => davidwhodgins
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0402.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED