A CVE has been requested for a security issue fixed upstream in gdk-pixbuf: https://www.openwall.com/lists/oss-security/2022/07/23/1
Assigning to all packagers collectively, since there is no registered maintainer for this package
Assignee: bugsquad => pkg-bugsCC: (none) => marja11
CVE-2021-46829 has been assigned, and there's a PoC: https://www.openwall.com/lists/oss-security/2022/07/25/1
Summary: gdk-pixbuf2.0 new heap buffer overflow security issue => gdk-pixbuf2.0 new heap buffer overflow security issue (CVE-2021-46829)
Updated package built for Mageia 8 Advisory: ======================== Updated gdk-pixbuf2.0 package fixes security vulnerability: It was discovered that gdk-pixbuf contained a buffer overwrite in io-gif-animation.c composite_frame() exploitable using a crafted GIF (CVE-2021-46829). References: https://www.openwall.com/lists/oss-security/2022/07/23/1 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-46829 https://www.openwall.com/lists/oss-security/2022/07/25/1 ======================== Updated packages in core/updates_testing: ======================== gdk-pixbuf2.0-2.42.2-1.1.mga8 lib64gdk_pixbuf2.0_0-2.42.2-1.1.mga8 lib64gdk_pixbuf2.0-devel-2.42.2-1.1.mga8 lib64gdk_pixbuf-gir2.0-2.42.2-1.1.mga8 from gdk-pixbuf2.0-2.42.2-1.1.mga8.src.rpm Potential test procedures. https://bugs.mageia.org/show_bug.cgi?id=21680#c7 https://bugs.mageia.org/show_bug.cgi?id=22399#c5
Keywords: (none) => has_procedureCVE: (none) => CVE-2021-46829CC: (none) => mhrambo3501Assignee: pkg-bugs => qa-bugs
Before the update [dave@x3 gdk-pixbuf]$ eog wrap_around.poc (eog:137113): EOG-WARNING **: 19:47:48.318: Error loading Eog typelib: Typelib file for namespace 'Eog', version '3.0' not found (eog:137113): libpeas-WARNING **: 19:47:48.398: Type not found in introspection: 'EogApplicationActivatable' (eog:137113): libpeas-WARNING **: 19:47:48.398: Method 'EogApplicationActivatable.activate' was not found (eog:137113): libpeas-WARNING **: 19:47:48.508: Type not found in introspection: 'EogWindowActivatable' (eog:137113): libpeas-WARNING **: 19:47:48.508: Method 'EogWindowActivatable.activate' was not found Segmentation fault (core dumped) [dave@x3 gdk-pixbuf]$ eog wrap_around.poc (eog:137188): EOG-WARNING **: 19:48:48.478: Error loading Eog typelib: Typelib file for namespace 'Eog', version '3.0' not found (eog:137188): libpeas-WARNING **: 19:48:48.564: Type not found in introspection: 'EogApplicationActivatable' (eog:137188): libpeas-WARNING **: 19:48:48.564: Method 'EogApplicationActivatable.activate' was not found (eog:137188): libpeas-WARNING **: 19:48:48.677: Type not found in introspection: 'EogWindowActivatable' (eog:137188): libpeas-WARNING **: 19:48:48.677: Method 'EogWindowActivatable.activate' was not found Segmentation fault (core dumped) Will test the update when it reaches kernel.org
CC: (none) => davidwhodgins
Confirmed eog no longer segfaults with wrap_around.poc or more_trouble.poc, and continues to work ok with valid images.
Keywords: (none) => validated_updateCC: (none) => sysadmin-bugsWhiteboard: (none) => MGA8-64-OK
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2022-0269.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED