Bug 6567 - gdk-pixbuf2.0 new security issue CVE-2012-2370
: gdk-pixbuf2.0 new security issue CVE-2012-2370
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
: 1
: i586 Linux
: Normal Severity: normal
: ---
Assigned To: QA Team
:
: http://lwn.net/Vulnerabilities/503372/
: MGA1-32-OK MGA1-64-OK
: validated_update
:
:
  Show dependency treegraph
 
Reported: 2012-06-25 23:56 CEST by David Walser
Modified: 2012-07-10 00:25 CEST (History)
4 users (show)

See Also:
Source RPM: gdk-pixbuf2.0-2.22.1-3.1.mga1.src.rpm
CVE:


Attachments

Description David Walser 2012-06-25 23:56:44 CEST
An integer overflow in gdk-pixbuf2.0 was fixed upstream in 2.24.1-r1.

Mageia 2 has 2.26.1 which is not affected.

Patched package for Mageia 1 uploaded.

Advisory:
========================

Updated gdk-pixbuf2.0 packages fix security vulnerability:

An integer overflow flaw was found in the way X BitMap (XBM) image
file format loader of gdk-pixbuf, an image loading library used with
GNOME, used to read bitmap file data for certain images. A remote
attacker could provide a specially-crafted XBM image file, which once
loaded in an application linked against gdk-pixbuf, would lead to that
application termination (GLib error and application abort)
(CVE-2012-2370).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2370
https://bugzilla.redhat.com/show_bug.cgi?id=822468
========================

Updated packages in core/updates_testing:
========================
gdk-pixbuf2.0-2.22.1-3.2.mga1
libgdk_pixbuf2.0_0-2.22.1-3.2.mga1
libgdk_pixbuf2.0-devel-2.22.1-3.2.mga1

from gdk-pixbuf2.0-2.22.1-3.2.mga1.src.rpm
Comment 1 Dave Hodgins 2012-07-04 02:42:03 CEST
Testing complete on Mageia 1 i586.

Testing using the attachment (id=210585) from
https://bugzilla.gnome.org/show_bug.cgi?id=672811

Before the update ...
$ eog .

GLib-ERROR **: gmem.c:170: failed to allocate 4294967291 bytes
aborting...
Aborted

After the update, eog starts and displays a message that it could not
load the image test.xbm
Comment 2 Samuel Verschelde 2012-07-08 14:03:02 CEST
tested the same way as in comment #1 on Mageia 1 x86_64

Update validated.

see comment #0 for advisory and SRPM.
Comment 3 Thomas Backlund 2012-07-10 00:25:15 CEST
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2012-0149

Note You need to log in before you can comment on or make changes to this bug.