Debian Bug report logs -
#856444
gdk-pixbuf: CVE-2017-6312: Possible out-of-bounds read
Reported by: Salvatore Bonaccorso <carnil@debian.org>
Date: Wed, 1 Mar 2017 05:57:02 UTC
Severity: serious
Tags: fixed-upstream, patch, security, upstream
Found in versions gdk-pixbuf/2.31.1-3, gdk-pixbuf/2.36.5-3, gdk-pixbuf/2.31.1-2
Fixed in versions gdk-pixbuf/2.36.5-2+deb9u2, gdk-pixbuf/2.36.11-2
Done: Simon McVittie <smcv@debian.org>
Bug is archived. No further changes may be made.
Forwarded to https://bugzilla.gnome.org/show_bug.cgi?id=779012
Toggle useless messages
Report forwarded
to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#856444; Package src:gdk-pixbuf.
(Wed, 01 Mar 2017 05:57:04 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Wed, 01 Mar 2017 05:57:04 GMT) (full text, mbox, link).
Message #5 received at submit@bugs.debian.org (full text, mbox, reply):
Source: gdk-pixbuf
Version: 2.31.1-2
Severity: important
Tags: security upstream
Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=779012
Hi,
the following vulnerability was published for gdk-pixbuf.
CVE-2017-6312[0]:
Out-of-bounds read on io-ico.c
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2017-6312
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-6312
Please adjust the affected versions in the BTS as needed. There is no
patch upstream yet.
Regards,
Salvatore
Severity set to 'serious' from 'important'
Request was from Jeremy Bicha <jbicha@ubuntu.com>
to control@bugs.debian.org.
(Wed, 22 Mar 2017 14:51:07 GMT) (full text, mbox, link).
No longer marked as found in versions gdk-pixbuf/2.31.1-2.
Request was from Jeremy Bicha <jbicha@ubuntu.com>
to control@bugs.debian.org.
(Wed, 22 Mar 2017 14:51:08 GMT) (full text, mbox, link).
Marked as found in versions gdk-pixbuf/2.31.1-3.
Request was from Jeremy Bicha <jbicha@ubuntu.com>
to control@bugs.debian.org.
(Wed, 22 Mar 2017 14:51:09 GMT) (full text, mbox, link).
Marked as found in versions gdk-pixbuf/2.36.5-3.
Request was from Jeremy Bicha <jbicha@ubuntu.com>
to control@bugs.debian.org.
(Wed, 22 Mar 2017 14:57:03 GMT) (full text, mbox, link).
Severity set to 'important' from 'serious'
Request was from Jeremy Bicha <jbicha@ubuntu.com>
to control@bugs.debian.org.
(Wed, 22 Mar 2017 21:12:04 GMT) (full text, mbox, link).
Marked as found in versions gdk-pixbuf/2.31.1-2.
Request was from Jeremy Bicha <jbicha@ubuntu.com>
to control@bugs.debian.org.
(Wed, 22 Mar 2017 21:12:04 GMT) (full text, mbox, link).
Added tag(s) fixed-upstream.
Request was from bts-link-upstream@lists.alioth.debian.org
to control@bugs.debian.org.
(Thu, 30 Nov 2017 17:06:15 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#856444; Package src:gdk-pixbuf.
(Sat, 13 Jan 2018 15:12:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Sat, 13 Jan 2018 15:12:03 GMT) (full text, mbox, link).
Message #24 received at 856444@bugs.debian.org (full text, mbox, reply):
Control: tags -1 + fixed-upstream patch
Fixed upstream via:
https://git.gnome.org/browse/gdk-pixbuf/commit/?id=dec9ca22d70c0f0d4492333b4e8147afb038afd2
Regards,
Salvatore
Added tag(s) patch.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 856444-submit@bugs.debian.org.
(Sat, 13 Jan 2018 15:12:03 GMT) (full text, mbox, link).
Information forwarded
to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#856444; Package src:gdk-pixbuf.
(Fri, 02 Feb 2018 20:51:03 GMT) (full text, mbox, link).
Acknowledgement sent
to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>.
(Fri, 02 Feb 2018 20:51:03 GMT) (full text, mbox, link).
Message #31 received at 856444@bugs.debian.org (full text, mbox, reply):
Control: severity -1 serious
Control: fixed -1 2.36.5-2+deb9u2
This has been fixed in a DSA, but not yet in unstable. Raising
severity to RC to not have a regression stretch->buster.
Regards,
Salvatore
Severity set to 'serious' from 'important'
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 856444-submit@bugs.debian.org.
(Fri, 02 Feb 2018 20:51:03 GMT) (full text, mbox, link).
Marked as fixed in versions gdk-pixbuf/2.36.5-2+deb9u2.
Request was from Salvatore Bonaccorso <carnil@debian.org>
to 856444-submit@bugs.debian.org.
(Fri, 02 Feb 2018 20:51:04 GMT) (full text, mbox, link).
Message sent on
to Salvatore Bonaccorso <carnil@debian.org>:
Bug#856444.
(Fri, 16 Mar 2018 09:57:08 GMT) (full text, mbox, link).
Message #38 received at 856444-submitter@bugs.debian.org (full text, mbox, reply):
Control: tag -1 pending
Hello,
Bug #856444 in gdk-pixbuf reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below, and you can check the diff of the fix at:
https://salsa.debian.org/gnome-team/gdk-pixbuf/commit/49ae88dba5674b6aa304ef895c4883840147ba4d
------------------------------------------------------------------------
Add patches from upstream to fix crash bugs
- CVE-2017-6312: out-of-bounds read in ico (Closes: #856444)
- CVE-2017-6313: integer underflow in icns (Closes: #856445)
- CVE-2017-6314: infinite loop in tiff (Closes: #856448)
Thanks to Salvatore Bonaccorso for highlighting the relevant commits.
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/856444
Added tag(s) pending.
Request was from smcv@debian.org
to 856444-submitter@bugs.debian.org.
(Fri, 16 Mar 2018 09:57:08 GMT) (full text, mbox, link).
Reply sent
to Simon McVittie <smcv@debian.org>:
You have taken responsibility.
(Sat, 17 Mar 2018 23:00:07 GMT) (full text, mbox, link).
Notification sent
to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer.
(Sat, 17 Mar 2018 23:00:07 GMT) (full text, mbox, link).
Message #45 received at 856444-close@bugs.debian.org (full text, mbox, reply):
Source: gdk-pixbuf
Source-Version: 2.36.11-2
We believe that the bug you reported is fixed in the latest version of
gdk-pixbuf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 856444@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Simon McVittie <smcv@debian.org> (supplier of updated gdk-pixbuf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Format: 1.8
Date: Fri, 16 Mar 2018 10:57:57 +0000
Source: gdk-pixbuf
Binary: libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-bin libgdk-pixbuf2.0-common libgdk-pixbuf2.0-dev libgdk-pixbuf2.0-doc libgdk-pixbuf2.0-0-udeb gir1.2-gdkpixbuf-2.0
Architecture: source
Version: 2.36.11-2
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Simon McVittie <smcv@debian.org>
Description:
gir1.2-gdkpixbuf-2.0 - GDK Pixbuf library - GObject-Introspection
libgdk-pixbuf2.0-0 - GDK Pixbuf library
libgdk-pixbuf2.0-0-udeb - GDK Pixbuf library - minimal runtime (udeb)
libgdk-pixbuf2.0-bin - GDK Pixbuf library (thumbnailer)
libgdk-pixbuf2.0-common - GDK Pixbuf library - data files
libgdk-pixbuf2.0-dev - GDK Pixbuf library (development files)
libgdk-pixbuf2.0-doc - GDK Pixbuf library (documentation)
Closes: 856444 856445 856448
Changes:
gdk-pixbuf (2.36.11-2) unstable; urgency=medium
.
* Team upload
.
[ Emilio Pozuelo Monfort ]
* Switch triggers to noawait.
.
[ Simon McVittie ]
* Update Vcs-* for move from Alioth svn to Salsa git
* debian/gbp.conf: Add
* Add patches from upstream to fix crash bugs:
- CVE-2017-6312: out-of-bounds read in ico (Closes: #856444)
- CVE-2017-6313: integer underflow in icns (Closes: #856445)
- CVE-2017-6314: infinite loop in tiff (Closes: #856448)
Thanks to Salvatore Bonaccorso for highlighting the relevant commits.
Checksums-Sha1:
a178cd6c3a05fbcaaba377899e8798a55bc55e58 2886 gdk-pixbuf_2.36.11-2.dsc
97a9d8c5de55d0cd51fccd4f9ddc0c3ce2b0f70e 15204 gdk-pixbuf_2.36.11-2.debian.tar.xz
cdaba9274b307419152a825cfc0b82dded41a427 8316 gdk-pixbuf_2.36.11-2_source.buildinfo
Checksums-Sha256:
6c6482b64d3b15bf893d6b3dc1864ab49f92ee994736d53ce84a3d052d57e6c4 2886 gdk-pixbuf_2.36.11-2.dsc
064020524e80e3ac713dd6bdf861660df26c61d9aceb75be74df44a9979c0a0c 15204 gdk-pixbuf_2.36.11-2.debian.tar.xz
71271d006e736a1eb26f096e6bfecb0bd2c7148ec44dd3d262771b43168b12dd 8316 gdk-pixbuf_2.36.11-2_source.buildinfo
Files:
f7428bc77e10ba818008101db0d1abcf 2886 libs optional gdk-pixbuf_2.36.11-2.dsc
ba930d0a440f41c30aa6fb8f2c8df444 15204 libs optional gdk-pixbuf_2.36.11-2.debian.tar.xz
f64e5db20e33524fa973a635f6b5de45 8316 libs optional gdk-pixbuf_2.36.11-2_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEENuxaZEik9e95vv6Y4FrhR4+BTE8FAlqr53kACgkQ4FrhR4+B
TE//fg/8D+PIRv7CpqYOXA68hQq5lfPKj0ttWwWTmTvYlBgs112CpAuBhlNczFm8
+q8e5tcwE6dneRwo83IVJ+7qAkxYnWqUGZfWwyopVky8O9bOyrnG/SmkgzT0MnVR
yiRUBUjrxckeQ7o8ZmqKoDoI2SL+8YDAhFSK8BikQkYW1/wYRRcYfYRMTae2j7Y6
7OQ9IJFchrd0xSoNV9BlNi9yI4V+lCn4kWQD72MnBmiCzXTBZuR/A7iVZp4z7Mqc
kUT9sgWOru0FVfrpOm3p0OGNQt2mFa+iycIkqBzVMYBTcSG+nUak1K/L6vdaLAiv
wzlORMpTOfhorknZEfVxZA9ccd2Mfh6mFfftdv+kAjzVwlveCim2DbPblfoJgapi
3SFLlqmH/Nf42M3M+J1pfDgUkYbNalCWHlp6t5BbGu1qIxnwN9zuHzQJ89T1PXgF
5QkR8Bh+rLq8gDYdZ+4kII7VnUziqFZet2UBZlS7fxezO7ymAqHPyeqJQkS6xlXF
OzfYm+gFRiCxdfFOcfVWr3SHUHKLcngQzO2G7sSI4jZ16ltayB3V5n8TrNHfP1Mo
yEuZvZ7rR5qaHx4pGdRyCLYVH+dIBlZn/VXGeAzjuTbPbYAtdCrJo9KG/puhOC96
GRnXgw6s5JGu5lXTf5aBgJ7CbqIiu3QeRggUZIrwukqQAB2xSEc=
=vcOG
-----END PGP SIGNATURE-----
Bug archived.
Request was from Debbugs Internal Request <owner@bugs.debian.org>
to internal_control@bugs.debian.org.
(Sun, 15 Apr 2018 07:27:31 GMT) (full text, mbox, link).
Send a report that this bug log contains spam.
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified:
Wed Jun 19 18:15:54 2019;
Machine Name:
buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.
Vulmon