Debian Bug report logs - #339431
CVE-2005-3186: Integer overflow in gdk-pixbuf's XPM code
Reported by: Moritz Muehlenhoff <jmm@inutil.org>
Date: Wed, 16 Nov 2005 09:18:09 UTC
Severity: grave
Tags: fixed, fixed-in-experimental, patch, security
Fixed in versions gtk+2.0/2.6.10-2, gtk+2.0/2.8.9-2
Done: Sebastien Bacher <seb128@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian Security Team <team@security.debian.org>, Sebastien Bacher <seb128@debian.org>: Bug#339431; Package gtk+2.0.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: New Bug report received and forwarded. Copy sent to Debian Security Team <team@security.debian.org>, Sebastien Bacher <seb128@debian.org>.
Message #5 received at submit@bugs.debian.org:
Package: gtk+2.0
Severity: grave
Tags: security
Justification: user security hole
An integer overflow in gdk-pixbuf's XPM rendering code can be exploited
to overwrite the heap and exploit arbitrary code through crafted images.
Please see www.idefense.com/application/poi/display?id=339&type=vulnerabilities
for more details.
Cheers,
Moritz
-- System Information:
Debian Release: testing/unstable
APT prefers unstable
APT policy: (500, 'unstable')
Architecture: i386 (i686)
Shell: /bin/sh linked to /bin/bash
Kernel: Linux 2.6.14-1-686
Locale: LANG=C, LC_CTYPE=de_DE.ISO-8859-15@euro (charmap=ISO-8859-15)
Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>: Bug#339431; Package gtk+2.0.
Acknowledgement sent to Loic Minier <lool@dooz.org>: Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>.
Message #10 received at 339431@bugs.debian.org:
tags 339431 + patch
thanks
On Wed, Nov 16, 2005, Moritz Muehlenhoff wrote:
> An integer overflow in gdk-pixbuf's XPM rendering code can be exploited
> to overwrite the heap and exploit arbitrary code through crafted images.
> Please see www.idefense.com/application/poi/display?id=339&type=vulnerabilities
> for more details.
Redhat's bug report for CVE-2005-3186 with a patch attached:
<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=171071>
Did you identify other packages with a copy of this code? In
particular, did you check Gtk 1?
The Redhat security advisory also fixes CVE-2005-2975, for which I see
no entry in the Debian changelog, could you please investigate on this
id and report whether gtk1 and gtk2 are affected for Debian?
Redhat's advisories:
<http://rhn.redhat.com/errata/RHSA-2005-810.html>
<http://rhn.redhat.com/errata/RHSA-2005-811.html>
Redhat bug for CVE-2005-2975 with two patches attached:
<https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=171900>
Cheers,
--
Loïc Minier <lool@dooz.org>
"What do we want? BRAINS! When do we want it? BRAINS!"
Tags added: patch. Request was from Loic Minier <lool@dooz.org> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>: Bug#339431; Package gtk+2.0.
Acknowledgement sent to Loic Minier <lool@dooz.org>: Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>.
Message #17 received at 339431@bugs.debian.org:
Security team, did you start work on CVE-2005-3186 and CVE-2005-2975,
CVE-2005-2976 (not described in this report)? Ubuntu has released some
packages which might help <http://www.ubuntu.com/usn/usn-216-1>.
Do you need the Gtk maintainers to prepare an upload for stable?
Uploads are being prepared for unstable and experimental by Sebastien
Bacher (thanks Seb).
Cheers,
--
Loïc Minier <lool@dooz.org>
"What do we want? BRAINS! When do we want it? BRAINS!"
Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>: Bug#339431; Package gtk+2.0.
Acknowledgement sent to Loic Minier <lool@dooz.org>: Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>.
Message #22 received at 339431@bugs.debian.org:
clone 339431 -1
reassign -1 gdk-pixbuf
thanks
Hi,
I believe gdk-pixbuf is affected as well. I suppose you can grab
useful patches from the Ubuntu security fixes:
<http://www.ubuntu.com/usn/usn-216-1>
Cheers,
--
Loïc Minier <lool@dooz.org>
"What do we want? BRAINS! When do we want it? BRAINS!"
Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>: Bug#339431; Package gtk+2.0.
Acknowledgement sent to Steve Kemp <skx@debian.org>: Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>.
Message #27 received at 339431@bugs.debian.org:
On Wed, Nov 16, 2005 at 02:05:11PM +0100, Loic Minier wrote:
> Security team, did you start work on CVE-2005-3186 and CVE-2005-2975,
> CVE-2005-2976 (not described in this report)? Ubuntu has released some
> packages which might help <http://www.ubuntu.com/usn/usn-216-1>.
> Do you need the Gtk maintainers to prepare an upload for stable?
That would certainly be appreciated.
Steve
--
Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>: Bug#339431; Package gtk+2.0.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>.
Message #34 received at 339431@bugs.debian.org:
Loic Minier wrote:
> > An integer overflow in gdk-pixbuf's XPM rendering code can be exploited
> > to overwrite the heap and exploit arbitrary code through crafted images.
> > Please see www.idefense.com/application/poi/display?id=339&type=vulnerabilities
> > for more details.
>
> Did you identify other packages with a copy of this code? In
> particular, did you check Gtk 1?
gdk-pixbuf from GTK1 is affected by CVE-2005-3186; the vulnerable code is
present in io-xpm.c:359
> The Redhat security advisory also fixes CVE-2005-2975, for which I see
> no entry in the Debian changelog, could you please investigate on this
> id and report whether gtk1 and gtk2 are affected for Debian?
>
> Redhat's advisories:
> <http://rhn.redhat.com/errata/RHSA-2005-810.html>
> <http://rhn.redhat.com/errata/RHSA-2005-811.html>
>
> Redhat bug for CVE-2005-2975 with two patches attached:
> <https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=171900>
This is all for sid:
gdk-pixbuf is vulnerable both to the integer overflow in pixels calculation
(io-xpm.c:413) and to the endless loop DoS attack (io-xpm:284).
gtk+2.0 is not vulnerable to the integer overflow in pixels calculation,
as it allocates pixbuf through gdk_pixbuf_new(), but is vulnerable to the
endless loop DoS (io-xpm.c:1170).
Cheers,
Moritz
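As an added illustration of the bug class discussed in the message above (this is not code from gdk-pixbuf, GTK+ or any participant in this report): an XPM values line supplies width, height, number of colors and characters per pixel, and sizes derived from them can wrap in 32-bit arithmetic unless each factor is checked before multiplying. All function names, the `XPM_MAX_CPP` bound and the sample lines are assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical names throughout; this is not gdk-pixbuf's io-xpm.c. */
#define XPM_MAX_CPP  31   /* this example's own bound on chars per pixel */
#define XPM_CHANNELS 4    /* RGBA output buffer */

typedef struct { int width, height, n_col, cpp; } xpm_header;

/* Read one decimal int with range checking; advances *p past it. */
static int parse_int(const char **p, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(*p, &end, 10);
    if (end == *p || errno == ERANGE || v < INT32_MIN || v > INT32_MAX)
        return -1;
    *out = (int)v;
    *p = end;
    return 0;
}

/* Parse the XPM values line: "<width> <height> <ncolors> <chars_per_pixel>". */
int xpm_parse_header(const char *line, xpm_header *h)
{
    if (parse_int(&line, &h->width) || parse_int(&line, &h->height) ||
        parse_int(&line, &h->n_col) || parse_int(&line, &h->cpp))
        return -1;
    return 0;
}

/* What an unchecked 32-bit n_col * (cpp + 1) yields. uint32_t models the
 * wraparound of a 32-bit int without invoking signed-overflow UB. */
uint32_t xpm_naive_color_bytes(const xpm_header *h)
{
    return (uint32_t)h->n_col * (uint32_t)(h->cpp + 1);
}

/* Same for an unchecked width * height * channels pixel buffer size. */
uint32_t xpm_naive_pixel_bytes(const xpm_header *h)
{
    return (uint32_t)h->width * (uint32_t)h->height * XPM_CHANNELS;
}

/* Validate every factor before multiplying; 0 = sizes are safe to allocate. */
int xpm_checked_sizes(const xpm_header *h, size_t *color_bytes, size_t *pixel_bytes)
{
    int rowstride;

    if (h->width <= 0 || h->height <= 0 || h->n_col <= 0 ||
        h->cpp <= 0 || h->cpp > XPM_MAX_CPP)
        return -1;
    if (h->n_col > INT32_MAX / (h->cpp + 1))      /* colour-name table */
        return -1;
    if (h->width > INT32_MAX / XPM_CHANNELS)      /* one row of pixels */
        return -1;
    rowstride = h->width * XPM_CHANNELS;
    if (h->height > INT32_MAX / rowstride)        /* whole pixel buffer */
        return -1;

    *color_bytes = (size_t)h->n_col * (size_t)(h->cpp + 1);
    *pixel_bytes = (size_t)h->height * (size_t)rowstride;
    return 0;
}

int main(void)
{
    /* Constructed values lines, not taken from any real file. */
    const char *samples[] = { "16 16 4 1", "16 16 1431655766 2", "65536 65536 2 1" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        xpm_header h;
        size_t cb = 0, pb = 0;
        if (xpm_parse_header(samples[i], &h) != 0)
            continue;
        printf("%-20s naive colors=%u pixels=%u -> %s\n", samples[i],
               (unsigned)xpm_naive_color_bytes(&h), (unsigned)xpm_naive_pixel_bytes(&h),
               xpm_checked_sizes(&h, &cb, &pb) == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The second and third sample lines produce tiny "naive" sizes (2 and 0 bytes) for what the header claims are huge tables, which is why the checked path rejects them before any allocation happens.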
Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>: Bug#339431; Package gtk+2.0.
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>.
Message #39 received at 339431@bugs.debian.org:
Loic Minier wrote:
> The Redhat security advisory also fixes CVE-2005-2975, for which I see
> no entry in the Debian changelog, could you please investigate on this
> id and report whether gtk1 and gtk2 are affected for Debian?
The vulnerability matrix for Woody and Sarge (the entries are the line
numbers in io-xpm.c, where the vulnerable code is present):
               Woody gtk2  Woody gdk-pixbuf  Sarge gtk2  Sarge gdk-pixbuf
CVE-2005-2975  1170        284               1170        284
CVE-2005-2976  1317        413               ----        413
CVE-2005-3186  1255        359               1256        359
Cheers,
Moritz
Tags added: fixed-in-experimental. Request was from Sebastien Bacher <seb128@debian.org> to control@bugs.debian.org.
Reply sent to Sebastien Bacher <seb128@debian.org>: You have taken responsibility.
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>: Bug acknowledged by developer.
Message #46 received at 339431-close@bugs.debian.org:
Source: gtk+2.0
Source-Version: 2.6.10-2
We believe that the bug you reported is fixed in the latest version of
gtk+2.0, which is due to be installed in the Debian FTP archive:
gtk+2.0_2.6.10-2.diff.gz
to pool/main/g/gtk+2.0/gtk+2.0_2.6.10-2.diff.gz
gtk+2.0_2.6.10-2.dsc
to pool/main/g/gtk+2.0/gtk+2.0_2.6.10-2.dsc
gtk2-engines-pixbuf_2.6.10-2_i386.deb
to pool/main/g/gtk+2.0/gtk2-engines-pixbuf_2.6.10-2_i386.deb
gtk2.0-examples_2.6.10-2_i386.deb
to pool/main/g/gtk+2.0/gtk2.0-examples_2.6.10-2_i386.deb
libgtk2.0-0-dbg_2.6.10-2_i386.deb
to pool/main/g/gtk+2.0/libgtk2.0-0-dbg_2.6.10-2_i386.deb
libgtk2.0-0_2.6.10-2_i386.deb
to pool/main/g/gtk+2.0/libgtk2.0-0_2.6.10-2_i386.deb
libgtk2.0-bin_2.6.10-2_i386.deb
to pool/main/g/gtk+2.0/libgtk2.0-bin_2.6.10-2_i386.deb
libgtk2.0-common_2.6.10-2_all.deb
to pool/main/g/gtk+2.0/libgtk2.0-common_2.6.10-2_all.deb
libgtk2.0-dev_2.6.10-2_i386.deb
to pool/main/g/gtk+2.0/libgtk2.0-dev_2.6.10-2_i386.deb
libgtk2.0-doc_2.6.10-2_all.deb
to pool/main/g/gtk+2.0/libgtk2.0-doc_2.6.10-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 339431@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastien Bacher <seb128@debian.org> (supplier of updated gtk+2.0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Wed, 16 Nov 2005 16:56:39 +0100
Source: gtk+2.0
Binary: libgtk2.0-dev libgtk2.0-0-dbg gtk2-engines-pixbuf libgtk2.0-0 libgtk2.0-doc gtk2.0-examples libgtk2.0-bin libgtk2.0-common
Architecture: source i386 all
Version: 2.6.10-2
Distribution: unstable
Urgency: medium
Maintainer: Sebastien Bacher <seb128@debian.org>
Changed-By: Sebastien Bacher <seb128@debian.org>
Description:
gtk2-engines-pixbuf - Pixbuf-based theme for GTK+ 2.x
gtk2.0-examples - Examples files for the GTK+ 2.0
libgtk2.0-0 - The GTK+ graphical user interface library
libgtk2.0-0-dbg - The GTK+ libraries and debugging symbols
libgtk2.0-bin - The programs for the GTK+ graphical user interface library
libgtk2.0-common - Common files for the GTK+ graphical user interface library
libgtk2.0-dev - Development files for the GTK+ library
libgtk2.0-doc - Documentation for the GTK+ graphical user interface library
Closes: 309437 315083 323209 339431
Changes:
gtk+2.0 (2.6.10-2) unstable; urgency=medium
.
[ Sebastien Bacher ]
* Patch from Ubuntu update, thanks Martin Pitt.
* SECURITY UPDATE: Arbitrary code execution and DoS.
* Add debian/patches/010_xpm-colors-overflow_CVE-2005-3186.patch:
- io-xpm.c: Add check to XPM reader to prevent integer overflow for
specially crafted number of colors (Closes: #339431).
- CVE-2005-3186
* Add debian/patches/011_xpm-colors-loop_CVE-2005-2975.patch:
- io-xpm.c: Fix endless loop with specially crafted number of colors.
- CVE-2005-2975
.
* debian/rules:
- fix confusing cp usage.
.
[ Loic Minier ]
.
* Update FSF address. [debian/copyright]
* Remove "Copyright:" line, the whole file expresses the copyright already.
(Closes: #323209) [debian/copyright]
* Backport patch from the 2.8 branch removing the warning introduced
somewhere in 2.6 when length wraps in calculation in gdk_property_get.
(Closes: #315083) [debian/patches/064_gdk-property-get-no-warning.patch]
* Add ${misc:Depends} to all packages.
* Remove libgtk2.0-0 dependency from libgtk2.0-common to break the circular
dependency; cross your fingers, don't hold your breath. (Closes: #309437)
Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>: Bug#339431; Package gtk+2.0.
Acknowledgement sent to Loic Minier <lool@dooz.org>: Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>.
Message #51 received at 339431@bugs.debian.org:
tags 339431 + pending patch
thanks
Hi,
Sorry for the delay. You can grab the proposed fixes in:
<http://people.dooz.org/~lool/debian/gtk-gdk-cves.tgz> (87M)
MD5: 56148df50af6e28beaca57e4fa3bf6cc
I found the vulnerability matrix by Moritz Muehlenhoff useful:
               Woody gtk2       Woody gdk-pixbuf  Sarge gtk2  Sarge gdk-pixbuf
CVE-2005-2975  1170             284               1170        284
CVE-2005-2976  1317             413               ----        413
CVE-2005-3186  1255             359               1256        359
Fixed-in:      2.0.2-5woody2.1  0.17.0-2woody2.1  2.6.4-3.1   0.22.0-8.1
Let me know if you have issues with this.
Cheers,
--
Loïc Minier <lool@dooz.org>
Tags added: pending, patch. Request was from Loic Minier <lool@dooz.org> to control@bugs.debian.org.
Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>: Bug#339431; Package gtk+2.0.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>: Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>.
Message #58 received at 339431@bugs.debian.org:
Loic Minier wrote:
> Sorry for the delay. You can grab the proposed fixes in:
> <http://people.dooz.org/~lool/debian/gtk-gdk-cves.tgz> (87M)
> MD5: 56148df50af6e28beaca57e4fa3bf6cc
Thanks a lot! Packages are building already.
> I found the vulnerability matrix by Moritz Muehlenhoff useful:
>                Woody gtk2  Woody gdk-pixbuf  Sarge gtk2  Sarge gdk-pixbuf
> CVE-2005-2975  1170        284               1170        284
> CVE-2005-2976  1317        413               ----        413
> CVE-2005-3186  1255        359               1256        359
What's the meaning of the numbers above?
I had to rebuild the woody packages since you've built them for
'stable-security' instead of 'oldstable-security', and by that
I've also used woody3 instead of woody2.1, so the version is not
needlessly prolonged.
Could you tell us as well which versions in sid fix these problems?
Regards,
Joey
--
If you come from outside of Finland, you live in wrong country.
-- motd of irc.funet.fi
Please always Cc to me when replying to me on the lists.
Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>: Bug#339431; Package gtk+2.0.
Acknowledgement sent to Loic Minier <lool@dooz.org>: Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>.
Message #63 received at 339431@bugs.debian.org:
On Mon, Nov 21, 2005, Martin Schulze wrote:
> > I found the vulnerability matrix by Moritz Muehlenhoff useful:
> >                Woody gtk2  Woody gdk-pixbuf  Sarge gtk2  Sarge gdk-pixbuf
> > CVE-2005-2975  1170        284               1170        284
> > CVE-2005-2976  1317        413               ----        413
> > CVE-2005-3186  1255        359               1256        359
> What's the meaning of the numbers above?
Line numbers of the problematic code, but I found it useful to find out
which versions are affected (all CVEs are present in all packages, all
dists, except 2976 in sarge Gtk2).
> I had to rebuild the woody packages since you've built them for
> 'stable-security' instead of 'oldstable-security'
Yes, I awoke in my sleep when I thought about that this night.
> Could you tell us as well which versions in sid fix these problems?
Yes, I checked sid's gdk-pixbuf, and it addresses all 3 CVEs since
version 0.22.0-11. I only checked sid's gtk 2.6.10 this morning, and
it was only vulnerable to CVE-2005-3186 and CVE-2005-2975 (not to
CVE-2005-2976), like the sarge gtk, and was fixed in 2.6.10-2.
FYI, it was also fixed in experimental with a new upstream with these
fixes.
This gives fixed-in versions:
               Sid gtk2  Sid gdk-pixbuf
CVE-2005-2975  2.6.10-2  0.22.0-11
CVE-2005-2976  -         0.22.0-11
CVE-2005-3186  2.6.10-2  0.22.0-11
Bye,
--
Loïc Minier <lool@dooz.org>
"What do we want? BRAINS! When do we want it? BRAINS!"
Information forwarded to debian-bugs-dist@lists.debian.org, Sebastien Bacher <seb128@debian.org>: Bug#339431; Package gtk+2.0.
Acknowledgement sent to Martin Schulze <joey@infodrom.org>: Extra info received and forwarded to list. Copy sent to Sebastien Bacher <seb128@debian.org>.
Message #68 received at 339431@bugs.debian.org:
Loic Minier wrote:
> On Mon, Nov 21, 2005, Martin Schulze wrote:
> > > I found the vulnerability matrix by Moritz Muehlenhoff useful:
> > >                Woody gtk2  Woody gdk-pixbuf  Sarge gtk2  Sarge gdk-pixbuf
> > > CVE-2005-2975  1170        284               1170        284
> > > CVE-2005-2976  1317        413               ----        413
> > > CVE-2005-3186  1255        359               1256        359
> > What's the meaning of the numbers above?
>
> Line numbers of the problematic code, but I found it useful to find out
> which versions are affected (all CVEs are present in all packages, all
> dists, except 2976 in sarge Gtk2).
>
> > I had to rebuild the woody packages since you've built them for
> > 'stable-security' instead of 'oldstable-security'
>
> Yes, I awoke in my sleep when I thought about that this night.
>
> > Could you tell us as well which versions in sid fix these problems?
>
> Yes, I checked sid's gdk-pixbuf, and it addresses all 3 CVEs since
> version 0.22.0-11. I only checked sid's gtk 2.6.10 this morning, and
> it was only vulnerable to CVE-2005-3186 and CVE-2005-2975 (not to
> CVE-2005-2976), like the sarge gtk, and was fixed in 2.6.10-2.
Ok, this results in the following matrix:
            old stable (woody)  stable (sarge)  unstable (sid)
gdk-pixbuf  0.17.0-2woody3      0.22.0-8.1      0.22.0-11
gtk+2.0     2.0.2-5woody3       2.6.4-3.1       2.6.10-2
Regards,
Joey
--
If you come from outside of Finland, you live in wrong country.
-- motd of irc.funet.fi
Please always Cc to me when replying to me on the lists.
Tags added: fixed. Request was from Loic Minier <lool@dooz.org> to control@bugs.debian.org.
Reply sent to Sebastien Bacher <seb128@debian.org>: You have taken responsibility.
Notification sent to Moritz Muehlenhoff <jmm@inutil.org>: Bug acknowledged by developer.
Message #75 received at 339431-close@bugs.debian.org:
Source: gtk+2.0
Source-Version: 2.8.9-2
We believe that the bug you reported is fixed in the latest version of
gtk+2.0, which is due to be installed in the Debian FTP archive:
gtk+2.0_2.8.9-2.diff.gz
to pool/main/g/gtk+2.0/gtk+2.0_2.8.9-2.diff.gz
gtk+2.0_2.8.9-2.dsc
to pool/main/g/gtk+2.0/gtk+2.0_2.8.9-2.dsc
gtk2-engines-pixbuf_2.8.9-2_i386.deb
to pool/main/g/gtk+2.0/gtk2-engines-pixbuf_2.8.9-2_i386.deb
gtk2.0-examples_2.8.9-2_i386.deb
to pool/main/g/gtk+2.0/gtk2.0-examples_2.8.9-2_i386.deb
libgtk2.0-0-dbg_2.8.9-2_i386.deb
to pool/main/g/gtk+2.0/libgtk2.0-0-dbg_2.8.9-2_i386.deb
libgtk2.0-0_2.8.9-2_i386.deb
to pool/main/g/gtk+2.0/libgtk2.0-0_2.8.9-2_i386.deb
libgtk2.0-bin_2.8.9-2_i386.deb
to pool/main/g/gtk+2.0/libgtk2.0-bin_2.8.9-2_i386.deb
libgtk2.0-common_2.8.9-2_all.deb
to pool/main/g/gtk+2.0/libgtk2.0-common_2.8.9-2_all.deb
libgtk2.0-dev_2.8.9-2_i386.deb
to pool/main/g/gtk+2.0/libgtk2.0-dev_2.8.9-2_i386.deb
libgtk2.0-doc_2.8.9-2_all.deb
to pool/main/g/gtk+2.0/libgtk2.0-doc_2.8.9-2_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 339431@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Sebastien Bacher <seb128@debian.org> (supplier of updated gtk+2.0 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
Format: 1.7
Date: Thu, 15 Dec 2005 15:13:32 +0100
Source: gtk+2.0
Binary: libgtk2.0-dev libgtk2.0-0-dbg gtk2-engines-pixbuf libgtk2.0-0 libgtk2.0-doc gtk2.0-examples libgtk2.0-bin libgtk2.0-common
Architecture: source i386 all
Version: 2.8.9-2
Distribution: unstable
Urgency: low
Maintainer: Sebastien Bacher <seb128@debian.org>
Changed-By: Sebastien Bacher <seb128@debian.org>
Description:
gtk2-engines-pixbuf - Pixbuf-based theme for GTK+ 2.x
gtk2.0-examples - Examples files for the GTK+ 2.0
libgtk2.0-0 - The GTK+ graphical user interface library
libgtk2.0-0-dbg - The GTK+ libraries and debugging symbols
libgtk2.0-bin - The programs for the GTK+ graphical user interface library
libgtk2.0-common - Common files for the GTK+ graphical user interface library
libgtk2.0-dev - Development files for the GTK+ library
libgtk2.0-doc - Documentation for the GTK+ graphical user interface library
Closes: 323080 323209 323705 339431
Changes:
gtk+2.0 (2.8.9-2) unstable; urgency=low
.
* Upload to unstable
.
gtk+2.0 (2.8.9-1) experimental; urgency=low
.
* New upstream version:
Bugs fixed:
- File chooser filter behaves weird
- 2.8.4 to 2.8.6: sound-juicer crash, fileselector assertions
- On unsetting the Model, GtkTreeView does not clear
it's associated TreeSelection
- Crash on selecting a file of null mime-type
- gtktoolbutton leaks a pixbuf
- GdkEvent leaked in gtktreeview.c / gtk_tree_view_key_press
- Typo in trap_activate_cb()
- gtkcalendar.c: The identifier is already declared.
- gtk_menu_attach_to_widget() does not take NULL detacher
- Unhinted fonts are measured incorrectly and drawing
problems occur as a result
- unwanted scrolling in recent gtk
- Toolbars without icons are invisible in icon-only mode
- Search-entry in the TreeView not working properly
- gtktoolbutton.c:562: warning: 'image' is used
uninitialized in this function
- reference count of textbuffer increases with each paste
- gtk_selection_data_get_uris leaks memory
Other changes:
- Remove GMemChunk from public header files to
support building against GLib 2.10
- Report errors in option parsing
- Merge upstream xdgmime changes to handle duplicate glob patterns
.
gtk+2.0 (2.8.8-1) experimental; urgency=low
.
* New upstream version:
GtkFileChooser:
- Make F2 work for renaming bookmarks
GtkEntry:
- Turn off input methods in password entries
- Other fixes * Documentation improvements
- Updated translations
.
gtk+2.0 (2.8.7-1) experimental; urgency=low
.
* New upstream version.
* Security fixes:
- Add check to XPM reader to prevent integer overflow for specially crafted
number of colors (CVE-2005-3186) (Closes: #339431).
- Fix endless loop with specially crafted number of colors (CVE-2005-2975).
* debian/patches/001_fs_documents.patch:
- updated.
* debian/rules:
- fix confusing cp usage.
.
[ Loic Minier ]
* Drop xlibs-dev deps and build-deps.
[debian/control, debian/control.in]
.
gtk+2.0 (2.8.3-1) experimental; urgency=low
.
* New upstream version:
- Fix problems with the handling of initial settings
for font options and cursor themes.
- Add a --ignore-theme-index option to gtk-update-icon-cache.
.
gtk+2.0 (2.8.2-1) experimental; urgency=low
.
* New upstream version:
- Fix a crash with custom icon themes, which affected
the gnome-theme-manager.
- Make sure font and cursor settings are propagated down
to the screen initially.
* debian/control.in:
- require the current pango.
.
gtk+2.0 (2.8.1-1) experimental; urgency=low
.
* New upstream version:
- gtk-update-icon-cache no longer stores copies of symlinked icons,
and it has a --index-only option to omit image data from the cache.
- Make large GtkSizeGroups more efficient.
- Improve positioning of menus in GtkToolbar.
- Make scrolling work on unrealized icon views.
- Avoid unnecessary redraws on range widgets.
- Make sure that all GTK+ applications reload icon themes promptly.
- Ensure that gdk_pango_get_context() and gtk_widget_get_pango_context()
use the same font options and dpi value.
- Multiple memory leak fixes.
* debian/control.in:
- updated the libgtk2.0-dev Depends according to the changes.
* debian/rules:
Add --enable-explicit-deps=yes to make sure stuff like x11 gets listed as a
Requires: in gdk(-x11)-2.0.pc, because otherwise linkage against -lX11 and
friends doesn't get carried through. Whether or not this is correct is
arguable, since libgdk-x11-2.0.so.0* ends up linked against it anyway, but
stuff like gnome-panel seems to be relying on this transience.
Change by Daniel Stone.
.
gtk+2.0 (2.8.0-1) experimental; urgency=low
.
* New upstream version.
* debian/control.in:
- build with the new cairo (Closes: #323705).
- updated the Build-Depends for xorg (Closes: #323080).
* debian/copyright:
- use License instead of Copyright (Closes: #323209).
* debian/patches/001_fs_documents.patch:
- default to Documents.
* debian/rules:
- updated the shlibs.
* debian/watch:
- updated.
.
gtk+2.0 (2.7.2-1) experimental; urgency=low
.
* New upstream version.
* debian/control.in:
- updated the Build-Depends.
* debian/rules:
- updated the shlibs.
- use cairo.
* debian/watch:
- updated.
Tags added: fixed. Request was from Loic Minier <lool@dooz.org> to control@bugs.debian.org.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org (Mon, 25 Jun 2007 02:43:30 GMT).
Last modified: Wed Jun 19 16:13:56 2019