CVE-2011-2485: excessive memory use due improper checking of certain return values in GIF image loader

Debian Bug report logs - #631524
CVE-2011-2485: excessive memory use due improper checking of certain return values in GIF image loader

Toggle useless messages

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Luciano Bello <luciano@debian.org>

To: submit@bugs.debian.org

Subject: CVE-2011-2485: excessive memory use due improper checking of certain return values in GIF image loader

Date: Fri, 24 Jun 2011 12:53:52 -0300

Package: gdk-pixbuf
Severity: important
Tags: security patch

Hi,
   	The Red Hat Security Response  Team reported[1] a bug in gdk-pixbuf.
Patch is provided too[2].
	The CVE (Common Vulnerabilities & Exposures) assigned is CVE-2011-2485.
If you fix the vulnerability please also make sure to include the CVE id in your 
changelog entry.

Thanks!

-luciano

[1] http://seclists.org/oss-sec/2011/q2/682
[2] http://git.gnome.org/browse/gdk-
pixbuf/commit/?id=f8569bb13e2aa1584dde61ca545144750f7a7c98

Message #10 received at 631524-close@bugs.debian.org (full text, mbox, reply):

From: Nico Golde <nion@debian.org>

To: 631524-close@bugs.debian.org

Subject: Bug#631524: fixed in gdk-pixbuf 2.23.3-3.1

Date: Tue, 28 Jun 2011 21:04:48 +0000

Source: gdk-pixbuf
Source-Version: 2.23.3-3.1

We believe that the bug you reported is fixed in the latest version of
gdk-pixbuf, which is due to be installed in the Debian FTP archive:

gdk-pixbuf_2.23.3-3.1.debian.tar.gz
  to main/g/gdk-pixbuf/gdk-pixbuf_2.23.3-3.1.debian.tar.gz
gdk-pixbuf_2.23.3-3.1.dsc
  to main/g/gdk-pixbuf/gdk-pixbuf_2.23.3-3.1.dsc
gir1.2-gdkpixbuf-2.0_2.23.3-3.1_amd64.deb
  to main/g/gdk-pixbuf/gir1.2-gdkpixbuf-2.0_2.23.3-3.1_amd64.deb
libgdk-pixbuf2.0-0-udeb_2.23.3-3.1_amd64.udeb
  to main/g/gdk-pixbuf/libgdk-pixbuf2.0-0-udeb_2.23.3-3.1_amd64.udeb
libgdk-pixbuf2.0-0_2.23.3-3.1_amd64.deb
  to main/g/gdk-pixbuf/libgdk-pixbuf2.0-0_2.23.3-3.1_amd64.deb
libgdk-pixbuf2.0-dev_2.23.3-3.1_amd64.deb
  to main/g/gdk-pixbuf/libgdk-pixbuf2.0-dev_2.23.3-3.1_amd64.deb
libgdk-pixbuf2.0-doc_2.23.3-3.1_all.deb
  to main/g/gdk-pixbuf/libgdk-pixbuf2.0-doc_2.23.3-3.1_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 631524@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated gdk-pixbuf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Tue, 28 Jun 2011 21:59:16 +0200
Source: gdk-pixbuf
Binary: libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-dev libgdk-pixbuf2.0-doc libgdk-pixbuf2.0-0-udeb gir1.2-gdkpixbuf-2.0
Architecture: source all amd64
Version: 2.23.3-3.1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description: 
 gir1.2-gdkpixbuf-2.0 - GDK Pixbuf library - GObject-Introspection
 libgdk-pixbuf2.0-0 - GDK Pixbuf library
 libgdk-pixbuf2.0-0-udeb - GDK Pixbuf library - minimal runtime (udeb)
 libgdk-pixbuf2.0-dev - GDK Pixbuf library (development files)
 libgdk-pixbuf2.0-doc - GDK Pixbuf library (documentation)
Closes: 631524
Changes: 
 gdk-pixbuf (2.23.3-3.1) unstable; urgency=high
 .
   * Non-maintainer upload by the Security Team.
   * Fix improper check of gif_main_loop() resulting in DoS conditions
     on specially crafted GIF images (CVE-2011-2485; Closes: #631524)
Checksums-Sha1: 
 83615a789d41fdb5688725f04ebec8dad946e5c1 1738 gdk-pixbuf_2.23.3-3.1.dsc
 dc6d225d92acbeb446f043ed45739f7b676754d2 9904 gdk-pixbuf_2.23.3-3.1.debian.tar.gz
 e8a4b6a01fa17ab3403ccbeb8e73eed998953648 189298 libgdk-pixbuf2.0-doc_2.23.3-3.1_all.deb
 f6941dcbae09e7177c709bdcb06b84042e5af015 661190 libgdk-pixbuf2.0-0_2.23.3-3.1_amd64.deb
 84f045833f223036fb5fbeefa5bef892c4d256c5 52824 libgdk-pixbuf2.0-dev_2.23.3-3.1_amd64.deb
 79b2a8bdcbe236b7444dcd627382fdecba5ba33c 562108 libgdk-pixbuf2.0-0-udeb_2.23.3-3.1_amd64.udeb
 63b4ce75c4fb13f3f2539eb46ba4420c378af4b8 13108 gir1.2-gdkpixbuf-2.0_2.23.3-3.1_amd64.deb
Checksums-Sha256: 
 228d226c0c80905765fcacd3cb786db9b6838147a981d00014674752cebac3e2 1738 gdk-pixbuf_2.23.3-3.1.dsc
 9588a4c29534a6aa5d4622e8d3d405bee44b40707bb21beed9dedb83fdd7d114 9904 gdk-pixbuf_2.23.3-3.1.debian.tar.gz
 8ed085f8e40d6eba30c2eb3b2a5d2f30753187f867a7cabedf5daf9f74ef2fd8 189298 libgdk-pixbuf2.0-doc_2.23.3-3.1_all.deb
 d1089663e31f6b227437e97ad8849cf7fae03ee6b23d6a9ce06f0f747f2d6921 661190 libgdk-pixbuf2.0-0_2.23.3-3.1_amd64.deb
 563f41a06d397686130b3b49942878c4bdd51f02907b3ac809d3c7e8c3606dcd 52824 libgdk-pixbuf2.0-dev_2.23.3-3.1_amd64.deb
 d9c0ed479a44305a5a88509b59f48dbd450f073d246d2e6cac4e78f8b9ba31f1 562108 libgdk-pixbuf2.0-0-udeb_2.23.3-3.1_amd64.udeb
 1c508ef4d0aeb2929cf9a2a108fb42ff3d49242a1ff31a5b56f9bad9830a2215 13108 gir1.2-gdkpixbuf-2.0_2.23.3-3.1_amd64.deb
Files: 
 b1db96209fbfc6e5edd2a754157a2722 1738 libs optional gdk-pixbuf_2.23.3-3.1.dsc
 d5f38e238b3bb5321bf67f576e122d84 9904 libs optional gdk-pixbuf_2.23.3-3.1.debian.tar.gz
 0f83e4eb1feae8ba1f27a9af71332e08 189298 doc optional libgdk-pixbuf2.0-doc_2.23.3-3.1_all.deb
 5d7ef1c06c9298170505fdec6ccb6aa3 661190 libs optional libgdk-pixbuf2.0-0_2.23.3-3.1_amd64.deb
 bcb4150b5c281d32d270004edd8c1cd2 52824 libdevel optional libgdk-pixbuf2.0-dev_2.23.3-3.1_amd64.deb
 acb74a9770aa63f479a4c7f425581236 562108 debian-installer extra libgdk-pixbuf2.0-0-udeb_2.23.3-3.1_amd64.udeb
 450e4c6dc913a95442425bac180bddc7 13108 libs optional gir1.2-gdkpixbuf-2.0_2.23.3-3.1_amd64.deb
Package-Type: udeb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk4KNMIACgkQHYflSXNkfP8m/ACaA7j1TNmZG0LhY1mjfInju8h4
YjgAn04pO3KNKyuZLEAW7NDRSBySnvwH
=Aleb
-----END PGP SIGNATURE-----

Message #15 received at 631524@bugs.debian.org (full text, mbox, reply):

From: Josselin Mouette <joss@debian.org>

To: Luciano Bello <luciano@debian.org>, 631524@bugs.debian.org

Cc: team@security.debian.org

Subject: Re: Bug#631524: CVE-2011-2485: excessive memory use due improper checking of certain return values in GIF image loader

Date: Wed, 29 Jun 2011 01:50:58 +0200

[Message part 1 (text/plain, inline)]

Le vendredi 24 juin 2011 à 12:53 -0300, Luciano Bello a écrit : 
> Package: gdk-pixbuf
> Severity: important
> Tags: security patch
> 
> Hi,
>    	The Red Hat Security Response  Team reported[1] a bug in gdk-pixbuf.
> Patch is provided too[2].
> 	The CVE (Common Vulnerabilities & Exposures) assigned is CVE-2011-2485.
> If you fix the vulnerability please also make sure to include the CVE id in your 
> changelog entry.

The gtk+2.0 package in lenny and squeeze is affected as well.

Could you please update the security tracker?
(As for the bug, I’m not sure whether it should be cloned or reopened.)

-- 
 .''`.      Josselin Mouette
: :' :
`. `'
  `-

[signature.asc (application/pgp-signature, inline)]

Message #20 received at 631524@bugs.debian.org (full text, mbox, reply):

From: Giuseppe Iuculano <iuculano@debian.org>

To: Josselin Mouette <joss@debian.org>

Cc: Luciano Bello <luciano@debian.org>, 631524@bugs.debian.org, team@security.debian.org

Subject: Re: Bug#631524: CVE-2011-2485: excessive memory use due improper checking of certain return values in GIF image loader

Date: Wed, 29 Jun 2011 20:11:16 +0200

[Message part 1 (text/plain, inline)]

On 06/29/2011 01:50 AM, Josselin Mouette wrote:
> Could you please update the security tracker?

Updated, thanks.

Cheers,
Giuseppe.

[signature.asc (application/pgp-signature, attachment)]

Message #29 received at 631524@bugs.debian.org (full text, mbox, reply):

From: Jonathan Wiltshire <jmw@debian.org>

To: 631524@bugs.debian.org

Subject: Re: CVE-2011-2485: excessive memory use due improper checking of certain return values in GIF image loader

Date: Mon, 09 Jul 2012 07:23:37 -0000

Dear maintainer,

Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:

squeeze (6.0.6) - use target "stable"

Please prepare a minimal-changes upload targetting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.

I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.

For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].

0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/631524/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc

Thanks,

with his security hat on:
--
Jonathan Wiltshire                                      jmw@debian.org
Debian Developer                         http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51

Send a report that this bug log contains spam.