Debian Bug report logs - #631524
CVE-2011-2485: excessive memory use due to improper checking of certain return values in GIF image loader
Reported by: Luciano Bello <luciano@debian.org>
Date: Fri, 24 Jun 2011 15:57:02 UTC
Severity: important
Tags: patch, security
Fixed in version gdk-pixbuf/2.23.3-3.1
Done: Nico Golde <nion@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#631524; Package gdk-pixbuf. (Fri, 24 Jun 2011 15:57:05 GMT)
Acknowledgement sent to Luciano Bello <luciano@debian.org>: New Bug report received and forwarded. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Fri, 24 Jun 2011 15:57:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: gdk-pixbuf
Severity: important
Tags: security patch
Hi,
The Red Hat Security Response Team reported[1] a bug in gdk-pixbuf.
Patch is provided too[2].
The CVE (Common Vulnerabilities & Exposures) assigned is CVE-2011-2485.
If you fix the vulnerability please also make sure to include the CVE id in your
changelog entry.
Thanks!
-luciano
[1] http://seclists.org/oss-sec/2011/q2/682
[2] http://git.gnome.org/browse/gdk-pixbuf/commit/?id=f8569bb13e2aa1584dde61ca545144750f7a7c98
Reply sent to Nico Golde <nion@debian.org>: You have taken responsibility. (Tue, 28 Jun 2011 21:16:03 GMT)
Notification sent to Luciano Bello <luciano@debian.org>: Bug acknowledged by developer. (Tue, 28 Jun 2011 21:16:05 GMT)
Message #10 received at 631524-close@bugs.debian.org:
Source: gdk-pixbuf
Source-Version: 2.23.3-3.1
We believe that the bug you reported is fixed in the latest version of
gdk-pixbuf, which is due to be installed in the Debian FTP archive:
gdk-pixbuf_2.23.3-3.1.debian.tar.gz
to main/g/gdk-pixbuf/gdk-pixbuf_2.23.3-3.1.debian.tar.gz
gdk-pixbuf_2.23.3-3.1.dsc
to main/g/gdk-pixbuf/gdk-pixbuf_2.23.3-3.1.dsc
gir1.2-gdkpixbuf-2.0_2.23.3-3.1_amd64.deb
to main/g/gdk-pixbuf/gir1.2-gdkpixbuf-2.0_2.23.3-3.1_amd64.deb
libgdk-pixbuf2.0-0-udeb_2.23.3-3.1_amd64.udeb
to main/g/gdk-pixbuf/libgdk-pixbuf2.0-0-udeb_2.23.3-3.1_amd64.udeb
libgdk-pixbuf2.0-0_2.23.3-3.1_amd64.deb
to main/g/gdk-pixbuf/libgdk-pixbuf2.0-0_2.23.3-3.1_amd64.deb
libgdk-pixbuf2.0-dev_2.23.3-3.1_amd64.deb
to main/g/gdk-pixbuf/libgdk-pixbuf2.0-dev_2.23.3-3.1_amd64.deb
libgdk-pixbuf2.0-doc_2.23.3-3.1_all.deb
to main/g/gdk-pixbuf/libgdk-pixbuf2.0-doc_2.23.3-3.1_all.deb
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 631524@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Nico Golde <nion@debian.org> (supplier of updated gdk-pixbuf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Format: 1.8
Date: Tue, 28 Jun 2011 21:59:16 +0200
Source: gdk-pixbuf
Binary: libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-dev libgdk-pixbuf2.0-doc libgdk-pixbuf2.0-0-udeb gir1.2-gdkpixbuf-2.0
Architecture: source all amd64
Version: 2.23.3-3.1
Distribution: unstable
Urgency: high
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Nico Golde <nion@debian.org>
Description:
gir1.2-gdkpixbuf-2.0 - GDK Pixbuf library - GObject-Introspection
libgdk-pixbuf2.0-0 - GDK Pixbuf library
libgdk-pixbuf2.0-0-udeb - GDK Pixbuf library - minimal runtime (udeb)
libgdk-pixbuf2.0-dev - GDK Pixbuf library (development files)
libgdk-pixbuf2.0-doc - GDK Pixbuf library (documentation)
Closes: 631524
Changes:
gdk-pixbuf (2.23.3-3.1) unstable; urgency=high
.
* Non-maintainer upload by the Security Team.
* Fix improper check of gif_main_loop() resulting in DoS conditions
on specially crafted GIF images (CVE-2011-2485; Closes: #631524)
Checksums-Sha1:
83615a789d41fdb5688725f04ebec8dad946e5c1 1738 gdk-pixbuf_2.23.3-3.1.dsc
dc6d225d92acbeb446f043ed45739f7b676754d2 9904 gdk-pixbuf_2.23.3-3.1.debian.tar.gz
e8a4b6a01fa17ab3403ccbeb8e73eed998953648 189298 libgdk-pixbuf2.0-doc_2.23.3-3.1_all.deb
f6941dcbae09e7177c709bdcb06b84042e5af015 661190 libgdk-pixbuf2.0-0_2.23.3-3.1_amd64.deb
84f045833f223036fb5fbeefa5bef892c4d256c5 52824 libgdk-pixbuf2.0-dev_2.23.3-3.1_amd64.deb
79b2a8bdcbe236b7444dcd627382fdecba5ba33c 562108 libgdk-pixbuf2.0-0-udeb_2.23.3-3.1_amd64.udeb
63b4ce75c4fb13f3f2539eb46ba4420c378af4b8 13108 gir1.2-gdkpixbuf-2.0_2.23.3-3.1_amd64.deb
Checksums-Sha256:
228d226c0c80905765fcacd3cb786db9b6838147a981d00014674752cebac3e2 1738 gdk-pixbuf_2.23.3-3.1.dsc
9588a4c29534a6aa5d4622e8d3d405bee44b40707bb21beed9dedb83fdd7d114 9904 gdk-pixbuf_2.23.3-3.1.debian.tar.gz
8ed085f8e40d6eba30c2eb3b2a5d2f30753187f867a7cabedf5daf9f74ef2fd8 189298 libgdk-pixbuf2.0-doc_2.23.3-3.1_all.deb
d1089663e31f6b227437e97ad8849cf7fae03ee6b23d6a9ce06f0f747f2d6921 661190 libgdk-pixbuf2.0-0_2.23.3-3.1_amd64.deb
563f41a06d397686130b3b49942878c4bdd51f02907b3ac809d3c7e8c3606dcd 52824 libgdk-pixbuf2.0-dev_2.23.3-3.1_amd64.deb
d9c0ed479a44305a5a88509b59f48dbd450f073d246d2e6cac4e78f8b9ba31f1 562108 libgdk-pixbuf2.0-0-udeb_2.23.3-3.1_amd64.udeb
1c508ef4d0aeb2929cf9a2a108fb42ff3d49242a1ff31a5b56f9bad9830a2215 13108 gir1.2-gdkpixbuf-2.0_2.23.3-3.1_amd64.deb
Files:
b1db96209fbfc6e5edd2a754157a2722 1738 libs optional gdk-pixbuf_2.23.3-3.1.dsc
d5f38e238b3bb5321bf67f576e122d84 9904 libs optional gdk-pixbuf_2.23.3-3.1.debian.tar.gz
0f83e4eb1feae8ba1f27a9af71332e08 189298 doc optional libgdk-pixbuf2.0-doc_2.23.3-3.1_all.deb
5d7ef1c06c9298170505fdec6ccb6aa3 661190 libs optional libgdk-pixbuf2.0-0_2.23.3-3.1_amd64.deb
bcb4150b5c281d32d270004edd8c1cd2 52824 libdevel optional libgdk-pixbuf2.0-dev_2.23.3-3.1_amd64.deb
acb74a9770aa63f479a4c7f425581236 562108 debian-installer extra libgdk-pixbuf2.0-0-udeb_2.23.3-3.1_amd64.udeb
450e4c6dc913a95442425bac180bddc7 13108 libs optional gir1.2-gdkpixbuf-2.0_2.23.3-3.1_amd64.deb
Package-Type: udeb
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAk4KNMIACgkQHYflSXNkfP8m/ACaA7j1TNmZG0LhY1mjfInju8h4
YjgAn04pO3KNKyuZLEAW7NDRSBySnvwH
=Aleb
-----END PGP SIGNATURE-----
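The closing message above carries the signed .changes file for the upload, whose Checksums-Sha256 and Files paragraphs list a hash and size for every artifact. As an added example (not part of this bug log and not Debian's own tooling), the following Python shows how those two paragraphs can be parsed and checked against the files they describe, reporting size and digest mismatches per file. The .changes text and file contents here are constructed, so their hashes are not the ones from the gdk-pixbuf upload; it also assumes the real control-file layout, in which each continuation line is indented by one space (the copy reproduced above has lost that indentation).

```python
import hashlib
import os
import tempfile

# Constructed sample in the layout of a Debian .changes file.  The digests are
# those of the constructed file contents below, not of any real upload.
SAMPLE_CHANGES = """\
Format: 1.8
Source: example-pkg
Checksums-Sha256:
 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03 6 example-pkg_1.0.dsc
 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 0 example-pkg_1.0.tar.gz
Files:
 b1946ac92492d2347c6235b4d2611184 6 libs optional example-pkg_1.0.dsc
 d41d8cd98f00b204e9800998ecf8427e 0 libs optional example-pkg_1.0.tar.gz
"""

# Constructed file contents that the sample .changes describes.
SAMPLE_FILES = {
    "example-pkg_1.0.dsc": b"hello\n",
    "example-pkg_1.0.tar.gz": b"",
}


def parse_changes(text):
    """Parse one control paragraph into {field: (first-line value, [continuation lines])}."""
    fields = {}
    current = None
    for line in text.splitlines():
        if line[:1].isspace():
            # Indented line: continuation of the field that is currently open.
            if current is not None:
                fields[current][1].append(line.strip())
        elif ":" in line:
            name, _, value = line.partition(":")
            current = name.strip()
            fields[current] = (value.strip(), [])
    return fields


def expected_digests(fields):
    """Map filename -> {'sha256': ..., 'md5': ..., 'size': int} from Checksums-Sha256 and Files."""
    expected = {}
    for algo, field in (("sha256", "Checksums-Sha256"), ("md5", "Files")):
        for entry in fields.get(field, ("", []))[1]:
            parts = entry.split()
            # Checksums-*: <hash> <size> <name>; Files: <md5> <size> <section> <priority> <name>
            digest, size, name = parts[0], int(parts[1]), parts[-1]
            record = expected.setdefault(name, {"size": size})
            record[algo] = digest
            if record["size"] != size:
                record["size_conflict"] = True  # the two paragraphs disagree with each other
    return expected


def verify_files(expected, directory):
    """Return {filename: [problems]}; an empty list means the file matched every listed value."""
    results = {}
    for name, rec in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = ["missing"]
            continue
        with open(path, "rb") as f:
            data = f.read()
        problems = []
        if rec.get("size_conflict"):
            problems.append("size conflict between paragraphs")
        if len(data) != rec["size"]:
            problems.append("size mismatch")
        for algo in ("sha256", "md5"):
            listed = rec.get(algo)
            actual = getattr(hashlib, algo)(data).hexdigest()
            if listed is None:
                problems.append(f"no {algo} listed")  # an md5-only entry is not sufficient
            elif listed != actual:
                problems.append(f"{algo} mismatch")
        results[name] = problems
    return results


def demo(tamper=False):
    """Write the constructed files to a temp dir, optionally alter one, and verify them."""
    with tempfile.TemporaryDirectory() as d:
        for name, data in SAMPLE_FILES.items():
            if tamper and name.endswith(".dsc"):
                data = b"hullo\n"  # same length, different content: only the digests catch it
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        return verify_files(expected_digests(parse_changes(SAMPLE_CHANGES)), d)


if __name__ == "__main__":
    print(demo())
    print(demo(tamper=True))
```

The size check alone would pass the altered .dsc in the tampered run, which is why both digest paragraphs are compared and an entry that appears only in Files (md5) is flagged rather than accepted.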
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#631524; Package gdk-pixbuf. (Tue, 28 Jun 2011 23:54:05 GMT)
Acknowledgement sent to Josselin Mouette <joss@debian.org>: Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Tue, 28 Jun 2011 23:54:05 GMT)
Message #15 received at 631524@bugs.debian.org:
On Friday 24 June 2011 at 12:53 -0300, Luciano Bello wrote:
> Package: gdk-pixbuf
> Severity: important
> Tags: security patch
>
> Hi,
> The Red Hat Security Response Team reported[1] a bug in gdk-pixbuf.
> Patch is provided too[2].
> The CVE (Common Vulnerabilities & Exposures) assigned is CVE-2011-2485.
> If you fix the vulnerability please also make sure to include the CVE id in your
> changelog entry.
The gtk+2.0 package in lenny and squeeze is affected as well.
Could you please update the security tracker?
(As for the bug, I’m not sure whether it should be cloned or reopened.)
--
.''`. Josselin Mouette
: :' :
`. `'
`-
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#631524; Package gdk-pixbuf. (Wed, 29 Jun 2011 18:21:05 GMT)
Acknowledgement sent to Giuseppe Iuculano <iuculano@debian.org>: Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Wed, 29 Jun 2011 18:21:05 GMT)
Message #20 received at 631524@bugs.debian.org:
On 06/29/2011 01:50 AM, Josselin Mouette wrote:
> Could you please update the security tracker?
Updated, thanks.
Cheers,
Giuseppe.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 05 Sep 2011 07:35:15 GMT)
Bug unarchived. Request was from jmw@debian.org to control@bugs.debian.org. (Sun, 08 Jul 2012 17:18:07 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>: Bug#631524; Package gdk-pixbuf. (Mon, 09 Jul 2012 07:27:22 GMT)
Acknowledgement sent to Jonathan Wiltshire <jmw@debian.org>: Extra info received and forwarded to list. Copy sent to Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Mon, 09 Jul 2012 07:27:22 GMT)
Message #29 received at 631524@bugs.debian.org:
Dear maintainer,
Recently you fixed one or more security problems and as a result you closed
this bug. These problems were not serious enough for a Debian Security
Advisory, so they are now on my radar for fixing in the following suites
through point releases:
squeeze (6.0.6) - use target "stable"
Please prepare a minimal-changes upload targeting each of these suites,
and submit a debdiff to the Release Team [0] for consideration. They will
offer additional guidance or instruct you to upload your package.
I will happily assist you at any stage if the patch is straightforward and
you need help. Please keep me in CC at all times so I can
track [1] the progress of this request.
For details of this process and the rationale, please see the original
announcement [2] and my blog post [3].
0: debian-release@lists.debian.org
1: http://prsc.debian.net/tracker/631524/
2: <201101232332.11736.thijs@debian.org>
3: http://deb.li/prsc
Thanks,
with his security hat on:
--
Jonathan Wiltshire jmw@debian.org
Debian Developer http://people.debian.org/~jmw
4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC 74C3 5394 479D D352 4C51
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 07 Aug 2012 07:28:53 GMT)
Last modified: Wed Jun 19 13:42:12 2019; Machine Name: buxtehude