Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

gdk-pixbuf: CVE-2017-2862: JPEG gdk_pixbuf__jpeg_image_load_increment Code Execution Vulnerability

Related Vulnerabilities: CVE-2017-2862   cve-2015-4491  

Source

Debian Bug report logs - #874552
gdk-pixbuf: CVE-2017-2862: JPEG gdk_pixbuf__jpeg_image_load_increment Code Execution Vulnerability

version graph

Package: src:gdk-pixbuf; Maintainer for src:gdk-pixbuf is Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>;

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Thu, 7 Sep 2017 09:15:02 UTC

Severity: grave

Tags: fixed-upstream, patch, security, upstream

Found in version gdk-pixbuf/2.36.5-1

Fixed in versions gdk-pixbuf/2.36.5-2+deb9u1, gdk-pixbuf/2.36.10-1, gdk-pixbuf/2.31.1-2+deb8u6

Done: Moritz Muehlenhoff <jmm@hullmann>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.gnome.org/show_bug.cgi?id=784866

Toggle useless messages

View this report as an mbox folder, status mbox, maintainer mbox

Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>:
Bug#874552; Package src:gdk-pixbuf. (Thu, 07 Sep 2017 09:15:04 GMT) (full text, mbox, link).

Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>. (Thu, 07 Sep 2017 09:15:04 GMT) (full text, mbox, link).

Message #5 received at submit@bugs.debian.org (full text, mbox, reply):

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: gdk-pixbuf: CVE-2017-2862: JPEG gdk_pixbuf__jpeg_image_load_increment Code Execution Vulnerability
Date: Thu, 07 Sep 2017 11:12:05 +0200
Source: gdk-pixbuf
Version: 2.36.5-1
Severity: grave
Tags: upstream patch security
Forwarded: https://bugzilla.gnome.org/show_bug.cgi?id=784866

Hi,

the following vulnerability was published for gdk-pixbuf.

CVE-2017-2862[0]:
| An exploitable heap overflow vulnerability exists in the
| gdk_pixbuf__jpeg_image_load_increment functionality of Gdk-Pixbuf
| 2.36.6. A specially crafted jpeg file can cause a heap overflow
| resulting in remote code execution. An attacker can send a file or url
| to trigger this vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2017-2862
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-2862
[1] https://bugzilla.gnome.org/show_bug.cgi?id=784866

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

Added tag(s) fixed-upstream. Request was from bts-link-upstream@lists.alioth.debian.org to control@bugs.debian.org. (Mon, 11 Sep 2017 17:33:32 GMT) (full text, mbox, link).

Marked as fixed in versions gdk-pixbuf/2.36.5-2+deb9u1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 15 Sep 2017 09:03:04 GMT) (full text, mbox, link).

Added tag(s) pending. Request was from Emilio Pozuelo Monfort <pochu@debian.org> to control@bugs.debian.org. (Tue, 19 Sep 2017 21:39:04 GMT) (full text, mbox, link).

Reply sent to Emilio Pozuelo Monfort <pochu@debian.org>:
You have taken responsibility. (Tue, 19 Sep 2017 22:09:07 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Tue, 19 Sep 2017 22:09:07 GMT) (full text, mbox, link).

Message #16 received at 874552-close@bugs.debian.org (full text, mbox, reply):

From: Emilio Pozuelo Monfort <pochu@debian.org>
To: 874552-close@bugs.debian.org
Subject: Bug#874552: fixed in gdk-pixbuf 2.36.10-1
Date: Tue, 19 Sep 2017 22:05:02 +0000
Source: gdk-pixbuf
Source-Version: 2.36.10-1

We believe that the bug you reported is fixed in the latest version of
gdk-pixbuf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874552@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Emilio Pozuelo Monfort <pochu@debian.org> (supplier of updated gdk-pixbuf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Tue, 19 Sep 2017 23:39:30 +0200
Source: gdk-pixbuf
Binary: libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-bin libgdk-pixbuf2.0-common libgdk-pixbuf2.0-dev libgdk-pixbuf2.0-doc libgdk-pixbuf2.0-0-udeb gir1.2-gdkpixbuf-2.0
Architecture: source
Version: 2.36.10-1
Distribution: unstable
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Emilio Pozuelo Monfort <pochu@debian.org>
Description:
 gir1.2-gdkpixbuf-2.0 - GDK Pixbuf library - GObject-Introspection
 libgdk-pixbuf2.0-0 - GDK Pixbuf library
 libgdk-pixbuf2.0-0-udeb - GDK Pixbuf library - minimal runtime (udeb)
 libgdk-pixbuf2.0-bin - GDK Pixbuf library (thumbnailer)
 libgdk-pixbuf2.0-common - GDK Pixbuf library - data files
 libgdk-pixbuf2.0-dev - GDK Pixbuf library (development files)
 libgdk-pixbuf2.0-doc - GDK Pixbuf library (documentation)
Closes: 874552 875704
Changes:
 gdk-pixbuf (2.36.10-1) unstable; urgency=medium
 .
   [ Jeremy Bicha ]
   * New upstream release 2.36.9.
   * Drop obsolete 0001-skip-perturb-for-cve-2015-4491-original-test.patch
   * debian/libgdk-pixbuf2.0-0.symbols: Add new symbol
 .
   [ Emilio Pozuelo Monfort ]
   * New upstream release 2.36.10.
     - CVE-2017-2862: fix code execution vulnerability in jpeg loader.
       Closes: #874552.
   * Switch to copyright format 1.0.
   * copyright: exclude non-free test ref images.
   * rules: drop obsolete dh_strip --dbgsym-migration switch.
   * postinst: make loaders.cache reproducible. Thanks Chris Lamb for the
     patch. Closes: #875704.
Checksums-Sha1:
 9b2275f6d86b4fc9a32b48b477ef161645a618d7 2925 gdk-pixbuf_2.36.10-1.dsc
 1d0a8e77214d59645473535f5efb2d7837d05750 5497116 gdk-pixbuf_2.36.10.orig.tar.xz
 4e866228368033ab943bf0df9574dc5c99a15610 13468 gdk-pixbuf_2.36.10-1.debian.tar.xz
 7b568a4b5b52c4fb71b9fb52733aa57d9fbcd987 7811 gdk-pixbuf_2.36.10-1_source.buildinfo
Checksums-Sha256:
 ef75ef876dc753c3454f6634a452385dd60404b8e3d4076a11cf60d51345245d 2925 gdk-pixbuf_2.36.10-1.dsc
 9226eee3be46811d25e3f2d9a1267ad6d8e78d9af95d8bc68d6556e92f3f0aaf 5497116 gdk-pixbuf_2.36.10.orig.tar.xz
 c2c77ec156d79af102d57d1cadbafac5d36dec9445fd7e1705f3d50884d51ebf 13468 gdk-pixbuf_2.36.10-1.debian.tar.xz
 1ebdad2d2c77b861badbbf702f3a574d016c646ab70e8de30ad0d15fc5e7cf6a 7811 gdk-pixbuf_2.36.10-1_source.buildinfo
Files:
 b20fb3c4d3b59b03e20ea3d22938de1d 2925 libs optional gdk-pixbuf_2.36.10-1.dsc
 db7251a0f639617b94de1a0616908e6a 5497116 libs optional gdk-pixbuf_2.36.10.orig.tar.xz
 62da12266104f6e39b4cbe3fcee9ad50 13468 libs optional gdk-pixbuf_2.36.10-1.debian.tar.xz
 11427115aface882ab2d93fda732568c 7811 libs optional gdk-pixbuf_2.36.10-1_source.buildinfo

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEcJymx+vmJZxd92Q+nUbEiOQ2gwIFAlnBjrAACgkQnUbEiOQ2
gwIalhAAtGgKq0bwpFQNRSBhWb3CaWLl2EmPjjCiEZ+BAGwIkcJaToavIXaC+bTs
RfydRQY7jBDwZQxDRM4Jh+d8shO0Kxot+soRFvpr+g017vgoZpg7spQnBL2QuxLr
4snIhjtlx/BKe48OkRt0w5wU2MPQ4RaS1hjCyAyv5PpNUps1cmOkjs7uuuyx6uoF
uEEvvmmwvUSQfCUMm7fklwVS1ZBxFFTPNvOtupiaAX1eO0Nt9PFS3mDa8YV/qPXd
6n3VLt+0vRTZ217FC+Cd//74TaJQGZ66YBWVjXD1FW8M9GQ/le3Tc2VHxEc/bJBL
N8ebXVE7OQM7Rq1ON14otIOJzUNZRcqisumFZsns8EFtZe/9z2HyRYtT8BpZLxZK
lvOgxVpp8CJxt5cSnJEwzVKeNtKZvcireE54lWgEijAZDqqZQruRMashPD52PkWQ
kY9XXpHYqxupQ7htBC3nhzCrPZYhCDj+RZ07Hz/b912GJTDhnm7rBVesmbJ5Cejq
h47iZEOdPNDw4Paki3pWj5Ddfq1hz4zznY70cx6av63RbxyM7VGb0R1pfSCMKaVd
dBI7fZbowzE22rpB2pVN2Xxv7qIZKcHRwtSnM5Q+VLC5hrHV9TcdXR5pE5xTNbnr
svPp8jSrqZEdDhIPche7FBTNdoanbHP+8B8ud3VP+AUCWjg4X9c=
=J95R
-----END PGP SIGNATURE-----

Reply sent to Moritz Muehlenhoff <jmm@hullmann>:
You have taken responsibility. (Sat, 23 Sep 2017 11:36:04 GMT) (full text, mbox, link).

Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sat, 23 Sep 2017 11:36:04 GMT) (full text, mbox, link).

Message #21 received at 874552-close@bugs.debian.org (full text, mbox, reply):

From: Moritz Muehlenhoff <jmm@hullmann>
To: 874552-close@bugs.debian.org
Subject: Bug#874552: fixed in gdk-pixbuf 2.31.1-2+deb8u6
Date: Sat, 23 Sep 2017 11:33:15 +0000
Source: gdk-pixbuf
Source-Version: 2.31.1-2+deb8u6

We believe that the bug you reported is fixed in the latest version of
gdk-pixbuf, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 874552@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Moritz Muehlenhoff <jmm@hullmann> (supplier of updated gdk-pixbuf package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Fri, 15 Sep 2017 18:57:50 +0200
Source: gdk-pixbuf
Binary: libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-0-dbg libgdk-pixbuf2.0-common libgdk-pixbuf2.0-dev libgdk-pixbuf2.0-doc libgdk-pixbuf2.0-0-udeb gir1.2-gdkpixbuf-2.0
Architecture: source all amd64
Version: 2.31.1-2+deb8u6
Distribution: jessie-security
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintainers@lists.alioth.debian.org>
Changed-By: Moritz Muehlenhoff <jmm@hullmann>
Description:
 gir1.2-gdkpixbuf-2.0 - GDK Pixbuf library - GObject-Introspection
 libgdk-pixbuf2.0-0 - GDK Pixbuf library
 libgdk-pixbuf2.0-0-dbg - GDK Pixbuf library - debug symbols
 libgdk-pixbuf2.0-0-udeb - GDK Pixbuf library - minimal runtime (udeb)
 libgdk-pixbuf2.0-common - GDK Pixbuf library - data files
 libgdk-pixbuf2.0-dev - GDK Pixbuf library (development files)
 libgdk-pixbuf2.0-doc - GDK Pixbuf library (documentation)
Closes: 874552
Changes:
 gdk-pixbuf (2.31.1-2+deb8u6) jessie-security; urgency=medium
 .
   * CVE-2017-2862 (Closes: #874552)
Checksums-Sha1:
 c01dc1fe82c84a4a247f2d87ad2d6544c099458d 2916 gdk-pixbuf_2.31.1-2+deb8u6.dsc
 dfdaaff0189d90a1f70888887ce7283d45a9c5ad 18820 gdk-pixbuf_2.31.1-2+deb8u6.debian.tar.xz
 46effa1866f7c184e4032e60da49a0844bc6ec4d 294066 libgdk-pixbuf2.0-common_2.31.1-2+deb8u6_all.deb
 89775fed366e24c561ef26e4bdc1f541678f409d 177558 libgdk-pixbuf2.0-doc_2.31.1-2+deb8u6_all.deb
 e73c617f87f74785647776b2804ccdb9bd2e827a 167134 libgdk-pixbuf2.0-0_2.31.1-2+deb8u6_amd64.deb
 9637269fe9185858c8ac4cb8747f698f1ecd0fe4 431734 libgdk-pixbuf2.0-0-dbg_2.31.1-2+deb8u6_amd64.deb
 9360699e2940daa172cbeccfdc5df5e9fd6ce457 52824 libgdk-pixbuf2.0-dev_2.31.1-2+deb8u6_amd64.deb
 dd6c405482c9f0798f50a99fa2d96064828de380 372618 libgdk-pixbuf2.0-0-udeb_2.31.1-2+deb8u6_amd64.udeb
 2d717dc6f65fd3d134c8f5c48e810a7e4da0a332 16902 gir1.2-gdkpixbuf-2.0_2.31.1-2+deb8u6_amd64.deb
Checksums-Sha256:
 8847edd7110cbdb23a98285176f8f2954746197f4d84476455b8e3353661ccf4 2916 gdk-pixbuf_2.31.1-2+deb8u6.dsc
 08b58c4ba182eba172ce086f92cdb974844c1a09c759c1f2c73dca78313b746a 18820 gdk-pixbuf_2.31.1-2+deb8u6.debian.tar.xz
 7288698ee5d88501aada98736822f440672f23549fbbacca1c04ba66dac4b286 294066 libgdk-pixbuf2.0-common_2.31.1-2+deb8u6_all.deb
 90057dcab131ac42e55a8c54dec07f533f00892a62fbb4fa42138a7e60115af1 177558 libgdk-pixbuf2.0-doc_2.31.1-2+deb8u6_all.deb
 a75cbe337cb96fddd51d124344abf562d71572d9e38c8577a6011ee58d028701 167134 libgdk-pixbuf2.0-0_2.31.1-2+deb8u6_amd64.deb
 9f0b54a817e3ec2b837a199254e5b63d45f9b65f312ee74cfb4604a390c9d3de 431734 libgdk-pixbuf2.0-0-dbg_2.31.1-2+deb8u6_amd64.deb
 07a96374ac8d76314a19e390e2eb3d0da79c0ca8990c2c9e2cd038ee95715181 52824 libgdk-pixbuf2.0-dev_2.31.1-2+deb8u6_amd64.deb
 706d7aa27030a20af0be8c887a3a5a457588bed818557f503913a602b3df73c4 372618 libgdk-pixbuf2.0-0-udeb_2.31.1-2+deb8u6_amd64.udeb
 9a752121d78b6d56e76689983acb5131a2fd61c165bc1e6b470db1d912c2fc9a 16902 gir1.2-gdkpixbuf-2.0_2.31.1-2+deb8u6_amd64.deb
Files:
 3b34b0bffa8c1e0bfd53d1b04472df62 2916 libs optional gdk-pixbuf_2.31.1-2+deb8u6.dsc
 843a1c9345c88089f8682cb666fa81e3 18820 libs optional gdk-pixbuf_2.31.1-2+deb8u6.debian.tar.xz
 f01aad0e21f495c22253c4e79221cfe8 294066 libs optional libgdk-pixbuf2.0-common_2.31.1-2+deb8u6_all.deb
 8a6d43187b3e79241ec54e448b15738f 177558 doc optional libgdk-pixbuf2.0-doc_2.31.1-2+deb8u6_all.deb
 e88905fc36186f57337583e51df2af1d 167134 libs optional libgdk-pixbuf2.0-0_2.31.1-2+deb8u6_amd64.deb
 6187b472c113d1836c2360d79f88d426 431734 debug extra libgdk-pixbuf2.0-0-dbg_2.31.1-2+deb8u6_amd64.deb
 1da78b5905ece0620a85f83db04417c3 52824 libdevel optional libgdk-pixbuf2.0-dev_2.31.1-2+deb8u6_amd64.deb
 b4a00e6e4e27f37cd7b99b13b747d2b5 372618 debian-installer extra libgdk-pixbuf2.0-0-udeb_2.31.1-2+deb8u6_amd64.udeb
 14fa63b0f50c0a0353a19ba3ae376b76 16902 introspection optional gir1.2-gdkpixbuf-2.0_2.31.1-2+deb8u6_amd64.deb

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCAAdFiEEtuYvPRKsOElcDakFEMKTtsN8TjYFAlm8CRoACgkQEMKTtsN8
TjZALw/+KVZ+7UsgCl9K8mWsR5/K1eaBV3sANIryqpRi+wznBPSLP0LXqR9oMyZ7
QaoQx6kZZX0EVJ9XIsrvG98SrO0PsK1M/aJZrE5kP8O/RXAPuDg4T0PV6iLGasR7
KZR4q8n3Xh4DeeZnsJLRORYnARlcWN0GdbG27CACsBnrMjc9gyw/eTLMxHvXl+oG
IzUXamI6CTvkTJk8G3c7Sy+5y427xJsLWyGPBaXr51ga1G+wHYf8px34lNHhQP4r
EMT8P8/rm+tPkh4SV2miiAejNSB7Six/3V2y89kv6b+vNrNSnEdqkJOMBcuZHkIN
yLjPggOu/gi4XWYsWNmc1n78G3aiHN4/hdiRPqoklx3LvnxoubVaTxgo2keDeJmh
5gUhHRHMyu7PNxJ42sQxAnwY0YzWvr60Zq5UsWxb1gSL3nEIS9SziyLPCq1YyrgB
QgF4YhPCH3Y3buT7irgrYGbXfUfGFvtgZFpFgFe7SdjnRaLSoDKRY28ugFLfcKt3
tAJxgPKH1Bz8UW9Lo72Srm5Dii+kP7bp4fxbTBydKWRzeu6WL4TA3/QONQoGrnE9
rdkE26UvObLEJZIMsCHThcTH0gdXW0QnTU8o2scf2M1snEACnXKidy2g7PQs5xRz
1S1K4wAhpnnuNdbIlDV1HUUWj4EKUiBkPkS/Kt+yTw/A+q/Wtbs=
=6RM6
-----END PGP SIGNATURE-----

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sun, 05 Nov 2017 07:32:15 GMT) (full text, mbox, link).

Send a report that this bug log contains spam.

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 13:19:16 2019; Machine Name: beach

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started