
Re: [SECURITY] [DLA 1234-1] gdk-pixbuf security update



On 08/01/18 20:22, Pascal Hambourg wrote:
> Hello,
> 
> On 08/01/2018 at 15:55, Chris Lamb wrote:
>>
>> Package        : gdk-pixbuf
>> Version        : 2.26.1-1+deb7u7
>> CVE ID         : CVE-2017-1000422
>>
>> It was discovered that there were several integer overflows in
>> gdk-pixbuf, a library to manipulate images for the GTK graphics toolkit.
>> This could have led to memory corruption and potential code execution.
>>
>> For Debian 7 "Wheezy", this issue has been fixed in gdk-pixbuf version
>> 2.26.1-1+deb7u7.
> 
> The following message was printed while upgrading on i386 :
> 
> Paramétrage de libgdk-pixbuf2.0-common (2.26.1-1+deb7u7) ...
> Paramétrage de libgdk-pixbuf2.0-0:i386 (2.26.1-1+deb7u7) ...
> g_module_open() failed for
> /usr/lib/i386-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so:
> /usr/lib/i386-linux-gnu/gdk-pixbuf-2.0/2.10.0/loaders/libpixbufloader-gif.so:
> undefined symbol: g_uint64_checked_mul
> 
> ("Paramétrage" means "Setup")
> 
> dpkg -s libgdk-pixbuf2.0-0 prints "Status: install ok installed".
> 
> Is it harmless or should I worry?

g_uint64_checked_mul was introduced in glib 2.48, but wheezy has 2.32. Since
this is used in a plugin, the build didn't fail, as gdk-pixbuf allows for
undefined symbols on plugins at build time. This means the gif loader is
currently broken. The patch should be updated to do a manual overflow check.

Cheers,
Emilio
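What the "manual overflow check" Emilio asks for can look like when the target GLib predates g_uint64_checked_mul() (GLib 2.48). This is an added example, not code from this thread or from the gdk-pixbuf patch; the frame-size arithmetic, the function names and the sample dimensions are assumptions made for illustration. The size_t check at the end is there because the report came from i386, where a product that fits in 64 bits can still exceed what malloc() can be asked for.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Portable stand-in for g_uint64_checked_mul(), which only exists in
 * GLib >= 2.48.  Returns true and stores a*b in *dest when the product
 * fits in 64 bits; returns false and leaves *dest untouched otherwise.
 * The division form needs no compiler builtin, so it works with the
 * toolchain and GLib shipped in wheezy. */
static bool
checked_mul_u64 (uint64_t a, uint64_t b, uint64_t *dest)
{
  if (a != 0 && b > UINT64_MAX / a)
    return false;
  *dest = a * b;
  return true;
}

/* Convenience predicate so callers (and tests) can ask "would this
 * multiplication wrap?" without caring about the product. */
static bool
mul_u64_overflows (uint64_t a, uint64_t b)
{
  uint64_t unused;
  return !checked_mul_u64 (a, b, &unused);
}

/* Hypothetical frame-buffer sizing of the kind an image loader does:
 * width * bytes_per_pixel * height.  Each step is checked so that a
 * hostile header cannot wrap the size to a small value and cause an
 * undersized allocation.  Returns 0 on overflow, or when the result
 * would not fit in size_t (relevant on 32-bit i386), so the caller
 * can refuse the image instead of calling malloc(). */
static uint64_t
frame_size_bytes (uint64_t width, uint64_t height, uint64_t bytes_per_pixel)
{
  uint64_t row_bytes, total;

  if (!checked_mul_u64 (width, bytes_per_pixel, &row_bytes))
    return 0;
  if (!checked_mul_u64 (row_bytes, height, &total))
    return 0;
  if (total > (uint64_t) SIZE_MAX)
    return 0;
  return total;
}

int
main (void)
{
  /* Constructed inputs: a normal frame and a header claiming
   * 2^33 x 2^33 pixels, whose byte count wraps 64-bit arithmetic. */
  uint64_t ok  = frame_size_bytes (640, 480, 4);
  uint64_t bad = frame_size_bytes (UINT64_C (1) << 33, UINT64_C (1) << 33, 4);

  printf ("640x480x4  -> %llu bytes\n", (unsigned long long) ok);
  printf ("2^33x2^33x4 -> %llu (0 means rejected)\n", (unsigned long long) bad);
  return bad == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```

The quick way to confirm the problem Pascal hit, before a rebuilt package is uploaded, is to compare the output of `nm -D --undefined-only` on the loader .so against the symbols `objdump -T` lists for the installed libglib-2.0.so.0: any undefined symbol that is absent from GLib will make g_module_open() fail at runtime while dpkg still reports the package as installed.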

