
Bug#818615: jessie-pu: package gtk+2.0



Package: release.debian.org
Severity: normal

Hi,
I'd like to fix a security issue in GTK, which doesn't really warrant
a DSA. Debdiff below, I've been running this on my jessie
workstation for a day now.

Cheers,
        Moritz

diff -Nru gtk+2.0-2.24.25/debian/changelog gtk+2.0-2.24.25/debian/changelog
--- gtk+2.0-2.24.25/debian/changelog	2015-03-03 19:39:59.000000000 +0100
+++ gtk+2.0-2.24.25/debian/changelog	2016-03-17 23:20:16.000000000 +0100
@@ -1,3 +1,9 @@
+gtk+2.0 (2.24.25-3+deb8u1) jessie; urgency=medium
+
+  * CVE-2013-7447 (Closes: #799275)
+
+ -- Moritz M�off <jmm@debian.org>  Thu, 17 Mar 2016 00:17:18 +0100
+
 gtk+2.0 (2.24.25-3) unstable; urgency=medium
 
   * 0002-gdk-Fix-GdkWindowFilter-internal-refcounting.patch
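Review bot: The new changelog entry gives only "CVE-2013-7447 (Closes: #799275)" and says neither which patch was added nor what it changes, whereas the entry below it names its patch file. Suggest wording along the lines of "Add 099_CVE-2013-7447.patch: use g_malloc_n in gdk_cairo_set_source_pixbuf to avoid an integer overflow (CVE-2013-7447)", so the stable changelog can be read without opening the debdiff.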
diff -Nru gtk+2.0-2.24.25/debian/patches/099_CVE-2013-7447.patch gtk+2.0-2.24.25/debian/patches/099_CVE-2013-7447.patch
--- gtk+2.0-2.24.25/debian/patches/099_CVE-2013-7447.patch	1970-01-01 01:00:00.000000000 +0100
+++ gtk+2.0-2.24.25/debian/patches/099_CVE-2013-7447.patch	2016-03-17 23:15:42.000000000 +0100
@@ -0,0 +1,30 @@
+From 894b1ae76a32720f4bb3d39cf460402e3ce331d6 Mon Sep 17 00:00:00 2001
+From: Matthias Clasen <mclasen@redhat.com>
+Date: Sat, 29 Jun 2013 22:06:54 -0400
+Subject: Avoid integer overflow
+
+Use g_malloc_n in gdk_cairo_set_source_pixbuf when allocating
+a large block of memory, to avoid integer overflow.
+
+Pointed out by Bert Massop in
+https://bugzilla.gnome.org/show_bug.cgi?id=703220
+---
+ gdk/gdkcairo.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/gdk/gdkcairo.c b/gdk/gdkcairo.c
+index 19bed04..2e1d8dc 100644
+--- a/gdk/gdkcairo.c
++++ b/gdk/gdkcairo.c
+@@ -213,7 +213,7 @@ gdk_cairo_set_source_pixbuf (cairo_t         *cr,
+     format = CAIRO_FORMAT_ARGB32;
+ 
+   cairo_stride = cairo_format_stride_for_width (format, width);
+-  cairo_pixels = g_malloc (height * cairo_stride);
++  cairo_pixels = g_malloc_n (height, cairo_stride);
+   surface = cairo_image_surface_create_for_data ((unsigned char *)cairo_pixels,
+                                                  format,
+                                                  width, height, cairo_stride);
+-- 
+cgit v0.12
+
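Review bot: In the gdk/gdkcairo.c hunk, the value from cairo_format_stride_for_width (format, width) goes straight into g_malloc_n (height, cairo_stride) with no check visible in these lines. g_malloc_n guards only the multiplication itself, so it is worth confirming in the full function that width, height and the returned stride are validated as positive before this point. Separately, the patch header keeps the upstream From/Date/Subject and the trailing "cgit v0.12" line but carries no reference to the CVE or to Debian bug #799275; a short Origin/Bug-Debian header would make the provenance clear to whoever next touches debian/patches.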
diff -Nru gtk+2.0-2.24.25/debian/patches/series gtk+2.0-2.24.25/debian/patches/series
--- gtk+2.0-2.24.25/debian/patches/series	2015-03-03 19:36:04.000000000 +0100
+++ gtk+2.0-2.24.25/debian/patches/series	2016-03-17 23:17:03.000000000 +0100
@@ -14,3 +14,4 @@
 061_use_pdf_as_default_printing_standard.patch
 065_gir_set_packages.patch
 098_multiarch_module_path.patch
+099_CVE-2013-7447.patch

