Bug 152684

Summary: gdk-pixbuf: a carefully-crafted BMP file, which would cause Evolution to crash.
Product: [Retired] Fedora Legacy
Reporter: David Lawrence <dkl>
Component: Package request
Assignee: Fedora Legacy Bugs <bugs>
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: medium
Version: unspecified
CC: botsch, cra, michal
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://developer.gnome.org/arch/imaging/gdkpixbuf.html
Whiteboard: LEGACY, QA, rh73
Doc Type: Bug Fix

Description David Lawrence 2005-03-30 23:23:54 UTC
Thomas Kristensen discovered a bitmap file that would cause the Evolution
mail reader to crash. This issue was caused by a flaw that affects
versions of the gdk-pixbuf package prior to 0.20. To exploit this flaw, a
remote attacker could send (via email) a carefully-crafted BMP file, which
would cause Evolution to crash. The Common Vulnerabilities
and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0111
to this issue.


http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0111
https://rhn.redhat.com/errata/RHSA-2004-102.html



------- Additional Comments From michal 2004-03-11 15:55:26 ----

Created an attachment (id=576)
a patch to fix the issue for RH73

This is a patch to fix the issue for gdk-pixbuf-0.14.0 as used in RH7.3.
I redid rpms and I am running with new binaries right now.



------- Additional Comments From skvidal.edu 2004-04-30 20:08:28 ----

Did you write the patch yourself or was it derived from multiple locations? Do
you have a test bmp to check the problem?
Could you attach it?




------- Additional Comments From michal 2004-04-30 20:37:16 ----

The patch from comment #1 is a direct adaptation to gdk-pixbuf-0.14.0
of the following two

gdk-pixbuf-0.22.0-bmp-colormap.patch
gdk-pixbuf-0.22.0-ico-width.patch

from gdk-pixbuf-0.22.0-6.1.0.src.rpm update to RH9.  Actually in an rpm
I build myself these were two separate patches as well.

No, I do not have a test bmp file but if you will look at the code and
how it was patched the problem is quite clear (indices to 'buff' used
in 'Colormap' calculations may be out of range if you are not careful).
The other one is a typo in io-ico.c; most likely "cut-and-paste".



------- Additional Comments From skvidal.edu 2004-04-30 20:49:47 ----

ok, thanks - I read through the patch and compared it to cvs diffs from
gdk-pixbuf cvs, in addition to checking versus the debian stable patch to this
problem. The solutions are a little different but in general all doing the same
thing. Just a bounds check on the colormap.

I'll build packages for rhl 7.3 from this patch. Thanks.
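
The kind of check the two comments above describe (confirming that every index into the file buffer is in range before a colormap is built from it), as an added example that is not part of this bug report and is not the gdk-pixbuf patch. The function names, error codes and sample palette are constructed for illustration, and the example goes one step further than the thread by also checking pixel indices against the palette size.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
/* Added illustration: hypothetical names, not gdk-pixbuf's own code. */
enum { BMP_OK = 0, BMP_ERR_DEPTH = -1, BMP_ERR_TRUNCATED = -2, BMP_ERR_INDEX = -3 };

/* Constructed sample: a 2-entry palette in BMP's B,G,R,reserved order. */
static const uint8_t SAMPLE[8] = { 255, 0, 0, 0,   0, 0, 255, 0 };

/* Copy the palette found at buf+off into cmap without reading past len. */
static int load_colormap(const uint8_t *buf, size_t len, size_t off, unsigned depth,
                         uint32_t ncolors, uint8_t cmap[256][3], uint32_t *n_out)
{
    if (depth != 1 && depth != 4 && depth != 8)
        return BMP_ERR_DEPTH;             /* this sketch handles palettised depths only */
    uint32_t max = 1u << depth;
    if (ncolors == 0) ncolors = max;      /* 0 in the header means "full palette" */
    if (ncolors > max) return BMP_ERR_DEPTH;
    /* Bounds check: all 4*ncolors bytes must lie inside buf (division avoids overflow). */
    if (off > len || (len - off) / 4 < ncolors)
        return BMP_ERR_TRUNCATED;
    for (uint32_t i = 0; i < ncolors; i++) {
        const uint8_t *e = buf + off + 4 * (size_t)i;
        cmap[i][0] = e[2]; cmap[i][1] = e[1]; cmap[i][2] = e[0];   /* store as R,G,B */
    }
    *n_out = ncolors;
    return BMP_OK;
}

/* Expand one row of 8-bit pixel indices to RGB; reject indices beyond the palette. */
static int expand_row8(const uint8_t *row, size_t width, uint8_t cmap[256][3],
                       uint32_t ncolors, uint8_t *rgb)
{
    for (size_t x = 0; x < width; x++) {
        if (row[x] >= ncolors) return BMP_ERR_INDEX;
        for (int c = 0; c < 3; c++)
            rgb[3 * x + c] = cmap[row[x]][c];
    }
    return BMP_OK;
}

int main(void)
{
    uint8_t cmap[256][3], rgb[6], row[2] = { 1, 0 }; uint32_t n = 0;
    int rc = load_colormap(SAMPLE, sizeof SAMPLE, 0, 1, 0, cmap, &n);
    printf("palette=%d row=%d\n", rc, expand_row8(row, 2, cmap, n, rgb));
    printf("truncated=%d\n", load_colormap(SAMPLE, sizeof SAMPLE, 0, 8, 0, cmap, &n));
    return 0;
}
```
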




------- Additional Comments From skvidal.edu 2004-04-30 20:58:14 ----

gdk-pixbuf packages built on rhl7.3
2012f5913623ef172537eeef0edcbc66  gdk-pixbuf-0.14.0-9.legacy.i386.rpm
db4501b1295adc9cd90b71e79dd2b732  gdk-pixbuf-0.14.0-9.legacy.src.rpm
fa4b123dc1f12043ffab3fd69531720f  gdk-pixbuf-devel-0.14.0-9.legacy.i386.rpm
0d5ccac11136e816a2023d3f0fa03135  gdk-pixbuf-gnome-0.14.0-9.legacy.i386.rpm

http://linux.duke.edu/~skvidal/RPMS/legacy/gdk-pixbuf/
QA NEEDED




------- Additional Comments From jkeating 2004-05-18 18:23:37 ----

This patch needs to be backported to the 7.2 version of gdk-pixbuf, and forward
ported to the 8.0 version.

7.2:  gdk-pixbuf-0.14.0-0.7.2.src.rpm

8.0:  gdk-pixbuf-0.18.0-4.src.rpm

I will try to get to this when possible, but anybody else is very welcome to try.



------- Additional Comments From marcdeslauriers 2004-05-27 16:08:01 ----

Here are packages for 8.0:

a0110da39212cdcda8cd6fec51a2ea65ac6d004d  gdk-pixbuf-0.18.0-5.legacy.i386.rpm
f7a46cdec209f0bc448977824fc787916309dc80  gdk-pixbuf-0.18.0-5.legacy.src.rpm
ffd82f667e3b3cb2249509849c543d365ba2a1cc  gdk-pixbuf-devel-0.18.0-5.legacy.i386.rpm
dbbbaf0921a80b9504061d6d00ad1c5284a299e7  gdk-pixbuf-gnome-0.18.0-5.legacy.i386.rpm

http://www.infostrategique.com/linuxrpms/legacy/8.0/gdk-pixbuf-0.18.0-5.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/8.0/gdk-pixbuf-0.18.0-5.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/8.0/gdk-pixbuf-devel-0.18.0-5.legacy.i386.rpm
http://www.infostrategique.com/linuxrpms/legacy/8.0/gdk-pixbuf-gnome-0.18.0-5.legacy.i386.rpm



------- Additional Comments From jkeating 2004-05-31 12:27:55 ----

Pushed to updates-testing.

  http://download.fedoralegacy.org/redhat/
 
cebed6a9021cf4002f6d403a115ad9d21f2a9c03  7.3/updates-testing/SRPMS/gdk-pixbuf-0.14.0-9.legacy.1.src.rpm
f7d01aa00978b6d4e1f341cf4e5c4b5f1bc90602  7.3/updates-testing/i386/gdk-pixbuf-0.14.0-9.legacy.1.i386.rpm
c7c4614f2ab7c662f8f1c025f5490851c3d1b418  7.3/updates-testing/i386/gdk-pixbuf-devel-0.14.0-9.legacy.1.i386.rpm
e060399ff750d635fb3f540608902778d5b55791  7.3/updates-testing/i386/gdk-pixbuf-gnome-0.14.0-9.legacy.1.i386.rpm



------- Additional Comments From dwb7.edu 2004-06-18 10:18:55 ----

On Friday 18 June 2004 13:11, David Botsch wrote:
> Well... after updating several rpms yesterday including gdk-pixbuf
> and libxml2, it seems that upon an X restart the background image at
> the login screen no longer appears (bg image is specified in
> /etc/X11/gdm/gdm.conf and the bg image is a .png)
>
> I have yet to try a reboot.
>
> Anyone else noticing this? Thoughts?

Could be that the png lib isn't listed as a buildreq, and thus
gdk-pixbuf doesn't have the capability of loading it.  I'll take a
look, if you would please add the above comments to the bugzilla
report?

-- 
Jesse Keating RHCE      (geek.j2solutions.net)   
Fedora Legacy Team      (www.fedoralegacy.org)
GPG Public Key          (geek.j2solutions.net/jkeating.j2solutions.pub)




------- Additional Comments From dwb7.edu 2004-06-18 10:24:58 ----

Confirmed. Rebuild the rpm on a computer which has libpng-devel and the
background is back.



------- Additional Comments From dwb7.edu 2004-06-21 10:51:15 ----

Updated rpms available with libpng-devel, libtiff-devel, and libjpeg-devel
added to the buildreqs:

RH7.3:

http://cf.ccmr.cornell.edu/publicdownloads/fedoralegacy-testing/gdk-pixbuf

> sha1sum -b *
6331175703c6e540d0d535a00a292f8ecfb0adb4 *gdk-pixbuf-0.14.0-9.legacy.2.i386.rpm
d14f2b450493c080cabfed244965a8e526e7c5f5 *gdk-pixbuf-0.14.0-9.legacy.2.src.rpm
7d757307e2ca18ac00941eb61d27aab9ba77d57e *gdk-pixbuf-devel-0.14.0-9.legacy.2.i386.rpm
e00795f30cbd3208c1de9a042a8befd20c0e0e49 *gdk-pixbuf-gnome-0.14.0-9.legacy.2.i386.rpm

-DWB



------- Additional Comments From jpdalbec 2004-06-21 11:20:31 ----

Dave, please sign your RPMs.



------- Additional Comments From dwb7.edu 2004-06-21 11:36:29 ----

The SRPM is signed per the QA instructions (and the sha1sums are also signed).



------- Additional Comments From florin.edu 2004-07-13 05:06:31 ----

The RH73 RPMs earlier than gdk-pixbuf-0.14.0-9.legacy.2 seem to break the image
loading in GNOME for me too (tested on several boxes, all the patches current).
However, gdk-pixbuf-0.14.0-9.legacy.2 seems to work fine.



------- Additional Comments From jpdalbec 2004-08-23 10:47:27 ----

d14f2b450493c080cabfed244965a8e526e7c5f5  gdk-pixbuf-0.14.0-9.legacy.2.src.rpm

I've been running RPMs that I built from this SRPM for a while now in
production and I haven't seen any problems.  I don't have my original
copy of the SRPM but I used fedora-unrpm to unpack this SRPM and the
SRPM from my original "rpm -ba" build and the files were identical.

Oh yeah.  Good signature on the SRPM.



------- Additional Comments From dom 2004-09-07 12:41:47 ----

This needs new packages to be built for updates-testing, so reopening.



------- Additional Comments From florin.edu 2004-09-14 07:47:32 ----

The RH73 RPMs earlier than gdk-pixbuf-0.14.0-9.legacy.2 seem to break the image
loading in GNOME for me too (tested on several boxes, all the patches current).
However, gdk-pixbuf-0.14.0-9.legacy.2 seems to work fine.




------- Additional Comments From ckelley 2004-09-14 09:59:30 ----

d14f2b450493c080cabfed244965a8e526e7c5f5  gdk-pixbuf-0.14.0-9.legacy.2.src.rpm

spec file looks good
gdk-pixbuf-bmp-colormap-bug.patch is small, and fairly easy to understand
rpmbuild -ba generates good packages
tried several gnome applications, including galeon -- they all seem to function

PUBLISH




------- Additional Comments From marcdeslauriers 2004-09-17 13:07:53 ----

This bug has been superseded by bug 2005




------- Bug moved to this database by dkl 2005-03-30 18:23 -------

This bug previously known as bug 1371 at https://bugzilla.fedora.us/
https://bugzilla.fedora.us/show_bug.cgi?id=1371
Originally filed under the Fedora Legacy product and Package request component.

Attachments:
a patch to fix the issue for RH73
https://bugzilla.fedora.us/attachment.cgi?action=view&id=576

Unknown priority P2. Setting to default priority "normal".
Unknown platform PC. Setting to default platform "All".
Unknown severity major. Setting to default severity "normal".
The original reporter of this bug does not have
   an account here. Reassigning to the person who moved
   it here, dkl.
   Previous reporter was jonny.strom.
Setting qa contact to the default for this product.
   This bug either had no qa contact or an invalid one.