Bug 1926787 (CVE-2021-20240)
Summary: | CVE-2021-20240 gdk-pixbuf: integer wraparound in the GIF loader of gdk-pixbuf via crafted input leads to segmentation fault | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED NOTABUG | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | erik-fedora, fedora, gnome-sig, klember, manisandro, mclasen, otte, rh-spice-bugs, rjones, rschiron, scorneli |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Fixed In Version: | gdk-pixbuf 2.42.0 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in gdk-pixbuf. An integer wraparound leading to an out of bounds write can occur when a crafted GIF image is loaded. An attacker may cause applications to crash or could potentially execute code on the victim system. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability. |
Last Closed: | 2022-04-18 02:28:46 UTC | Type: | --- |
Bug Depends On: | 1926789, 1926790, 1928821 | ||
Bug Blocks: | 1926792 |
Description
Marian Rehak
2021-02-09 13:09:33 UTC
Created gdk-pixbuf2 tracking bugs for this issue:
Affects: fedora-all [bug 1926789]

Created mingw-gdk-pixbuf tracking bugs for this issue:
Affects: fedora-all [bug 1926790]

Vulnerable code seems to be introduced in https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/4e7b5345d2fc8f0d1dee93d8ba9ab805bc95d42f in upstream version 2.39.2.

Statement: This issue did not affect the versions of gdk-pixbuf2 as shipped with Red Hat Enterprise Linux 6, 7, and 8 as they did not include the vulnerable code.

Upstream fix: https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/commit/80704d84055d8f33cd66824d78d16b89fc45db45

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-20240