Bug 715337 (CVE-2011-2485)

Summary: CVE-2011-2485 gdk-pixbuf: incorrect error detection in the GIF image loader
Product: [Other] Security Response
Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Severity: low
Priority: low
Version: unspecified
CC: bressers, extras-orphan, mbarnes, mclasen, mjc, security-response-team
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2014-06-13 16:25:07 UTC
Bug Depends On: 716373, 837559, 837560, 837561, 837562
Bug Blocks: 715365
Attachments: Proposed patch from Matthias Clasen (flags: none)

Description Jan Lieskovsky 2011-06-22 14:55:52 UTC
It was found that the gdk-pixbuf GIF image loader routine
gdk_pixbuf__gif_image_load() did not properly handle certain return values
from its subroutines. A remote attacker could provide a specially-crafted GIF
image which, once opened in an application linked against gdk-pixbuf, would
lead gdk-pixbuf to return a partially initialized pixbuf structure, possibly
having huge width and height, leading to termination of that particular
application due to excessive memory use.


Red Hat would like to thank the Pidgin project for reporting this issue.
Upstream acknowledges Mark Doliner as the original reporter.

Comment 1 Jan Lieskovsky 2011-06-22 15:02:04 UTC
Created attachment 506029 [details]
Proposed patch from Matthias Clasen

Comment 5 Jan Lieskovsky 2011-06-22 16:40:21 UTC
The CVE identifier of CVE-2011-2485 has been assigned to this issue.

Comment 8 Jan Lieskovsky 2011-06-24 08:33:07 UTC
This issue affects the versions of the gdk-pixbuf packages as shipped with
Red Hat Enterprise Linux 4 and 5.


This issue affects the versions of the gdk-pixbuf package as shipped with
Fedora releases 14 and 15.

The gdk-pixbuf2 package updates for Fedora releases 14 and 15, addressing
this issue, have already been scheduled. The particular versions are:
1) gdk-pixbuf2-2.22.0-2.fc14 for Fedora 14
2) gdk-pixbuf2-2.23.3-2.fc15 for Fedora 15

Comment 10 Jan Lieskovsky 2011-06-24 08:41:29 UTC
Created gdk-pixbuf tracking bugs for this issue

Affects: fedora-all [bug 716373]

Comment 11 Tomas Hoger 2011-08-19 14:18:21 UTC
Matthias, you seem to have a good understanding of this issue.  Do you know when this issue was introduced, and if it really affects gdk-pixbuf (0.x version for gtk+ 1.x) as mentioned in comment #8 and comment #10?  My quick testing suggests it may not be affected, given that gdk_pixbuf_new_from_file() returns an error (and reports a lot of assertion failures to stderr) when trying to load the test image.

Comment 12 Matthias Clasen 2011-08-19 15:51:34 UTC
The code certainly looks like it might have the same problem. 
gdk_pixbuf__gif_image_load does not even look at the return value
of gif_main_loop and just blindly returns the pixbuf.
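
As an added illustration (not gdk-pixbuf's code and not the attached patch), a simplified C model of the pattern described in the report and in comment 12: a loader that drops the return value of its decode loop and hands back a half-initialized pixbuf with header-supplied dimensions, beside the form that propagates the failure. Pixbuf, toy_main_loop, load_unchecked, load_checked and the crafted header are all constructed stand-ins.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Minimal stand-in for a pixbuf: header dimensions plus a pixel buffer. */
typedef struct {
    uint32_t width, height;
    unsigned char *pixels;   /* stays NULL until the decode loop completes */
} Pixbuf;

/* Stand-in for gif_main_loop over a constructed GIF-like stream: a 4-byte
   header (16-bit little-endian width and height) followed by pixel data.
   A crafted file can declare huge dimensions and then supply no data. */
static bool toy_main_loop(Pixbuf *pb, const uint8_t *buf, size_t len)
{
    if (len < 4) return false;
    pb->width  = buf[0] | (buf[1] << 8);
    pb->height = buf[2] | (buf[3] << 8);
    size_t need = (size_t)pb->width * pb->height;
    if (len - 4 < need) return false;        /* truncated: decode failed */
    pb->pixels = malloc(need ? need : 1);
    if (!pb->pixels) return false;
    memcpy(pb->pixels, buf + 4, need);
    return true;
}

/* Vulnerable pattern from the report: the loop's status is ignored and the
   partially initialized pixbuf (huge width/height, no pixels) is returned. */
Pixbuf *load_unchecked(const uint8_t *buf, size_t len)
{
    Pixbuf *pb = calloc(1, sizeof *pb);
    if (!pb) return NULL;
    toy_main_loop(pb, buf, len);             /* return value dropped */
    return pb;
}

/* Hardened pattern: propagate the failure and release the partial object so
   the caller gets NULL (an error) instead of bogus dimensions. */
Pixbuf *load_checked(const uint8_t *buf, size_t len)
{
    Pixbuf *pb = calloc(1, sizeof *pb);
    if (!pb) return NULL;
    if (!toy_main_loop(pb, buf, len)) { free(pb->pixels); free(pb); return NULL; }
    return pb;
}

/* Constructed crafted input: declares 65535 x 65535 and carries no pixels. */
const uint8_t crafted[4] = { 0xff, 0xff, 0xff, 0xff };
```

An application that trusts the unchecked result would size its rendering buffers from width and height and fail on allocation, which is the termination the report describes.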

Comment 14 Huzaifa S. Sidhpurwala 2012-07-04 08:49:26 UTC
*** Bug 714754 has been marked as a duplicate of this bug. ***

Comment 17 Josh Bressers 2014-06-13 16:25:07 UTC
I'm closing this bug. There are no longer outstanding tasks open for it.