Bug 727081 (CVE-2011-2897)
Summary: CVE-2011-2897 gdk-pixbuf: GIF loader buffer overflow when initializing decompression tables
Product: [Other] Security Response
Component: vulnerability
Reporter: Tomas Hoger <thoger>
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: bruno, mclasen
Keywords: Security
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2019-05-31 09:39:11 UTC
Bug Depends On: 731308

Description
Tomas Hoger
2011-08-01 09:48:32 UTC
Created attachment 516104
Load image using gdk-pixbuf

This only calls gdk_pixbuf_new_from_file() to have specified image file parsed by gdk-pixbuf. Crash can be reproduced using the reproducer for SDL_image, see:
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2007-6697#c1

CVE-2011-2897 was assigned here:
http://thread.gmane.org/gmane.comp.security.oss.general/5646

(In reply to comment #0)
> This problem was corrected upstream long ago:
>
> http://git.gnome.org/browse/gdk-pixbuf/commit/gdk-pixbuf/io-gif.c?id=3bac204e0d0241a0d68586ece7099e6acf0e9bea

Relevant part is addition of this check to gif_prepare_lzw():

+ if (context->lzw_set_code_size > MAX_LZW_BITS) {

It may need some different way to report error in older gdk-pixbuf version.

This issue affects gdk-pixbuf packages shipped with Red Hat Enterprise Linux 4 and 5. The code is not used by other packages in the distribution.

The data written past the end of the buffer is not attacker controlled, which makes it more difficult to exploit for anything but crash. Hence we do not plan to address this problem immediately. It may be fixed in the future gdk-pixbuf package updates.

Created gdk-pixbuf tracking bugs for this issue

Affects: fedora-all [bug 731308]
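
A minimal model of the check quoted in the comments above (`lzw_set_code_size > MAX_LZW_BITS`), as an added example that is not gdk-pixbuf's own code. The `lzw_state` struct, the `lzw_prepare()` function, the 4096-entry table size and the shape of the initialization loop are assumptions made for illustration; only the name `MAX_LZW_BITS` and the comparison come from the page.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_LZW_BITS   12                    /* name from the quoted check */
#define LZW_TABLE_SIZE (1u << MAX_LZW_BITS)  /* assumed table size: 4096 entries */

/* Hypothetical decoder state for illustration; not gdk-pixbuf's own struct. */
struct lzw_state {
    unsigned code_size;    /* current code width in bits */
    unsigned clear_code;   /* 1 << set_code_size */
    unsigned end_code;     /* clear_code + 1 */
    uint16_t prefix[LZW_TABLE_SIZE];
    uint16_t suffix[LZW_TABLE_SIZE];
};

/*
 * set_code_size is the "LZW minimum code size" byte read from the GIF image
 * data, so it is untrusted. Returns 0 on success, -1 if the value would make
 * the initialization loop below run past the end of the tables.
 */
int lzw_prepare(struct lzw_state *s, unsigned char set_code_size)
{
    if (set_code_size > MAX_LZW_BITS)
        return -1;                     /* reject before any table write */

    s->code_size  = set_code_size + 1u;
    s->clear_code = 1u << set_code_size;
    s->end_code   = s->clear_code + 1u;

    /* Without the check, set_code_size = 13 would give clear_code = 8192 and
     * this loop would write 8192 entries into 4096-entry arrays. The values
     * written are 0 and the loop index, not bytes chosen by the file. */
    for (unsigned i = 0; i < s->clear_code; i++) {
        s->prefix[i] = 0;
        s->suffix[i] = (uint16_t)i;
    }
    return 0;
}

int main(void)
{
    static struct lzw_state s;
    const unsigned char samples[] = { 2, 8, 12, 13, 255 };  /* constructed inputs */
    for (size_t i = 0; i < sizeof samples; i++)
        printf("set_code_size=%3u -> %s\n", (unsigned)samples[i],
               lzw_prepare(&s, samples[i]) == 0 ? "accepted" : "rejected");
    return 0;
}
```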