Bug 154272 - gdk-pixbuf CAN-2005-0891 - possible DoS in BMP images processing
gdk-pixbuf CAN-2005-0891 - possible DoS in BMP images processing
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: gdk-pixbuf (Show other bugs)
unspecified
All Linux
medium Severity medium
: ---
: ---
Assigned To: Fedora Legacy Bugs
LEGACY, 1, rh90, rh73
: Security
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2005-04-08 18:02 EDT by Michal Jaegermann
Modified: 2007-04-18 13:23 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2005-07-15 22:08:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Michal Jaegermann 2005-04-08 18:02:22 EDT
Description of problem:

https://rhn.redhat.com/errata/RHSA-2005-343.html
details a double free vulnerability in gdk-pixbuf.  RHEL sources referenced
in the quoted advisory, as well as gdk-pixbuf-0.22.0-16.fc3.src.rpm,
differ from the current gdk-pixbuf Legacy updates by one patch. Namely
by gdk-pixbuf-0.22.0-bmpcrash.patch.

That patch applies directly to the current Legacy sources and resulting
packages recompile without any issues.

Version-Release number of selected component (if applicable):
gdk-pixbuf-0.22.0-7.73.2.legacy and similar
Comment 1 Matthew Miller 2005-04-12 19:40:37 EDT
The gdk-pixbuf-0.22.0-bmpcrash.patch is in the latest FC2 update
(gdk-pixbuf-0.22.0-12.fc2, from March 30), by the way.
Comment 2 Michal Jaegermann 2005-04-12 22:00:06 EDT
ftp://ftp.harddata.com/pub/Legacy_srpms/gdk-pixbuf-0.22.0-7.73.3hd.src.rpm
for some "sample" patched srpm.  In this case recompiling srpm from FC2 or
FC3 updates will really have the same effect.
Comment 3 Pekka Savola 2005-05-11 03:39:05 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Packages to fix the issue:
 
http://www.netcore.fi/pekkas/linux/gdk-pixbuf-0.22.0-7.73.3.legacy.src.rpm (RHL73)
http://www.netcore.fi/pekkas/linux/gdk-pixbuf-0.22.0-7.90.3.legacy.src.rpm (RHL9)
http://www.netcore.fi/pekkas/linux/gdk-pixbuf-0.22.0-11.3.4.1.legacy.src.rpm (FC1)
 
a12c087fa02e9f7a0345dc88235ec90f4e153070  gdk-pixbuf-0.22.0-11.3.4.1.legacy.src.rpm
0403a4cdfd0ccc73968e1a60df26ac884f65cd54  gdk-pixbuf-0.22.0-7.73.3.legacy.src.rpm
163854473bd3c08e7d47cd77952c1810e1d7120e  gdk-pixbuf-0.22.0-7.90.3.legacy.src.rpm
 
* Wed May 11 2005 Pekka Savola <pekkas@netcore.fi> 1:0.22.0-7.90.3.legacy
- - Add BMP loader double free crash from RHEL3 (CAN-2005-0891), #154272
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFCgbZwGHbTkzxSL7QRAv8PAKCbwVlnS3JsYWlaDTd6Jm8aY/nsOACgpD9r
62IqnyPot5Y9LfPyaKPqRP4=
=F23d
-----END PGP SIGNATURE-----
Comment 4 Donald Maner 2005-06-16 22:02:48 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I did QA on the RHL73 and RHL9 package.

0403a4cdfd0ccc73968e1a60df26ac884f65cd54 gdk-pixbuf-0.22.0-7.73.3.legacy.src.rpm
163854473bd3c08e7d47cd77952c1810e1d7120e gdk-pixbuf-0.22.0-7.90.3.legacy.src.rpm

I compared sha1sums of the individual files in each .src.rpm to the prevously
released FedoraLegacy update, and they all match.

Patch is as expected.

specfile changes are to package version, addition of new patch, and changelog.

+PUBLISH gdk-pixbuf-0.22.0-7.73.3.legacy
+PUBLISH gdk-pixbuf-0.22.0-7.90.3.legacy
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iD8DBQFCsi78TnwK660bsQMRAmLHAJ0VtUQZUU8PJTsptZBPbYJYC2T7MACgiBbP
AkCZx0VRUndiqHm/a7sv8hs=
=rdMK
-----END PGP SIGNATURE-----
Comment 5 Pekka Savola 2005-06-17 00:34:43 EDT
FC1 publish, anyone?
Comment 6 Donald Maner 2005-06-18 16:54:19 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I performed QA on the FC1 package.

a12c087fa02e9f7a0345dc88235ec90f4e153070  gdk-pixbuf-0.22.0-11.3.4.1.legacy.src.rpm

Used rpm-build-compare to compare the above versions to the previous versions.

Only patch addition is CAN-2005-0891 patch.

Patch is as expected.

specfile changes are adding the patch, adding 1.legacy to version, and adding to
changelog.

+PUBLISH FC1

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)

iD8DBQFCtIlqTnwK660bsQMRAjZ9AJ9x6dU5QzAJF+sftlK/RbR07v1ejgCfe1wy
0UdbiuvU1akgpUMqTgVNTyM=
=tpAs
-----END PGP SIGNATURE-----
Comment 7 Pekka Savola 2005-06-18 17:05:10 EDT
Thanks!
Comment 8 Marc Deslauriers 2005-06-24 14:48:44 EDT
These were pushed to updates-testing
Comment 9 Pekka Savola 2005-06-29 08:52:08 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
Quick test on RHL9 and RHL73.  Used 'mrproject', 'nautilus', and 'galeon'
very briefly to see that a couple of packages which Require gdk-pixbuf
seem to work OK.
 
+VERIFY RHL9, RHL73
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFCwpljGHbTkzxSL7QRAr0bAKCJbS4BPTMoVu/25r8nUWJLKQxI7gCdF8E9
3PhE2G7Q1eEowtubx3z6K/0=
=4BY2
-----END PGP SIGNATURE-----
Comment 10 Eric Jon Rostetter 2005-06-30 14:11:55 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
++VERIFY for RHL 9
 
Packages:
gdk-pixbuf-0.22.0-7.90.3.legacy.i386.rpm
gdk-pixbuf-devel-0.22.0-7.90.3.legacy.i386.rpm
gdk-pixbuf-gnome-0.22.0-7.90.3.legacy.i386.rpm
 
SHA1 checksums all match test update advisory.  Signatures verify okay.
 
Installed on a desktop machine I use everyday for hours on end with gnome
interface.  Installed without issues.  Used it for 3 days without problem.
Did not do any actual testing of it directly, just noted that it installed
and after 3 days I saw no problems.
 
Vote for release for RHL 9. ++VERIFY
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
 
iD8DBQFCxDWU4jZRbknHoPIRAlK7AJwKPaATGaT9d75ZD60cEgA8GuPBAQCcClQn
u4cojAFoevSsqLgPHZL0n7M=
=K7yI
-----END PGP SIGNATURE-----
Comment 11 Pekka Savola 2005-07-14 03:08:03 EDT
Timeout over.
Comment 12 Marc Deslauriers 2005-07-15 22:08:16 EDT
Packages were released to updates.

Note You need to log in before you can comment on or make changes to this bug.