Bug 154272
| Summary: | gdk-pixbuf CAN-2005-0891 - possible DoS in BMP images processing | ||
|---|---|---|---|
| Product: | [Retired] Fedora Legacy | Reporter: | Michal Jaegermann <michal> |
| Component: | gdk-pixbuf | Assignee: | Fedora Legacy Bugs <bugs> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | donjr, mattdm, pekkas |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | LEGACY, 1, rh90, rh73 | ||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2005-07-16 02:08:46 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Michal Jaegermann
2005-04-08 22:02:22 UTC
The gdk-pixbuf-0.22.0-bmpcrash.patch is in the latest FC2 update (gdk-pixbuf-0.22.0-12.fc2, from March 30), by the way. ftp://ftp.harddata.com/pub/Legacy_srpms/gdk-pixbuf-0.22.0-7.73.3hd.src.rpm for some "sample" patched srpm. In this case recompiling srpm from FC2 or FC3 updates will really have the same effect. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Packages to fix the issue: http://www.netcore.fi/pekkas/linux/gdk-pixbuf-0.22.0-7.73.3.legacy.src.rpm (RHL73) http://www.netcore.fi/pekkas/linux/gdk-pixbuf-0.22.0-7.90.3.legacy.src.rpm (RHL9) http://www.netcore.fi/pekkas/linux/gdk-pixbuf-0.22.0-11.3.4.1.legacy.src.rpm (FC1) a12c087fa02e9f7a0345dc88235ec90f4e153070 gdk-pixbuf-0.22.0-11.3.4.1.legacy.src.rpm 0403a4cdfd0ccc73968e1a60df26ac884f65cd54 gdk-pixbuf-0.22.0-7.73.3.legacy.src.rpm 163854473bd3c08e7d47cd77952c1810e1d7120e gdk-pixbuf-0.22.0-7.90.3.legacy.src.rpm * Wed May 11 2005 Pekka Savola <pekkas> 1:0.22.0-7.90.3.legacy - - Add BMP loader double free crash from RHEL3 (CAN-2005-0891), #154272 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFCgbZwGHbTkzxSL7QRAv8PAKCbwVlnS3JsYWlaDTd6Jm8aY/nsOACgpD9r 62IqnyPot5Y9LfPyaKPqRP4= =F23d -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I did QA on the RHL73 and RHL9 package. 0403a4cdfd0ccc73968e1a60df26ac884f65cd54 gdk-pixbuf-0.22.0-7.73.3.legacy.src.rpm 163854473bd3c08e7d47cd77952c1810e1d7120e gdk-pixbuf-0.22.0-7.90.3.legacy.src.rpm I compared sha1sums of the individual files in each .src.rpm to the prevously released FedoraLegacy update, and they all match. Patch is as expected. specfile changes are to package version, addition of new patch, and changelog. +PUBLISH gdk-pixbuf-0.22.0-7.73.3.legacy +PUBLISH gdk-pixbuf-0.22.0-7.90.3.legacy -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) iD8DBQFCsi78TnwK660bsQMRAmLHAJ0VtUQZUU8PJTsptZBPbYJYC2T7MACgiBbP AkCZx0VRUndiqHm/a7sv8hs= =rdMK -----END PGP SIGNATURE----- FC1 publish, anyone? -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I performed QA on the FC1 package. a12c087fa02e9f7a0345dc88235ec90f4e153070 gdk-pixbuf-0.22.0-11.3.4.1.legacy.src.rpm Used rpm-build-compare to compare the above versions to the previous versions. Only patch addition is CAN-2005-0891 patch. Patch is as expected. specfile changes are adding the patch, adding 1.legacy to version, and adding to changelog. +PUBLISH FC1 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.1 (MingW32) iD8DBQFCtIlqTnwK660bsQMRAjZ9AJ9x6dU5QzAJF+sftlK/RbR07v1ejgCfe1wy 0UdbiuvU1akgpUMqTgVNTyM= =tpAs -----END PGP SIGNATURE----- Thanks! These were pushed to updates-testing -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Quick test on RHL9 and RHL73. Used 'mrproject', 'nautilus', and 'galeon' very briefly to see that a couple of packages which Require gdk-pixbuf seem to work OK. +VERIFY RHL9, RHL73 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFCwpljGHbTkzxSL7QRAr0bAKCJbS4BPTMoVu/25r8nUWJLKQxI7gCdF8E9 3PhE2G7Q1eEowtubx3z6K/0= =4BY2 -----END PGP SIGNATURE----- -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ++VERIFY for RHL 9 Packages: gdk-pixbuf-0.22.0-7.90.3.legacy.i386.rpm gdk-pixbuf-devel-0.22.0-7.90.3.legacy.i386.rpm gdk-pixbuf-gnome-0.22.0-7.90.3.legacy.i386.rpm SHA1 checksums all match test update advisory. Signatures verify okay. Installed on a desktop machine I use everyday for hours on end with gnome interface. Installed without issues. Used it for 3 days without problem. Did not do any actual testing of it directly, just noted that it installed and after 3 days I saw no problems. Vote for release for RHL 9. ++VERIFY -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (GNU/Linux) iD8DBQFCxDWU4jZRbknHoPIRAlK7AJwKPaATGaT9d75ZD60cEgA8GuPBAQCcClQn u4cojAFoevSsqLgPHZL0n7M= =K7yI -----END PGP SIGNATURE----- Timeout over. Packages were released to updates. |