Bug 173274 - gdk-pixbuf multiple vulnerabilities, CVE-2005-2975, CVE-2005-2976, CVE-2005-3186
Summary: gdk-pixbuf multiple vulnerabilities, CVE-2005-2975, CVE-2005-2976, CVE-2005-3186
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: gdk-pixbuf
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
URL:
Whiteboard: LEGACY, rh73, rh90, 1, 2
Depends On:
Blocks:
 
Reported: 2005-11-15 20:34 UTC by Jeff Sheltren
Modified: 2007-04-18 17:34 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2006-03-17 00:49:06 UTC
Embargoed:



Description Jeff Sheltren 2005-11-15 20:34:45 UTC
A bug was found in the way gdk-pixbuf processes XPM images. An attacker
could create a carefully crafted XPM file in such a way that it could cause
an application linked with gdk-pixbuf to execute arbitrary code when the
file was opened by a victim. The Common Vulnerabilities and Exposures
project has assigned the name CVE-2005-3186 to this issue.

Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM file
in such a way that it could cause an application linked with gdk-pixbuf to
execute arbitrary code or crash when the file was opened by a victim. The
Common Vulnerabilities and Exposures project has assigned the name
CVE-2005-2976 to this issue.

Ludwig Nussel also discovered an infinite-loop denial of service bug in the
way gdk-pixbuf processes XPM images. An attacker could create a carefully
crafted XPM file in such a way that it could cause an application linked
with gdk-pixbuf to stop responding when the file was opened by a victim.
The Common Vulnerabilities and Exposures project has assigned the name
CVE-2005-2975 to this issue. 

See https://rhn.redhat.com/errata/RHSA-2005-810.html
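The three issues above share one theme: image dimensions and colour counts read from an untrusted XPM header are used to size allocations and drive loops. The following is an added example, written for this page and not taken from gdk-pixbuf or from the RHEL patches referenced here; it does not reproduce the actual defects, only the defensive pattern that prevents that class of bug. The struct, function names, and the sanity bounds (XPM_MAX_DIM, XPM_MAX_COLORS, XPM_MAX_CPP) are this example's own choices. It parses an XPM "values" line with explicit overflow checks before computing the pixel buffer size, and reads the colour table with a loop bounded by the input actually present, so a truncated file ends in an error rather than an endless loop.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical header record; names are this example's own, not gdk-pixbuf's. */
typedef struct {
    long width, height, ncolors, cpp;   /* cpp = characters per pixel */
    size_t pixel_bytes;                  /* bytes needed for a 4-byte RGBA buffer */
} xpm_header_t;

/* Constructed sanity bounds: a parser that cannot justify larger values should refuse them. */
#define XPM_MAX_DIM    32767L
#define XPM_MAX_COLORS (1L << 20)
#define XPM_MAX_CPP    8L

/* Multiply two size_t values, reporting overflow instead of silently wrapping. */
static int checked_mul(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a) return -1;
    *out = a * b;
    return 0;
}

/* Read one decimal field from *p and advance *p. Rejects missing or out-of-range numbers. */
static int next_field(const char **p, long *out)
{
    char *end;
    errno = 0;
    long v = strtol(*p, &end, 10);
    if (end == *p || errno == ERANGE) return -1;
    *p = end;
    *out = v;
    return 0;
}

/* Parse an XPM "values" line ("<width> <height> <ncolors> <cpp>").
   Returns 0 and fills h on success; -1 if any field is missing, non-positive,
   above its bound, or would make the pixel buffer size overflow. */
int xpm_parse_values(const char *line, xpm_header_t *h)
{
    const char *p = line;
    size_t pixels;
    if (!line || !h) return -1;
    if (next_field(&p, &h->width) || next_field(&p, &h->height) ||
        next_field(&p, &h->ncolors) || next_field(&p, &h->cpp))
        return -1;
    if (h->width <= 0 || h->height <= 0 || h->ncolors <= 0 || h->cpp <= 0) return -1;
    if (h->width > XPM_MAX_DIM || h->height > XPM_MAX_DIM) return -1;
    if (h->ncolors > XPM_MAX_COLORS || h->cpp > XPM_MAX_CPP) return -1;
    /* Even within the bounds, size the buffer with checked arithmetic rather than w*h*4. */
    if (checked_mul((size_t)h->width, (size_t)h->height, &pixels)) return -1;
    if (checked_mul(pixels, 4, &h->pixel_bytes)) return -1;
    return 0;
}

/* Read the colour table: exactly h->ncolors lines, each at least cpp characters long.
   The loop is bounded by both ncolors and the number of lines actually present, so a
   truncated file ends in an error instead of spinning. Returns the number of entries
   consumed, or -1. */
long xpm_read_colors(const char *const *lines, size_t nlines, const xpm_header_t *h)
{
    long i;
    for (i = 0; i < h->ncolors; i++) {
        if ((size_t)i >= nlines) return -1;               /* input ended before ncolors */
        if (strlen(lines[i]) < (size_t)h->cpp) return -1; /* entry shorter than its pixel key */
    }
    return i;
}

int main(void)
{
    /* Constructed inputs: a well-formed 4x4 header and a hostile one. */
    xpm_header_t h;
    const char *const colors[] = { "a c #000000", "b c #FFFFFF" };
    if (xpm_parse_values("4 4 2 1", &h) == 0)
        printf("ok: %zu bytes, %ld colour entries\n", h.pixel_bytes,
               xpm_read_colors(colors, 2, &h));
    if (xpm_parse_values("4294967295 4294967295 1 1", &h) != 0)
        printf("rejected oversized dimensions\n");
    return 0;
}
```

The two checks are independent on purpose: the dimension bounds stop absurd headers early, while checked_mul protects the allocation size even if someone later raises the bounds, and xpm_read_colors never trusts ncolors alone to decide when to stop.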

Comment 1 Michal Jaegermann 2005-11-21 08:34:46 UTC
At least on RH7.3 source rpm gdk-pixbuf-0.22.0-12.el2.3.src.rpm recompiles
without any real changes.

Comment 2 Marc Deslauriers 2006-02-20 01:16:47 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA:

3f19c11c5de388b4895ae73cbcb1a2e0958c7a80  7.3/gdk-pixbuf-0.22.0-7.73.4.legacy.src.rpm
73cdb160dd42758aff93f18b2ffedcb76a6ee507  9/gdk-pixbuf-0.22.0-7.90.4.legacy.src.rpm
cb482dce175e1e2913dd6e6e5344f8309a5b1e8e  1/gdk-pixbuf-0.22.0-11.3.4.2.legacy.src.rpm
00cd30c407d5fe88522c67115f1d4073e610693f  2/gdk-pixbuf-0.22.0-12.fc2.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/gdk-pixbuf-0.22.0-7.73.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gdk-pixbuf-0.22.0-7.90.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/gdk-pixbuf-0.22.0-11.3.4.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/gdk-pixbuf-0.22.0-12.fc2.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)

iD8DBQFD+RonLMAs/0C4zNoRAjWUAJ9KvwAbAidpy+QpILSiA+k2DcfYcACfX7P0
wt1tLvKXGYbvRYbcJB7+ooo=
=qOLt
-----END PGP SIGNATURE-----


Comment 3 Pekka Savola 2006-02-20 06:39:28 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches verified to come from RHEL
 
+PUBLISH RHL73, RHL9, FC1, FC2
 
cb482dce175e1e2913dd6e6e5344f8309a5b1e8e  gdk-pixbuf-0.22.0-11.3.4.2.legacy.src.rpm
00cd30c407d5fe88522c67115f1d4073e610693f  gdk-pixbuf-0.22.0-12.fc2.1.legacy.src.rpm
3f19c11c5de388b4895ae73cbcb1a2e0958c7a80  gdk-pixbuf-0.22.0-7.73.4.legacy.src.rpm
73cdb160dd42758aff93f18b2ffedcb76a6ee507  gdk-pixbuf-0.22.0-7.90.4.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFD+WVDGHbTkzxSL7QRAoOgAJ9727tGzdziN1HCIBE2ynieGqW/5QCeL8Yu
vLl3h5LB39NXeJqVjOvmHic=
=D2Io
-----END PGP SIGNATURE-----


Comment 4 Marc Deslauriers 2006-02-24 00:06:05 UTC
Packages were sent to updates-testing

Comment 5 Pekka Savola 2006-03-01 07:40:23 UTC
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for RHL9.  Signatures OK, upgrades OK.
Tested mproject which depends on this, works OK.
 
+VERIFY RHL9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD4DBQFEBVDWGHbTkzxSL7QRAq3pAKCpSecjCpqQVPoUDSpA16bGr0dl+QCVGfqG
uRyiFSpGq9w85wy7wjawOg==
=FjBw
-----END PGP SIGNATURE-----


Comment 6 Pekka Savola 2006-03-10 07:15:32 UTC
Timeout over.

Comment 7 Marc Deslauriers 2006-03-17 00:49:06 UTC
Packages were pushed to updates.

