Bug 173274 - gdk-pixbuf multiple vulnerabilities, CVE-2005-2975, CVE-2005-2976, CVE-2005-3186
Status: CLOSED ERRATA
Product: Fedora Legacy
Classification: Retired
Component: gdk-pixbuf (Show other bugs)
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Fedora Legacy Bugs
Whiteboard: LEGACY, rh73, rh90, 1, 2
Reported: 2005-11-15 15:34 EST by Jeff Sheltren
Modified: 2007-04-18 13:34 EDT (History)
Doc Type: Bug Fix
Last Closed: 2006-03-16 19:49:06 EST
Description Jeff Sheltren 2005-11-15 15:34:45 EST
A bug was found in the way gdk-pixbuf processes XPM images. An attacker
could create a carefully crafted XPM file in such a way that it could cause
an application linked with gdk-pixbuf to execute arbitrary code when the
file was opened by a victim. The Common Vulnerabilities and Exposures
project has assigned the name CVE-2005-3186 to this issue.

Ludwig Nussel discovered an integer overflow bug in the way gdk-pixbuf
processes XPM images. An attacker could create a carefully crafted XPM file
in such a way that it could cause an application linked with gdk-pixbuf to
execute arbitrary code or crash when the file was opened by a victim. The
Common Vulnerabilities and Exposures project has assigned the name
CVE-2005-2976 to this issue.

Ludwig Nussel also discovered an infinite-loop denial of service bug in the
way gdk-pixbuf processes XPM images. An attacker could create a carefully
crafted XPM file in such a way that it could cause an application linked
with gdk-pixbuf to stop responding when the file was opened by a victim.
The Common Vulnerabilities and Exposures project has assigned the name
CVE-2005-2975 to this issue. 

See https://rhn.redhat.com/errata/RHSA-2005-810.html
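The bug class behind CVE-2005-2976 (a buffer size derived from attacker-controlled XPM header values in 32-bit arithmetic that wraps) is illustrated by the following added example. It is not gdk-pixbuf's code and does not reproduce its actual XPM loader; it assumes only the standard XPM "Values" line layout (width, height, number of colours, characters per pixel), and MAX_DIMENSION is an arbitrary cap chosen for the example. The header strings in main() are constructed test input.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Simplified XPM "Values" line: "<width> <height> <ncolors> <chars_per_pixel>".
 * Illustrative code for the advisory above, not gdk-pixbuf's loader. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t ncolors;
    uint32_t cpp;      /* characters per pixel */
} xpm_values;

/* Parse one unsigned decimal field that must fit in uint32_t. */
static bool parse_u32(const char **p, uint32_t *out)
{
    const char *s = *p;
    char *end;
    unsigned long v;

    while (*s == ' ' || *s == '\t')
        s++;
    if (*s == '-' || *s == '+')          /* strtoul would silently accept a sign */
        return false;
    errno = 0;
    v = strtoul(s, &end, 10);
    if (end == s || errno == ERANGE || v > UINT32_MAX)
        return false;
    *out = (uint32_t)v;
    *p = end;
    return true;
}

static bool parse_xpm_values(const char *line, xpm_values *v)
{
    const char *p = line;
    return parse_u32(&p, &v->width) && parse_u32(&p, &v->height) &&
           parse_u32(&p, &v->ncolors) && parse_u32(&p, &v->cpp);
}

/* The bug class: pixel buffer size computed in 32-bit arithmetic with no overflow
 * check. With width = height = 65536 the product wraps to 0, so a later allocation
 * is tiny while the decode loop still walks width*height pixels. */
static uint32_t naive_pixel_bytes(const xpm_values *v)
{
    return v->width * v->height * 4u;   /* 4 bytes per RGBA pixel */
}

#define MAX_DIMENSION 32768u   /* assumed sanity cap, chosen for this example */

/* Hardened version: reject zero/oversized fields and check every multiplication.
 * The SIZE_MAX checks are not redundant with the cap: on a 32-bit size_t,
 * 32768 * 32768 * 4 is exactly 2^32 and would still wrap. */
static bool checked_pixel_bytes(const xpm_values *v, size_t *out)
{
    if (v->width == 0 || v->height == 0 || v->ncolors == 0 || v->cpp == 0)
        return false;
    if (v->width > MAX_DIMENSION || v->height > MAX_DIMENSION)
        return false;
    if (v->width > SIZE_MAX / v->height)           /* width * height would overflow */
        return false;
    size_t pixels = (size_t)v->width * v->height;
    if (pixels > SIZE_MAX / 4)                     /* pixels * 4 would overflow */
        return false;
    *out = pixels * 4;
    return true;
}

/* Verdict for one header line: -1 = parse error, 0 = rejected by checks, 1 = accepted. */
static int header_verdict(const char *line)
{
    xpm_values v;
    size_t bytes;
    if (!parse_xpm_values(line, &v))
        return -1;
    return checked_pixel_bytes(&v, &bytes) ? 1 : 0;
}

int main(void)
{
    /* Constructed header lines: one benign, one crafted to wrap the size, one malformed. */
    const char *headers[] = { "32 32 2 1", "65536 65536 2 1", "-1 32 2 1" };
    for (size_t i = 0; i < 3; i++) {
        xpm_values v;
        if (!parse_xpm_values(headers[i], &v)) {
            printf("%-18s parse rejected\n", headers[i]);
            continue;
        }
        printf("%-18s naive=%u checked=%s\n", headers[i],
               (unsigned)naive_pixel_bytes(&v),
               header_verdict(headers[i]) == 1 ? "ok" : "rejected");
    }
    return 0;
}
```

The naive computation returns 0 bytes for the 65536 x 65536 header, which is the shape of bug the advisory describes: a small allocation followed by a decode loop bounded by the original dimensions. The checked version refuses the header before any allocation happens.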
Comment 1 Michal Jaegermann 2005-11-21 03:34:46 EST
At least on RH7.3, the source rpm gdk-pixbuf-0.22.0-12.el2.3.src.rpm recompiles
without any real changes.
Comment 2 Marc Deslauriers 2006-02-19 20:16:47 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Here are updated packages to QA:

3f19c11c5de388b4895ae73cbcb1a2e0958c7a80  7.3/gdk-pixbuf-0.22.0-7.73.4.legacy.src.rpm
73cdb160dd42758aff93f18b2ffedcb76a6ee507  9/gdk-pixbuf-0.22.0-7.90.4.legacy.src.rpm
cb482dce175e1e2913dd6e6e5344f8309a5b1e8e  1/gdk-pixbuf-0.22.0-11.3.4.2.legacy.src.rpm
00cd30c407d5fe88522c67115f1d4073e610693f  2/gdk-pixbuf-0.22.0-12.fc2.1.legacy.src.rpm

http://www.infostrategique.com/linuxrpms/legacy/7.3/gdk-pixbuf-0.22.0-7.73.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/9/gdk-pixbuf-0.22.0-7.90.4.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/1/gdk-pixbuf-0.22.0-11.3.4.2.legacy.src.rpm
http://www.infostrategique.com/linuxrpms/legacy/2/gdk-pixbuf-0.22.0-12.fc2.1.legacy.src.rpm

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2.1 (GNU/Linux)

iD8DBQFD+RonLMAs/0C4zNoRAjWUAJ9KvwAbAidpy+QpILSiA+k2DcfYcACfX7P0
wt1tLvKXGYbvRYbcJB7+ooo=
=qOLt
-----END PGP SIGNATURE-----
Comment 3 Pekka Savola 2006-02-20 01:39:28 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA w/ rpm-build-compare.sh:
 - source integrity good
 - spec file changes minimal
 - patches verified to come from RHEL
 
+PUBLISH RHL73, RHL9, FC1, FC2
 
cb482dce175e1e2913dd6e6e5344f8309a5b1e8e  gdk-pixbuf-0.22.0-11.3.4.2.legacy.src.rpm
00cd30c407d5fe88522c67115f1d4073e610693f  gdk-pixbuf-0.22.0-12.fc2.1.legacy.src.rpm
3f19c11c5de388b4895ae73cbcb1a2e0958c7a80  gdk-pixbuf-0.22.0-7.73.4.legacy.src.rpm
73cdb160dd42758aff93f18b2ffedcb76a6ee507  gdk-pixbuf-0.22.0-7.90.4.legacy.src.rpm
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD8DBQFD+WVDGHbTkzxSL7QRAoOgAJ9727tGzdziN1HCIBE2ynieGqW/5QCeL8Yu
vLl3h5LB39NXeJqVjOvmHic=
=D2Io
-----END PGP SIGNATURE-----
Comment 4 Marc Deslauriers 2006-02-23 19:06:05 EST
Packages were sent to updates-testing
Comment 5 Pekka Savola 2006-03-01 02:40:23 EST
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
 
QA for RHL9.  Signatures OK, upgrades OK.
Tested mproject which depends on this, works OK.
 
+VERIFY RHL9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
 
iD4DBQFEBVDWGHbTkzxSL7QRAq3pAKCpSecjCpqQVPoUDSpA16bGr0dl+QCVGfqG
uRyiFSpGq9w85wy7wjawOg==
=FjBw
-----END PGP SIGNATURE-----
Comment 6 Pekka Savola 2006-03-10 02:15:32 EST
Timeout over.
Comment 7 Marc Deslauriers 2006-03-16 19:49:06 EST
Packages were pushed to updates.
