Bug 714754 - pidgin: DoS (excessive memory consumption) by processing certain GIF images used as buddy icon
Summary: pidgin: DoS (excessive memory consumption) by processing certain GIF images u...
Status: CLOSED DUPLICATE of bug 715337
Alias: None
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 716377
Blocks: 714770
TreeView+ depends on / blocked
Reported: 2011-06-20 15:36 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:45 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-07-04 08:49:26 UTC

Attachments (Terms of Use)

Description Jan Lieskovsky 2011-06-20 15:36:36 UTC
The following security flaw has been found in the way gdk-pixbuf, an image
loading library, loaded certain Graphics Interchange Format (GIF) image files:

It was found that gdk-pixbuf GIF image loader gdk_pixbuf__gif_image_load()
routine did not properly handle certain return values from its subroutines.
A remote attacker could provide a specially-crafted GIF image, which once
opened in an application, linked against gdk-pixbuf would lead to gdk-pixbuf
to return partially initialized pixbuf structure, possibly having huge
width and height, leading to that particular application termination due
excessive memory use.


[1] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2011-2485
[2] http://git.gnome.org/browse/gdk-pixbuf/commit/?id=f8569bb13e2aa1584dde61ca545144750f7a7c98

For Pidgin the above gdk-pixbuf library deficiency would mean:

A remote attacker could set a specially-crafted GIF image as their buddy icon that could lead to Pidgin being terminated due to excessive memory use.

[3] http://www.pidgin.im/news/security/?id=52


Red Hat would like to thank the Pidgin project for reporting this issue.
Upstream acknowledges Mark Doliner as the original reporter.

Comment 1 Jan Lieskovsky 2011-06-20 15:42:50 UTC
This issue affects the versions of the pidgin package, as shipped with
Red Hat Enterprise Linux 4, 5, and 6.


This issue affects the versions of the pidgin package, as shipped with
Fedora release of 13, 14, and 15.

Comment 7 Jan Lieskovsky 2011-06-24 08:51:32 UTC
Created pidgin tracking bugs for this issue

Affects: fedora-all [bug 716377]

Comment 8 Jan Lieskovsky 2011-06-24 09:20:06 UTC
Relevant upstream patch:
[4] http://developer.pidgin.im/viewmtn/revision/info/e802003adbf0be4496de3de8ac03b47c1e471d00

Comment 9 Huzaifa S. Sidhpurwala 2012-07-04 08:49:26 UTC

*** This bug has been marked as a duplicate of bug 715337 ***

Note You need to log in before you can comment on or make changes to this bug.