Red Hat Bugzilla – Bug 715337
CVE-2011-2485 gdk-pixbuf: incorrect error detection in the GIF image loader
Last modified: 2015-11-24 10:05:23 EST
It was found that the gdk-pixbuf GIF image loader's gdk_pixbuf__gif_image_load()
routine did not properly handle certain return values from its subroutines.
A remote attacker could provide a specially-crafted GIF image which, once
opened in an application linked against gdk-pixbuf, would lead gdk-pixbuf
to return a partially initialized pixbuf structure, possibly having huge
width and height, leading to termination of that particular application due
to excessive memory use.
Red Hat would like to thank the Pidgin project for reporting this issue.
Upstream acknowledges Mark Doliner as the original reporter.
Created attachment 506029
Proposed patch from Matthias Clasen
The CVE identifier of CVE-2011-2485 has been assigned to this issue.
This issue affects the versions of the gdk-pixbuf packages, as shipped with
Red Hat Enterprise Linux 4 and 5.
This issue affects the versions of the gdk-pixbuf package, as shipped with
Fedora releases 14 and 15.
The gdk-pixbuf2 package updates for Fedora releases 14 and 15 addressing
this issue have already been scheduled. The particular versions are:
1) gdk-pixbuf2-2.22.0-2.fc14 for Fedora 14
2) gdk-pixbuf2-2.23.3-2.fc15 for Fedora 15
Created gdk-pixbuf tracking bugs for this issue
Affects: fedora-all [bug 716373]
Matthias, you seem to have a good understanding of this issue. Do you know when this issue was introduced, and if it really affects gdk-pixbuf (0.x version for gtk+ 1.x) as mentioned in comment #8 and comment #10? My quick testing suggests it may not be affected, given that gdk_pixbuf_new_from_file() returns an error (and reports a lot of assertion failures to stderr) when trying to load the test image.
The code certainly looks like it might have the same problem.
gdk_pixbuf__gif_image_load does not even look at the return value
of gif_main_loop and just blindly returns the pixbuf.
*** Bug 714754 has been marked as a duplicate of this bug. ***
I'm closing this bug. There are no longer outstanding tasks open for it.