---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-2005
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2005
2005-02-09
---------------------------------------------------------------------
Name        : gdk-pixbuf
Versions    : rh7.3: gdk-pixbuf-0.22.0-7.73.2.legacy
Versions    : rh9: gdk-pixbuf-0.22.0-7.90.2.legacy
Summary     : An image loading library used with GNOME.
Description :
The gdk-pixbuf package contains an image loading library used with the GNOME desktop environment. The GdkPixBuf library provides image loading facilities, the rendering of a GdkPixBuf into various formats (drawables or GdkRGB buffers), and a cache interface.
---------------------------------------------------------------------
Update Information:
Updated gdk-pixbuf packages that fix several security flaws are now available.
The gdk-pixbuf package contains an image loading library used with the GNOME GUI desktop environment.
Thomas Kristensen discovered a bitmap file that would cause the Evolution mail reader to crash. This issue was caused by a flaw that affects versions of the gdk-pixbuf package prior to 0.20. To exploit this flaw, a remote attacker could send (via email) a carefully-crafted BMP file, which would cause Evolution to crash. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0111 to this issue.
During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw was discovered in the BMP image processor of gdk-pixbuf. An attacker could create a carefully crafted BMP file which would cause an application to enter an infinite loop and not respond to user input when the file was opened by a victim. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CAN-2004-0753 to this issue.
During a security audit, Chris Evans discovered a stack and a heap overflow in the XPM image decoder. An attacker could create a carefully crafted XPM file which could cause an application linked with gtk2 to crash or possibly execute arbitrary code when the file was opened by a victim. (CAN-2004-0782, CAN-2004-0783)
Chris Evans also discovered an integer overflow in the ICO image decoder. An attacker could create a carefully crafted ICO file which could cause an application linked with gtk2 to crash when the file was opened by a victim. (CAN-2004-0788)
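The BMP and ICO flaws above are two classic image-loader failure classes: a size computed from header fields that wraps in 32-bit arithmetic, and a parse loop that can fail to make progress on malformed data. The C example below is added here as an illustration and is not gdk-pixbuf's code nor the backported patches; the header struct, the caps MAX_DIMENSION and MAX_IMAGE_BYTES, and the length-prefixed chunk format are assumptions made for the example. It shows the unchecked size computation beside a hardened one, and a chunk walker that rejects any chunk that would not advance the read position.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical header for an uncompressed bitmap-style image; these are
 * illustration types, not gdk-pixbuf's real loader structures. */
typedef struct {
    uint32_t width;
    uint32_t height;
    uint32_t bpp;      /* bits per pixel */
} img_header_t;

#define MAX_DIMENSION   65535u
#define MAX_IMAGE_BYTES (256u * 1024u * 1024u)   /* assumed policy cap: 256 MiB */

/* Unchecked arithmetic: width * height * bytes-per-pixel is computed in
 * 32 bits and silently wraps, so a large header can yield a tiny (even zero)
 * allocation that later pixel writes overrun. Shown only for contrast. */
static uint32_t naive_buffer_size(const img_header_t *h)
{
    return h->width * h->height * (h->bpp / 8);
}

/* Hardened: reject out-of-range fields, widen to 64 bits before multiplying,
 * and enforce an absolute byte cap. Returns false instead of a wrapped size. */
static bool checked_buffer_size(const img_header_t *h, size_t *out)
{
    if (h->width == 0 || h->height == 0)
        return false;
    if (h->width > MAX_DIMENSION || h->height > MAX_DIMENSION)
        return false;
    if (h->bpp != 1 && h->bpp != 4 && h->bpp != 8 &&
        h->bpp != 24 && h->bpp != 32)
        return false;

    uint64_t row_bytes = ((uint64_t)h->width * h->bpp + 7) / 8;
    uint64_t total = row_bytes * h->height;   /* bounded by the caps above, cannot wrap */
    if (total > MAX_IMAGE_BYTES)
        return false;
    *out = (size_t)total;
    return true;
}

/* Walk a stream of length-prefixed chunks: [u32 little-endian length][payload],
 * where the length counts the 4-byte prefix itself. Without the "len >= 4"
 * check, a chunk declaring length 0 leaves pos unchanged and the loop spins
 * forever, the same failure class as the BMP infinite loop described above.
 * Returns the chunk count, or -1 for malformed input. */
static int walk_chunks(const uint8_t *buf, size_t buf_len)
{
    size_t pos = 0;
    int count = 0;
    while (pos < buf_len) {
        if (buf_len - pos < 4)
            return -1;                     /* truncated length field */
        uint32_t len = (uint32_t)buf[pos] | ((uint32_t)buf[pos + 1] << 8) |
                       ((uint32_t)buf[pos + 2] << 16) | ((uint32_t)buf[pos + 3] << 24);
        if (len < 4 || len > buf_len - pos)
            return -1;                     /* no forward progress, or runs past the end */
        pos += len;                        /* guaranteed to advance by at least 4 */
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed headers: 32768 x 32768 x 32 bpp makes the 32-bit product wrap to 0. */
    img_header_t hostile = { 32768u, 32768u, 32u };
    img_header_t sane    = { 640u, 480u, 24u };
    size_t n = 0;

    printf("naive size for hostile header: %u\n", (unsigned)naive_buffer_size(&hostile));
    printf("checked hostile: %s\n", checked_buffer_size(&hostile, &n) ? "ok" : "rejected");
    printf("checked sane: %s (%zu bytes)\n",
           checked_buffer_size(&sane, &n) ? "ok" : "rejected", n);

    /* Constructed chunk streams: a valid one and one with a zero-length chunk. */
    static const uint8_t good[] = { 6,0,0,0, 'a','b',  4,0,0,0 };
    static const uint8_t spin[] = { 0,0,0,0, 'x','y','z','w' };
    printf("good stream: %d chunks\n", walk_chunks(good, sizeof good));
    printf("spin stream: %d (rejected)\n", walk_chunks(spin, sizeof spin));
    return 0;
}
```

The two checks are independent: the dimension and bpp range checks alone would not stop the 32768 x 32768 header, which is why the size is computed in 64 bits and compared against an explicit cap; likewise the chunk walker does not rely on a caller-supplied iteration limit but on each step provably moving forward.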
Users of gdk-pixbuf are advised to upgrade to these packages, which contain backported patches and are not vulnerable to these issues.
---------------------------------------------------------------------
Changelogs
rh73:
* Thu Jan 06 2005 John Dalbec <jpdalbec ysu edu> 1:0.22.0-7.73.2.legacy
- added db1-devel buildreq because gnome-config --libs insists on it
- added hack from Pavel Kankovsky to get loaders to install correctly

* Wed Sep 15 2004 Matthias Clasen <mclasen redhat com> - 1:0.22.0-11.2.2E
- Fix a bug in the previous change that broke the xpm loader

* Fri Sep 03 2004 Matthias Clasen <mclasen redhat com> - 1:0.22.0-11.1.2E
- Fix issues in the xpm and ico loaders found by Chris Evans (#130711)

* Fri Aug 20 2004 Owen Taylor <otaylor redhat com> - 1:0.22.0-10.0.2E
- Fix problem with infinite loop on bad BMP data (#130455, test BMP from Chris Evans, fix from Manish Singh)
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/ (sha1sums)