Fedora Legacy Test Update Notification: gdk-pixbuf

Marc Deslauriers marcdeslauriers at videotron.ca
Thu Feb 10 02:13:49 UTC 2005


---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-2005
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2005
2005-02-09
---------------------------------------------------------------------

Name        : gdk-pixbuf
Versions    : rh7.3: gdk-pixbuf-0.22.0-7.73.2.legacy
Versions    : rh9: gdk-pixbuf-0.22.0-7.90.2.legacy
Summary     : An image loading library used with GNOME.
Description :
The gdk-pixbuf package contains an image loading library used with the
GNOME desktop environment. The GdkPixBuf library provides image
loading facilities, the rendering of a GdkPixBuf into various formats
(drawables or GdkRGB buffers), and a cache interface.

---------------------------------------------------------------------
Update Information:

Updated gdk-pixbuf packages that fix several security flaws are now
available.

The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment.

Thomas Kristensen discovered a bitmap file that would cause the
Evolution mail reader to crash. This issue was caused by a flaw that
affects versions of the gdk-pixbuf package prior to 0.20. To exploit
this flaw, a remote attacker could send (via email) a carefully-crafted
BMP file, which would cause Evolution to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0111 to this issue.

During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw
was discovered in the BMP image processor of gdk-pixbuf. An attacker
could create a carefully crafted BMP file which would cause an
application to enter an infinite loop and not respond to user input when
the file was opened by a victim. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0753 to
this issue.

During a security audit, Chris Evans discovered a stack and a heap
overflow in the XPM image decoder. An attacker could create a carefully
crafted XPM file which could cause an application linked with gtk2 to
crash or possibly execute arbitrary code when the file was opened by a
victim. (CAN-2004-0782, CAN-2004-0783)

Chris Evans also discovered an integer overflow in the ICO image
decoder. An attacker could create a carefully crafted ICO file which
could cause an application linked with gtk2 to crash when the file was
opened by a victim. (CAN-2004-0788)

Users of gdk-pixbuf are advised to upgrade to these packages, which
contain backported patches and are not vulnerable to these issues.
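The ICO and BMP flaws above share a root cause: width, height and bits-per-pixel come straight from the file, and a decoder that multiplies them in 32-bit arithmetic can wrap to a tiny allocation before copying the full image into it. The following is a constructed illustration added here, not gdk-pixbuf's own loader code; the function names, the MAX_DIMENSION cap and the stride rounding are assumptions chosen for the example.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example for this advisory; not gdk-pixbuf code.
 * An ICO/BMP header supplies width, height and bits-per-pixel as
 * attacker-controlled integers. This contrasts a wrapping size
 * computation with an overflow-checked one (the class of flaw
 * behind CAN-2004-0788). */

#define MAX_DIMENSION 32767u   /* sanity cap; a policy choice for this example */

/* The unsafe pattern: 32-bit arithmetic wraps silently, so a huge
 * image can yield a tiny (or zero-byte) allocation. */
uint32_t pixbuf_size_naive(uint32_t width, uint32_t height, uint32_t bpp)
{
    return width * height * (bpp / 8);
}

/* Hardened form: reject implausible dimensions and unknown depths,
 * compute the row stride as BMP/ICO store it (whole bytes, padded to
 * a 4-byte boundary), and check the final multiplication before doing
 * it. Returns the buffer size, or 0 if the header must be rejected
 * (0 is never a valid size because zero dimensions are refused). */
size_t pixbuf_size_checked(uint32_t width, uint32_t height, uint32_t bpp)
{
    if (width == 0 || height == 0 ||
        width > MAX_DIMENSION || height > MAX_DIMENSION)
        return 0;
    if (bpp != 1 && bpp != 4 && bpp != 8 &&
        bpp != 16 && bpp != 24 && bpp != 32)
        return 0;

    /* width <= 32767 and bpp <= 32, so this product cannot overflow */
    size_t bits_per_row  = (size_t)width * bpp;
    size_t bytes_per_row = (bits_per_row + 7) / 8;
    size_t stride        = (bytes_per_row + 3) & ~(size_t)3;

    /* defensive check so the code stays correct if the cap is raised
     * or size_t is 32 bits wide */
    if (stride > SIZE_MAX / height)
        return 0;
    return stride * height;
}
```

With the constructed header values in the test, the naive computation returns 4 bytes for a 4294967295 x 4294967295 image and 0 bytes for a 65536 x 65536 one, while the checked version rejects both.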

---------------------------------------------------------------------
Changelogs

rh73:
* Thu Jan 06 2005 John Dalbec <jpdalbec at ysu.edu> 1:0.22.0-7.73.2.legacy
- added db1-devel buildreq because gnome-config --libs insists on it
- added hack from Pavel Kankovsky to get loaders to install correctly

* Sat Sep 18 2004 Marc Deslauriers <marcdeslauriers at videotron.ca> 1:0.22.0-7.73.1.legacy
- Changed release number and built packages

* Thu Sep 16 2004 Pavel Kankovsky <peak at argo.troja.mff.cuni.cz> 1:0.22.0-7.legacy
- added buildreqs from previous legacy pkgs (minus pointless libdb1-devel)
- fix for CAN-2004-0111 included in 0.22.0

* Wed Sep 15 2004 Matthias Clasen <mclasen at redhat.com> - 1:0.22.0-11.2.2E
- Fix a bug in the previous change that broke the xpm loader

* Fri Sep 03 2004 Matthias Clasen <mclasen at redhat.com> - 1:0.22.0-11.1.2E
- Fix issues in the xpm and ico loaders
   found by Chris Evans (#130711)

* Fri Aug 20 2004 Owen Taylor <otaylor at redhat.com> - 1:0.22.0-10.0.2E
- Fix problem with infinite loop on bad BMP data (#130455,
   test BMP from Chris Evans, fix from Manish Singh)

rh9:
* Sat Feb 05 2005 Marc Deslauriers <marcdeslauriers at videotron.ca> 1:0.22.0-7.90.2.legacy
- Added missing automake14 BuildRequires

* Sat Sep 18 2004 Marc Deslauriers <marcdeslauriers at videotron.ca> 1:0.22.0-7.90.1.legacy
- Changed release number and adjusted spec file parameters for rh9

* Thu Sep 16 2004 Pavel Kankovsky <peak at argo.troja.mff.cuni.cz> 1:0.22.0-7.legacy
- added buildreqs from previous legacy pkgs (minus pointless libdb1-devel)
- fix for CAN-2004-0111 included in 0.22.0

* Wed Sep 15 2004 Matthias Clasen <mclasen at redhat.com> - 1:0.22.0-11.2.2E
- Fix a bug in the previous change that broke the xpm loader

* Fri Sep 03 2004 Matthias Clasen <mclasen at redhat.com> - 1:0.22.0-11.1.2E
- Fix issues in the xpm and ico loaders
   found by Chris Evans (#130711)

* Fri Aug 20 2004 Owen Taylor <otaylor at redhat.com> - 1:0.22.0-10.0.2E
- Fix problem with infinite loop on bad BMP data (#130455,
   test BMP from Chris Evans, fix from Manish Singh)

---------------------------------------------------------------------
This update can be downloaded from:
   http://download.fedoralegacy.org/
(sha1sums)


---------------------------------------------------------------------

Please test and comment in bugzilla.