Fedora Legacy Test Update Notification: gdk-pixbuf
Marc Deslauriers
marcdeslauriers at videotron.ca
Thu Feb 10 02:13:49 UTC 2005
---------------------------------------------------------------------
Fedora Legacy Test Update Notification
FEDORALEGACY-2005-2005
Bugzilla https://bugzilla.fedora.us/show_bug.cgi?id=2005
2005-02-09
---------------------------------------------------------------------
Name : gdk-pixbuf
Versions : rh7.3: gdk-pixbuf-0.22.0-7.73.2.legacy
Versions : rh9: gdk-pixbuf-0.22.0-7.90.2.legacy
Summary : An image loading library used with GNOME.
Description :
The gdk-pixbuf package contains an image loading library used with the
GNOME desktop environment. The GdkPixBuf library provides image
loading facilities, the rendering of a GdkPixBuf into various formats
(drawables or GdkRGB buffers), and a cache interface.
---------------------------------------------------------------------
Update Information:
Updated gdk-pixbuf packages that fix several security flaws are now
available.
The gdk-pixbuf package contains an image loading library used with the
GNOME GUI desktop environment.
Thomas Kristensen discovered a bitmap file that would cause the
Evolution mail reader to crash. This issue was caused by a flaw that
affects versions of the gdk-pixbuf package prior to 0.20. To exploit
this flaw, a remote attacker could send (via email) a carefully-crafted
BMP file, which would cause Evolution to crash. The Common
Vulnerabilities and Exposures project (cve.mitre.org) has assigned the
name CAN-2004-0111 to this issue.
During testing of a previously fixed flaw in Qt (CAN-2004-0691), a flaw
was discovered in the BMP image processor of gdk-pixbuf. An attacker
could create a carefully crafted BMP file which would cause an
application to enter an infinite loop and not respond to user input when
the file was opened by a victim. The Common Vulnerabilities and
Exposures project (cve.mitre.org) has assigned the name CAN-2004-0753 to
this issue.
During a security audit, Chris Evans discovered a stack and a heap
overflow in the XPM image decoder. An attacker could create a carefully
crafted XPM file which could cause an application linked with gtk2 to
crash or possibly execute arbitrary code when the file was opened by a
victim. (CAN-2004-0782, CAN-2004-0783)
Chris Evans also discovered an integer overflow in the ICO image
decoder. An attacker could create a carefully crafted ICO file which
could cause an application linked with gtk2 to crash when the file is
opened by a victim. (CAN-2004-0788)
Users of gdk-pixbuf are advised to upgrade to these packages, which
contain backported patches and are not vulnerable to these issues.
---------------------------------------------------------------------
Changelogs
rh73:
* Thu Jan 06 2005 John Dalbec <jpdalbec at ysu.edu> 1:0.22.0-7.73.2.legacy
- added db1-devel buildreq because gnome-config --libs insists on it
- added hack from Pavel Kankovsky to get loaders to install correctly
* Sat Sep 18 2004 Marc Deslauriers <marcdeslauriers at videotron.ca>
1:0.22.0-7.73.1.legacy
- Changed release number and built packages
* Thu Sep 16 2004 Pavel Kankovsky <peak at argo.troja.mff.cuni.cz>
1:0.22.0-7.legacy
- added buildreqs from previous legacy pkgs (minus pointless libdb1-devel)
- fix for CAN-2004-0111 included in 0.22.0
* Wed Sep 15 2004 Matthias Clasen <mclasen at redhat.com> - 1:0.22.0-11.2.2E
- Fix a bug in the previous change that broke the xpm loader
* Fri Sep 03 2004 Matthias Clasen <mclasen at redhat.com> - 1:0.22.0-11.1.2E
- Fix issues in the xpm and ico loaders
found by Chris Evans (#130711)
* Fri Aug 20 2004 Owen Taylor <otaylor at redhat.com> - 1:0.22.0-10.0.2E
- Fix problem with infinite loop on bad BMP data (#130455,
test BMP from Chris Evans, fix from Manish Singh)
rh9:
* Sat Feb 05 2005 Marc Deslauriers <marcdeslauriers at videotron.ca>
1:0.22.0-7.90.2.legacy
- Added missing automake14 BuildRequires
* Sat Sep 18 2004 Marc Deslauriers <marcdeslauriers at videotron.ca>
1:0.22.0-7.90.1.legacy
- Changed release number and ajusted spec file parameters for rh9
* Thu Sep 16 2004 Pavel Kankovsky <peak at argo.troja.mff.cuni.cz>
1:0.22.0-7.legacy
- added buildreqs from previous legacy pkgs (minus pointless libdb1-devel)
- fix for CAN-2004-0111 included in 0.22.0
* Wed Sep 15 2004 Matthias Clasen <mclasen at redhat.com> - 1:0.22.0-11.2.2E
- Fix a bug in the previous change that broke the xpm loader
* Fri Sep 03 2004 Matthias Clasen <mclasen at redhat.com> - 1:0.22.0-11.1.2E
- Fix issues in the xpm and ico loaders
found by Chris Evans (#130711)
* Fri Aug 20 2004 Owen Taylor <otaylor at redhat.com> - 1:0.22.0-10.0.2E
- Fix problem with infinite loop on bad BMP data (#130455,
test BMP from Chris Evans, fix from Manish Singh)
---------------------------------------------------------------------
This update can be downloaded from:
http://download.fedoralegacy.org/
(sha1sums)
rh7.3:
a29384912cdf63b635694050c1ecf2f8f56f2e3c
redhat/7.3/updates-testing/i386/gdk-pixbuf-0.22.0-7.73.2.legacy.i386.rpm
2e9223509766118f53b1934f77ed9d625558772c
redhat/7.3/updates-testing/i386/gdk-pixbuf-devel-0.22.0-7.73.2.legacy.i386.rpm
550e131ff9707a021c1949472ed94c23aec2391c
redhat/7.3/updates-testing/i386/gdk-pixbuf-gnome-0.22.0-7.73.2.legacy.i386.rpm
ed74d85b0419e4b3eba53a2a65cd87be1b460572
redhat/7.3/updates-testing/SRPMS/gdk-pixbuf-0.22.0-7.73.2.legacy.src.rpm
rh9:
1783c789f1eca62ee264eb7dd5aaef93084a154a
redhat/9/updates-testing/i386/gdk-pixbuf-0.22.0-7.90.2.legacy.i386.rpm
a7c5d85e2d367b81425ddd0eab32fb18b1b316b2
redhat/9/updates-testing/i386/gdk-pixbuf-devel-0.22.0-7.90.2.legacy.i386.rpm
50eea5f1886468a5ec6c9d0d10765afcae9791a1
redhat/9/updates-testing/i386/gdk-pixbuf-gnome-0.22.0-7.90.2.legacy.i386.rpm
ccc7442f3dd7dd696a5000cbd5cc1d9624f89673
redhat/9/updates-testing/SRPMS/gdk-pixbuf-0.22.0-7.90.2.legacy.src.rpm
---------------------------------------------------------------------
Please test and comment in bugzilla.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 256 bytes
Desc: OpenPGP digital signature
URL: <http://listman.redhat.com/archives/fedora-legacy-list/attachments/20050209/8817c888/attachment.sig>
More information about the fedora-legacy-list
mailing list