Your message dated Sat, 22 Jun 2024 10:32:09 +0000
with message-id <e1sky2t-004yso...@fasolo.debian.org>
and subject line Bug#1071265: fixed in gdk-pixbuf 2.42.10+dfsg-1+deb12u1
has caused the Debian Bug report #1071265,
regarding CVE-2022-48622: memory corruption via crafted .ani files (Windows animated cursors)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1071265: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071265
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gdk-pixbuf
Version: 2.38.1+dfsg-1
Severity: important
Tags: security upstream fixed-upstream patch
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Control: fixed -1 2.42.12+dfsg-1
gdk-pixbuf has a memory corruption vulnerability leading to at least denial
of service, and possibly arbitrary code execution, when a user loads a
crafted ANI file (a Windows animated cursor) into a gdk-pixbuf-based
image viewer, thumbnailer, etc.
A mitigation is that the gdk-pixbuf-based thumbnailer used in GNOME is
sandboxed using bubblewrap.
This was fixed upstream in 2.42.12 by
<https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/172>
(specifically the first commit "ANI: Reject files with multiple anih
chunks", but applying the other two commits would be a good idea IMO).
I uploaded 2.42.12 as a team upload from a "maintainer of last resort"
point of view, but I seem to have become a single point of failure for
too many libraries already, so I would prefer not to be the only one
who ever uploads gdk-pixbuf.
For stable updates, an uploader could either apply the security fixes
as patches, or do a 2.42.12+dfsg-0+deb12u1. If doing the latter, beware
that the new upstream release disables support for several file formats
by default (including .ani but also more common formats like .bmp)
which would be a disruptive change as discussed upstream in
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/169,
so building with -Dothers=enabled would probably be necessary.
smcv
--- End Message ---
--- Begin Message ---
Source: gdk-pixbuf
Source-Version: 2.42.10+dfsg-1+deb12u1
Done: Salvatore Bonaccorso <car...@debian.org>
We believe that the bug you reported is fixed in the latest version of
gdk-pixbuf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1071...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Salvatore Bonaccorso <car...@debian.org> (supplier of updated gdk-pixbuf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Thu, 13 Jun 2024 23:04:36 +0200
Source: gdk-pixbuf
Architecture: source
Version: 2.42.10+dfsg-1+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian GNOME Maintainers <pkg-gnome-maintain...@lists.alioth.debian.org>
Changed-By: Salvatore Bonaccorso <car...@debian.org>
Closes: 1071265
Changes:
gdk-pixbuf (2.42.10+dfsg-1+deb12u1) bookworm; urgency=medium
.
* ANI: Reject files with multiple anih chunks (CVE-2022-48622)
(Closes: #1071265)
* ANI: Reject files with multiple INAM or IART chunks
* ANI: Validate anih chunk size
Checksums-Sha1:
 7f4431270e9826b5750b6a46933b22fb128ce976 3328 gdk-pixbuf_2.42.10+dfsg-1+deb12u1.dsc
 51a597a12c66c5677f032e491042b465bc792de1 22156 gdk-pixbuf_2.42.10+dfsg-1+deb12u1.debian.tar.xz
 ad7a1963c42ec4d8c0ad1dc077e811a98f545d5a 7233 gdk-pixbuf_2.42.10+dfsg-1+deb12u1_source.buildinfo
Checksums-Sha256:
 61d9a589c47389c3668d0e0e00b578b4bd362e820ccf0753c44912940a466f2b 3328 gdk-pixbuf_2.42.10+dfsg-1+deb12u1.dsc
 91b7d1795ffedc62c832c4a7cd4d425c39117372bf4bd69720b5c7d8dd93605e 22156 gdk-pixbuf_2.42.10+dfsg-1+deb12u1.debian.tar.xz
 1ab391bedf15643656fb26af026c447943f68db120837738aedb3fc31df229bb 7233 gdk-pixbuf_2.42.10+dfsg-1+deb12u1_source.buildinfo
Files:
 f24a0e5068051d09aeacc97589a8a89a 3328 libs optional gdk-pixbuf_2.42.10+dfsg-1+deb12u1.dsc
 21ef15fa34c4c6c97c957c499d652501 22156 libs optional gdk-pixbuf_2.42.10+dfsg-1+deb12u1.debian.tar.xz
 b98af29cabe438c24573f9d5113c839c 7233 libs optional gdk-pixbuf_2.42.10+dfsg-1+deb12u1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQKmBAEBCgCQFiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmZrx9RfFIAAAAAALgAo
aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2
NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQSHGNhcm5pbEBk
ZWJpYW4ub3JnAAoJEAVMuPMTQ89ENi0P/jYTMdULHzaBIMP2azoKR+IPg217faOB
A1joR7olHCPiocfl/2UjwBxMHoAbIH2gJ/fcUnL+d+lw/8ImnD3PP8nxpV0LKX0a
dGG+xVFcocKEvMXpGjbriH1EgQKDasa+A/BoOe+315hAfNzPpe75EU1uOIp4daFI
zOHfBQIKlR6x9FPcTArIzeCWQ3nFhopC+skRf+xW/OvnZIbac6N2d8Qgofrzotwi
8PZxSphLnvqwRfLumhXpCnGweeFyTl6w7SBtmmmorZyQfBozxtnN+p45v48bNJtc
KNUCJatkeG8UUqUdaNs1CH2Eb+UfulvvIyfxp5lDCDqB4TJUWY5zBUnBBJvlRskv
CLqPamhQAjyKcdBRfJYLPUFzadSpDoviKFqdUddR7LEUbBZhIEO0zi+fBNsaiWGS
EOXbJXMZnZpEAd7N185k0rubpyRGfkDMk1nKnDGfDgL4MRGfckE7+sDLy4LKlDvd
SrqhzunABLT9MoYYI2yhb5PVimJkseE1Dz0osBD8+sRY/dOnf0WsQOA2rztUYD1l
abe4MqWHCd8HmGgkvvNeto5BfEG8kxjbUhh8Fik+j0baiJPm9sGqo2kwpKF8Y/ss
lWGY8+wn8Nys4Dam31pLLKyv1HphiQ6YeoUbol+JI36Zzdglg9lweGYVq4tEkOWB
Nq3s+nXeSidW
=pipz
-----END PGP SIGNATURE-----
--- End Message ---
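The three ANI checks named in the bug report and the bookworm changelog above (reject a file with more than one anih chunk, reject duplicate INAM/IART chunks, validate the anih chunk size), as an added example that is not gdk-pixbuf's code and does not claim to mirror the upstream merge request: a minimal RIFF/ACON chunk walker written for this page in C. The usual reason a second header chunk is dangerous in this kind of loader is that it can rewrite header fields such as the frame count after buffers have already been sized from the first one, so the walker refuses the file instead of letting a later chunk override earlier state. Assumptions: ANIH_SIZE is taken as the 36-byte ANIHEADER (nine little-endian DWORDs); the build_ani, check_constructed and check_truncated helpers and the sample files they produce are constructed for this example only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumption of this example: the anih payload is the 36-byte ANIHEADER,
   so a loader that copies it into a fixed struct must accept only that size. */
#define ANIH_SIZE 36u

typedef struct { unsigned anih, inam, iart; } ani_counts;

static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Walk the chunks in [p, p + len). The counters are shared across nested
   LIST chunks so a second anih/INAM/IART is rejected wherever it appears. */
static int walk(const uint8_t *p, size_t len, ani_counts *c, int depth) {
    size_t off = 0;
    if (depth > 4) return -1;                      /* refuse absurd nesting */
    while (off + 8 <= len) {
        const uint8_t *id = p + off;
        uint32_t size = rd32(p + off + 4);
        size_t body = off + 8;
        if (size > len - body) return -1;          /* chunk overruns its container */
        if (memcmp(id, "anih", 4) == 0) {
            if (++c->anih > 1) return -1;          /* reject multiple anih chunks */
            if (size != ANIH_SIZE) return -1;      /* validate anih chunk size */
        } else if (memcmp(id, "INAM", 4) == 0) {
            if (++c->inam > 1) return -1;          /* reject multiple INAM chunks */
        } else if (memcmp(id, "IART", 4) == 0) {
            if (++c->iart > 1) return -1;          /* reject multiple IART chunks */
        } else if (memcmp(id, "LIST", 4) == 0) {
            if (size < 4) return -1;               /* LIST carries a 4-byte type tag */
            if (walk(p + body + 4, size - 4, c, depth + 1)) return -1;
        }
        off = body + size + (size & 1);            /* RIFF pads odd chunk sizes */
    }
    return 0;
}

/* Returns 0 for a structurally acceptable ANI file, -1 to reject it. */
int ani_validate(const uint8_t *buf, size_t len) {
    ani_counts c = {0, 0, 0};
    if (len < 12 || memcmp(buf, "RIFF", 4) || memcmp(buf + 8, "ACON", 4)) return -1;
    uint32_t riff = rd32(buf + 4);
    if (riff < 4 || riff > len - 8) return -1;     /* declared RIFF size must fit */
    if (walk(buf + 12, riff - 4, &c, 0)) return -1;
    return c.anih == 1 ? 0 : -1;                   /* exactly one anih is required */
}

/* ---- constructed sample files (test data made for this example) ---- */

static void wr32(uint8_t *o, uint32_t v) {
    o[0] = (uint8_t)v; o[1] = (uint8_t)(v >> 8);
    o[2] = (uint8_t)(v >> 16); o[3] = (uint8_t)(v >> 24);
}

static size_t put_chunk(uint8_t *o, const char *id, uint32_t size) {
    memcpy(o, id, 4);
    wr32(o + 4, size);
    memset(o + 8, 0, size + (size & 1));           /* zeroed payload plus pad byte */
    return 8 + size + (size & 1);
}

/* Build RIFF/ACON { anih x anih_n, LIST INFO { INAM x inam_n } } into out. */
size_t build_ani(uint8_t *out, unsigned anih_n, uint32_t anih_size, unsigned inam_n) {
    size_t n = 12, list;
    memcpy(out, "RIFF", 4); memcpy(out + 8, "ACON", 4);
    for (unsigned i = 0; i < anih_n; i++) n += put_chunk(out + n, "anih", anih_size);
    list = n;
    memcpy(out + n, "LIST", 4); memcpy(out + n + 8, "INFO", 4); n += 12;
    for (unsigned i = 0; i < inam_n; i++) n += put_chunk(out + n, "INAM", 3); /* odd size: exercises padding */
    wr32(out + list + 4, (uint32_t)(n - list - 8));
    wr32(out + 4, (uint32_t)(n - 8));
    return n;
}

/* Validate a constructed file with the given chunk layout. */
int check_constructed(unsigned anih_n, uint32_t anih_size, unsigned inam_n) {
    uint8_t buf[256];
    if (anih_n > 2 || anih_size > 64 || inam_n > 2) return -1;   /* keep within buf */
    size_t n = build_ani(buf, anih_n, anih_size, inam_n);
    return ani_validate(buf, n);
}

/* A good file whose declared RIFF size exceeds the bytes actually present. */
int check_truncated(void) {
    uint8_t buf[256];
    size_t n = build_ani(buf, 1, ANIH_SIZE, 1);
    return ani_validate(buf, n - 1);
}

int main(void) {
    printf("one anih, one INAM:   %d\n", check_constructed(1, ANIH_SIZE, 1));
    printf("two anih chunks:      %d\n", check_constructed(2, ANIH_SIZE, 1));
    printf("anih of 8 bytes:      %d\n", check_constructed(1, 8, 1));
    printf("two INAM chunks:      %d\n", check_constructed(1, ANIH_SIZE, 2));
    printf("truncated file:       %d\n", check_truncated());
    return 0;
}
```

The counters are deliberately global to the file rather than per LIST: an attacker who can place a second anih inside a nested LIST gets the same rejection as one who places it at top level. A real loader would additionally check the cbSize field inside the header and the frame and step counts against the icon chunks that follow, which this walker does not do.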