Your message dated Sat, 22 Jun 2024 19:47:35 +0000
with message-id <e1sl6hz-006vf3...@fasolo.debian.org>
and subject line Bug#1071265: fixed in gdk-pixbuf 2.42.2+dfsg-1+deb11u2
has caused the Debian Bug report #1071265,
regarding CVE-2022-48622: memory corruption via crafted .ani files (Windows
animated cursors)
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1071265: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1071265
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: gdk-pixbuf
Version: 2.38.1+dfsg-1
Severity: important
Tags: security upstream fixed-upstream patch
X-Debbugs-Cc: Debian Security Team <t...@security.debian.org>
Control: fixed -1 2.42.12+dfsg-1
gdk-pixbuf has a memory corruption vulnerability leading to at least denial
of service, and possibly arbitrary code execution, when a user loads a
crafted ANI file (a Windows animated cursor) into a gdk-pixbuf-based
image viewer, thumbnailer, etc.
A mitigation is that the gdk-pixbuf-based thumbnailer used in GNOME is
sandboxed using bubblewrap.
This was fixed upstream in 2.42.12 by
<https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/172>
(specifically the first commit "ANI: Reject files with multiple anih
chunks", but applying the other two commits would be a good idea IMO).
I uploaded 2.42.12 as a team upload from a "maintainer of last resort"
point of view, but I seem to have become a single point of failure for
too many libraries already, so I would prefer not to be the only one
who ever uploads gdk-pixbuf.
For stable updates, an uploader could either apply the security fixes
as patches, or do a 2.42.12+dfsg-0+deb12u1. If doing the latter, beware
that the new upstream release disables support for several file formats
by default (including .ani but also more common formats like .bmp)
which would be a disruptive change as discussed upstream in
https://gitlab.gnome.org/GNOME/gdk-pixbuf/-/merge_requests/169,
so building with -Dothers=enabled would probably be necessary.
smcv
--- End Message ---
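The upstream fix named in the report (reject .ani files with more than one anih chunk) can also be applied as a pre-screening check before a file reaches a gdk-pixbuf loader or thumbnailer. The following is an added example written for this page, not code from gdk-pixbuf, the Debian patches, or the merge request: it walks the RIFF/ACON chunk structure of a .ani file, verifies that every chunk fits inside its container, and rejects files with zero or multiple anih chunks or an anih payload of the wrong size. The chunk layout it assumes (RIFF header, "ACON" form type, LIST sub-containers, 36-byte anih payload) is the published ANI format; the size check and the container-bounds check are this example's own idea of "invalid", beyond the duplicate-anih rule the report states. The sample files at the bottom are constructed inline and contain no cursor frames.

```python
import struct

# Payload size of a well-formed anih chunk (9 little-endian uint32 fields).
ANIH_SIZE = 36


def _walk_chunks(data, start, end, found):
    """Walk RIFF chunks in data[start:end], appending (id, size) to found.

    LIST chunks are descended into; any chunk whose declared size runs past
    its container raises ValueError instead of being read out of bounds.
    """
    pos = start
    while pos < end:
        if end - pos < 8:
            raise ValueError(f"truncated chunk header at offset {pos}")
        cid = data[pos:pos + 4]
        (size,) = struct.unpack_from("<I", data, pos + 4)
        body = pos + 8
        if body + size > end:
            raise ValueError(
                f"chunk {cid!r} at offset {pos} claims {size} bytes, exceeding its container")
        if cid == b"LIST":
            if size < 4:
                raise ValueError(f"LIST chunk at offset {pos} too small for a list type")
            _walk_chunks(data, body + 4, body + size, found)
        else:
            found.append((cid, size))
        # Chunk bodies are padded to an even length.
        pos = body + size + (size & 1)
    return found


def check_ani(data):
    """Return (accepted, reason) for a candidate .ani file held in memory."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"ACON":
        return (False, "not a RIFF/ACON container")
    (riff_size,) = struct.unpack_from("<I", data, 4)
    end = 8 + riff_size
    if end > len(data):
        return (False, "RIFF size exceeds file length")
    try:
        chunks = _walk_chunks(data, 12, end, [])
    except ValueError as exc:
        return (False, str(exc))
    anih_sizes = [size for cid, size in chunks if cid == b"anih"]
    if not anih_sizes:
        return (False, "no anih chunk")
    if len(anih_sizes) > 1:
        # The condition the upstream fix rejects: more than one anih header.
        return (False, f"{len(anih_sizes)} anih chunks; expected exactly one")
    if anih_sizes[0] != ANIH_SIZE:
        return (False, f"anih chunk is {anih_sizes[0]} bytes; expected {ANIH_SIZE}")
    return (True, "ok")


# --- constructed sample inputs (no real cursor data) ---------------------

def _chunk(cid, payload):
    return cid + struct.pack("<I", len(payload)) + payload + (b"\0" if len(payload) & 1 else b"")


def _riff_acon(chunks):
    body = b"ACON" + b"".join(chunks)
    return b"RIFF" + struct.pack("<I", len(body)) + body


def _anih(nframes=1, nsteps=1):
    # cbSize, nFrames, nSteps, iWidth, iHeight, iBitCount, nPlanes, iDispRate, bfAttributes
    return struct.pack("<9I", ANIH_SIZE, nframes, nsteps, 0, 0, 0, 0, 6, 1)


GOOD_ANI = _riff_acon([_chunk(b"anih", _anih())])
DOUBLE_ANIH = _riff_acon([_chunk(b"anih", _anih()), _chunk(b"anih", _anih())])
TRUNCATED_ANI = GOOD_ANI[:-4]

if __name__ == "__main__":
    for name, blob in [("good", GOOD_ANI), ("double anih", DOUBLE_ANIH), ("truncated", TRUNCATED_ANI)]:
        print(name, check_ani(blob))
```

`check_ani` never dereferences a chunk beyond the bounds it has already verified, so it is safe to run over untrusted input as a filter in front of a thumbnailer; a rejection is a reason to quarantine or log the file rather than to hand it to the image loader.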
--- Begin Message ---
Source: gdk-pixbuf
Source-Version: 2.42.2+dfsg-1+deb11u2
Done: Jeremy Bícha <jbi...@ubuntu.com>
We believe that the bug you reported is fixed in the latest version of
gdk-pixbuf, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1071...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Jeremy Bícha <jbi...@ubuntu.com> (supplier of updated gdk-pixbuf package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 05 Jun 2024 10:04:29 -0400
Source: gdk-pixbuf
Built-For-Profiles: noudeb
Architecture: source
Version: 2.42.2+dfsg-1+deb11u2
Distribution: bullseye
Urgency: high
Maintainer: Debian GNOME Maintainers
<pkg-gnome-maintain...@lists.alioth.debian.org>
Changed-By: Jeremy Bícha <jbi...@ubuntu.com>
Closes: 1071265
Changes:
gdk-pixbuf (2.42.2+dfsg-1+deb11u2) bullseye; urgency=high
.
[ Ian Constantin ]
* SECURITY UPDATE: heap memory corruption (Closes: #1071265)
- debian/patches/CVE-2022-48622-*.patch: adds checks for invalid ani files
to gdk-pixbuf/io-ani.c.
- tests/tests-images/fail/CVE-2022-48622.ani: test file.
- debian/source/include-binaries: including binary test file.
- CVE-2022-48622
Checksums-Sha1:
cfc23b188d7ec2575db38c8b9c7c3e4410a2ca59 3186
gdk-pixbuf_2.42.2+dfsg-1+deb11u2.dsc
b1b9c253c8a28225213703e8678562219501c902 37484
gdk-pixbuf_2.42.2+dfsg-1+deb11u2.debian.tar.xz
d446c69706d4194d70cf675b1bcfe48b86eae051 12737
gdk-pixbuf_2.42.2+dfsg-1+deb11u2_source.buildinfo
Checksums-Sha256:
75494c6db3917a144438ad1b084300e84a1f6ed7f38c354bee9200b2ce44a1eb 3186
gdk-pixbuf_2.42.2+dfsg-1+deb11u2.dsc
45a5a344bc44deea1a6daf3131b070c38af6645759f787f9ab87e9e9f318da93 37484
gdk-pixbuf_2.42.2+dfsg-1+deb11u2.debian.tar.xz
f36e2f7423662a20c787c6f24121cbab42eef64b62fe62c728091325697266a0 12737
gdk-pixbuf_2.42.2+dfsg-1+deb11u2_source.buildinfo
Files:
7742874090ed26230bcdab41c890e661 3186 libs optional
gdk-pixbuf_2.42.2+dfsg-1+deb11u2.dsc
1e3f77a6fd642205d1b07b099ed591cc 37484 libs optional
gdk-pixbuf_2.42.2+dfsg-1+deb11u2.debian.tar.xz
5c46177922999d850152fc5181b2c043 12737 libs optional
gdk-pixbuf_2.42.2+dfsg-1+deb11u2_source.buildinfo
--- End Message ---