On Sun, Jan 16, 2005 at 12:04:56AM +0100, Loïc Minier wrote:
> Elimar Riesebieter <[EMAIL PROTECTED]> - Sun, Sep 05, 2004:
> > This seems only be related to the icon-theme
> > http://grandmasta.home.comcast.net/Gno-SX-2.6/Gno-SX-icon-7.21.tar.bz2
> > Any other icon-theme works, so the bug can safely be closed.
>
> Steve Langasek <[EMAIL PROTECTED]> - Mon, Sep 13, 2004:
> > On Mon, Sep 13, 2004 at 08:13:05AM +0200, J.H.M. Dassen (Ray) wrote:
> > > On Sun, Sep 12, 2004 at 18:40:36 -0700, Steve Langasek wrote:
> > > > Hmm? The galeon in unstable does have a dependency on libgdk-pixbuf2,
> > > > and does in fact call gdk_pixbuf functions directly.
> > >
> > > I've double checked now, but haven't changed my assessment.
> > > http://packages.debian.org/unstable/gnome/galeon does not list
> > > libgdk-pixbuf2 as a dependency, and when I install galeon 1.3.17-1 in an
> > > i386 unstable pbuilder chroot, libgdk-pixbuf2 does not get installed.
> > > libgdk-pixbuf2's description is "The GdkPixBuf image library, gtk+ 1.2
> > > version" and indeed it depends on libgtk1.2.
> > >
> > > There is a galeon package that depends on libgdk-pixbuf2, but that is the
> > > GNOME1 galeon 1.2.5-0.woody.1 package in woody.
> >
> > Ok, I see that you're right about this; the gdk_pixbuf library that
> > the current galeon package depends on indeed comes from libgtk2.0-0.
>
> JHM / vorlon, you looked into this in September, prior to gdk-pixbuf
> 0.22.0-7, fixing CAN-2004-0788. I tried with "w3m-img" (which seems to
> use gdk-pixbuf) to load **/*.png, and couldn't get a crasher, do you
> think it was the very same overflow as in CAN-2004-0788?

It seems the obvious way to check this would be to downgrade to a
vulnerable version of gdk-pixbuf. Note that w3m-img does *not* use the
same version of gdk-pixbuf as galeon; for libgtk2.0-0, CAN-2004-0788 was
fixed with version 2.4.9-2 on 17 Sep 2004.

-- 
Steve Langasek
postmodern programmer